ESB-2017.1808 - [Ubuntu] kernel: Multiple vulnerabilities 2017-07-24

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1808
                       Linux kernel vulnerabilities
                               24 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Root Compromise        -- Existing Account
                   Increased Privileges   -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000380 CVE-2017-9605 CVE-2017-8925
                   CVE-2017-8924 CVE-2017-7895 CVE-2017-7346
                   CVE-2016-10088 CVE-2015-8967 CVE-2015-8966
                   CVE-2015-8964 CVE-2015-8963 CVE-2015-8962
                   CVE-2015-8955 CVE-2015-8944 CVE-2014-9900

Reference:         ESB-2017.1798

Original Bulletin: 
   https://www.ubuntu.com/usn/usn-3360-1
   https://www.ubuntu.com/usn/usn-3361-1
   https://www.ubuntu.com/usn/usn-3360-2

Comment: This bulletin contains three (3) Ubuntu security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3360-1
July 21, 2017

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- - linux: Linux kernel

Details:

It was discovered that the Linux kernel did not properly initialize a Wake-
on-Lan data structure. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2014-9900)

It was discovered that the Linux kernel did not properly restrict access to
/proc/iomem. A local attacker could use this to expose sensitive
information. (CVE-2015-8944)

It was discovered that a use-after-free vulnerability existed in the
performance events and counters subsystem of the Linux kernel for ARM64. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2015-8955)

It was discovered that the SCSI generic (sg) driver in the Linux kernel
contained a double-free vulnerability. A local attacker could use this to
cause a denial of service (system crash). (CVE-2015-8962)

Sasha Levin discovered that a race condition existed in the performance
events and counters subsystem of the Linux kernel when handling CPU unplug
events. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2015-8963)

Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the
TTY implementation in the Linux kernel. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2015-8964)

It was discovered that the fcntl64() system call in the Linux kernel did
not properly set memory limits when returning on 32-bit ARM processors. A
local attacker could use this to gain administrative privileges.
(CVE-2015-8966)

It was discovered that the system call table for ARM 64-bit processors in
the Linux kernel was not write-protected. An attacker could use this in
conjunction with another kernel vulnerability to execute arbitrary code.
(CVE-2015-8967)

It was discovered that the generic SCSI block layer in the Linux kernel did
not properly restrict write operations in certain situations. A local
attacker could use this to cause a denial of service (system crash) or
possibly gain administrative privileges. (CVE-2016-10088)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound
Architecture (ALSA) subsystem in the Linux kernel. A local attacker could
use this to expose sensitive information (kernel memory).
(CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the
Linux kernel did not properly validate some ioctl arguments. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server
implementations in the Linux kernel did not properly check for the end of
buffer. A remote attacker could use this to craft requests that cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB
Serial Converter device driver of the Linux kernel. An attacker with
physical access could use this to expose sensitive information (kernel
memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux
kernel did not properly perform reference counting. A local attacker could
use this to cause a denial of service (tty exhaustion). (CVE-2017-8925)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in
the Linux kernel did not properly initialize memory. A local attacker could
use this to expose sensitive information (kernel memory). (CVE-2017-9605)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  linux-image-3.13.0-125-generic  3.13.0-125.174
  linux-image-3.13.0-125-generic-lpae  3.13.0-125.174
  linux-image-3.13.0-125-lowlatency  3.13.0-125.174
  linux-image-3.13.0-125-powerpc-e500  3.13.0-125.174
  linux-image-3.13.0-125-powerpc-e500mc  3.13.0-125.174
  linux-image-3.13.0-125-powerpc-smp  3.13.0-125.174
  linux-image-3.13.0-125-powerpc64-emb  3.13.0-125.174
  linux-image-3.13.0-125-powerpc64-smp  3.13.0-125.174
  linux-image-generic             3.13.0.125.135
  linux-image-generic-lpae        3.13.0.125.135
  linux-image-lowlatency          3.13.0.125.135
  linux-image-powerpc-e500        3.13.0.125.135
  linux-image-powerpc-e500mc      3.13.0.125.135
  linux-image-powerpc-smp         3.13.0.125.135
  linux-image-powerpc64-emb       3.13.0.125.135
  linux-image-powerpc64-smp       3.13.0.125.135

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://www.ubuntu.com/usn/usn-3360-1
  CVE-2014-9900, CVE-2015-8944, CVE-2015-8955, CVE-2015-8962,
  CVE-2015-8963, CVE-2015-8964, CVE-2015-8966, CVE-2015-8967,
  CVE-2016-10088, CVE-2017-1000380, CVE-2017-7346, CVE-2017-7895,
  CVE-2017-8924, CVE-2017-8925, CVE-2017-9605

Package Information:
  https://launchpad.net/ubuntu/+source/linux/3.13.0-125.174

===

==========================================================================
Ubuntu Security Notice USN-3361-1
July 21, 2017

linux-hwe vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- - linux-hwe: Linux hardware enablement (HWE) kernel
- - linux-meta-hwe:

Details:

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please
note that this update changes the Linux HWE kernel to the 4.10 based
kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from
Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege
attributes of files when performing a failed unprivileged system call. A
local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel
did not properly validate meta block groups. An attacker with physical
access could use this to specially craft an ext4 image that causes a denial
of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in
the Linux kernel contained an integer overflow. A local attacker could use
this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA
over ethernet (RXE) transport implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO
PCI driver for the Linux kernel. A local attacker with access to a vfio PCI
device file could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did
not properly perform reference counting in some situations. An unprivileged
attacker could use this to cause a denial of service (system hang).
(CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in
some situations did not prevent special internal keyrings from being joined
by userspace keyrings. A privileged local attacker could use this to bypass
module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet
discovered that the netfiler subsystem in the Linux kernel mishandled IPv6
packet reassembly. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in
the Linux kernel did not properly emulate instructions on the SS segment
register. A local attacker in a guest virtual machine could use this to
cause a denial of service (guest OS crash) or possibly gain administrative
privileges in the guest OS. (CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
improperly emulated certain instructions. A local attacker could use this
to obtain sensitive information (kernel memory). (CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel
improperly emulated the VMXON instruction. A local attacker in a guest OS
could use this to cause a denial of service (memory consumption) in the
host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle
empty writes to /proc/pid/attr. A local attacker could use this to cause a
denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping
socket implementation in the Linux kernel. A local privileged attacker
could use this to cause a denial of service (system crash). (CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory
allocator allowed duplicate freelist entries. A local attacker could use
this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in
the Linux kernel did not properly initialize memory related to logging. A
local attacker could use this to expose sensitive information (kernel
memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance()
function in the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during
a setxattr call on a tmpfs filesystem. A local attacker could use this to
gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the
VideoCore DRM driver of the Linux kernel. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did
not properly restrict mapping page zero. A local privileged attacker could
use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic
Routing Encapsulation (GRE) tunneling implementation in the Linux kernel.
An attacker could use this to possibly expose sensitive information.
(CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux
kernel did not properly handle invalid IP options in some situations. An
attacker could use this to cause a denial of service or possibly execute
arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of
the Linux kernel. A local attacker could use this to cause a denial of
service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP
packets with the URG flag. A remote attacker could use this to cause a
denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did
not properly set up a destructor in certain situations. A local attacker
could use this to cause a denial of service (system crash). (CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling
code in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made
improper assumptions about internal data layout when performing checksums.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem
in the Linux kernel. A local attacker could use this to cause a denial of
service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux
kernel contained a stack-based buffer overflow. A local attacker with
access to an sg device could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct
Rendering Manager (DRM) driver for VMWare devices in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did
not properly validate reported information from the device. An attacker
with physical access could use this to expose sensitive information (kernel
memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the
Linux kernel. A local attacker could use this to cause a denial of service
(memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and
mbind compat syscalls in the Linux kernel. A local attacker could use this
to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash)
implementation in the Linux kernel did not properly handle a full request
queue. A local attacker could use this to cause a denial of service
(infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server
implementations in the Linux kernel did not properly handle certain long
RPC replies. A remote attacker could use this to cause a denial of service
(system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the
Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection
mechanism. A local attacker with access to /dev/mem could use this to
expose sensitive information or possibly execute arbitrary code.
(CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server
implementations in the Linux kernel did not properly check for the end of
buffer. A remote attacker could use this to craft requests that cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB
Serial Converter device driver of the Linux kernel. An attacker with
physical access could use this to expose sensitive information (kernel
memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux
kernel did not properly perform reference counting. A local attacker could
use this to cause a denial of service (tty exhaustion). (CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output
of the print_bpf_insn function. A local attacker could use this to obtain
sensitive address information. (CVE-2017-9150)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  linux-image-4.10.0-27-generic   4.10.0-27.30~16.04.2
  linux-image-4.10.0-27-generic-lpae  4.10.0-27.30~16.04.2
  linux-image-4.10.0-27-lowlatency  4.10.0-27.30~16.04.2
  linux-image-generic-hwe-16.04   4.10.0.27.30
  linux-image-generic-lpae-hwe-16.04  4.10.0.27.30
  linux-image-lowlatency-hwe-16.04  4.10.0.27.30

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://www.ubuntu.com/usn/usn-3361-1
  CVE-2015-1350, CVE-2016-10208, CVE-2016-8405, CVE-2016-8636,
  CVE-2016-9083, CVE-2016-9084, CVE-2016-9191, CVE-2016-9604,
  CVE-2016-9755, CVE-2017-2583, CVE-2017-2584, CVE-2017-2596,
  CVE-2017-2618, CVE-2017-2671, CVE-2017-5546, CVE-2017-5549,
  CVE-2017-5550, CVE-2017-5551, CVE-2017-5576, CVE-2017-5669,
  CVE-2017-5897, CVE-2017-5970, CVE-2017-6001, CVE-2017-6214,
  CVE-2017-6345, CVE-2017-6346, CVE-2017-6347, CVE-2017-6348,
  CVE-2017-7187, CVE-2017-7261, CVE-2017-7273, CVE-2017-7472,
  CVE-2017-7616, CVE-2017-7618, CVE-2017-7645, CVE-2017-7889,
  CVE-2017-7895, CVE-2017-8924, CVE-2017-8925, CVE-2017-9150

Package Information:
  https://launchpad.net/ubuntu/+source/linux-hwe/4.10.0-27.30~16.04.2
  https://launchpad.net/ubuntu/+source/linux-meta-hwe/4.10.0.27.30

===

==========================================================================
Ubuntu Security Notice USN-3360-2
July 21, 2017

linux-lts-trusty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- - linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise

Details:

USN-3360-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.

It was discovered that the Linux kernel did not properly initialize a Wake-
on-Lan data structure. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2014-9900)

It was discovered that the Linux kernel did not properly restrict access to
/proc/iomem. A local attacker could use this to expose sensitive
information. (CVE-2015-8944)

It was discovered that a use-after-free vulnerability existed in the
performance events and counters subsystem of the Linux kernel for ARM64. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2015-8955)

It was discovered that the SCSI generic (sg) driver in the Linux kernel
contained a double-free vulnerability. A local attacker could use this to
cause a denial of service (system crash). (CVE-2015-8962)

Sasha Levin discovered that a race condition existed in the performance
events and counters subsystem of the Linux kernel when handling CPU unplug
events. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2015-8963)

Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the
TTY implementation in the Linux kernel. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2015-8964)

It was discovered that the fcntl64() system call in the Linux kernel did
not properly set memory limits when returning on 32-bit ARM processors. A
local attacker could use this to gain administrative privileges.
(CVE-2015-8966)

It was discovered that the system call table for ARM 64-bit processors in
the Linux kernel was not write-protected. An attacker could use this in
conjunction with another kernel vulnerability to execute arbitrary code.
(CVE-2015-8967)

It was discovered that the generic SCSI block layer in the Linux kernel did
not properly restrict write operations in certain situations. A local
attacker could use this to cause a denial of service (system crash) or
possibly gain administrative privileges. (CVE-2016-10088)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound
Architecture (ALSA) subsystem in the Linux kernel. A local attacker could
use this to expose sensitive information (kernel memory).
(CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the
Linux kernel did not properly validate some ioctl arguments. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server
implementations in the Linux kernel did not properly check for the end of
buffer. A remote attacker could use this to craft requests that cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB
Serial Converter device driver of the Linux kernel. An attacker with
physical access could use this to expose sensitive information (kernel
memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux
kernel did not properly perform reference counting. A local attacker could
use this to cause a denial of service (tty exhaustion). (CVE-2017-8925)

Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux
kernel's IPv6 stack. A local attacker could cause a denial of service or
potentially other unspecified problems. (CVE-2017-9074)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in
the Linux kernel did not properly initialize memory. A local attacker could
use this to expose sensitive information (kernel memory). (CVE-2017-9605)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  linux-image-3.13.0-125-generic  3.13.0-125.174~precise1
  linux-image-3.13.0-125-generic-lpae  3.13.0-125.174~precise1
  linux-image-generic-lpae-lts-trusty  3.13.0.125.116
  linux-image-generic-lts-trusty  3.13.0.125.116

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://www.ubuntu.com/usn/usn-3360-2
  https://www.ubuntu.com/usn/usn-3360-1
  CVE-2014-9900, CVE-2015-8944, CVE-2015-8955, CVE-2015-8962,
  CVE-2015-8963, CVE-2015-8964, CVE-2015-8966, CVE-2015-8967,
  CVE-2016-10088, CVE-2017-1000380, CVE-2017-7346, CVE-2017-7895,
  CVE-2017-8924, CVE-2017-8925, CVE-2017-9074, CVE-2017-9605

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWXVa44x+lLeg9Ub1AQjA2w//VUaEhWAJXn9bYuxJvk5dsLbS5tUsLx34
ZiIFiVcV6pGy9EG8Mt6TJbbKQbMEtRCzAAKgIAo/FS37dTjS7/P5vVSEdbBOD/w+
rbEZQ/6F2RIJ/RfV7mGSRLLRMQjP4hx1YRQuoPGPvWY1GRZHDOFLh2WIL2Er/60+
qusT/01QIZ5wmsgrW6IZ9abHz+Fz100UJe9sNT60KAYVoDnuT2Q1ZSrwutLvnGxw
v0nKdIUNfIgw1VkwtPMDoM9wcPXYrKNxb9HycfYzwdRKtsldI89TECtHNS/Gn+LS
/R0fp+vdcWOAMx1TBHDYHlG2B15jDGftd+Z3lxm8/QE3lchs3NBAp6YD0bJfTj8U
UJN6xJUFmUQ06eUgyuvdM4lBiwcLnPBafonPsODN2ev3QpkyewivDqJ1Qct3I5pb
kt/TrARXQFErY7Wzk+bzb8Tx3FnPY6Zl8yfxo+eg/aibu/LIXtHGe6efh+j+mEdn
vWGGxzcyf8jAVgmx851SohCbj/LFnvH3iFMXsY40zSTHbOghJFLwJQ49TWHWkqKw
2SIEot+SOqzgmDFbmYyzgOkJuWx786CNHFC/k6kjDPpEPero7cJS6QN8VcQkNwm1
RJj2uxVclF3TjJx5WZTXap+gXhKUTxfEswLDWh2KW6RdVCD1BeKWmOrWjBZCPyy0
fH4lnkMtVtE=
=y1Lu
-----END PGP SIGNATURE-----

« Back to bulletins