VARIoT IoT vulnerabilities database
| VAR-201011-0043 | CVE-2010-3813 | Apple Safari of WebKit In DNS Vulnerability that bypasses read-ahead settings |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The WebCore::HTMLLinkElement::process function in WebCore/html/HTMLLinkElement.cpp in WebKit, as used in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4; webkitgtk before 1.2.6; and possibly other products does not verify whether DNS prefetching is enabled when processing an HTML LINK element, which allows remote attackers to bypass intended access restrictions, as demonstrated by an HTML e-mail message that uses a LINK element for X-Confirm-Reading-To functionality. WebKit is prone to a security-bypass vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage.
Successful exploits will allow clients to send requests to malicious servers that can aid in further attacks.
NOTE: This issue was previously covered in BID 44938 (Apple Safari Prior to 5.0.3 and 4.1.3 Multiple Security Vulnerabilities) but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. A remote attacker could exploit this vulnerability to bypass preset access restrictions. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42264
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42264/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
RELEASE DATE:
2010-11-19
DISCUSS ADVISORY:
http://secunia.com/advisories/42264/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42264/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities and weaknesses have been reported in Apple
Safari, which can be exploited by malicious people to bypass certain
security restrictions, conduct spoofing attacks, or compromise a
user's system.
1) An integer overflow error in the handling of strings can be
exploited to corrupt memory and potentially execute arbitrary code.
2) A weakness in the random number generator for JavaScript
applications can be exploited to e.g. track users.
3) Multiple vulnerabilities in WebKit can be exploited by malicious
people to compromise a user's system.
For more information:
SA41328
4) An integer underflow error in the handling of WebSockets can be
exploited to corrupt memory and potentially execute arbitrary code.
5) An unspecified error in the handling of images created from
"canvas" elements can be exploited to conduct cross-origin image
thefts.
This is related to vulnerability #12 in:
SA41242
6) An invalid cast in the handling of editing commands can
potentially be exploited to execute arbitrary code.
7) An invalid cast in the handling of inline styling can potentially
be exploited to execute arbitrary code.
8) An error within the handling of the History object can be
exploited to spoof the address in the location bar or add arbitrary
locations to the history.
9) A use-after-free error in the handling of element attributes can
be exploited to corrupt memory and potentially execute arbitrary
code.
10) An integer overflow error in the handling of Text objects can be
exploited to corrupt memory and potentially execute arbitrary code.
11) A weakness is caused due to WebKit performing DNS prefetching for
HTML Link elements even when it is disabled.
12) Multiple use-after-free errors in the handling of plugins can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #5 in:
SA41014
13) A use-after-free error in the handling of element focus can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #10 in:
SA41242
14) A use-after-free error in the handling of scrollbars can be
exploited to corrupt memory and potentially execute arbitrary code.
15) An invalid cast in the handling of CSS 3D transforms can
potentially be exploited to execute arbitrary code.
16) A use-after-free error in the handling of inline text boxes can
be exploited to corrupt memory and potentially execute arbitrary
code.
17) An invalid cast in the handling of CSS boxes can potentially be
exploited to execute arbitrary code.
18) An unspecified error in the handling of editable elements can be
exploited to trigger an access of uninitialised memory and
potentially execute arbitrary code.
19) An unspecified error in the handling of the ':first-letter'
pseudo-element in cascading stylesheets can be exploited to corrupt
memory and potentially execute arbitrary code.
20) An uninitialised pointer error in the handling of CSS counter
styles can potentially be exploited to execute arbitrary code.
21) A use-after-free error in the handling of Geolocation objects can
be exploited to corrupt memory and potentially execute arbitrary
code.
22) A use-after-free error in the handling of "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) An invalid cast in the handling of SVG elements in non-SVG
documents can potentially be exploited to execute arbitrary code.
This is related to vulnerability #2 in:
SA41443
24) An invalid cast in the handling of colors in SVG documents can
potentially be exploited to execute arbitrary code.
SOLUTION:
Update to Safari 5.0.3 (Mac OS X 10.5.8, Mac OS X 10.6.4 or later,
Windows 7, Vista, XP) or Safari 4.1.3 (Mac OS X 10.4.11).
PROVIDED AND/OR DISCOVERED BY:
2) Amit Klein, Trusteer
The vendor credits:
1, 10) J23
3) Jose A. Vazquez of spa-s3c.blogspot.com, Csaba Osztrogonac of
University of Szeged, and also thabermann and chipplyman
4) Keith Campbell, and Cris Neckar, Google Chrome Security Team
5) Isaac Dawson, and James Qiu, Microsoft and Microsoft Vulnerability
Research (MSVR)
6, 22, 23) wushi, team509
7, 15 - 17, 19, 24) Abhishek Arya (Inferno), Google Chrome Security
Team
8) Mike Taylor, Opera Software
9) Michal Zalewski
11) Jeff Johnson, Rogue Amoeba Software
13) Vupen
14) Rohit Makasana, Google Inc.
20, 21) kuzzcc
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4455
Trusteer:
http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:039
http://www.mandriva.com/security/
_______________________________________________________________________
Package : webkit
Date : March 2, 2011
Affected: 2010.1
_______________________________________________________________________
Problem Description:
Multiple cross-site scripting, denial of service and arbitrary code
execution security flaws were discovered in webkit.
Please consult the CVE web links for further information.
The updated packages have been upgraded to the latest version (1.2.7)
to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0314
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1770
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2648
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4206
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
141f3cd181b875d1bb40b67a507b6db1 2010.1/i586/libwebkitgtk1.0_2-1.2.7-0.1mdv2010.2.i586.rpm
054886a3c645b3ce710b9b9daec1d5f9 2010.1/i586/libwebkitgtk1.0-devel-1.2.7-0.1mdv2010.2.i586.rpm
bef556ca3f281f6ef4086292c3b658d2 2010.1/i586/webkit1.0-1.2.7-0.1mdv2010.2.i586.rpm
a1ff7ac638646aeb64e3bbdca9bc945d 2010.1/i586/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.i586.rpm
3f40e3ebc62bad67097a9e102e0e79c2 2010.1/i586/webkit-1.2.7-0.1mdv2010.2.i586.rpm
50875cf1bc8718cedce1a45dc509b44b 2010.1/i586/webkit-gtklauncher-1.2.7-0.1mdv2010.2.i586.rpm
625d27780d1cc9edb935d4ac3521ae16 2010.1/i586/webkit-jsc-1.2.7-0.1mdv2010.2.i586.rpm
8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
5ce57cd6ab823f8084030033c7c230d7 2010.1/x86_64/lib64webkitgtk1.0_2-1.2.7-0.1mdv2010.2.x86_64.rpm
690d8718a97af93f58de3bb2357fbe9b 2010.1/x86_64/lib64webkitgtk1.0-devel-1.2.7-0.1mdv2010.2.x86_64.rpm
7cc1d4aa77e1901ccc92f27faf85c9ea 2010.1/x86_64/webkit1.0-1.2.7-0.1mdv2010.2.x86_64.rpm
2b77a77159529c55f64343aba98c15d9 2010.1/x86_64/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.x86_64.rpm
475cf83c5ddd8f6809c2c73a1f5a71d1 2010.1/x86_64/webkit-1.2.7-0.1mdv2010.2.x86_64.rpm
b0f1c76107c3d54241daa7e61bfb29a9 2010.1/x86_64/webkit-gtklauncher-1.2.7-0.1mdv2010.2.x86_64.rpm
97deff5e94a625a79842b4c240b0b00d 2010.1/x86_64/webkit-jsc-1.2.7-0.1mdv2010.2.x86_64.rpm
8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNbgbemqjQ0CJFipgRAs9YAJ92z2WSC2ijj34b/wr42OIYLtv65gCg7XgL
Yv/ButpYAcXsmnJWUG4ayxQ=
=GRM6
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2011
Date: December 11, 2014
Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
#350598, #352608, #354209, #355207, #356893, #358611,
#358785, #358789, #360891, #361397, #362185, #366697,
#366699, #369069, #370839, #372971, #376793, #381169,
#386321, #386361
ID: 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2012. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.
Background
==========
For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 games-sports/racer-bin >= 0.5.0-r1 Vulnerable!
2 media-libs/fmod < 4.38.00 >= 4.38.00
3 dev-php/PEAR-Mail < 1.2.0 >= 1.2.0
4 sys-fs/lvm2 < 2.02.72 >= 2.02.72
5 app-office/gnucash < 2.4.4 >= 2.4.4
6 media-libs/xine-lib < 1.1.19 >= 1.1.19
7 media-sound/lastfmplayer
< 1.5.4.26862-r3 >= 1.5.4.26862-r3
8 net-libs/webkit-gtk < 1.2.7 >= 1.2.7
9 sys-apps/shadow < 4.1.4.3 >= 4.1.4.3
10 dev-php/PEAR-PEAR < 1.9.2-r1 >= 1.9.2-r1
11 dev-db/unixODBC < 2.3.0-r1 >= 2.3.0-r1
12 sys-cluster/resource-agents
< 1.0.4-r1 >= 1.0.4-r1
13 net-misc/mrouted < 3.9.5 >= 3.9.5
14 net-misc/rsync < 3.0.8 >= 3.0.8
15 dev-libs/xmlsec < 1.2.17 >= 1.2.17
16 x11-apps/xrdb < 1.0.9 >= 1.0.9
17 net-misc/vino < 2.32.2 >= 2.32.2
18 dev-util/oprofile < 0.9.6-r1 >= 0.9.6-r1
19 app-admin/syslog-ng < 3.2.4 >= 3.2.4
20 net-analyzer/sflowtool < 3.20 >= 3.20
21 gnome-base/gdm < 3.8.4-r3 >= 3.8.4-r3
22 net-libs/libsoup < 2.34.3 >= 2.34.3
23 app-misc/ca-certificates
< 20110502-r1 >= 20110502-r1
24 dev-vcs/gitolite < 1.5.9.1 >= 1.5.9.1
25 dev-util/qt-creator < 2.1.0 >= 2.1.0
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
25 affected packages
Description
===========
Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.
* FMOD Studio
* PEAR Mail
* LVM2
* GnuCash
* xine-lib
* Last.fm Scrobbler
* WebKitGTK+
* shadow tool suite
* PEAR
* unixODBC
* Resource Agents
* mrouted
* rsync
* XML Security Library
* xrdb
* Vino
* OProfile
* syslog-ng
* sFlow Toolkit
* GNOME Display Manager
* libsoup
* CA Certificates
* Gitolite
* QtCreator
* Racer
Impact
======
A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.
Workaround
==========
There are no known workarounds at this time.
Resolution
==========
All FMOD Studio users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"
All PEAR Mail users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"
All LVM2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"
All GnuCash users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"
All xine-lib users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"
All Last.fm Scrobbler users should upgrade to the latest version:
# emerge --sync
# emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"
All shadow tool suite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"
All PEAR users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"
All unixODBC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"
All Resource Agents users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"
All mrouted users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"
All rsync users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"
All XML Security Library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"
All xrdb users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"
All Vino users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"
All OProfile users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"
All syslog-ng users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"
All sFlow Toolkit users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"
All GNOME Display Manager users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"
All libsoup users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"
All CA Certificates users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"
All Gitolite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"
All QtCreator users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"
Gentoo has discontinued support for Racer. We recommend that users
unmerge Racer:
# emerge --unmerge "games-sports/racer-bin"
NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2012. It is likely that your system is
already no longer affected by these issues.
References
==========
[ 1 ] CVE-2007-4370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
[ 2 ] CVE-2009-4023
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
[ 3 ] CVE-2009-4111
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
[ 4 ] CVE-2010-0778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
[ 5 ] CVE-2010-1780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
[ 6 ] CVE-2010-1782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
[ 7 ] CVE-2010-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
[ 8 ] CVE-2010-1784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
[ 9 ] CVE-2010-1785
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
[ 10 ] CVE-2010-1786
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
[ 11 ] CVE-2010-1787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
[ 12 ] CVE-2010-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
[ 13 ] CVE-2010-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
[ 14 ] CVE-2010-1791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
[ 15 ] CVE-2010-1792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
[ 16 ] CVE-2010-1793
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
[ 17 ] CVE-2010-1807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
[ 18 ] CVE-2010-1812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
[ 19 ] CVE-2010-1814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
[ 20 ] CVE-2010-1815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
[ 21 ] CVE-2010-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
[ 22 ] CVE-2010-2901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
[ 23 ] CVE-2010-3255
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
[ 24 ] CVE-2010-3257
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
[ 25 ] CVE-2010-3259
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
[ 26 ] CVE-2010-3362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
[ 27 ] CVE-2010-3374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
[ 28 ] CVE-2010-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
[ 29 ] CVE-2010-3812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
[ 30 ] CVE-2010-3813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
[ 31 ] CVE-2010-3999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
[ 32 ] CVE-2010-4042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
[ 33 ] CVE-2010-4197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
[ 34 ] CVE-2010-4198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
[ 35 ] CVE-2010-4204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
[ 36 ] CVE-2010-4206
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
[ 37 ] CVE-2010-4492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
[ 38 ] CVE-2010-4493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
[ 39 ] CVE-2010-4577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
[ 40 ] CVE-2010-4578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
[ 41 ] CVE-2011-0007
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
[ 42 ] CVE-2011-0465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
[ 43 ] CVE-2011-0482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
[ 44 ] CVE-2011-0721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
[ 45 ] CVE-2011-0727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
[ 46 ] CVE-2011-0904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
[ 47 ] CVE-2011-0905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
[ 48 ] CVE-2011-1072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
[ 49 ] CVE-2011-1097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
[ 50 ] CVE-2011-1144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
[ 51 ] CVE-2011-1425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
[ 52 ] CVE-2011-1572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
[ 53 ] CVE-2011-1760
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
[ 54 ] CVE-2011-1951
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
[ 55 ] CVE-2011-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
[ 56 ] CVE-2011-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
[ 57 ] CVE-2011-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
[ 58 ] CVE-2011-2524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
[ 59 ] CVE-2011-3365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
[ 60 ] CVE-2011-3366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
[ 61 ] CVE-2011-3367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-09.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ==========================================================================
Ubuntu Security Notice USN-1195-1
August 23, 2011
webkit vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
libwebkit-1.0-2 1.2.7-0ubuntu0.10.10.1
Ubuntu 10.04 LTS:
libwebkit-1.0-2 1.2.7-0ubuntu0.10.04.1
After a standard system update you need to restart any applications that
use WebKit, such as Epiphany and Midori, to make all the necessary changes
| VAR-201011-0041 | CVE-2010-3811 | Apple Safari of WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving element attributes. WebKit is prone to a remote code-execution vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage.
Successful attacks will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 44938 (Apple Safari Prior to 5.0.3 and 4.1.3 Multiple Security Vulnerabilities) but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42264
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42264/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
RELEASE DATE:
2010-11-19
DISCUSS ADVISORY:
http://secunia.com/advisories/42264/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42264/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities and weaknesses have been reported in Apple
Safari, which can be exploited by malicious people to bypass certain
security restrictions, conduct spoofing attacks, or compromise a
user's system.
1) An integer overflow error in the handling of strings can be
exploited to corrupt memory and potentially execute arbitrary code.
2) A weakness in the random number generator for JavaScript
applications can be exploited to e.g. track users.
3) Multiple vulnerabilities in WebKit can be exploited by malicious
people to compromise a user's system.
For more information:
SA41328
4) An integer underflow error in the handling of WebSockets can be
exploited to corrupt memory and potentially execute arbitrary code.
5) An unspecified error in the handling of images created from
"canvas" elements can be exploited to conduct cross-origin image
thefts.
This is related to vulnerability #12 in:
SA41242
6) An invalid cast in the handling of editing commands can
potentially be exploited to execute arbitrary code.
7) An invalid cast in the handling of inline styling can potentially
be exploited to execute arbitrary code.
8) An error within the handling of the History object can be
exploited to spoof the address in the location bar or add arbitrary
locations to the history.
9) A use-after-free error in the handling of element attributes can
be exploited to corrupt memory and potentially execute arbitrary
code.
10) An integer overflow error in the handling of Text objects can be
exploited to corrupt memory and potentially execute arbitrary code.
11) A weakness is caused due to WebKit performing DNS prefetching for
HTML Link elements even when it is disabled.
12) Multiple use-after-free errors in the handling of plugins can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #5 in:
SA41014
13) A use-after-free error in the handling of element focus can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #10 in:
SA41242
14) A use-after-free error in the handling of scrollbars can be
exploited to corrupt memory and potentially execute arbitrary code.
15) An invalid cast in the handling of CSS 3D transforms can
potentially be exploited to execute arbitrary code.
16) A use-after-free error in the handling of inline text boxes can
be exploited to corrupt memory and potentially execute arbitrary
code.
17) An invalid cast in the handling of CSS boxes can potentially be
exploited to execute arbitrary code.
18) An unspecified error in the handling of editable elements can be
exploited to trigger an access of uninitialised memory and
potentially execute arbitrary code.
19) An unspecified error in the handling of the ':first-letter'
pseudo-element in cascading stylesheets can be exploited to corrupt
memory and potentially execute arbitrary code.
20) An uninitialised pointer error in the handling of CSS counter
styles can potentially be exploited to execute arbitrary code.
21) A use-after-free error in the handling of Geolocation objects can
be exploited to corrupt memory and potentially execute arbitrary
code.
22) A use-after-free error in the handling of "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) An invalid cast in the handling of SVG elements in non-SVG
documents can potentially be exploited to execute arbitrary code.
This is related to vulnerability #2 in:
SA41443
24) An invalid cast in the handling of colors in SVG documents can
potentially be exploited to execute arbitrary code.
SOLUTION:
Update to Safari 5.0.3 (Mac OS X 10.5.8, Mac OS X 10.6.4 or later,
Windows 7, Vista, XP) or Safari 4.1.3 (Mac OS X 10.4.11).
PROVIDED AND/OR DISCOVERED BY:
2) Amit Klein, Trusteer
The vendor credits:
1, 10) J23
3) Jose A. Vazquez of spa-s3c.blogspot.com, Csaba Osztrogonac of
University of Szeged, and also thabermann and chipplyman
4) Keith Campbell, and Cris Neckar, Google Chrome Security Team
5) Isaac Dawson, and James Qiu, Microsoft and Microsoft Vulnerability
Research (MSVR)
6, 22, 23) wushi, team509
7, 15 - 17, 19, 24) Abhishek Arya (Inferno), Google Chrome Security
Team
8) Mike Taylor, Opera Software
9) Michal Zalewski
11) Jeff Johnson, Rogue Amoeba Software
13) Vupen
14) Rohit Makasana, Google Inc.
20, 21) kuzzcc
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4455
Trusteer:
http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA40257
SA41328
SA42151
SA42312
SOLUTION:
Upgrade to iOS 4.2 (downloadable and installable via iTunes).
For more information:
SA32349
SA33495
SA35095
SA35379
SA35411
SA35449
SA35758
SA36269
SA36677
SA37273
SA37346
SA37769
SA38061
SA38545
SA38932
SA39029
SA39091
SA39384
SA39661
SA39937
SA40002
SA40072
SA40105
SA40112
SA40148
SA40196
SA40257
SA40664
SA40783
SA41014
SA41085
SA41242
SA41328
SA41390
SA41443
SA41535
SA41841
SA41888
SA41968
SA42151
SA42264
SA42290
SA42312
SA42443
SA42461
SA42658
SA42769
SA42886
SA42956
SA43053
SOLUTION:
Apply updated packages via YaST Online Update or the SUSE FTP server
| VAR-201011-0042 | CVE-2010-3812 | Apple Safari of WebKit Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in the Text::wholeText method in dom/Text.cpp in WebKit, as used in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4; webkitgtk before 1.2.6; and possibly other products allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving Text objects. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the wholeText method of the Text element. When calculating the total size of all the text containing it, the application will wrap a 32-bit integer. The application will use this in an allocation and then later use a different value for populating the buffer. This can lead to code execution under the context of the application. WebKit is prone to a remote code-execution vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 44938 (Apple Safari Prior to 5.0.3 and 4.1.3 Multiple Security Vulnerabilities) but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42264
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42264/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
RELEASE DATE:
2010-11-19
DISCUSS ADVISORY:
http://secunia.com/advisories/42264/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42264/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities and weaknesses have been reported in Apple
Safari, which can be exploited by malicious people to bypass certain
security restrictions, conduct spoofing attacks, or compromise a
user's system.
1) An integer overflow error in the handling of strings can be
exploited to corrupt memory and potentially execute arbitrary code.
2) A weakness in the random number generator for JavaScript
applications can be exploited to e.g. track users.
3) Multiple vulnerabilities in WebKit can be exploited by malicious
people to compromise a user's system.
For more information:
SA41328
4) An integer underflow error in the handling of WebSockets can be
exploited to corrupt memory and potentially execute arbitrary code.
5) An unspecified error in the handling of images created from
"canvas" elements can be exploited to conduct cross-origin image
thefts.
7) An invalid cast in the handling of inline styling can potentially
be exploited to execute arbitrary code.
8) An error within the handling of the History object can be
exploited to spoof the address in the location bar or add arbitrary
locations to the history.
9) A use-after-free error in the handling of element attributes can
be exploited to corrupt memory and potentially execute arbitrary
code.
10) An integer overflow error in the handling of Text objects can be
exploited to corrupt memory and potentially execute arbitrary code.
11) A weakness is caused due to WebKit performing DNS prefetching for
HTML Link elements even when it is disabled.
12) Multiple use-after-free errors in the handling of plugins can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #5 in:
SA41014
13) A use-after-free error in the handling of element focus can be
exploited to corrupt memory and potentially execute arbitrary code.
15) An invalid cast in the handling of CSS 3D transforms can
potentially be exploited to execute arbitrary code.
16) A use-after-free error in the handling of inline text boxes can
be exploited to corrupt memory and potentially execute arbitrary
code.
17) An invalid cast in the handling of CSS boxes can potentially be
exploited to execute arbitrary code.
18) An unspecified error in the handling of editable elements can be
exploited to trigger an access of uninitialised memory and
potentially execute arbitrary code.
19) An unspecified error in the handling of the ':first-letter'
pseudo-element in cascading stylesheets can be exploited to corrupt
memory and potentially execute arbitrary code.
20) An uninitialised pointer error in the handling of CSS counter
styles can potentially be exploited to execute arbitrary code.
21) A use-after-free error in the handling of Geolocation objects can
be exploited to corrupt memory and potentially execute arbitrary
code.
22) A use-after-free error in the handling of "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) An invalid cast in the handling of SVG elements in non-SVG
documents can potentially be exploited to execute arbitrary code.
This is related to vulnerability #2 in:
SA41443
24) An invalid cast in the handling of colors in SVG documents can
potentially be exploited to execute arbitrary code.
SOLUTION:
Update to Safari 5.0.3 (Mac OS X 10.5.8, Mac OS X 10.6.4 or later,
Windows 7, Vista, XP) or Safari 4.1.3 (Mac OS X 10.4.11).
PROVIDED AND/OR DISCOVERED BY:
2) Amit Klein, Trusteer
The vendor credits:
1, 10) J23
3) Jose A. Vazquez of spa-s3c.blogspot.com, Csaba Osztrogonac of
University of Szeged, and also thabermann and chipplyman
4) Keith Campbell, and Cris Neckar, Google Chrome Security Team
5) Isaac Dawson, and James Qiu, Microsoft and Microsoft Vulnerability
Research (MSVR)
6, 22, 23) wushi, team509
7, 15 - 17, 19, 24) Abhishek Arya (Inferno), Google Chrome Security
Team
8) Mike Taylor, Opera Software
9) Michal Zalewski
11) Jeff Johnson, Rogue Amoeba Software
13) Vupen
14) Rohit Makasana, Google Inc.
20, 21) kuzzcc
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4455
Trusteer:
http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:039
http://www.mandriva.com/security/
_______________________________________________________________________
Package : webkit
Date : March 2, 2011
Affected: 2010.1
_______________________________________________________________________
Problem Description:
Multiple cross-site scripting, denial of service and arbitrary code
execution security flaws were discovered in webkit.
Please consult the CVE web links for further information.
The updated packages have been upgraded to the latest version (1.2.7)
to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0314
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1770
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2648
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4206
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
141f3cd181b875d1bb40b67a507b6db1 2010.1/i586/libwebkitgtk1.0_2-1.2.7-0.1mdv2010.2.i586.rpm
054886a3c645b3ce710b9b9daec1d5f9 2010.1/i586/libwebkitgtk1.0-devel-1.2.7-0.1mdv2010.2.i586.rpm
bef556ca3f281f6ef4086292c3b658d2 2010.1/i586/webkit1.0-1.2.7-0.1mdv2010.2.i586.rpm
a1ff7ac638646aeb64e3bbdca9bc945d 2010.1/i586/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.i586.rpm
3f40e3ebc62bad67097a9e102e0e79c2 2010.1/i586/webkit-1.2.7-0.1mdv2010.2.i586.rpm
50875cf1bc8718cedce1a45dc509b44b 2010.1/i586/webkit-gtklauncher-1.2.7-0.1mdv2010.2.i586.rpm
625d27780d1cc9edb935d4ac3521ae16 2010.1/i586/webkit-jsc-1.2.7-0.1mdv2010.2.i586.rpm
8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
5ce57cd6ab823f8084030033c7c230d7 2010.1/x86_64/lib64webkitgtk1.0_2-1.2.7-0.1mdv2010.2.x86_64.rpm
690d8718a97af93f58de3bb2357fbe9b 2010.1/x86_64/lib64webkitgtk1.0-devel-1.2.7-0.1mdv2010.2.x86_64.rpm
7cc1d4aa77e1901ccc92f27faf85c9ea 2010.1/x86_64/webkit1.0-1.2.7-0.1mdv2010.2.x86_64.rpm
2b77a77159529c55f64343aba98c15d9 2010.1/x86_64/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.x86_64.rpm
475cf83c5ddd8f6809c2c73a1f5a71d1 2010.1/x86_64/webkit-1.2.7-0.1mdv2010.2.x86_64.rpm
b0f1c76107c3d54241daa7e61bfb29a9 2010.1/x86_64/webkit-gtklauncher-1.2.7-0.1mdv2010.2.x86_64.rpm
97deff5e94a625a79842b4c240b0b00d 2010.1/x86_64/webkit-jsc-1.2.7-0.1mdv2010.2.x86_64.rpm
8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNbgbemqjQ0CJFipgRAs9YAJ92z2WSC2ijj34b/wr42OIYLtv65gCg7XgL
Yv/ButpYAcXsmnJWUG4ayxQ=
=GRM6
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
-- Vendor Response:
Apple states:
iOS 4.2: http://support.apple.com/kb/HT4456
-- Disclosure Timeline:
2010-08-12 - Vulnerability reported to vendor
2010-11-23 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* J23 (http://twitter.com/HansJ23)
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2011
Date: December 11, 2014
Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
#350598, #352608, #354209, #355207, #356893, #358611,
#358785, #358789, #360891, #361397, #362185, #366697,
#366699, #369069, #370839, #372971, #376793, #381169,
#386321, #386361
ID: 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2012. Please see the package list and CVE
identifiers below for more information.
Background
==========
For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 games-sports/racer-bin >= 0.5.0-r1 Vulnerable!
2 media-libs/fmod < 4.38.00 >= 4.38.00
3 dev-php/PEAR-Mail < 1.2.0 >= 1.2.0
4 sys-fs/lvm2 < 2.02.72 >= 2.02.72
5 app-office/gnucash < 2.4.4 >= 2.4.4
6 media-libs/xine-lib < 1.1.19 >= 1.1.19
7 media-sound/lastfmplayer
< 1.5.4.26862-r3 >= 1.5.4.26862-r3
8 net-libs/webkit-gtk < 1.2.7 >= 1.2.7
9 sys-apps/shadow < 4.1.4.3 >= 4.1.4.3
10 dev-php/PEAR-PEAR < 1.9.2-r1 >= 1.9.2-r1
11 dev-db/unixODBC < 2.3.0-r1 >= 2.3.0-r1
12 sys-cluster/resource-agents
< 1.0.4-r1 >= 1.0.4-r1
13 net-misc/mrouted < 3.9.5 >= 3.9.5
14 net-misc/rsync < 3.0.8 >= 3.0.8
15 dev-libs/xmlsec < 1.2.17 >= 1.2.17
16 x11-apps/xrdb < 1.0.9 >= 1.0.9
17 net-misc/vino < 2.32.2 >= 2.32.2
18 dev-util/oprofile < 0.9.6-r1 >= 0.9.6-r1
19 app-admin/syslog-ng < 3.2.4 >= 3.2.4
20 net-analyzer/sflowtool < 3.20 >= 3.20
21 gnome-base/gdm < 3.8.4-r3 >= 3.8.4-r3
22 net-libs/libsoup < 2.34.3 >= 2.34.3
23 app-misc/ca-certificates
< 20110502-r1 >= 20110502-r1
24 dev-vcs/gitolite < 1.5.9.1 >= 1.5.9.1
25 dev-util/qt-creator < 2.1.0 >= 2.1.0
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
25 affected packages
Description
===========
Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.
* FMOD Studio
* PEAR Mail
* LVM2
* GnuCash
* xine-lib
* Last.fm Scrobbler
* WebKitGTK+
* shadow tool suite
* PEAR
* unixODBC
* Resource Agents
* mrouted
* rsync
* XML Security Library
* xrdb
* Vino
* OProfile
* syslog-ng
* sFlow Toolkit
* GNOME Display Manager
* libsoup
* CA Certificates
* Gitolite
* QtCreator
* Racer
Impact
======
A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.
Workaround
==========
There are no known workarounds at this time.
Resolution
==========
All FMOD Studio users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"
All PEAR Mail users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"
All LVM2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"
All GnuCash users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"
All xine-lib users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"
All Last.fm Scrobbler users should upgrade to the latest version:
# emerge --sync
# emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"
All shadow tool suite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"
All PEAR users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"
All unixODBC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"
All Resource Agents users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"
All mrouted users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"
All rsync users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"
All XML Security Library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"
All xrdb users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"
All Vino users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"
All OProfile users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"
All syslog-ng users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"
All sFlow Toolkit users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"
All GNOME Display Manager users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"
All libsoup users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"
All CA Certificates users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"
All Gitolite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"
All QtCreator users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"
Gentoo has discontinued support for Racer. We recommend that users
unmerge Racer:
# emerge --unmerge "games-sports/racer-bin"
NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2012. It is likely that your system is
already no longer affected by these issues.
References
==========
[ 1 ] CVE-2007-4370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
[ 2 ] CVE-2009-4023
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
[ 3 ] CVE-2009-4111
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
[ 4 ] CVE-2010-0778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
[ 5 ] CVE-2010-1780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
[ 6 ] CVE-2010-1782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
[ 7 ] CVE-2010-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
[ 8 ] CVE-2010-1784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
[ 9 ] CVE-2010-1785
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
[ 10 ] CVE-2010-1786
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
[ 11 ] CVE-2010-1787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
[ 12 ] CVE-2010-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
[ 13 ] CVE-2010-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
[ 14 ] CVE-2010-1791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
[ 15 ] CVE-2010-1792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
[ 16 ] CVE-2010-1793
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
[ 17 ] CVE-2010-1807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
[ 18 ] CVE-2010-1812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
[ 19 ] CVE-2010-1814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
[ 20 ] CVE-2010-1815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
[ 21 ] CVE-2010-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
[ 22 ] CVE-2010-2901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
[ 23 ] CVE-2010-3255
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
[ 24 ] CVE-2010-3257
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
[ 25 ] CVE-2010-3259
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
[ 26 ] CVE-2010-3362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
[ 27 ] CVE-2010-3374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
[ 28 ] CVE-2010-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
[ 29 ] CVE-2010-3812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
[ 30 ] CVE-2010-3813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
[ 31 ] CVE-2010-3999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
[ 32 ] CVE-2010-4042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
[ 33 ] CVE-2010-4197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
[ 34 ] CVE-2010-4198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
[ 35 ] CVE-2010-4204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
[ 36 ] CVE-2010-4206
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
[ 37 ] CVE-2010-4492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
[ 38 ] CVE-2010-4493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
[ 39 ] CVE-2010-4577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
[ 40 ] CVE-2010-4578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
[ 41 ] CVE-2011-0007
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
[ 42 ] CVE-2011-0465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
[ 43 ] CVE-2011-0482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
[ 44 ] CVE-2011-0721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
[ 45 ] CVE-2011-0727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
[ 46 ] CVE-2011-0904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
[ 47 ] CVE-2011-0905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
[ 48 ] CVE-2011-1072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
[ 49 ] CVE-2011-1097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
[ 50 ] CVE-2011-1144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
[ 51 ] CVE-2011-1425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
[ 52 ] CVE-2011-1572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
[ 53 ] CVE-2011-1760
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
[ 54 ] CVE-2011-1951
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
[ 55 ] CVE-2011-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
[ 56 ] CVE-2011-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
[ 57 ] CVE-2011-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
[ 58 ] CVE-2011-2524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
[ 59 ] CVE-2011-3365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
[ 60 ] CVE-2011-3366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
[ 61 ] CVE-2011-3367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-09.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ==========================================================================
Ubuntu Security Notice USN-1195-1
August 23, 2011
webkit vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
libwebkit-1.0-2 1.2.7-0ubuntu0.10.10.1
Ubuntu 10.04 LTS:
libwebkit-1.0-2 1.2.7-0ubuntu0.10.04.1
After a standard system update you need to restart any applications that
use WebKit, such as Epiphany and Midori, to make all the necessary changes
| VAR-201011-0040 | CVE-2010-3810 | Apple Safari of WebKit In the location bar URL Vulnerabilities that are disguised |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, does not properly handle the History object, which allows remote attackers to spoof the location bar's URL or add URLs to the history via a cross-origin attack. WebKit is prone to a same-origin validation bypass vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage.
Successful exploits will allow attackers to spoof addresses in the location bar or add arbitrary locations to the history.
NOTE: This issue was previously covered in BID 44938 (Apple Safari Prior to 5.0.3 and 4.1.3 Multiple Security Vulnerabilities) but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42264
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42264/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
RELEASE DATE:
2010-11-19
DISCUSS ADVISORY:
http://secunia.com/advisories/42264/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42264/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities and weaknesses have been reported in Apple
Safari, which can be exploited by malicious people to bypass certain
security restrictions, conduct spoofing attacks, or compromise a
user's system.
1) An integer overflow error in the handling of strings can be
exploited to corrupt memory and potentially execute arbitrary code.
2) A weakness in the random number generator for JavaScript
applications can be exploited to e.g. track users.
3) Multiple vulnerabilities in WebKit can be exploited by malicious
people to compromise a user's system.
For more information:
SA41328
4) An integer underflow error in the handling of WebSockets can be
exploited to corrupt memory and potentially execute arbitrary code.
5) An unspecified error in the handling of images created from
"canvas" elements can be exploited to conduct cross-origin image
thefts.
This is related to vulnerability #12 in:
SA41242
6) An invalid cast in the handling of editing commands can
potentially be exploited to execute arbitrary code.
7) An invalid cast in the handling of inline styling can potentially
be exploited to execute arbitrary code.
9) A use-after-free error in the handling of element attributes can
be exploited to corrupt memory and potentially execute arbitrary
code.
10) An integer overflow error in the handling of Text objects can be
exploited to corrupt memory and potentially execute arbitrary code.
11) A weakness is caused due to WebKit performing DNS prefetching for
HTML Link elements even when it is disabled.
12) Multiple use-after-free errors in the handling of plugins can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #5 in:
SA41014
13) A use-after-free error in the handling of element focus can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #10 in:
SA41242
14) A use-after-free error in the handling of scrollbars can be
exploited to corrupt memory and potentially execute arbitrary code.
15) An invalid cast in the handling of CSS 3D transforms can
potentially be exploited to execute arbitrary code.
16) A use-after-free error in the handling of inline text boxes can
be exploited to corrupt memory and potentially execute arbitrary
code.
17) An invalid cast in the handling of CSS boxes can potentially be
exploited to execute arbitrary code.
18) An unspecified error in the handling of editable elements can be
exploited to trigger an access of uninitialised memory and
potentially execute arbitrary code.
19) An unspecified error in the handling of the ':first-letter'
pseudo-element in cascading stylesheets can be exploited to corrupt
memory and potentially execute arbitrary code.
20) An uninitialised pointer error in the handling of CSS counter
styles can potentially be exploited to execute arbitrary code.
21) A use-after-free error in the handling of Geolocation objects can
be exploited to corrupt memory and potentially execute arbitrary
code.
22) A use-after-free error in the handling of "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) An invalid cast in the handling of SVG elements in non-SVG
documents can potentially be exploited to execute arbitrary code.
This is related to vulnerability #2 in:
SA41443
24) An invalid cast in the handling of colors in SVG documents can
potentially be exploited to execute arbitrary code.
SOLUTION:
Update to Safari 5.0.3 (Mac OS X 10.5.8, Mac OS X 10.6.4 or later,
Windows 7, Vista, XP) or Safari 4.1.3 (Mac OS X 10.4.11).
PROVIDED AND/OR DISCOVERED BY:
2) Amit Klein, Trusteer
The vendor credits:
1, 10) J23
3) Jose A. Vazquez of spa-s3c.blogspot.com, Csaba Osztrogonac of
University of Szeged, and also thabermann and chipplyman
4) Keith Campbell, and Cris Neckar, Google Chrome Security Team
5) Isaac Dawson, and James Qiu, Microsoft and Microsoft Vulnerability
Research (MSVR)
6, 22, 23) wushi, team509
7, 15 - 17, 19, 24) Abhishek Arya (Inferno), Google Chrome Security
Team
8) Mike Taylor, Opera Software
9) Michal Zalewski
11) Jeff Johnson, Rogue Amoeba Software
13) Vupen
14) Rohit Makasana, Google Inc.
20, 21) kuzzcc
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4455
Trusteer:
http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA40257
SA41328
SA42151
SA42312
SOLUTION:
Upgrade to iOS 4.2 (downloadable and installable via iTunes).
For more information:
SA32349
SA33495
SA35095
SA35379
SA35411
SA35449
SA35758
SA36269
SA36677
SA37273
SA37346
SA37769
SA38061
SA38545
SA38932
SA39029
SA39091
SA39384
SA39661
SA39937
SA40002
SA40072
SA40105
SA40112
SA40148
SA40196
SA40257
SA40664
SA40783
SA41014
SA41085
SA41242
SA41328
SA41390
SA41443
SA41535
SA41841
SA41888
SA41968
SA42151
SA42264
SA42290
SA42312
SA42443
SA42461
SA42658
SA42769
SA42886
SA42956
SA43053
SOLUTION:
Apply updated packages via YaST Online Update or the SUSE FTP server
| VAR-201011-0293 | No CVE | Hitachi Multiple Collaboration Products Unknown Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple Hitachi products have vulnerabilities that allow malicious users to conduct denial of service attacks. There is an unspecified error in the Collaboration file sharing component, and WebDav needs to be enabled to successfully exploit the vulnerability.
A remote attacker can leverage this issue to cause denial-of-service condition. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi Products Collaboration Server Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA42299
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42299/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42299
RELEASE DATE:
2010-11-17
DISCUSS ADVISORY:
http://secunia.com/advisories/42299/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42299/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42299
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi products, which
can be exploited by malicious people to cause a DoS (Denial of
Service). No further information is
currently available.
Successful exploitation requires WebDav to be enabled.
Please see the vendor's advisory for the list of affected products.
SOLUTION:
Apply patches. Please see the vendor's advisory for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS10-029:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-029/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201011-0450 | No CVE | RETIRED: Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Unified Videoconferencing is prone to multiple remote vulnerabilities and a weakness.
An attacker can exploit these issue to gain unauthorized access to the affected device, gain access to sensitive information, compromise the affected device, and hijack a user's session. Other attacks are also possible.
The following products are affected:
Cisco Unified Videoconferencing 5110 System
Cisco Unified Videoconferencing 5115 System
Cisco Unified Videoconferencing 5230 System
Cisco Unified Videoconferencing 3545 System
Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway
Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway
Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU)
This BID is being retired. The following individual records exist to better document the issues:
44922 Cisco Unified Videoconferencing Multiple Remote Command Injection Vulnerabilities
44923 Cisco Unified Videoconferencing Password Obfuscation Vulnerability
44924 Cisco Unified Videoconferencing Hardcoded User Credentials Authentication Bypass Vulnerability
44925 Cisco Unified Videoconferencing Security Bypass Vulnerability
44926 Cisco Unified Videoconferencing Web Interface Weak Session Cookie Session Hijacking Vulnerability
44927 Cisco Unified Videoconferencing Local Information Disclosure Vulnerability
44928 Cisco Unified Videoconferencing FTP Server Security Weakness
44929 Cisco Unified Videoconferencing Security Bypass Vulnerability
44936 Cisco Unified Videoconferencing Local Information Disclosure Vulnerability
| VAR-201011-0284 | No CVE | SAP NetWeaver SQL Monitor Multiple Cross-Site Scripting Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: LOW |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The ConnectionMonitorServlet and CatalogBufferMonitorServlet scripts included in SAP NetWeaver lack sufficient filtering for the connid and reqTableColumns parameters. Attackers can send links to administrators to obtain sensitive information such as COOKIE. The SQL Monitor of SAP NetWeaver is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks
| VAR-201011-0282 | No CVE | SAP NetWeaver Security Bypass Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP Netweaver Metamodel Repository is accessible by default in the old SAP ECC version without authentication. The attacker can access the test performance page: http://sapserver:8000/mmr/MMR?page=MMRPerformance if used max. Data size for performance testing, the server will consume 100% CPU. The attacker writes a script that calls this script 100, and the server will not respond for a long time. SAP NetWeaver is prone to a remote denial-of-service vulnerability
An attacker can exploit this issue to cause a high CPU load and make the application unresponsive, denying service to legitimate users
| VAR-201011-0429 | No CVE | Vtiger CRM Multiple Remote Security Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Vtiger CRM is prone to an arbitrary-file-upload vulnerability, multiple local file-include vulnerabilities, and multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
Attackers can exploit these issues to upload and execute arbitrary code in the context of the webserver process, view and execute arbitrary local files within the context of the webserver process, steal cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, and obtain sensitive information. Other attacks are also possible.
Vtiger CRM 5.2.0 is vulnerable; other versions may also be affected.
| VAR-201011-0292 | No CVE | Multiple Security Vulnerabilities in Cisco Unified Videoconferencing |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Videoconferencing (Cisco Video Conferencing Products) is Cisco's web conferencing solution. There are multiple vulnerabilities in Cisco's universal video conferencing products that can be exploited by malicious local users to disclose sensitive information, gain higher privileges, manipulate affected systems, hijack another user's session, and secretly manipulate affected systems. 1. There are multiple hardcoded accounts that cannot be disabled. (\"root\", \"cs\", and \"develop\") 2. The value entered into goform/websXMLAdminRequestCgi.cgi via the \"username\" parameter is not properly filtered before being used as a command line argument. 3. The reversible password hashing method is used in the configuration file /opt/rv/Versions/CurrentVersion/Mcu/Config/Mcu.val to obtain the administrator password and operator account information. 4. A globally readable shadow password. 5. Create a session ID based on the time counter to hijack another user session, for example: use a barbarian attack to retell all possible time values from the last system boot time. 6, Base64 encoded cookies or plain text storage certificates to obtain device permissions, such as: steal network traffic or man-in-the-middle attacks. Note: In addition, there are some configuration issues in the FTP, Web, and OpenSSH servers.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
This issue is being tracked by Cisco bug ID CSCti54052
| VAR-201011-0297 | No CVE | Cisco Unified Videoconferencing Weak Password Algorithm Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. Users with access to the Linux operating system can obtain files for the storage administrator and the Cisco UVC web GUI action account. The passwords in this file use a simple and reversible hash mechanism that allows an attacker to recover the account password. Cisco Unified Videoconferencing is prone to a weak-password obfuscation vulnerability.
An attacker can exploit this issue to gain unauthorized access to the affected device.
This issue is being tracked by Cisco bug ID CSCti54010.
The following products are affected:
Cisco Unified Videoconferencing 5110 System
Cisco Unified Videoconferencing 5115 System
Cisco Unified Videoconferencing 5230 System
Cisco Unified Videoconferencing 3545 System
Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway
Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway
Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU)
NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it
| VAR-201011-0303 | No CVE | Cisco Unified Videoconferencing shadow password readable vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The shadow password must only be readable by the root account. This application allows users who have access to the system shell to read the shadow password file. The wrong configuration allows sensitive users accessing the Linux operating system directory to obtain sensitive information. Cisco Unified Videoconferencing is prone to a security bypass vulnerability.
Successful exploits compromise the affected device or cause a denial-of-service condition. This issue affects the Linux-based operating system Cisco UVC product.
These issues are being tracked by Cisco bug ID CSCti54045.
NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it
| VAR-201011-0300 | No CVE | Cisco Unified Videoconferencing Locks OpenSSH Configuration Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The SSH server has a restricted shell, but the SSH server configuration allows X.11 to forward and create SOCK proxies. The misconfiguration of this service only affects Linux-based Cisco UVC products. Cisco Unified Videoconferencing is prone to a security bypass vulnerability.
Successful exploits compromise the affected device or cause a denial-of-service condition.
These issues are being tracked by Cisco bug ID CSCti54047.
NOTE: These issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it
| VAR-201011-0299 | No CVE | Cisco Unified Videoconferencing WEB Interface Weak Session COOKIE Session Hijacking Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The session ID of the Cisco UVC web interface is incremented based on the timer, guessing the session ID, and the attacker hijacks the hijacked target user session. Cisco Unified Videoconferencing is prone to a session-hijacking vulnerability.
An attacker can exploit this issue to gain access to the affected application.
This issue is being tracked by Cisco bug ID CSCti54048.
NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it
| VAR-201011-0383 | No CVE | Cisco Unified Videoconferencing Local Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Unified Videoconferencing is prone to an information-disclosure vulnerability.
An attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
This issue is being tracked by Cisco bug ID CSCti54043.
The following products are affected:
Cisco Unified Videoconferencing 5110 System
Cisco Unified Videoconferencing 5115 System
Cisco Unified Videoconferencing 5230 System
Cisco Unified Videoconferencing 3545 System
Cisco Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway
Cisco Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway
Cisco Unified Videoconferencing 3515 Multipoint Control Unit (MCU)
NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it.
| VAR-201011-0295 | No CVE | Cisco Unified Videoconferencing FTP Server Security Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The default Cisco UVC system enables the FTP server, and an attacker can use the FTP server to obtain the /etc/shadow file. The FTP access to the device can be controlled through the \"Security mode\" field in the WEB GUI of the Cisco UVC product. If the security settings are configured to be high or medium, the device will not receive FTP connections. Cisco Unified Videoconferencing is prone to a security weakness.
The weakness can potentially be used to leverage other latent vulnerabilities in the affected device.
This issue affects Linux-based operating system Cisco UVC products and VxWorks-based Cisco UVC products.
This issue is being tracked by Cisco bug ID CSCti72032.
NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it
| VAR-201011-0301 | No CVE | Hitachi Multiple Groupmax Product Unknown Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The Hitachi Groupmax client product has vulnerabilities that allow malicious users to conduct denial of service attacks or execute arbitrary code. An unknown error when processing a file can cause a buffer overflow. Successful exploitation of the vulnerability could execute arbitrary code in the application security context. Multiple Hitachi Groupmax products are prone to an unspecified buffer-overflow vulnerability. Successful exploits will compromise the application and possibly the underlying system. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi Groupmax Client Products Unspecified Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA42303
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42303/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42303
RELEASE DATE:
2010-11-17
DISCUSS ADVISORY:
http://secunia.com/advisories/42303/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42303/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42303
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi Groupmax Client
products, which can be exploited by malicious people to cause a DoS
(Denial of Service) or potentially compromise a user's system.
Please see the vendor's advisory for the list of affected products.
SOLUTION:
Apply patches. Please see the vendor's advisory for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS10-028:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-028/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201011-0226 | CVE-2010-3037 | plural Cisco UVC System Vulnerability to execute arbitrary commands in the product |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
goform/websXMLAdminRequestCgi.cgi in Cisco Unified Videoconferencing (UVC) System 5110 and 5115, and possibly Unified Videoconferencing System 3545 and 5230, Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway, Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway, and Unified Videoconferencing 3515 Multipoint Control Unit (MCU), allows remote authenticated administrators to execute arbitrary commands via the username field, related to a "shell command injection vulnerability," aka Bug ID CSCti54059. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The script lacks proper filtering for multiple parameters, including but not limited to the \"username\" field. Obviously, the WEB service runs with ROOT privileges, which can lead to an attacker having complete control over the device. Cisco Unified Videoconferencing is prone to multiple remote command-injection vulnerabilities because it fails to properly sanitize user-supplied input.
These issues are being tracked by Cisco bug ID CSCti54059.
NOTE: These issues were previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but have been given their own record for better documentation. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
1) Multiple hard-coded accounts exist ("root", "cs", and "develop")
that cannot be disabled, which can be exploited to potentially gain
access to the device via e.g. brute force attacks.
Successful exploitation requires administrative credentials. using a brute force attack to iterate over all
possible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM)
attack.
NOTE: Additionally, some configuration issues exists in the FTP, Web,
and OpenSSH servers.
PROVIDED AND/OR DISCOVERED BY:
Florent Daigniere, Matta Consulting.
ORIGINAL ADVISORY:
Matta (MATTA-2010-001):
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. Matta Consulting - Matta Advisory
http://www.trustmatta.com
Cisco Unified Videoconferencing multiple vulnerabilities
Advisory ID: MATTA-2010-001
CVE reference: CVE-2010-3037 CVE-2010-3038
Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545,
5110,5115 Systems and unspecified Radvision systems
Version: 7.0.1.13.3 at least and more likely all
Date: 2010-August-03
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Researcher: Florent Daigniere
Vendor Status: Notified, working on a patch
Vulnerability Disclosure Policy:
http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
=====================================================================
Description:
During an external pentest exercise for one of our clients, multiple
vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which
allowed us to ultimately gain access to the internal network.
- - Hard-coded credentials - CVE-2010-3038
Three accounts have a login shell and a password the administrator can neither
disable nor change. The affected accounts are "root", "cs" and "develop".
Matta didn't spend the CPU cycles required to get those passwords but will
provide the salted hashes to interested parties.
- - Services misconfiguration
There is an FTP daemon (vsftpd) running but no mention in the documentation
of what it might be useful for. User credentials created from the
web-interface allow to explore the filesystem/firmware of the device.
The file /etc/shadow has read permissions for all.
The ssh daemon (openssh) has a non-default but curious configuration. It
allows port-forwarding and socks proxies to be created, X11 to be
forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and
uptime, the easiest being to ask over RPC... Assuming that a user or an
administrator logged into the device shortly after it was powered up, and
that the network connectivity is fast, it is practical to bruteforce a
valid session id.
Using this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users
are not expected to reuse their credentials, in practice they do; this is
an information-disclosure bug. This is an
information-disclosure bug. Best practices recommend using PBKDF2 to store
passwords.
=====================================================================
Impact
If successful, a malicious third party can get full control of the device and
harvest user passwords with little to no effort. The Attacker might
reposition and launch an attack against other parts of the target
infrastructure from there. All deployed versions are probably
vulnerable.
=====================================================================
Threat mitigation
Until a patch is issued by the vendor, Matta recommends you unplug the
device from its network socket.
=====================================================================
Base64 encoded decryption script for the credentials:
IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw
LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm
dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu
c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu
LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h
IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ
CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg
bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7
OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj
ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9
bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK
CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp
IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg
OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ
ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs
PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7
CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5
NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9
NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK
CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==
=====================================================================
Credits
This vulnerability was discovered and researched by Florent Daigniere from
Matta Consulting.
Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the
coordination effort.
=====================================================================
History
30-07-10 initial discovery
05-08-10 our client has mitigated the risk for his infrastructure
...
23-08-10 initial attempt to contact the vendor
23-08-10 sent pre-advisory to the vendor
PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0
23-08-10 reply from the vendor, case PSIRT-0217563645 is open
...
21-09-10 agreement on the public disclosure date
...
08-11-10 planned disclosure date (missed), CVE assignments
...
17-11-10 public disclosure
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a European
office in Amsterdam. Established in 2001, Matta operates in Europe, Asia,
the Middle East and North America using a respected team of senior
consultants. Matta is an accredited provider of Tigerscheme training;
conducts regular research and is the developer behind the webcheck
application scanner, and colossus network scanner.
http://www.trustmatta.com
http://www.trustmatta.com/webapp_va.html
http://www.trustmatta.com/network_va.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2010 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Matta Consulting or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Matta Consulting or its suppliers have been advised of the
possibility of such damages. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Response: Multiple Vulnerabilities in Cisco Unified
Videoconferencing Products
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
Revision 1.0
For Public Release 2010 November 17 1600 UTC (GMT)
+---------------------------------------------------------------------
Cisco Response
==============
This is the Cisco Product Security Incident Response Team (PSIRT)
response to a posting entitled "Cisco Unified Videoconferencing
multiple vulnerabilities" by Florent Daigniere of Matta Consulting
regarding vulnerabilities in the Cisco Unified Videoconferencing
(Cisco UVC) 5100 series products.
The original report is available at the following links:
http://seclists.org/fulldisclosure/2010/Nov/167
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco would like to thank Florent Daigniere of Matta Consulting for
reporting these vulnerabilities to us. Cisco greatly appreciate the
opportunity to work with researchers on security vulnerabilities and
welcome the opportunity to review and assist in product reports.
All versions of system software prior to the first fixed, which is
indicated in the Software Version and Fixes Table, are affected.
To view the version of system software that is currently running on
Cisco Unified Videoconferencing 5100 Series Products, access the
Cisco UVC device via the web GUI interface. On the status screen, the
"Software Version" field below the "Product Information" section
indicates the current system software.
Details for Reported Vulnerabilities
====================================
Hard-Coded Credentials in Cisco UVC Products
+-------------------------------------------
The Linux shell contains three hard-coded usernames and passwords.
The passwords cannot be changed, and the accounts cannot be deleted.
Attackers could leverage these accounts to obtain remote access to a
device by using permitted remote access protocols.
This vulnerability only affects Linux-based operating system Cisco
UVC products. Exploitation of this
vulnerability could result in a complete compromise of the device.
This vulnerability affects Linux-based operating system Cisco UVC
products. It may also affect VxWorks-based Cisco UVC products. The passwords in this file are
obfuscated using an easily reversible hashing scheme. Exploit code
that assists in recovering the passwords exists.
This vulnerability affects only Linux-based operating system Cisco
UVC products.
FTP Server Accessible by Default in Cisco UVC Products
+-----------------------------------------------------
The FTP server is enabled by default on Cisco UVC systems. An
attacker can leverage the FTP server to exploit other vulnerabilities
in this Cisco Security Response. Authentication is required to log
into the device via the FTP server.
FTP access to the device can be controlled via the "Security mode"
field of the Cisco UVC products web GUI. If the Security setting is
configured as "High" or "Maximum," the device will not accept FTP
connections. For further information, consult the Configuration Guide
for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the
following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
This service misconfiguration affects both Linux-based operating
system Cisco UVC products and VxWorks-based Cisco UVC products.
Shadow Password File has Read Permissions for All Users in Cisco UVC Products
+----------------------------------------------------------------------------
The shadow password file should only be readable by the root account.
Allowing read access to the shadow password file allows other users
of the system with shell access to retrieve the shadow password file.
An authenticated user who has access to the Linux operating system
directories, may be able to retrieve the shadow password file.
This service misconfiguration only affects Linux-based operating
system Cisco UVC products.
Lock Down OpenSSH Configuration in Cisco UVC Products
+----------------------------------------------------
The SSH server has a restricted shell, however the configuration of
the SSH server allows for X.11 forwarding and socks proxies to be
created.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Daemon That Binds the Port of the Web Interface Runs as root in Cisco
UVC Products
In the event that all attacker exploits a flaw in a script running
with root's permissions that allows them to write to files, gain
access to the system or cause a denial of service.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Weak Session IDs on the Web Interface in Cisco UVC Products
+----------------------------------------------------------
The Cisco UVC web interface has session IDs that are incremented
based on a time counter. Having predictable session IDs, assists in
the hijacking of user sessions.
This vulnerability affects both Linux-based operating system Cisco
UVC products and VxWorks-based Cisco UVC products.
Usage of Cookies to Store Credentials in Cisco UVC Products
+----------------------------------------------------------
On Linux-based Cisco UVC products, web interface credentials are
stored in Base64 format in the cookie that is sent to a browser. On
VxWorks-based Cisco UVC products, web interface credentials are
stored in Base64 format or in clear text.
This vulnerability affects both Linux-based operating system Cisco
UVC products and VxWorks-based Cisco UVC products.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
All Cisco UVC software versions prior to the first fixed software
release, which is indicated in the following table, are affected by the
associated vulnerabilities.
This software table will be updated as software fixes become available.
+---------------------------------------+
| Linux Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5110 and 5115 | Contact your |
| Systems | support |
| | organization. |
|---------------------------------------|
| VxWorks Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5230 System: | Contact your |
| | support |
| | organization. |
| 3545 System: | Contact your |
| | support |
| | organization. |
| 3515 MCU: | Contact your |
| | support |
| | organization. |
| 3522 BRI Gateway: | Contact your |
| | support |
| | organization. |
| 3527 PRI Gateway: | Contact your |
| | support |
| | organization. |
+---------------------------------------+
Workarounds
===========
There are no workarounds for the vulnerabilities that are described in
this Cisco Security Response.
Administrators can mitigate these vulnerabilities by limiting access to
Cisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet
services and by setting the "Security mode" field in the "Security"
section of the Cisco UVC web GUI to "Maximum." For further information,
consult the Configuration Guide for Cisco Unified Videoconferencing 5000
MCU Release 7.0 at the following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Status of this Notice: INTERIM
==============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2010-November-17 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx
mM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M
=f751
-----END PGP SIGNATURE-----
| VAR-201011-0227 | CVE-2010-3038 | Cisco UVC System 5110 and 5115 Unauthorized access vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008. The problem is Bug ID CSCti54008 It is a problem.By a third party (a) FTP Or (b) SSH It may be accessed through a daemon. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. An attacker can use these accounts to gain access control for this device. Cisco Unified Videoconferencing is prone to an authentication-bypass vulnerability.
This issue is being tracked by Cisco bug ID CSCti54008.
NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. brute force attacks.
2) Input passed via the "username" parameter to
goform/websXMLAdminRequestCgi.cgi is not properly sanitised before
being used as a command line argument, which can be exploited to
inject arbitrary shell commands with the privileges of the root
user.
Successful exploitation requires administrative credentials. using a brute force attack to iterate over all
possible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM)
attack.
NOTE: Additionally, some configuration issues exists in the FTP, Web,
and OpenSSH servers.
PROVIDED AND/OR DISCOVERED BY:
Florent Daigniere, Matta Consulting.
ORIGINAL ADVISORY:
Matta (MATTA-2010-001):
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. Matta Consulting - Matta Advisory
http://www.trustmatta.com
Cisco Unified Videoconferencing multiple vulnerabilities
Advisory ID: MATTA-2010-001
CVE reference: CVE-2010-3037 CVE-2010-3038
Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545,
5110,5115 Systems and unspecified Radvision systems
Version: 7.0.1.13.3 at least and more likely all
Date: 2010-August-03
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Researcher: Florent Daigniere
Vendor Status: Notified, working on a patch
Vulnerability Disclosure Policy:
http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
=====================================================================
Description:
During an external pentest exercise for one of our clients, multiple
vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which
allowed us to ultimately gain access to the internal network.
Matta didn't spend the CPU cycles required to get those passwords but will
provide the salted hashes to interested parties.
- - Services misconfiguration
There is an FTP daemon (vsftpd) running but no mention in the documentation
of what it might be useful for. User credentials created from the
web-interface allow to explore the filesystem/firmware of the device.
The file /etc/shadow has read permissions for all.
The ssh daemon (openssh) has a non-default but curious configuration. It
allows port-forwarding and socks proxies to be created, X11 to be
forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and
uptime, the easiest being to ask over RPC... Assuming that a user or an
administrator logged into the device shortly after it was powered up, and
that the network connectivity is fast, it is practical to bruteforce a
valid session id.
Using this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users
are not expected to reuse their credentials, in practice they do; this is
an information-disclosure bug. Many parameters can be abused,
including but not limited to the "username" field. This is an
information-disclosure bug. Best practices recommend using PBKDF2 to store
passwords.
=====================================================================
Impact
If successful, a malicious third party can get full control of the device and
harvest user passwords with little to no effort. The Attacker might
reposition and launch an attack against other parts of the target
infrastructure from there. All deployed versions are probably
vulnerable.
=====================================================================
Threat mitigation
Until a patch is issued by the vendor, Matta recommends you unplug the
device from its network socket.
=====================================================================
Base64 encoded decryption script for the credentials:
IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw
LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm
dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu
c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu
LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h
IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ
CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg
bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7
OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj
ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9
bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK
CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp
IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg
OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ
ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs
PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7
CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5
NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9
NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK
CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==
=====================================================================
Credits
This vulnerability was discovered and researched by Florent Daigniere from
Matta Consulting.
Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the
coordination effort.
=====================================================================
History
30-07-10 initial discovery
05-08-10 our client has mitigated the risk for his infrastructure
...
23-08-10 initial attempt to contact the vendor
23-08-10 sent pre-advisory to the vendor
PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0
23-08-10 reply from the vendor, case PSIRT-0217563645 is open
...
21-09-10 agreement on the public disclosure date
...
08-11-10 planned disclosure date (missed), CVE assignments
...
17-11-10 public disclosure
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a European
office in Amsterdam. Established in 2001, Matta operates in Europe, Asia,
the Middle East and North America using a respected team of senior
consultants. Matta is an accredited provider of Tigerscheme training;
conducts regular research and is the developer behind the webcheck
application scanner, and colossus network scanner.
http://www.trustmatta.com
http://www.trustmatta.com/webapp_va.html
http://www.trustmatta.com/network_va.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2010 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Matta Consulting or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Matta Consulting or its suppliers have been advised of the
possibility of such damages. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Response: Multiple Vulnerabilities in Cisco Unified
Videoconferencing Products
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
Revision 1.0
For Public Release 2010 November 17 1600 UTC (GMT)
+---------------------------------------------------------------------
Cisco Response
==============
This is the Cisco Product Security Incident Response Team (PSIRT)
response to a posting entitled "Cisco Unified Videoconferencing
multiple vulnerabilities" by Florent Daigniere of Matta Consulting
regarding vulnerabilities in the Cisco Unified Videoconferencing
(Cisco UVC) 5100 series products.
The original report is available at the following links:
http://seclists.org/fulldisclosure/2010/Nov/167
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco would like to thank Florent Daigniere of Matta Consulting for
reporting these vulnerabilities to us. Cisco greatly appreciate the
opportunity to work with researchers on security vulnerabilities and
welcome the opportunity to review and assist in product reports.
All versions of system software prior to the first fixed, which is
indicated in the Software Version and Fixes Table, are affected.
To view the version of system software that is currently running on
Cisco Unified Videoconferencing 5100 Series Products, access the
Cisco UVC device via the web GUI interface. On the status screen, the
"Software Version" field below the "Product Information" section
indicates the current system software.
Details for Reported Vulnerabilities
====================================
Hard-Coded Credentials in Cisco UVC Products
+-------------------------------------------
The Linux shell contains three hard-coded usernames and passwords.
The passwords cannot be changed, and the accounts cannot be deleted.
Remote Command Injection on the Web Interface in Cisco UVC Products
+------------------------------------------------------------------
Several fields in the web server interface of Cisco UVC products are
vulnerable to a shell command injection vulnerability. An
administrator user who is authenticated to the web interface of Cisco
UVC products could exploit this vulnerability to execute root-level
commands on the Linux operating system. Exploitation of this
vulnerability could result in a complete compromise of the device. It may also affect VxWorks-based Cisco UVC products.
Weak Obfuscation of Credentials in Cisco UVC Products
+----------------------------------------------------
An attacker who can obtain access to the Linux operating system could
retrieve a file that is used to store the administrator and operator
accounts of the Cisco UVC web GUI. The passwords in this file are
obfuscated using an easily reversible hashing scheme. Exploit code
that assists in recovering the passwords exists.
FTP Server Accessible by Default in Cisco UVC Products
+-----------------------------------------------------
The FTP server is enabled by default on Cisco UVC systems. An
attacker can leverage the FTP server to exploit other vulnerabilities
in this Cisco Security Response. Authentication is required to log
into the device via the FTP server.
FTP access to the device can be controlled via the "Security mode"
field of the Cisco UVC products web GUI. If the Security setting is
configured as "High" or "Maximum," the device will not accept FTP
connections. For further information, consult the Configuration Guide
for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the
following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
This service misconfiguration affects both Linux-based operating
system Cisco UVC products and VxWorks-based Cisco UVC products.
Shadow Password File has Read Permissions for All Users in Cisco UVC Products
+----------------------------------------------------------------------------
The shadow password file should only be readable by the root account.
Allowing read access to the shadow password file allows other users
of the system with shell access to retrieve the shadow password file.
An authenticated user who has access to the Linux operating system
directories, may be able to retrieve the shadow password file.
This service misconfiguration only affects Linux-based operating
system Cisco UVC products.
Lock Down OpenSSH Configuration in Cisco UVC Products
+----------------------------------------------------
The SSH server has a restricted shell, however the configuration of
the SSH server allows for X.11 forwarding and socks proxies to be
created.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Daemon That Binds the Port of the Web Interface Runs as root in Cisco
UVC Products
In the event that all attacker exploits a flaw in a script running
with root's permissions that allows them to write to files, gain
access to the system or cause a denial of service.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Weak Session IDs on the Web Interface in Cisco UVC Products
+----------------------------------------------------------
The Cisco UVC web interface has session IDs that are incremented
based on a time counter. Having predictable session IDs, assists in
the hijacking of user sessions.
Usage of Cookies to Store Credentials in Cisco UVC Products
+----------------------------------------------------------
On Linux-based Cisco UVC products, web interface credentials are
stored in Base64 format in the cookie that is sent to a browser. On
VxWorks-based Cisco UVC products, web interface credentials are
stored in Base64 format or in clear text.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
All Cisco UVC software versions prior to the first fixed software
release, which is indicated in the following table, are affected by the
associated vulnerabilities.
This software table will be updated as software fixes become available.
+---------------------------------------+
| Linux Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5110 and 5115 | Contact your |
| Systems | support |
| | organization. |
|---------------------------------------|
| VxWorks Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5230 System: | Contact your |
| | support |
| | organization. |
| 3545 System: | Contact your |
| | support |
| | organization. |
| 3515 MCU: | Contact your |
| | support |
| | organization. |
| 3522 BRI Gateway: | Contact your |
| | support |
| | organization. |
| 3527 PRI Gateway: | Contact your |
| | support |
| | organization. |
+---------------------------------------+
Workarounds
===========
There are no workarounds for the vulnerabilities that are described in
this Cisco Security Response.
Administrators can mitigate these vulnerabilities by limiting access to
Cisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet
services and by setting the "Security mode" field in the "Security"
section of the Cisco UVC web GUI to "Maximum." For further information,
consult the Configuration Guide for Cisco Unified Videoconferencing 5000
MCU Release 7.0 at the following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Status of this Notice: INTERIM
==============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2010-November-17 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx
mM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M
=f751
-----END PGP SIGNATURE-----
| VAR-201011-0251 | CVE-2010-3864 | Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography. Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL (0.9.8o). OpenSSL is prone to a heap-based buffer-overflow vulnerability because the library fails to properly perform bounds-checks on user-supplied input before copying it to an insufficiently sized memory buffer.
Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of applications that use the affected library, but this has not been confirmed. Failed exploit attempts may crash applications, denying service to legitimate users.
OpenSSL 0.9.8f to 0.9.8o, 1.0.0, and 1.0.0a are vulnerable.
NOTE: This issue affects servers which are multi-threaded and use OpenSSL's internal caching mechanism. Multi-processed servers or servers with disabled internal caching (like Apache HTTP server and Stunnel) are not affected. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0003
Synopsis: Third party component updates for VMware vCenter
Server, vCenter Update Manager, ESXi and ESX
Issue date: 2011-02-10
Updated on: 2011-02-10 (initial release of advisory)
CVE numbers: --- Apache Tomcat ---
CVE-2009-2693 CVE-2009-2901 CVE-2009-2902
CVE-2009-3548 CVE-2010-2227 CVE-2010-1157
--- Apache Tomcat Manager ---
CVE-2010-2928
--- cURL ---
CVE-2010-0734
--- COS Kernel ---
CVE-2010-1084 CVE-2010-2066 CVE-2010-2070
CVE-2010-2226 CVE-2010-2248 CVE-2010-2521
CVE-2010-2524 CVE-2010-0008 CVE-2010-0415
CVE-2010-0437 CVE-2009-4308 CVE-2010-0003
CVE-2010-0007 CVE-2010-0307 CVE-2010-1086
CVE-2010-0410 CVE-2010-0730 CVE-2010-1085
CVE-2010-0291 CVE-2010-0622 CVE-2010-1087
CVE-2010-1173 CVE-2010-1437 CVE-2010-1088
CVE-2010-1187 CVE-2010-1436 CVE-2010-1641
CVE-2010-3081
--- Microsoft SQL Express ---
CVE-2008-5416 CVE-2008-0085 CVE-2008-0086
CVE-2008-0107 CVE-2008-0106
--- OpenSSL ---
CVE-2010-0740 CVE-2010-0433
CVE-2010-3864 CVE-2010-2939
--- Oracle (Sun) JRE ---
CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
CVE-2010-0092 CVE-2010-0093 CVE-2010-0094
CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
CVE-2010-0839 CVE-2010-0840 CVE-2010-0841
CVE-2010-0842 CVE-2010-0843 CVE-2010-0844
CVE-2010-0845 CVE-2010-0846 CVE-2010-0847
CVE-2010-0848 CVE-2010-0849 CVE-2010-0850
CVE-2010-0886 CVE-2010-3556 CVE-2010-3566
CVE-2010-3567 CVE-2010-3550 CVE-2010-3561
CVE-2010-3573 CVE-2010-3565 CVE-2010-3568
CVE-2010-3569 CVE-2010-1321 CVE-2010-3548
CVE-2010-3551 CVE-2010-3562 CVE-2010-3571
CVE-2010-3554 CVE-2010-3559 CVE-2010-3572
CVE-2010-3553 CVE-2010-3549 CVE-2010-3557
CVE-2010-3541 CVE-2010-3574
--- pam_krb5 ---
CVE-2008-3825 CVE-2009-1384
- ------------------------------------------------------------------------
1. Summary
Update 1 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere
Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues.
2. Relevant releases
vCenter Server 4.1 without Update 1,
vCenter Update Manager 4.1 without Update 1,
ESXi 4.1 without patch ESXi410-201101201-SG,
ESX 4.1 without patch ESX410-201101201-SG.
3. Problem Description
a. vCenter Server and vCenter Update Manager update Microsoft
SQL Server 2005 Express Edition to Service Pack 3
Microsoft SQL Server 2005 Express Edition (SQL Express)
distributed with vCenter Server 4.1 Update 1 and vCenter Update
Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2
to SQL Express Service Pack 3, to address multiple security
issues that exist in the earlier releases of Microsoft SQL Express.
Customers using other database solutions need not update for
these issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
Express Service Pack 3.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows affected, no patch planned
Update Manager 4.1 Windows Update 1
Update Manager 4.0 Windows affected, patch pending
Update Manager 1.0 Windows affected, no patch planned
hosted * any any not affected
ESXi any ESXi not affected
ESX any ESX not affected
* Hosted products are VMware Workstation, Player, ACE, Fusion.
b. vCenter Apache Tomcat Management Application Credential Disclosure
The Apache Tomcat Manager application configuration file contains
logon credentials that can be read by unprivileged local users.
The issue is resolved by removing the Manager application in
vCenter 4.1 Update 1.
If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon
credentials are not present in the configuration file after the
update.
VMware would like to thank Claudio Criscione of Secure Networking
for reporting this issue to us.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-2928 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows not affected
VirtualCenter 2.5 Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX any ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version
1.6.0_21
Oracle (Sun) JRE update to version 1.6.0_21, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,
CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,
CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,
CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,
CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,
CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,
CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,
CVE-2010-0850.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following name to the security issue fixed in
Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows not applicable **
VirtualCenter 2.5 Windows not applicable **
Update Manager 4.1 Windows not applicable **
Update Manager 4.0 Windows not applicable **
Update Manager 1.0 Windows not applicable **
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX not applicable **
ESX 3.5 ESX not applicable **
ESX 3.0.3 ESX not applicable **
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.5.0 family
d. vCenter Update Manager Oracle (Sun) JRE is updated to version
1.5.0_26
Oracle (Sun) JRE update to version 1.5.0_26, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,
CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,
CVE-2010-3565,CVE-2010-3568, CVE-2010-3569, CVE-2009-3555,
CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,
CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,
CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,
CVE-2010-3574.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows not applicable **
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows affected, no patch planned
Update Manager 4.1 Windows Update 1
Update Manager 4.0 Windows affected, patch pending
Update Manager 1.0 Windows affected, no patch planned
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX not applicable **
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX affected, no patch planned
ESX 3.0.3 ESX affected, no patch planned
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.6.0 family
e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28
Apache Tomcat updated to version 6.0.28, which addresses multiple
security issues that existed in earlier releases of Apache Tomcat
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i
and CVE-2009-3548.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows not applicable **
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX not applicable **
ESX 3.0.3 ESX not applicable **
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Apache Tomcat 5.5 family
f. vCenter Server third party component OpenSSL updated to version
0.9.8n
The version of the OpenSSL library in vCenter Server is updated to
0.9.8n.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-0740 and CVE-2010-0433 to the
issues addressed in this version of OpenSSL.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows affected, no patch planned
hosted * any any not applicable
ESXi any ESXi not applicable
ESX any ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESX third party component OpenSSL updated to version 0.9.8p
The version of the ESX OpenSSL library is updated to 0.9.8p.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-3864 and CVE-2010-2939 to the
issues addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi 4.1 ESXi ESXi410-201101201-SG
ESXi 4.0 ESXi affected, patch pending
ESXi 3.5 ESXi affected, patch pending
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
* hosted products are VMware Workstation, Player, ACE, Fusion.
h. ESXi third party component cURL updated
The version of cURL library in ESXi is updated.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0734 to the issues addressed in
this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 4.1 ESXi ESXi410-201101201-SG
ESXi 4.0 ESXi affected, patch pending
ESXi 3.5 ESXi affected, patch pending
ESX any ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
i. ESX third party component pam_krb5 updated
The version of pam_krb5 library is updated.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-3825 and CVE-2009-1384 to the
issues addressed in the update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
j. ESX third party update for Service Console kernel
The Service Console kernel is updated to include kernel version
2.6.18-194.11.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,
CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,
CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,
CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,
CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,
CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,
CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and
CVE-2010-3081 to the issues addressed in the update.
Note: This update also addresses the 64-bit compatibility mode
stack pointer underflow issue identified by CVE-2010-3081. This
issue was patched in an ESX 4.1 patch prior to the release of
ESX 4.1 Update 1.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware vCenter Server 4.1 Update 1 and modules
----------------------------------------------
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
File type: .iso
md5sum: 729cf247aa5d33ceec431c86377eee1a
sha1sum: c1e10a5fcbc1ae9d13348d43541d574c563d66f0
File type: .zip
md5sum: fd1441bef48a153f2807f6823790e2f0
sha1sum: 31737a816ed1c08ab3a505fb6db2483f49ad7c19
VMware vSphere Client
File type: .exe
md5sum: cb6aa91ada1289575355d79e8c2a9f8e
sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4
ESXi 4.1 Installable Update 1
-----------------------------
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
Release Notes:
http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html
http://kb.vmware.com/kb/1027919
File type: .iso
MD5SUM: d68d6c2e040a87cd04cd18c04c22c998
SHA1SUM: bbaacc0d34503822c14f6ccfefb6a5b62d18ae64
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.1)
File type: .zip
MD5SUM: 2f1e009c046b20042fae3b7ca42a840f
SHA1SUM: 1c9c644012dec657a705ddd3d033cbfb87a1fab1
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.0)
File type: .zip
MD5SUM: 67b924618d196dafaf268a7691bd1a0f
SHA1SUM: 9d74b639e703259d9e49c0341158e0d4e45de516
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 3.5)
File type: .zip
MD5SUM: a6024b9f6c6b7b2c629696afc6d07cf4
SHA1SUM: b3841de1a30617ac68d5a861882aa72de3a93488
VMware Tools CD image for Linux Guest OSes
File type: .iso
MD5SUM: dad66fa8ece1dd121c302f45444daa70
SHA1SUM: 56535a2cfa7799607356c6fd0a7d9f041da614af
VMware vSphere Client
File type: .exe
MD5SUM: cb6aa91ada1289575355d79e8c2a9f8e
SHA1SUM: f9e3d8eb83196ae7c31aab554e344a46b722b1e4
ESXi Installable Update 1 contains the following security bulletins:
ESXi410-201101201-SG.
ESX 4.1 Update 1
----------------
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
Release Notes:
http://downloads.vmware.com/support/vsphere4/doc/vsp_esx41_u1_rel_notes.html
http://kb.vmware.com/kb/1029353
ESX 4.1 Update 1 (DVD ISO)
File type: .iso
md5sum: b9a275b419a20c7bedf31c0bf64f504e
sha1sum: 2d85edcaca8218013585e1eab00bc80db6d96e11
ESX 4.1 Update 1 (upgrade ZIP from ESX 4.1)
File type: .zip
md5sum: 2d81a87e994aa2b329036f11d90b4c14
sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798
Pre-upgrade package for ESX 4.0 to ESX 4.1 Update 1
File type: .zip
md5sum: 75f8cebfd55d8a81deb57c27def963c2
sha1sum: 889c15aa8008fe0e29439d0ab3468c2beb1c4fe2
ESX 4.1 Update 1 (upgrade ZIP from ESX 4.0)
File type: .zip
md5sum: 1dc9035cd10e7e60d27e7a7aef57b4c2
sha1sum: e6d3fb65d83a3e263d0f634a3572025854ff8922
VMware Tools CD image for Linux Guest OSes
File type: .iso
md5sum: dad66fa8ece1dd121c302f45444daa70
sha1sum: 56535a2cfa7799607356c6fd0a7d9f041da614af
VMware vSphere Client
File type: .exe
md5sum: cb6aa91ada1289575355d79e8c2a9f8e
sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4
ESX410-Update01 contains the following security bulletins:
ESX410-201101201-SG (COS kernel, pam_krb5, cURL, OpenSSL,
Apache Tomcat, Oracle (Sun) JRE) | http://kb.vmware.com/kb/1027904
ESX410-201101226-SG (glibc) | http://kb.vmware.com/kb/1031330
ESX410-Update01 also contains the following non-security bulletins
ESX410-201101211-UG, ESX410-201101213-UG, ESX410-201101215-UG,
ESX410-201101202-UG, ESX410-201101203-UG, ESX410-201101204-UG,
ESX410-201101206-UG, ESX410-201101207-UG, ESX410-201101208-UG,
ESX410-201101214-UG, ESX410-201101216-UG, ESX410-201101217-UG,
ESX410-201101218-UG, ESX410-201101219-UG, ESX410-201101220-UG,
ESX410-201101221-UG, ESX410-201101222-UG, ESX410-201101225-UG.
To install an individual bulletin use esxupdate with the -b option.
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2928
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0622
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574
- ------------------------------------------------------------------------
6. Change log
2011-02-10 VMSA-2011-0003
Initial security advisory in conjunction with the release of vCenter
Server 4.1 Update 1, vCenter Update Manager 4.1 Update 1, ESXi 4.1
Update 1, and ESX 4.1 Update 1 on 2011-02-10.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iEYEARECAAYFAk1U1eoACgkQS2KysvBH1xm3swCfeh4sWvPOubDT1K7QlRj3SjW9
dxYAmwbNLMR9IG/rKZDYh9hqcf4IldCX
=2pVj
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02824483
Version: 1
HPSBOV02670 SSRT100475 rev.1 - HP OpenVMS running SSL, Remote Denial of Service (DoS), Unauthorized Disclosure of Information, Unauthorized Modification
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-05
Last Updated: 2011-05-05
Potential Security Impact: Remote Denial of Service (DoS), Unauthorized disclosure of information, unauthorized modification
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP OpenVMS running SSL. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS) or unauthorized disclosure of information, or by a remote unauthorized user to modify data, prompts, or responses.
References: CVE-2011-0014, CVE-2010-4180, CVE-2010-4252, CVE-2010-3864
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP SSL for OpenVMS v 1.4 and earlier.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-0014 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-4180 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2010-4252 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-3864 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available to resolve these vulnerabilities.
HP SSL V1.4-453 for OpenVMS Alpha and OpenVMS Integrity servers:
http://h71000.www7.hp.com/openvms/products/ssl/ssl.html
HISTORY
Version:1 (rev.1) - 5 May 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: OpenSSL: Multiple vulnerabilities
Date: October 09, 2011
Bugs: #303739, #308011, #322575, #332027, #345767, #347623,
#354139, #382069
ID: 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in OpenSSL, allowing for the
execution of arbitrary code and other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.0e >= 1.0.0e
Description
===========
Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers referenced below for details.
Impact
======
A context-dependent attacker could cause a Denial of Service, possibly
execute arbitrary code, bypass intended key requirements, force the
downgrade to unintended ciphers, bypass the need for knowledge of
shared secrets and successfully authenticate, bypass CRL validation, or
obtain sensitive information in applications that use OpenSSL.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.0e"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 17, 2011. It is likely that your system is
already no longer affected by most of these issues.
References
==========
[ 1 ] CVE-2009-3245
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245
[ 2 ] CVE-2009-4355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4355
[ 3 ] CVE-2010-0433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433
[ 4 ] CVE-2010-0740
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740
[ 5 ] CVE-2010-0742
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742
[ 6 ] CVE-2010-1633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633
[ 7 ] CVE-2010-2939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939
[ 8 ] CVE-2010-3864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3864
[ 9 ] CVE-2010-4180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4180
[ 10 ] CVE-2010-4252
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4252
[ 11 ] CVE-2011-0014
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0014
[ 12 ] CVE-2011-3207
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3207
[ 13 ] CVE-2011-3210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3210
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2125-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
November 22, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : openssl
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
Debian Bug : 603709
CVE Id(s) : CVE-2010-3864
A flaw has been found in the OpenSSL TLS server extension code parsing
which on affected servers can be exploited in a buffer overrun attack.
This upgrade fixes this issue. After the upgrade, any services using the
openssl libraries need to be restarted. The checkrestart script from the
debian-goodies package or lsof can help to find out which services need
to be restarted.
A note to users of the tor packages from the Debian backports or Debian
volatile: This openssl update causes problems with some versions of tor.
You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2,
respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable
is not affected by these problems.
For the stable distribution (lenny), the problem has been fixed in
openssl version 0.9.8g-15+lenny9.
For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.9.8o-3.
We recommend that you upgrade your openssl packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
Size/MD5 checksum: 3354792 acf70a16359bf3658bdfb74bda1c4419
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.dsc
Size/MD5 checksum: 1973 1efb69f23999507bf2e74f5b848744af
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.diff.gz
Size/MD5 checksum: 60451 9aba44ed40b0c9c8ec82bd6cd33c44b8
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 2583248 3b3f0cbec4ec28eb310466237648db8f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 1028998 79fe8cdd601aecd9f956033a04fb8da5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_alpha.udeb
Size/MD5 checksum: 722114 a388304bf86381229c306e79a5e85bf8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 2814160 e0f6fc697f5e9c87b44aa15eb58c3ea8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 4369318 c3cf8c7ec27f86563c34f45e986e17c4
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 975850 778916e8b0df8e216121cd5185d7ca43
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 2243180 ff6a898ccd6fb49d5fbec9f4bd3cb6da
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_amd64.udeb
Size/MD5 checksum: 638414 9ea111d66ac5f394d35fb69defa5dd27
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 1627632 9f08e1da5cf9279cee4700e89dc6ee6d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 1043320 9ada82a7417c0d714a38c3a7184c2401
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_arm.udeb
Size/MD5 checksum: 536038 a9c90bb3ad326fa43c1285c1768df046
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 2087048 bded4e624fcf0791ae0885aa18d99123
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 1028894 20784774078f02ef7e9db2ddbd7d5548
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 1490666 700c80efddb108b3e2a65373cc10dcc8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 844426 4cad5651a6d37ab19fb80b05a423598d
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 1029206 6c6c35731ecacfc0280520097ee183d4
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_armel.udeb
Size/MD5 checksum: 540780 3b9ab48015bbd4dfc1ab205b42f1113d
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 2100958 fbf2c222a504e09e30f73cb0740a73a5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 1504318 8eaa760844c1b81d0f8bd21bdc7ca1d0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 850286 3e656a0805eb31600f8e3e520a2a6e36
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 2268562 8cb4805915dfde8326fde4281c9aaa76
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 969104 805c95116706c82051a5d08efce729e5
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 1047026 2e06d411c0a8764db3504638d3b59ef9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 1528456 de6a4129635ee4565696198ce3423674
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_hppa.udeb
Size/MD5 checksum: 634504 bab8594389626190b71ee97bfb46fa71
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 2108452 d75ba6c13fc77dd3eefddde480a05231
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 5393290 14bf0f44b8c802e47834234be834d80b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 2977384 bf4c26767b006694843d036ebdca132a
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_i386.udeb
Size/MD5 checksum: 591782 bf5007e22e4bd31445458a5379086103
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 1035868 64085f2b106009533bda0309f08548af
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 2666530 42cdae406ce22e3e538f0d744f043a39
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1465582 33c84255a9515a9a528cbf3df9398ef5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_ia64.udeb
Size/MD5 checksum: 865352 9cbc10e393eb3d30d34ea384c6f1f9f5
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1105090 cc7485d310d4770c2b1e93c6d74dcc2b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1280654 fde186a4983ac6cafcd3d5ec7e1d6f98
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 1025868 8b7f565c4c0a15b15f20f2e074bb503a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 900162 391ac436c8d7ed7b55a8ea9e90c7d8be
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 2307960 227ac5c7b409d061222b94bc40e8cd18
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 1622826 8a4f73d6cd497076490404a2dade26ba
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mips.udeb
Size/MD5 checksum: 585108 d8447df55a530959b6cd9d5d3039c0da
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 1012186 4a154b5c4d864f7dcd0bf019dfb41c5d
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 1588308 1222eb6b1870602335ef0722b7047b6a
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mipsel.udeb
Size/MD5 checksum: 572370 a2535f616be099e9361a55637c3375d3
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 2295070 7446121759684083870d5ae0d26969c0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 885668 3745e7c578002628f78f02bd5afeb84f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 1643808 43814c865d098046bc1dca1920820354
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 1047060 5c45e5a5d02f856cb9dc29029d0b5557
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_powerpc.udeb
Size/MD5 checksum: 656166 309fdeebe15bbecbe8c55dbd5ddbdd3a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 997540 f4bf73493f3964b8a23bdd424694f079
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 2251238 35f6f59b07e57eb538da19545a733d5f
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_s390.udeb
Size/MD5 checksum: 693040 26cab41169c6b8f64ce7936a2ea65a7b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1051130 f67b4fd152e1175f81022ffd345d6c78
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 2231782 c7796fff8c97bbf0c5ab69440cbd50f9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1602496 a9595ac98fc11015dd4bb2634416197b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1024562 ff293933ef4eb5e952659fe7caf82c8b
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 2290536 e5c655fbcc524fe7bb56945cc8b2f5d1
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 3868850 b9cbaa2cbb2cfa4aa1dce984148dba4b
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 2146488 d0c17736c2b26a97491e34321ffff3f5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_sparc.udeb
Size/MD5 checksum: 580510 28ab74855c8a34bb002b44fd7ecb8997
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 1043044 d78ffaf44d1177b05fa0cfb02d76128a
These files will probably be moved into the stable distribution on
its next update.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
http://openssl.org/news/secadv_20101116.txt
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
b32e4b6e6b901d72fe4aa24bd0f41f9b 2009.0/i586/libopenssl0.9.8-0.9.8h-3.8mdv2009.0.i586.rpm
f55512826ad63a1c9c4b60fad54292ac 2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.8mdv2009.0.i586.rpm
eb005af48a71b807ef387f4c54eedd6f 2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.8mdv2009.0.i586.rpm
ed01c1d0ea3fdecc8ba3331541d18d9a 2009.0/i586/openssl-0.9.8h-3.8mdv2009.0.i586.rpm
a5b43d482e633af8952e7e04f8d7b56e 2009.0/SRPMS/openssl-0.9.8h-3.8mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
007dedca099e812b7b461e720ef5e6f1 2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.8mdv2009.0.x86_64.rpm
293194a028c940a27d11549ef84ff182 2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.8mdv2009.0.x86_64.rpm
6b1c8ced8640b51bf25761c127b3ed20 2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.8mdv2009.0.x86_64.rpm
76bbe5d36d9887cbc753b267b6d3a608 2009.0/x86_64/openssl-0.9.8h-3.8mdv2009.0.x86_64.rpm
a5b43d482e633af8952e7e04f8d7b56e 2009.0/SRPMS/openssl-0.9.8h-3.8mdv2009.0.src.rpm
Mandriva Linux 2010.0:
b92acd82153b8987f0bcdb0e277c6f0e 2010.0/i586/libopenssl0.9.8-0.9.8k-5.3mdv2010.0.i586.rpm
d780ab4e0e80a66b105f72e41a4d5b54 2010.0/i586/libopenssl0.9.8-devel-0.9.8k-5.3mdv2010.0.i586.rpm
8faae39210b0c366f619cdb71b1a7321 2010.0/i586/libopenssl0.9.8-static-devel-0.9.8k-5.3mdv2010.0.i586.rpm
2247e3b7bff72998d841d650ba25960a 2010.0/i586/openssl-0.9.8k-5.3mdv2010.0.i586.rpm
2c2a297e1c568ef69502064578516f0f 2010.0/SRPMS/openssl-0.9.8k-5.3mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
331d3064412c7b73baed5d54e7262f51 2010.0/x86_64/lib64openssl0.9.8-0.9.8k-5.3mdv2010.0.x86_64.rpm
2e90f43a521e108a8adbde35a058d7b9 2010.0/x86_64/lib64openssl0.9.8-devel-0.9.8k-5.3mdv2010.0.x86_64.rpm
7d102f6bf8bb201654aa518e3b73a27f 2010.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8k-5.3mdv2010.0.x86_64.rpm
4b7ad813fd5fdd5785bd94eb3a951244 2010.0/x86_64/openssl-0.9.8k-5.3mdv2010.0.x86_64.rpm
2c2a297e1c568ef69502064578516f0f 2010.0/SRPMS/openssl-0.9.8k-5.3mdv2010.0.src.rpm
Mandriva Linux 2010.1:
8310ac6aa860087de6992e618460f279 2010.1/i586/libopenssl1.0.0-1.0.0a-1.5mdv2010.1.i586.rpm
7e7719b1b5c2f91a6eadfab9dd696b8f 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.5mdv2010.1.i586.rpm
5b5aa8939c69c69c2ab49145aca37173 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.5mdv2010.1.i586.rpm
0e6bd59c1d6b2c459acc5c4d0851246a 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.5mdv2010.1.i586.rpm
de46046e9b1e033cccd668b32b70972c 2010.1/i586/openssl-1.0.0a-1.5mdv2010.1.i586.rpm
f6059c72297b6510fa4c816db6742a64 2010.1/SRPMS/openssl-1.0.0a-1.5mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
c792f3d19c1f9ff50c801feccd600319 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.5mdv2010.1.x86_64.rpm
7f3a6b125fc145e17c140218f3b48a92 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.5mdv2010.1.x86_64.rpm
e5f35fbeadb2f765607325f960de621e 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.5mdv2010.1.x86_64.rpm
27a8dee6459e0830be1e907f082d25a2 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.5mdv2010.1.x86_64.rpm
4b7863a6c8b883f385613bb7a49af128 2010.1/x86_64/openssl-1.0.0a-1.5mdv2010.1.x86_64.rpm
f6059c72297b6510fa4c816db6742a64 2010.1/SRPMS/openssl-1.0.0a-1.5mdv2010.1.src.rpm
Mandriva Enterprise Server 5:
fef62b69a582a93e821a2d802fb4faee mes5/i586/libopenssl0.9.8-0.9.8h-3.8mdvmes5.1.i586.rpm
fe3c0cf3596d90cc3be37a944df1753b mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.8mdvmes5.1.i586.rpm
d5a269adf63ee6d4ce21ea651e208180 mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.8mdvmes5.1.i586.rpm
e410f94c6d8c08270aa1edd5aeb7c177 mes5/i586/openssl-0.9.8h-3.8mdvmes5.1.i586.rpm
aaa38cecee165e165beace7e0b02ecdf mes5/SRPMS/openssl-0.9.8h-3.8mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
ebec7b3044ee3b3b0ab6c455741e5782 mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.8mdvmes5.1.x86_64.rpm
0c201edd531dd53a541739bf6db7f276 mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.8mdvmes5.1.x86_64.rpm
83a690e504f6470ffc4bce428ff09199 mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.8mdvmes5.1.x86_64.rpm
fcef579e52e20393ffd2bbae00b602a8 mes5/x86_64/openssl-0.9.8h-3.8mdvmes5.1.x86_64.rpm
aaa38cecee165e165beace7e0b02ecdf mes5/SRPMS/openssl-0.9.8h-3.8mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFM49pvmqjQ0CJFipgRAs5xAKDhGJdpzq9ZF6TvhezjZR8zmOQAngCggDa1
vAfiUtuiMqw0BDS3V2tLk/I=
=hDGj
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
The fix was developed by Dr Stephen Henson of the OpenSSL core team.
This vulnerability is tracked as CVE-2010-3864
Who is affected?
=================
All versions of OpenSSL supporting TLS extensions contain this vulnerability
including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases.
Patch for OpenSSL 0.9.8 releases
================================
Index: ssl/t1_lib.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
retrieving revision 1.13.2.27
diff -u -r1.13.2.27 t1_lib.c
--- ssl/t1_lib.c 12 Jun 2010 13:18:58 -0000 1.13.2.27
+++ ssl/t1_lib.c 15 Nov 2010 15:20:14 -0000
@@ -432,14 +432,23 @@
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
@@ -452,7 +461,8 @@
}
else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
Patch for OpenSSL 1.0.0 releases
================================
Index: ssl/t1_lib.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
retrieving revision 1.64.2.14
diff -u -r1.64.2.14 t1_lib.c
--- ssl/t1_lib.c 15 Jun 2010 17:25:15 -0000 1.64.2.14
+++ ssl/t1_lib.c 15 Nov 2010 15:26:19 -0000
@@ -714,14 +714,23 @@
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
@@ -734,7 +743,8 @@
}
else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
@@ -765,15 +775,22 @@
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
- s->session->tlsext_ecpointformatlist_length = 0;
- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ if (!s->hit)
{
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ecpointformatlist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = 0;
+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
}
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
#if 0
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
sdata = s->session->tlsext_ecpointformatlist;
@@ -794,15 +811,22 @@
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
- s->session->tlsext_ellipticcurvelist_length = 0;
- if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
- if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ if (!s->hit)
{
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ellipticcurvelist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = 0;
+ if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+ memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
}
- s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
- memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
#if 0
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
sdata = s->session->tlsext_ellipticcurvelist;
References
===========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20101116.txt
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-10:10.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2010-11-29
Credits: Georgi Guninski, Rob Hulswit
Affects: FreeBSD 7.0 and later
Corrected: 2010-11-26 22:50:58 UTC (RELENG_8, 8.1-STABLE)
2010-11-29 20:43:06 UTC (RELENG_8_1, 8.1-RELEASE-p2)
2010-11-29 20:43:06 UTC (RELENG_8_0, 8.0-RELEASE-p6)
2010-11-28 13:45:51 UTC (RELENG_7, 7.3-STABLE)
2010-11-29 20:43:06 UTC (RELENG_7_3, 7.3-RELEASE-p4)
2010-11-29 20:43:06 UTC (RELENG_7_1, 7.1-RELEASE-p16)
CVE Name: CVE-2010-2939, CVE-2010-3864
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. The race condition can lead to
a buffer overflow. [CVE-2010-3864]
A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]
III. [CVE-2010-3864].
It may be possible to cause a DoS or potentially execute arbitrary in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]
IV. Workaround
No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch
dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc
[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>
3) To update your vulnerable system via a binary patch:
Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7_3
src/UPDATING 1.507.2.34.2.6
src/sys/conf/newvers.sh 1.72.2.16.2.8
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.2.1.4.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.19
src/sys/conf/newvers.sh 1.72.2.9.2.20
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.5
src/sys/conf/newvers.sh 1.83.2.10.2.6
src/crypto/openssl/ssl/s3_clnt.c 1.3.2.1.2.1
src/crypto/openssl/ssl/t1_lib.c 1.2.2.1.2.1
RELENG_8_0
src/UPDATING 1.632.2.7.2.9
src/sys/conf/newvers.sh 1.83.2.6.2.9
src/crypto/openssl/ssl/s3_clnt.c 1.3.4.1
src/crypto/openssl/ssl/t1_lib.c 1.2.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r215997
releng/7.3/ r216063
releng/7.1/ r216063
stable/8/ r215912
releng/8.0/ r216063
releng/8.1/ r216063
- -------------------------------------------------------------------------
VII