ESB-2017.2415 - [Win][Linux][HP-UX][Solaris][AIX] IBM Cram Social Program Management: Multiple vulnerabilities 2017-09-22

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2415
           Vulnerabilities in IBM Cram Social Program Management
                             22 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cram Social Program Management
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Solaris
                   Windows
                   Linux variants
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5661 CVE-2016-3092 CVE-2016-1182
                   CVE-2016-1181 CVE-2015-1832 CVE-2015-0899
                   CVE-2014-3596  

Reference:         ESB-2017.1643
                   ESB-2016.2223
                   ESB-2016.1709

Original Bulletin: 
   https://www-01.ibm.com/support/docview.wss?uid=swg22008736
   https://www-01.ibm.com/support/docview.wss?uid=swg22008689
   https://www-01.ibm.com/support/docview.wss?uid=swg22008731
   https://www-01.ibm.com/support/docview.wss?uid=swg22008734
   https://www-01.ibm.com/support/docview.wss?uid=swg22008692

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in Apache Derby affects IBM Cram Social
Program Management (CVE-2015-1832)

Document information

More support for:

Cram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008736

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cram Social Program Management uses the Apache Derby Library. Apache
Derby could allow a remote attacker to obtain sensitive information, caused
by a XML external entity (XXE) error when processing XML data by the XML
datatype and XmlVTI. An attacker could exploit this vulnerability to read
arbitrary files on the system or cause a denial of service.

Vulnerability Details

CVEID:

CVE-2015-1832

DESCRIPTION:

Apache Derby could allow a remote attacker to obtain sensitive information,
caused by a XML external entity (XXE) error when processing XML data by the
XML datatype and XmlVTI. An attacker could exploit this vulnerability to read
arbitrary files on the system or cause a denial of service.

CVSS Base Score: 6.4

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/115625

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

Affected Products and Versions

IBM Cram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes


Product

VRMF

Remediation/First Fix


+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+



Workarounds and Mitigations

For information on all other versions please contact Cram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site . Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache Struts affects IBM Cram Social
Program Management (CVE-2016-1182, CVE-2016-1181, CVE-2015-0899)

Document information

More support for:

Cram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008689

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cram Social Program Management uses the Apache Struts Library. Apache
Struts could allow a remote attacker to bypass security restrictions, caused
by the improper validation of input by the Validator; or Apache Struts could
allow a remote attacker to execute arbitrary code on the system, caused by
the failure to protect against unintended remote operations against
components on server memory by the ActionForm instance; or Apache Struts
could allow a remote attacker to bypass security restrictions, caused by an
error in the MultiPageValidator implementation.

Vulnerability Details

CVEID:

CVE-2016-1182

DESCRIPTION:

Apache Struts could allow a remote attacker to bypass security restrictions,
caused by the improper validation of input by the Validator. An attacker
could exploit this vulnerability to modify validation rules and error
messages.

CVSS Base Score: 4.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113853

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

)

CVEID:

CVE-2016-1181

DESCRIPTION:

Apache Struts could allow a remote attacker to execute arbitrary code on the
system, caused by the failure to protect against unintended remote operations
against components on server memory by the ActionForm instance. An attacker
could exploit this vulnerability to execute arbitrary code on the system.

CVSS Base Score: 8.1

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113852

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

)

CVEID:

CVE-2015-0899

DESCRIPTION:

Apache Struts could allow a remote attacker to bypass security restrictions,
caused by an error in the MultiPageValidator implementation. An attacker
could exploit this vulnerability using a modified page parameter to bypass
restrictions and launch further attacks on the system. This vulnerability
also affects other products.

CVSS Base Score: 4.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/101770

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Cram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+


Workarounds and Mitigations

For information on all other versions please contact Cram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site . Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache Axis affects IBM Cram Social
Program Management (CVE-2014-3596)

Document information

More support for:

Cram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008731

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cram Social Program Management uses the Apache Axis Library. Apache Axis
and Axis2 could allow a remote attacker to conduct spoofing attacks, caused
by and incomplete fix related to the failure to verify that the server
hostname matches a domain name in the subject's Common Name (CN) field of the
X.509 certificate.

Vulnerability Details

CVEID:

CVE-2014-3596

DESCRIPTION:

Apache Axis and Axis2 could allow a remote attacker to conduct spoofing
attacks, caused by and incomplete fix related to the failure to verify that
the server hostname matches a domain name in the subject's Common Name (CN)
field of the X.509 certificate. By persuading a victim to visit a Web site
containing a specially-crafted certificate, an attacker could exploit this
vulnerability using man-in-the-middle techniques to spoof an SSL server.

CVSS Base Score: 4.3

CVSS Temporal Score: See

http://xforce.iss.net/xforce/xfdb/95377

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Cram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+



Workarounds and Mitigations

For information on all other versions please contact Cram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site . Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache FOP affects IBM Cram Social
Program Management (CVE-2017-5661)

Document information

More support for:

Cram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008734

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cram Social Program Management uses the Apache FOP Library. Apache FOP
could allow a remote authenticated attacker to obtain sensitive information,
caused by an XML external entity (XXE) error when processing XML data. By
using a specially-crafted SVG file. A remote attacker could exploit this
vulnerability to obtain sensitive information or possibly cause a denial of
service.

Vulnerability Details

CVEID:

CVE-2017-5661

DESCRIPTION:

Apache FOP could allow a remote authenticated attacker to obtain sensitive
information, caused by an XML external entity (XXE) error when processing XML
data. By using a specially-crafted SVG file. A remote attacker could exploit
this vulnerability to obtain sensitive information or possibly cause a denial
of service.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/124797

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Cram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes

+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+



Workarounds and Mitigations

For information on all other versions please contact Cram Customer Support.



Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site . Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- ---

Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM
Cram Social Program Management (CVE-2016-3092)

Document information

More support for:

Cram Social Program Management

Software version:

6.0.5, 6.1.1, 6.2.0, 7.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition:

All Editions

Reference #:

2008692

Modified date:

21 September 2017


Security Bulletin

Summary

IBM Cram Social Program Management uses the Apache Commons FileUpload
Library. Apache Tomcat is vulnerable to a denial of service, caused by an
error in the Apache Commons FileUpload component. By sending file upload
requests, an attacker could exploit this vulnerability to cause the server to
become unresponsive.

Vulnerability Details

CVEID:

CVE-2016-3092

DESCRIPTION:

Apache Tomcat is vulnerable to a denial of service, caused by an error in the
Apache Commons FileUpload component. By sending file upload requests, an
attacker could exploit this vulnerability to cause the server to become
unresponsive.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/114336

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Cram Social Program Management 7.0.0.0 - 7.0.1.0

IBM Cram Social Program Management 6.2.0.0 - 6.2.0.5

IBM Cram Social Program Management 6.1.0.0 - 6.1.1.5

IBM Cram Social Program Management 6.0.5.0 - 6.0.5.10

Remediation/Fixes



+-------------------------+------+--------------------------------------------+
|Product                  |VRMF  |Remediation/First Fix                       |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |7.0   |Visit IBM Fix Central and upgrade to 7.0.1.1|
|Management               |      |or a subsequent 7.0.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.2   |Visit IBM Fix Central and upgrade to 6.2.0.6|
|Management               |      |or a subsequent 6.2.0 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.1   |Visit IBM Fix Central and upgrade to 6.1.1.6|
|Management               |      |or a subsequent 6.1.1 release               |
+-------------------------+------+--------------------------------------------+
|IBM Curam Social Program |6.0.5 |Visit IBM Fix Central and upgrade to        |
|Management               |      |6.0.5.10 iFix2 or a subsequent 6.0.5 release|
+-------------------------+------+--------------------------------------------+



Workarounds and Mitigations

For information on all other versions please contact Cram Customer Support.


Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site . Security and integrity APARs and associated
fixes will be posted to this portal. IBM suggests reviewing the CVSS scores
and applying all security or integrity fixes as soon as possible to minimize
any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3



Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog



Change History

21 September 2017: Original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWcR7T4x+lLeg9Ub1AQgoAg//S7/T0G972t+as0LPee1Frj0HNOo1mxla
exjU0Bmq0YuCJ5ZvGZNZ/lAj5VqkjFBJjBl2ZhB5hII7vrYu3xX6Kb+9zIgC77Yt
/3Lq1r/W61gpPAs+pixWlY3FLfE3HiIpHHCbulo1qExxWXGb/dmupfJg4WThaB3j
L9xpcUYHjPA/Mlj7+3vGLC+v4DIno/XF/VtnC0SVERb5sfTDG0tRpWju36YmVUCA
4nLrUkH5khVMSOGPhSgi5C4mlpgm+t6V1eP1y1pU4Im5HfdD6Jbb9KnRXq2UaAgU
OCti6HccPWdMK+uBz5A1qUmdDgG1nyIzvQmSAUmGSxI3v7WjH5DtHgy5jBUeo4s6
B0pP6O0/EXV2wFQvJfR7JUi2Gg2vyUfc8tRqWOTJmnzvURQt+0CX10gLH6bitliI
p5hgzqaRMBVpYRzM4S/0agEmk16A/qTaLw8y+FNd2cRIDRz4rvwaAd0B0qBpPuZq
JdyRL/fBUFwkTCyB9c8eNfh84yWNfsfsf+AaTf2KApkJtmcxGZ+6h84fxmarsJKO
++WPWJm2EsfNNodel7zuHkDk7Q2GSGRvH66rEo1PgV7sVS0pBXvDp/MmTcXoug0Z
3Re94VDZNTjRNJ3qIasJ/fDSf7YQinMrGsWPW1oZONdoEbD5ilBuKw+7EiU9tU2D
hfMS4psb4GM=
=BveR
-----END PGP SIGNATURE-----

« Back to bulletins