-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2030
   Security Bulletin: Fixes for Multiple Security Vulnerabilities in IBM
           Security Identity Manager Virtual Appliance available
                              24 August 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Identity Manager
Publisher:         IBM
Operating System:  Network Appliance
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4449 CVE-2016-4448 CVE-2016-4447
                   CVE-2016-3705 CVE-2016-3627 CVE-2016-2518
                   CVE-2016-1840 CVE-2016-1839 CVE-2016-1838
                   CVE-2016-1837 CVE-2016-1836 CVE-2016-1835
                   CVE-2016-1834 CVE-2016-1833 CVE-2016-1762
                   CVE-2016-1550 CVE-2016-1548 CVE-2016-1547
                   CVE-2016-0367 CVE-2016-0353 CVE-2016-0351
                   CVE-2015-7979 CVE-2015-7978 CVE-2015-7977
                   CVE-2015-7852 CVE-2015-7703 CVE-2015-7702
                   CVE-2015-7701 CVE-2015-7692 CVE-2015-7691
                   CVE-2015-5219 CVE-2015-5195 CVE-2015-5194

Reference:         ASB-2016.0074
                   ASB-2016.0046

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21989198

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Fixes for Multiple Security Vulnerabilities in IBM
Security Identity Manager Virtual Appliance available

Security Bulletin

Document information

More support for:

IBM Security Identity Manager

Identity Manager Virtual Appliance

Software version:

7.0

Operating system(s):

Linux, Platform Independent

Reference #:

1989198

Modified date:

2016-08-23

Summary

There are multiple security vulnerabilities in various components used by IBM
Security Identity Manager Virtual Appliance.

Vulnerability Details

CVEID:

CVE-2016-0351

DESCRIPTION:

IBM Security Identity Manager Virtual Appliance could allow a remote attacker
to obtain sensitive information, caused by the failure to set the secure flag
for the session cookie in SSL mode. By intercepting its transmission within
an HTTP session, an attacker could exploit this vulnerability to capture the
cookie and obtain sensitive information.

CVSS Base Score: 3.1

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111890

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:

CVE-2016-0367

DESCRIPTION:

IBM Security Identity Manager Virtual Appliance displays sensitive
information in an error message that an authenticated user could use to
perform further attacks against the system.

CVSS Base Score: 4.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/112072

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:

CVE-2016-0353

DESCRIPTION:

IBM Security Privileged Identity Manager Virtual Appliance could allow a
remote attacker to obtain sensitive information, caused by the failure to set
the secure flag for the session cookie in SSL mode. By intercepting its
transmission within an HTTP session, an attacker could exploit this
vulnerability to capture the cookie and obtain sensitive information.

CVSS Base Score: 3.7

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111892

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:

CVE-2016-1762

DESCRIPTION:

Apple Safari and Apple iOS could allow a remote attacker to execute arbitrary
code on the system, caused by a memory corruption error in libxml2. By
persuading a victim to open a specially-crafted XML file, a remote attacker
could exploit this vulnerability to execute arbitrary code on the system.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111628

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-1833

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113327

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-1834

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113328

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-1835

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113329

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-1836

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113330

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-1837

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113331

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-1838

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113332

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-4448

DESCRIPTION:

libxml2 could allow a remote attacker to execute arbitrary code on the
system, caused by a format string error. By using a specially crafted HTML
file containing malicious format specifiers, a remote attacker could exploit
this vulnerability to execute arbitrary code on the system or cause the
application to crash.

CVSS Base Score: 7.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113523

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-4449

DESCRIPTION:

libxml2 could allow a remote attacker to obtain sensitive information, caused
by an XML external entity (XXE) error when processing XML data by the XML
parser. A remote attacker could exploit this vulnerability to obtain
sensitive information.

CVSS Base Score: 7.5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113524

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:

CVE-2016-1839

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113333

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-1840

DESCRIPTION:

Apple Mac OS X and Apple iOS could allow a remote attacker to execute
arbitrary code on the system, caused by a memory corruption error in libxml2.
By persuading a victim to open a specially crafted XML file, an attacker
could exploit this vulnerability to execute arbitrary code on the system or
cause a denial of service.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113334

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-3705

DESCRIPTION:

libxml2 is vulnerable to a stack-based buffer overflow, caused by an
out-of-bounds read of the xmlParserEntityCheck() and
xmlParseAttValueComplex() functions in parser.c. By persuading a victim to
open a specially crafted XML file, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/112885

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-4447

DESCRIPTION:

libxml2 is vulnerable to a denial of service, caused by a heap-based buffer
overflow. By persuading a victim to open a specially crafted XML file, a
remote attacker could overflow a buffer and cause the application to crash.

CVSS Base Score: 4.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/113522

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:

CVE-2016-3627

DESCRIPTION:

libxml2 is vulnerable to a denial of service, caused by an error in the
xmlStringGetNodeList() function when parsing XML files while in recover mode.
An attacker could exploit this vulnerability to exhaust the stack and cause a
segmentation fault.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/111586

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-5194

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an uninitialized variable when processing malicious commands. By sending a
specially crafted logconfig configuration command, a remote authenticated
attacker could exploit this vulnerability to cause the daemon to crash.

CVSS Base Score: 4.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107595

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-5195

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
the referencing of a statistics type that was not enabled during compilation
by the statistics or filegen configuration command. By sending a specially
crafted config command with statistics type, a remote authenticated attacker
could exploit this vulnerability to cause a segmentation fault.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107596

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-5219

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in the sntp program. By sending specially crafted NTP packets, a
remote attacker from within the local network could exploit this
vulnerability to cause the application to enter into an infinite loop.

CVSS Base Score: 4.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107597

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7691

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107449

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7692

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107450

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7701

DESCRIPTION:

Network Time Protocol (NTP) could allow a remote attacker to obtain sensitive
information, caused by a memory leak in CRYPTO_ASSOC. An attacker could
exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107444

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:

CVE-2015-7702

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107451

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7852

DESCRIPTION:

Network Time Protocol (NTP) is vulnerable to a buffer overflow, caused by
improper bounds checking by the cookedprint functionality. By sending an
overly long string, a remote attacker could overflow a buffer and execute
arbitrary code on the system or cause the application to crash.

CVSS Base Score: 7.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107439

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:

CVE-2015-7703

DESCRIPTION:

Network Time Protocol (NTP) could allow a remote attacker to traverse
directories on the system, caused by the failure to enforce local access only
of the "pidfile" and "driftfile" configuration directives. An attacker could
exploit this vulnerability to view arbitrary files on the system.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107445

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:

CVE-2015-7977

DESCRIPTION:

NTP is vulnerable to a denial of service, caused by a NULL pointer
dereference. By sending a specially crafted ntpdc reslist command, an
attacker could exploit this vulnerability to cause a segmentation fault.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/110022

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7978

DESCRIPTION:

NTP is vulnerable to a denial of service. By sending a specially crafted
reslist command, an attacker could exploit this vulnerability to consume all
available stack memory.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/110023

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2015-7979

DESCRIPTION:

NTP could allow a remote attacker to bypass security restrictions. By sending
specially crafted broadcast packets with bad authentication, an attacker
could exploit this vulnerability to cause the target broadcast client to tear
down the association with the broadcast server.

CVSS Base Score: 6.5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/110024

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID:

CVE-2016-1547

DESCRIPTION:

NTP is vulnerable to a denial of service, caused by the demobilization of a
preemptable client association. By sending specially crafted crypto NAK
packets, an attacker could exploit this vulnerability to cause a denial of
service.

CVSS Base Score: 3.7

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/112739

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:

CVE-2016-1548

DESCRIPTION:

NTP could allow a remote attacker to bypass security restrictions, caused by
an error in the ntpd client. By changing the client from basic client/server
mode to interleaved symmetric mode, an attacker could exploit this
vulnerability to modify the time of the client or cause a denial of service.

CVSS Base Score: 7.2

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/112740

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)

CVEID:

CVE-2016-1550

DESCRIPTION:

NTP could allow a local attacker to bypass security restrictions, caused by
the failure to use a constant-time memory comparison function when validating
the authentication digest on incoming packets. By sending a specially crafted
packet with an authentication payload, an attacker could exploit this
vulnerability to conduct a timing attack to compute the value of the valid
authentication digest.

CVSS Base Score: 4

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/112742

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
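
The comparison flaw described for CVE-2016-1550, shown beside a constant-time
replacement. This is an added example, not code from NTP or from IBM; the
digest length, the sample digest and all function names are assumptions made
for the sketch, and the byte count stands in for measurable running time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIGEST_LEN 16 /* assumed digest size for this sketch */

/* Constructed sample: the digest the receiver computed over a packet. */
static const uint8_t expected[DIGEST_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x16,
    0x7f, 0x20, 0xc3, 0x6a, 0x99, 0x0e, 0xd4, 0x51
};

/* Early-exit compare (memcmp-style): the work done depends on where the
 * first mismatch is. *inspected stands in for the observable run time. */
static int leaky_cmp(const uint8_t *a, const uint8_t *b, size_t n,
                     size_t *inspected)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) { *inspected = i + 1; return 1; }
    }
    *inspected = n;
    return 0;
}

/* Constant-time compare: every byte is always read and the differences are
 * OR-ed together, so there is no data-dependent branch or early return. */
static int ct_cmp(const uint8_t *a, const uint8_t *b, size_t n,
                  size_t *inspected)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *inspected = n;
    return diff != 0;
}

/* Candidate digest that matches `expected` in its first `prefix` bytes. */
static void make_candidate(uint8_t *out, size_t prefix)
{
    for (size_t i = 0; i < DIGEST_LEN; i++)
        out[i] = (i < prefix) ? expected[i] : (uint8_t)(expected[i] ^ 0xFF);
}

/* Bytes examined by each comparison for a given matching prefix length. */
static size_t leaky_work(size_t prefix)
{
    uint8_t c[DIGEST_LEN]; size_t seen;
    make_candidate(c, prefix);
    leaky_cmp(c, expected, DIGEST_LEN, &seen);
    return seen;
}

static size_t ct_work(size_t prefix)
{
    uint8_t c[DIGEST_LEN]; size_t seen;
    make_candidate(c, prefix);
    ct_cmp(c, expected, DIGEST_LEN, &seen);
    return seen;
}

/* Hardened check: fixed length first, then constant-time compare. */
static int digest_ok(const uint8_t *received, size_t len)
{
    size_t unused;
    if (len != DIGEST_LEN) return 0;
    return ct_cmp(received, expected, DIGEST_LEN, &unused) == 0;
}

static int accepts_candidate(size_t prefix)
{
    uint8_t c[DIGEST_LEN];
    make_candidate(c, prefix);
    return digest_ok(c, DIGEST_LEN);
}

int main(void)
{
    for (size_t p = 0; p <= DIGEST_LEN; p += 4)
        printf("matching prefix %2zu: early-exit reads %2zu bytes, "
               "constant-time reads %2zu\n", p, leaky_work(p), ct_work(p));
    return 0;
}
```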

CVEID:

CVE-2016-2518

DESCRIPTION:

NTP is vulnerable to a denial of service, caused by an error when using a
specially crafted packet to create a peer association with hmode > 7. An
attacker could exploit this vulnerability to cause the MATCH_ASSOC() function
to trigger an out-of-bounds read.

CVSS Base Score: 2

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/112746

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security Identity Manager Virtual Appliance versions 7.0.0.0, 7.0.0.1,
7.0.0.2, 7.0.0.3, 7.0.1.0, 7.0.1.1, 7.0.1.3

Remediation/Fixes

Ensure that the version listed below is installed on the system.

Product Version                                 Fix level
----------------------------------------------  ---------------------------
IBM Security Identity Manager (ISIM) Virtual    Apply IBM Security Identity
Appliance releases 7.0.0.0, 7.0.0.1, 7.0.0.2,   Manager (ISIM)
7.0.0.3, 7.0.1.0, 7.0.1.1, 7.0.1.3              7.0.1.3-ISS-SIM-IF0001

Note: Interim Fix 1 (7.0.1.3-ISS-SIM-IF0001) requires ISIM fix pack 7.0.1.3
(7.0.1-ISS-SIM-FP0003) to be installed first. The 7.0.1.3 fix pack is
available on Fix Central.

Upgrading from firmware version 7.0.0.0 to 7.0.1.3 requires intermediate upgrade to 7.0.0.2 or 7.0.1.0. Upgrading from 7.0.0.2 or later requires no intermediate upgrade.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

2016-08-19: Initial Draft

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================