ESB-2017.2271 - [Win][UNIX/Linux] IBM Db2: Multiple vulnerabilities 2017-09-08

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Oh Isee===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2271
            Security Bulletin: IBM Db2 Multiple Vulnerabilities
                             8 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Db2
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Administrator Compromise -- Existing Account      
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1519 CVE-2017-1452 CVE-2017-1451
                   CVE-2017-1439 CVE-2017-1438 CVE-2017-1434

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg22005740
   http://www-01.ibm.com/support/docview.wss?uid=swg22006109
   http://www-01.ibm.com/support/docview.wss?uid=swg22007183
   http://www-01.ibm.com/support/docview.wss?uid=swg22006061
   http://www-01.ibm.com/support/docview.wss?uid=swg22006885

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Db2 sensitive information exposure in the error log
(CVE-2017-1434).

Security Bulletin

Document information

More support for:
DB2 for Linux, UNIX and Windows

Install/Migrate/Upgrade - Database

Software version:
11.1

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Reference #: 2005740

Modified date: 07 September 2017

Summary

When a version check to upgrade Db2 to v11.x fails, the connection string is
written in the clear in an error message to db2diag.log.

Vulnerability Details

CVEID: CVE-2017-1434
DESCRIPTION:
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) under
unusual circumstances, could expose highly sensitive information in the error
log to a local user.
CVSS Base Score: 5.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127806
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

All fix pack levels for server editions of IBM Db2 V11.1 on all platforms are
affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

Customers running any vulnerable fixpack level of an affected Program, V11.1,
can download the special build containing the interim fix for this issue from
Fix Central. These special builds are available based on the most recent
fixpack level for each impacted release: V11.1.2.2 FP2. They can be applied
to any affected fixpack level of the appropriate release to remediate this
vulnerability.

Release

Release  	Fixed in fix pack    APAR   	Download URL

V11.1.2.2       TBD                  IT21347  	Special Build for V11.1.2.2 FP2:                      
						AIX 64-bit
                                          	Linux 64-bit, x86-64
						Linux 64-bit, POWER little endian
						Linux 64-bit, System z, System z9 or zSeries
						Windows 64-bit, x86


Workarounds and Mitigations

When running the version check tool db2ckupgrade to upgrade Db2 to V11.x and
providing the tool with the password to connect to Db2, if the upgrade fails,
search the db2diag.log for the record with the connection string written in
the clear and delete the record.

Sample record:

2017-04-19-14.31.51.488000-240 I31814496F2169 LEVEL: Error
PID : 1496 TID : 2236 PROC : db2ckupgrade.exe
INSTANCE: SERVER1 NODE : 000
HOSTNAME: NAME
EDUID : 2236
FUNCTION: <0>, <0>, <0>, probe:6541
MESSAGE : Could not get a exclusive connection
DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
0x00000026293ADF30 : 0000 0000 0000 0000 0000 0000 7E8A FFFF ............~...
x00000026293ADF40 : 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00000026293ADF50 : 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00000026293ADF60 : 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00000026293ADF70 : 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00000026293ADF80 : 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00000026293ADF90 : 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00000026293ADFA0 : 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00000026293ADFB0 : 0000 0000 0000 0000 ........
DATA #2 : String, 52 bytes
DSN=DB;UID=user;PWD=xxxxxxx;;MODE=EXCLUSIVE;

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

September 7, 2017: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


============================================================================

Security Bulletin: IBM Db2 vulnerability allows local user to overwrite Db2
files. (CVE-2017-1452)

Security Bulletin

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
9.7, 10.1, 10.5, 11.1

Operating system(s):
AIX, HP-UX, Linux, Solaris

Software edition:

Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Reference #: 2006109

Modified date: 07 September 2017

Summary

A vulnerability in IBM Db2 could allow a local user to obtain elevated
privilege and overwrite Db2 files.

Vulnerability Details

CVEID: CVE-2017-1452
DESCRIPTION:
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow
a local user to obtain elevated privilege and overwrite DB2 files.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128180
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 server editions
running on AIX, Linux, HP, Solaris are affected. Db2 running on Windows is
not vulnerable.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

Customers running any vulnerable fixpack level of an affected Program, V9.7,
V10.1, V10.5, and Db2 V11.1, can download the special build containing the
interim fix for this issue from Fix Central. These special builds are
available based on the most recent fixpack level for each impacted release:
Db2 V9.7 FP11, V10.1 FP6, V10.5 FP8, and Db2 V11.1.2.2 FP2. They can be
applied to any affected fixpack level of the appropriate release to remediate
this vulnerability.

Release		Fixed in fix pack    APAR     		Download URL

V9.7		TBD                  IT21465  		Special Build for V9.7 FP11:                      
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64

V10.1		TBD                  IT21464  		Special Build for V10.1 FP6:                      
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64

V10.5		TBD                  IT21463  		Special Build for V10.5 FP8:                      
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, POWER little endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64
							Inspur

V11.1.2.2	TBD                  IT21458  		Special Build for V11.1.2.2 FP2:                      
							AIX 64-bit
							Linux 64-bit, x86-64
							Linux 64-bit, POWER little endian
							Linux 64-bit, System z, System z9 or zSeries

Workarounds and Mitigations

None.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Rich Mirch.

Change History

September 7, 2017: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
============================================================================

Security Bulletin: IBM Db2 is affected by denial of service vulnerability in
the Db2 Connect Server (CVE-2017-1519)

Security Bulletin

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
10.5, 11.1

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Reference #: 2007183

Modified date: 07 September 2017

Summary

IBM Db2 contains a denial of service vulnerability. A remote user can cause
disruption of service for Db2 Connect Server setup with a particular
configuration using SSL and an alternate gateway setup.

Vulnerability Details

CVEID: CVE-2017-1519
DESCRIPTION:
IBM Db2 contains a denial of service vulnerability. A remote user can cause
disruption of service for DB2 Connect Server setup with a particular
configuration.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/129829
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

All fix pack levels of IBM Db2 V10.5 and V11.1 Connect Server editions on all
platforms are affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

Customers running any vulnerable fixpack level of an affected Program, V10.5
and V11.1, can download the special build containing the interim fix for this
issue from Fix Central. These special builds are available based on the most
recent fixpack level for each impacted release: V10.5 FP8 and V11.1.2.2 FP2.
They can be applied to any affected fixpack level of the appropriate release
to remediate this vulnerability.

Release		Fixed in fix pack    APAR     	Download URL

V10.5           TBD                  IT21454  	Special Build for V10.5 FP8:                      
						AIX 64-bit
                                                HP-UX 64-bit
						Linux 32-bit, x86-32
						Linux 64-bit, x86-64
						Linux 64-bit, POWER big endian
						Linux 64-bit, POWER little endian
						Linux 64-bit, System z, System z9 or zSeries
						Solaris 64-bit, SPARC
						Solaris 64-bit, x86-64
						Windows 32-bit, x86
						Windows 64-bit, x86
						Inspur

V11.1.2.2 	TBD                  IT21455    Special Build for V11.1.2.2 FP2:
			                        AIX 64-bit
                                                Linux 64-bit, x86-64
						Linux 64-bit, POWER little endian
						Linux 64-bit, System z, System z9 or zSeries
						Windows 64-bit, x86

Workarounds and Mitigations

None.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

September 7, 2017: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


============================================================================

Security Bulletin: Privilege escalation vulnerabilities affect IBM Db2
(CVE-2017-1439, CVE-2017-1451)

Security Bulletin

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
9.7, 10.1, 10.5, 11.1

Operating system(s):
AIX, HP-UX, Linux, Solaris

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Reference #: 2006061

Modified date: 07 September 2017

Summary

Vulnerabilities in IBM Db2 could allow a local user to gain elevated
privilege.

Vulnerability Details

CVEID: CVE-2017-1439
DESCRIPTION:
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow
a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128058
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1451
DESCRIPTION:
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow
a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128178
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 server editions
running on AIX, Linux, HP, Solaris are affected. Db2 running on Windows is
not vulnerable.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

Customers running any vulnerable fixpack level of an affected Program, V9.7,
V10.1, V10.5, V11.1, can download the special build containing the interim
fix for this issue from Fix Central. These special builds are available based
on the most recent fixpack level for each impacted release: DB2 V9.7 FP11,
V10.1 FP6, V10.5 FP8 and V11.1.2.2 FP2. They can be applied to any affected
fixpack level of the appropriate release to remediate this vulnerability.

Release		Fixed in fix pack	APAR		Download URL

V9.7		TBD			IT21396		Special Build for V9.7 FP11:
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64

V10.1		TBD			IT21395		Special Build for V10.1 FP6:
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64

V10.5		TBD			IT21394		Special Build for V10.5 FP8:
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, POWER little endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64
							Inspur

V11.1.2.2		TBD		IT21364		Special Build for V11.1.2.2 FP2: 
							AIX 64-bit
							Linux 64-bit, x86-64
							Linux 64-bit, POWER little endian
							Linux 64-bit, System z, System z9 or zSeries

Workarounds and Mitigations

None.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerabilities were reported to IBM by Rich Mirch.

Change History

September 7, 2017: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

============================================================================

Security Bulletin: Privilege escalation vulnerabilities affect IBM Db2
(CVE-2017-1438)

Security Bulletin

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
9.7, 10.1, 10.5, 11.1

Operating system(s):
AIX, HP-UX, Linux, Solaris

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Reference #: 2006885

Modified date: 07 September 2017

Summary

Vulnerabilities in IBM Db2 could allow a local user to gain elevated
privilege.

Vulnerability Details

CVEID:CVE-2017-1438
DESCRIPTION:
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow
a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128057
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 server editions
running on AIX, Linux, HP, Solaris are affected. Db2 running on Windows is
not vulnerable.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

Customers running any vulnerable fixpack level of an affected Program, V9.7,
V10.1, V10.5, V11.1, can download the special build containing the interim
fix for this issue from Fix Central. These special builds are available based
on the most recent fixpack level for each impacted release: DB2 V9.7 FP11,
V10.1 FP6, V10.5 FP8 and V11.1.2.2 FP2. They can be applied to any affected
fixpack level of the appropriate release to remediate this vulnerability.


Release		Fixed in fix pack	APAR		Download URL

V9.7		TBD                 	IT21143		Special Build for V9.7 FP11:                      
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64

V10.1		TBD                  	IT21163  	Special Build for V10.1 FP6:                      
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64

V10.5		TBD                  	IT21164 	Special Build for V10.5 FP8:                      
							AIX 64-bit
							HP-UX 64-bit
							Linux 32-bit, x86-32
							Linux 64-bit, x86-64
							Linux 64-bit, POWER big endian
							Linux 64-bit, POWER little endian
							Linux 64-bit, System z, System z9 or zSeries
							Solaris 64-bit, SPARC
							Solaris 64-bit, x86-64
							Inspur

V11.1.2.2		TBD         	IT21140  	Special Build for V11.1.2.2 FP2:                      
							AIX 64-bit
							Linux 64-bit, x86-64
							Linux 64-bit, POWER little endian
							Linux 64-bit, System z, System z9 or zSeries

Workarounds and Mitigations

None.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Rich Mirch.

Change History

September 7, 2017: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWbISyYx+lLeg9Ub1AQj+OQ//f5I17vEVgS9JsOBtmbBfNLtFyuc+O92c
wJBCalhzVY4/+JwAQBlfO0MNeWZSQbZtwTjLL7xptIEZpw088/yGny3/eG6ioA+v
GZ29+rqVtUWpimzE4zXcWT2Goetz+YDv53Zi9Ci4xsL0seaZ+HYGuDlLej40A5Oe
cJEOMGubVBC7IY2bs0VWmL5nKbEjNUGadsI+rGA2D2tCaDHZ1Z45sqtbqhd4FR8d
n41yrzcj51lmo1lDz9U0YnNL1mgnm2v8BEuTYp3tW0YMsmDvhJseC5qZ0bzoUgpX
H0Ih2htXKtVI2YaKLvl4y6b5xE17utjdYdQ/DptkGCWlmfUFBsbiebeiU/fdNzvD
MbunUWEkRFeBh513/EYGKjVvFOZQfTgliiKOMMU4KFhxto4cS02nhGFiwbnhN65q
S6TQ3TMK1Wvmc2+BQfhMwKJjgmI8fscI5j5qOmkLpjNLJREZmmKpg45Ah6H9sAR1
nJqcbEG8EaNOSipw0XRakNT1IOdze53TZsjVFdQVK84iZwR4hWZDnCwtp62cbSgy
P+9LDCTdUf/KXFsIRvycMHvbuH6QhW2deVhU7lHlTDK6b+8W2ZekSrdJJK9faI49
ddgS11OEoeSCQk5ik9z0HtOfSwcEqay8FmJP07VpbE804DamVhNK7vJxdUSm3Bq7
dFo9xZBQe6c=
=5DF1
-----END PGP SIGNATURE-----

« Back to bulletins