-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3904
                Security updates released for IBM PowerKVM
                             18 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM PowerKVM
Publisher:         IBM
Operating System:  Linux variants
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Existing Account
                   Create Arbitrary Files          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000301 CVE-2018-1000122 CVE-2018-1000121 CVE-2018-1000120 CVE-2018-1000007
                   CVE-2018-17456 CVE-2018-16542 CVE-2018-16509 CVE-2018-15910 CVE-2018-14526
                   CVE-2018-13033 CVE-2018-12384 CVE-2018-10930 CVE-2018-10929 CVE-2018-10928
                   CVE-2018-10927 CVE-2018-10926 CVE-2018-10923 CVE-2018-10914 CVE-2018-10913
                   CVE-2018-10911 CVE-2018-10907 CVE-2018-10906 CVE-2018-10904 CVE-2018-10873
                   CVE-2018-10846 CVE-2018-10845 CVE-2018-10844 CVE-2018-10535 CVE-2018-10534
                   CVE-2018-10373 CVE-2018-10372 CVE-2018-10194 CVE-2018-8945 CVE-2018-7643
                   CVE-2018-7642 CVE-2018-7569 CVE-2018-7568 CVE-2018-7208 CVE-2018-5740
                   CVE-2018-5730 CVE-2018-5729 CVE-2018-5391 CVE-2018-2819 CVE-2018-2817
                   CVE-2018-2813 CVE-2018-2781 CVE-2018-2771 CVE-2018-2767 CVE-2018-2761
                   CVE-2018-2755 CVE-2018-2668 CVE-2018-2665 CVE-2018-2640 CVE-2018-2622
                   CVE-2018-2562 CVE-2018-1113 CVE-2018-1066 CVE-2018-1061 CVE-2018-1060
                   CVE-2018-0739 CVE-2018-0737 CVE-2018-0732 CVE-2018-0495 CVE-2018-0494
                   CVE-2017-1000050 CVE-2017-17833 CVE-2017-15299 CVE-2017-15274 CVE-2017-14489
                   CVE-2017-10661 CVE-2017-10384 CVE-2017-10379 CVE-2017-10378 CVE-2017-10268
                   CVE-2017-7273 CVE-2017-6346 CVE-2017-5967 CVE-2017-5669 CVE-2017-3735
                   CVE-2017-3653 CVE-2017-3651 CVE-2017-3641 CVE-2017-3636 CVE-2016-10044
                   CVE-2016-9396 CVE-2016-4913 CVE-2016-2548 CVE-2015-8830 CVE-2015-5697

Reference:         ASB-2018.0308 ASB-2018.0268 ASB-2018.0241.3 ASB-2018.0087
                   ASB-2018.0026 ESB-2018.3585 ESB-2018.3400 ESB-2018.3331.2
                   ESB-2018.3054 ESB-2018.2431 ESB-2018.2342 ESB-2018.2216
                   ESB-2018.1886 ESB-2018.1639 ESB-2018.1344 ESB-2018.1231
                   ESB-2017.3177 ESB-2017.2822 ESB-2017.2700 ESB-2017.1808
                   ESB-2017.1801 ESB-2015.2043

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10733297
   http://www.ibm.com/support/docview.wss?uid=ibm10735383
   http://www.ibm.com/support/docview.wss?uid=ibm10733299
   http://www.ibm.com/support/docview.wss?uid=ibm10735381
   http://www.ibm.com/support/docview.wss?uid=ibm10741525
   http://www.ibm.com/support/docview.wss?uid=ibm10738769
   http://www.ibm.com/support/docview.wss?uid=ibm10738691
   http://www.ibm.com/support/docview.wss?uid=ibm10738685
   http://www.ibm.com/support/docview.wss?uid=ibm10739975
   http://www.ibm.com/support/docview.wss?uid=ibm10740235
   http://www.ibm.com/support/docview.wss?uid=ibm10737573
   http://www.ibm.com/support/docview.wss?uid=ibm10741045
   http://www.ibm.com/support/docview.wss?uid=ibm10738771
   http://www.ibm.com/support/docview.wss?uid=ibm10735385
   http://www.ibm.com/support/docview.wss?uid=ibm10739977
   http://www.ibm.com/support/docview.wss?uid=ibm10740881
   http://www.ibm.com/support/docview.wss?uid=ibm10741811
   http://www.ibm.com/support/docview.wss?uid=ibm10735389
   http://www.ibm.com/support/docview.wss?uid=ibm10741695
   http://www.ibm.com/support/docview.wss?uid=ibm10735387

Comment: This bulletin contains twenty (20) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A vulnerability in ISC Bind affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0733297
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in ISC Bind. IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-5740
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a defect in the deny-answer-aliases feature. By triggering this defect, a remote attacker could exploit this vulnerability to cause an INSIST assertion failure in name.c.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148131 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- -------------------------------------------------------------------------------

Security Bulletin: A vulnerability in NSS affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0735383
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in Mozilla Network Security Services (NSS). IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-12384
DESCRIPTION: Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by the improper handling of an SSLv2-compatible ClientHello message.
By conducting a passive replay attack, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150436 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in OpenSLP affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0733299
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in OpenSLP. IBM has now addressed this vulnerability.

Vulnerability Details
Relevant CVE Information:
CVEID: CVE-2017-17833
DESCRIPTION: OpenSLP, as used in multiple products, is vulnerable to a denial of service. A remote attacker could exploit this vulnerability to corrupt the heap memory and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142087 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in SPICE affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0735381
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in SPICE. IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-10873
DESCRIPTION: SPICE is vulnerable to a denial of service, caused by a missing check in python_modules/demarshal.py:write_validate_array_item(). By sending a specially-crafted message, a remote authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148522 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in git affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0741525
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in git. IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-17456
DESCRIPTION: Git could allow a remote attacker to execute arbitrary code on the system, caused by a flaw during processing of a recursive "git clone" of a superproject.
By using a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in libfuse affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0738769
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in libfuse. IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-10906
DESCRIPTION: libfuse could allow a remote attacker to bypass security restrictions, caused by an error when SELinux is active. An attacker could exploit this vulnerability to bypass the "allow_other" mount option.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147321 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in setup affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0738691
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in the setup project package. IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-1113
DESCRIPTION: Setup Project could allow a remote attacker to bypass security restrictions, caused by an issue with adding /sbin/nologin and /usr/sbin/nologin to /etc/shells. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147843 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in wget affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0738685
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in wget. IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-0494
DESCRIPTION: GNU Wget could allow a remote attacker to bypass security restrictions, caused by the failure to properly process Set-Cookie responses.
By sending a specially-crafted Set-Cookie -header request, an attacker could exploit this vulnerability to inject arbitrary cookies into the cookie jar file and set and modify cookies on the target system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142899 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in wpa_supplicant affects PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0739975
Modified date: 17 December 2018

Summary
PowerKVM is affected by a vulnerability in wpa_supplicant. IBM has now addressed this vulnerability.

Vulnerability Details
CVEID: CVE-2018-14526
DESCRIPTION: wpa_supplicant could allow a remote attacker within range of the Access Point and client to obtain sensitive information, caused by the improper processing of EAPOL-Key frames by rsn_supp/wpa.c. By modifying the frame in a way that allows for the decryption of the Key Data field without requiring a valid MIC value in the frame, an attacker could exploit this vulnerability to act as a decryption oracle to recover some of the Key Data payload to get knowledge of the group encryption keys.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148095 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in GNU binutils affect PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0740235
Modified date: 17 December 2018

Summary
PowerKVM is affected by vulnerabilities in GNU binutils. IBM has now addressed these vulnerabilities.

Vulnerability Details
CVEID: CVE-2018-13033
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an error in the _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c in GNU libiberty. By persuading a victim to open a specially crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145673 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10535
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in the ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10534
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an out-of-bounds memory write in the _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142630 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10373
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142402 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10372
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by heap-based buffer over-read in process_cu_tu_index in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142399 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-8945
DESCRIPTION: GNU Binutils libbfd is vulnerable to a denial of service, caused by an error in the bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd). By using a large attribute section, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7643
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an integer overflow in the display_debug_ranges function in dwarf.c. By persuading a victim to open a specially-crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139809 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7642
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by aout_32_swap_std_reloc_out NULL pointer dereference in the swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139810 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7208
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by a flaw in the coff_pointerize_aux function in coffgen.c in libbfd. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139203 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7569
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by an integer underflow or overflow in the read_attribute_value function in dwarf2.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted ELF file with a corrupt DWARF FORM block, a remote attacker could cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7568
DESCRIPTION: GNU Binutils is vulnerable to a denial of service, caused by integer overflow in the parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted ELF file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139775 for the current score
CVSS Environmental Score*: Undefined

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in Ghostscript affect PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0737573
Modified date: 17 December 2018

Summary
PowerKVM is affected by vulnerabilities in Artifex Ghostscript. IBM has now addressed these vulnerabilities.

Vulnerability Details
CVEID: CVE-2018-16542
DESCRIPTION: Artifex Ghostscript is vulnerable to a denial of service, caused by improper interpreter stack-size checking. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to crash the interpreter.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149468 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-16509
DESCRIPTION: Artifex Ghostscript could allow a remote attacker to execute arbitrary code on the system, caused by improper privilege checking in the handling of /invalidaccess exceptions. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149460 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-15910
DESCRIPTION: Artifex Ghostscript could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in the LockDistillerParams parameter.
An attacker could exploit this vulnerability to crash the interpreter or possibly execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148958 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-10194
DESCRIPTION: Artifex Ghostscript is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142088 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in GnuTLS affect PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0741045
Modified date: 17 December 2018

Summary
PowerKVM is affected by vulnerabilities in GnuTLS. IBM has now addressed these vulnerabilities.

Vulnerability Details
CVEID: CVE-2018-10846
DESCRIPTION: GnuTLS could allow a local authenticated attacker to obtain sensitive information, caused by a cache-based side channel issue.
By combining a Just in Time Prime+probe attack with a Lucky-13 attack, a remote attacker could exploit this vulnerability to recover plain text and obtain information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148725 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-10845
DESCRIPTION: GnuTLS could allow a remote attacker to obtain sensitive information, caused by a flaw in the implementation of HMAC-SHA-384. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to obtain information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148730 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-10844
DESCRIPTION: GnuTLS could allow a remote attacker to obtain sensitive information, caused by a flaw in the implementation of HMAC-SHA-256. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to obtain information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148731 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in JasPer affect PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0738771
Modified date: 17 December 2018

Summary
PowerKVM is affected by vulnerabilities in JasPer. IBM has now addressed these vulnerabilities.

Vulnerability Details
CVEID: CVE-2017-1000050
DESCRIPTION: JasPer is vulnerable to a denial of service, caused by a NULL pointer exception in the jp2_encode function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130253 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9396
DESCRIPTION: JasPer is vulnerable to a denial of service, caused by an error in the JPC_NOMINALGAIN function in jpc_t1cod.c. By using unspecified vectors, an attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123690 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions
PowerKVM 3.1

Remediation/Fixes
Customers can update PowerKVM systems by using "yum update".
Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations
none

Change History
28 September 2018 - Initial Version

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in MariaDB affect PowerKVM

Document information
Software version: 3.1
Operating system(s): Linux
Reference #: 0735385
Modified date: 17 December 2018

Summary
PowerKVM is affected by vulnerabilities in MariaDB. IBM has now addressed these vulnerabilities.

Vulnerability Details
CVEID: CVE-2018-2819
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server InnoDB component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141975 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2817
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: DDL component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141973 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2771
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: Locking component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141927 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2813
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: DDL component could allow an authenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141969 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-2781
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141937 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2767
DESCRIPTION: MySQL and MariaDB could allow a remote attacker to bypass security restrictions, caused by the BACKRONYM vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions and downgrade and snoop on the SSL/TLS connection.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-2761
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server Client programs component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2755
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server Replication component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141913 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-2668
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137923 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2665
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137919 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2562
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an authenticated attacker to cause no confidentiality impact, low integrity impact, and high availability impact.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137818 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)

CVEID: CVE-2017-10384
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: DDL component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133809 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2640
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137892 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-2622
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137874 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-10379
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server Client programs component could allow an authenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133804 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-10378
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133803 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-10268
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: Replication component could allow an authenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133711 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3653
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: DDL component could allow an authenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129019 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3651
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server Client mysqldump component could allow an authenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129017 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3641
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server: DML component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-3636
DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server Client programs component could allow an authenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129002 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

none

Change History

28 September 2018 - Initial Version

-------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in OpenSSL affect PowerKVM

Document information

Software version: 3.1
Operating system(s): Linux
Reference #: 0739977
Modified date: 17 December 2018

Summary

PowerKVM is affected by vulnerabilities in OpenSSL. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-0732
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144658 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-0739
DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140847 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-0737
DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a cache-timing side channel attack in the RSA Key generation algorithm. An attacker with access to mount cache timing attacks during the RSA key generation process could exploit this vulnerability to recover the private key and obtain sensitive information.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141679 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-0495
DESCRIPTION: GnuPG Libgcrypt could allow a local attacker to obtain sensitive information, caused by a memory-cache side-channel attack on ECDSA signatures in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c. An attacker could exploit this vulnerability to recover ECDSA or DSA private keys.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144828 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3735
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAddressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

none

Change History

28 September 2018 - Initial Version

--------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in Python affect PowerKVM

Document information

Software version: 3.1
Operating system(s): Linux
Reference #: 0740881
Modified date: 17 December 2018

Summary

PowerKVM is affected by vulnerabilities in Python. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1061
DESCRIPTION: Python is vulnerable to a denial of service, caused by catastrophic backtracking in the difflib.IS_LINE_JUNK method. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145115 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1060
DESCRIPTION: Python is vulnerable to a denial of service, caused by catastrophic backtracking in the pop3lib's apop() method. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145116 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

none

Change History

28 September 2018 - Initial Version

--------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in curl affect PowerKVM

Document information

Software version: 3.1
Operating system(s): Linux
Reference #: 0741811
Modified date: 17 December 2018

Summary

PowerKVM is affected by vulnerabilities in curl. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1000301
DESCRIPTION: curl is vulnerable to a denial of service, caused by heap-based buffer over-read. By sending a specially crafted RTSP response, a remote attacker could overflow a buffer and possibly obtain sensitive information or cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143390 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-1000122
DESCRIPTION: curl could allow a remote attacker to obtain sensitive information, caused by a buffer over-read in the RTSP+RTP handling code. An attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140316 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-1000121
DESCRIPTION: curl is vulnerable to a denial of service, caused by a NULL pointer dereference in the LDAP code. An attacker could exploit this vulnerability using LDAP URLs to crash the server.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140315 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1000120
DESCRIPTION: curl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when handling FTP URLs. By persuading a victim to open a specially crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140314 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-1000007
DESCRIPTION: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw when passing on custom Authorization: headers. By sending a specially-crafted HTTP redirects request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138218 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

none

Change History

28 September 2018 - Initial Version

--------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in glusterfs affect PowerKVM

Document information

Software version: 3.1
Operating system(s): Linux
Reference #: 0735389
Modified date: 17 December 2018

Summary

PowerKVM is affected by vulnerabilities in glusterfs. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-10913
DESCRIPTION: glusterfs could allow a remote attacker to obtain sensitive information, caused by improper handling of xattr request. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to determine the existence of arbitrary files on the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149299 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-10911
DESCRIPTION: glusterfs could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of negative key length values in the dict.c:dict_unserialize function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to read memory from other locations into the stored dict value.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149298 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-10907
DESCRIPTION: glusterfs is vulnerable to a denial of service, caused by multiple stack-based buffer overflows in functions in server-rpc-fopc.c. By mounting a gluster volume and sending specially-crafted data, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition or execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149297 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10928
DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of RPC request using gfs3_symlink_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to create arbitrary symlinks and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149305 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10927
DESCRIPTION: glusterfs could allow a remote authenticated attacker to obtain sensitive information, caused by improper validation of RPC request in gfs3_lookup_req function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information and cause a denial of service condition.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149304 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

CVEID: CVE-2018-10926
DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in RPC request using gfs3_mknod_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to create files and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149303 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10923
DESCRIPTION: glusterfs could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the mknod call derived from mknod(2). By creating arbitrary devices on a glusterfs server node, an attacker could exploit this vulnerability to read arbitrary data from the attached device.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149301 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-10914
DESCRIPTION: glusterfs is vulnerable to a denial of service, caused by improper validation of xattr request. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to crash multiple bricks and gluster volumes.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149300 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10930
DESCRIPTION: glusterfs could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of RPC request using gfs3_rename_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to write to a destination outside the gluster volume.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149307 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-10929
DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of RPC request using gfs2_create_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to create files and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149306 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10904
DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of file paths in the trusted.io-stats-dump extended attribute. By sending a specially-crafted request, an attacker could exploit this vulnerability to create files and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149295 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

none

Change History

28 September 2018 - Initial Version

--------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in krb5 affect PowerKVM

Document information

Software version: 3.1
Operating system(s): Linux
Reference #: 0741695
Modified date: 17 December 2018

Summary

PowerKVM is affected by vulnerabilities in krb5. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-5730
DESCRIPTION: MIT krb5 could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the LDAP Kerberos database. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass DN container check.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139970 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-5729
DESCRIPTION: MIT krb5 is vulnerable to a denial of service, caused by a NULL pointer dereference in the LDAP Kerberos database. By sending specially-crafted data, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139969 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

none

Change History

28 September 2018 - Initial Version

--------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM

Document information

Software version: 3.1
Operating system(s): Linux
Reference #: 0735387
Modified date: 17 December 2018

Summary

PowerKVM is affected by vulnerabilities in the Linux Kernel. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1066
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() function. An attacker controlling a CIFS server could exploit this vulnerability to cause a kernel panic.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139836 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7273
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in the cp_report_fixup function in drivers/hid/hid-cypress.c. By using a specially-crafted HID report, a physically proximate attacker could exploit this vulnerability to cause a denial of service or possibly have unspecified other impact.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123829 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-6346
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free error in net/packet/af_packet.c. By using a multithreaded application that makes PACKET_FANOUT setsockopt system calls, a local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122669 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-5967
DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by an error when CONFIG_TIMER_STATS is enabled. By reading the /proc/timer_list file, an attacker could exploit this vulnerability to obtain real PID value.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-5669
DESCRIPTION: Linux Kernel could allow a local attacker to bypass security restrictions, caused by an error in the do_shmat() function. An attacker could exploit this vulnerability to bypass a protection mechanism for the mmap system call.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122677 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-15299
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the KEYS subsystem. By using a specially-crafted system call, a remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133509 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-15274
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in security/keys/keyctl.c. By using a specially-crafted add_key or keyctl system call, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133486 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-14489
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in the iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c. By leveraging incorrect length validation, a local authenticated attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132070 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-10661
DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a race condition in fs/timerfd.c. An attacker could exploit this vulnerability to gain privileges or cause a denial of service.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130802 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4913
DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by the improper handling of NM entries containing NUL characters by the get_rock_ridge_filename function in fs/isofs/rock.c. An attacker could exploit this vulnerability using a specially crafted isofs filesystem to read from kernel memory locations.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-2548
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition in the ALSA sound driver when unlinking specific linked lists. A local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111571 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-10044
DESCRIPTION: Linux Kernel and Google Nexus could allow a local attacker to gain elevated privileges on the system, caused by improperly restricting execute access in aio_mount function in fs/aio.c. By using an io_setup system call, an attacker could exploit this vulnerability to bypass intended SELinux W^X policy restrictions and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127955 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-8830
DESCRIPTION: Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the AIO interface. By applying to certain filesystems, socket or device types, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111186 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-5697
DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by a leak in the md driver. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105221 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-5391
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the improper handling of the reassembly of fragmented IPv4 and IPv6 packets by the IP implementation. By sending specially crafted IP fragments with random offsets, a remote attacker could exploit this vulnerability to exhaust all available CPU resources and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148388 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

none

Change History

28 September 2018 - Initial Version

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================