===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0644
  Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Plus
                              24 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Spectrum Protect Plus
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8428 CVE-2020-4222 CVE-2020-4213
                   CVE-2020-4212 CVE-2020-4211 CVE-2020-4210
                   CVE-2019-19602 CVE-2019-19537 CVE-2019-19532
                   CVE-2019-19531 CVE-2019-19530 CVE-2019-19529
                   CVE-2019-19527 CVE-2019-19526 CVE-2019-19524
                   CVE-2019-18814 CVE-2019-18813 CVE-2019-18812
                   CVE-2019-18811 CVE-2019-18810 CVE-2019-18809
                   CVE-2019-18808 CVE-2019-18807 CVE-2019-18806
                   CVE-2019-18282 CVE-2019-18198 CVE-2019-16714
                   CVE-2019-15902 CVE-2019-15538 CVE-2019-15505
                   CVE-2019-15504 CVE-2019-14898 CVE-2019-10639
                   CVE-2019-4703

Reference:         ESB-2020.0572.2
                   ESB-2020.0415
                   ESB-2020.0411
                   ESB-2020.0200

Original Bulletin:
   https://www.ibm.com/support/pages/node/3177915
   https://www.ibm.com/support/pages/node/3178863
   https://www.ibm.com/support/pages/node/3177579

Comment: This bulletin contains three (3) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Information Disclosure in IBM Spectrum Protect Plus (CVE-2019-4703)

Security Bulletin

Document number: 3177915
Modified date: 21 February 2020

Summary

The user id and password may be exposed in IBM Spectrum Protect Plus when protecting Microsoft SQL or Microsoft Exchange.

Vulnerability Details

CVEID: CVE-2019-4703
DESCRIPTION: IBM Spectrum Protect Plus, when protecting Microsoft SQL or Microsoft Exchange, could allow an attacker with intimate knowledge of the system to obtain highly sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172013 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+-------------------------------+----------------+
|Affected Product(s)            |Version(s)      |
+-------------------------------+----------------+
|IBM Spectrum Protect Plus      |10.1.0-10.1.5   |
+-------------------------------+----------------+

Remediation/Fixes

+------------------+---------------+----------+-------------------------------------------------------+
|Spectrum Protect  |First Fixing   |Platform  |Link to Fix                                            |
|Plus Release      |VRM Level      |          |                                                       |
+------------------+---------------+----------+-------------------------------------------------------+
|10.1              |10.1.5 patch1  |Linux     |http://www.ibm.com/support/docview.wssuid=ibm11072392  |
+------------------+---------------+----------+-------------------------------------------------------+

Workarounds and Mitigations

None

--------------------------------------------------------------------------------

Command injection vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4210, CVE-2020-4213, CVE-2020-4222, CVE-2020-4212, CVE-2020-4211)

Security Bulletin

Document number: 3178863
Modified date: 21 February 2020

Summary

Command injection vulnerabilities in IBM Spectrum Protect Plus could allow a remote attacker to execute arbitrary code on the system.

Vulnerability Details

CVEID: CVE-2020-4210
DESCRIPTION: IBM Spectrum Protect Plus could allow a remote attacker to execute arbitrary code on the system.
By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-4213
DESCRIPTION: IBM Spectrum Protect Plus could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175024 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-4222
DESCRIPTION: IBM Spectrum Protect Plus could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175091 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-4212
DESCRIPTION: IBM Spectrum Protect Plus could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175023 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-4211
DESCRIPTION: IBM Spectrum Protect Plus could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+-------------------------------+----------------+
|Affected Product(s)            |Version(s)      |
+-------------------------------+----------------+
|IBM Spectrum Protect Plus      |10.1.0-10.1.5   |
+-------------------------------+----------------+

Remediation/Fixes

+------------------+---------------+----------+-------------------------------------------------------+
|Spectrum Protect  |First Fixing   |Platform  |Link to Fix                                            |
|Plus Release      |VRM Level      |          |                                                       |
+------------------+---------------+----------+-------------------------------------------------------+
|10.1              |10.1.5 patch1  |Linux     |http://www.ibm.com/support/docview.wssuid=ibm11072392  |
+------------------+---------------+----------+-------------------------------------------------------+

Workarounds and Mitigations

None

--------------------------------------------------------------------------------

Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus

Security Bulletin

Document number: 3177579
Modified date: 21 February 2020

Summary

There are multiple security vulnerabilities in the Linux Kernel that affect IBM Spectrum Protect Plus.

Vulnerability Details

CVEID: CVE-2019-19532
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by multiple out-of-bound write conditions in HID drivers.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172610 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2019-19529
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/net/can/usb/mcba_usb.c.
By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172526 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-19530
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/usb/class/cdc-acm.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172527 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-19526
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/nfc/pn533/usb.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172523 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-19531
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/usb/misc/yurex.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172528 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-19524
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/input/ff-memless.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172521 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-19537
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition in drivers/usb/core/file.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause the system to stop responding.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172608 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-19527
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/hid/usbhid/hiddev.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172524 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18811
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the sof_set_get_large_ctrl_data function in sound/soc/sof/ipc.c. By triggering sof_get_ctrl_copy_params() failures, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171184 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18810
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the komeda_wb_connector_add function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c. By triggering drm_writeback_connector_init() failures, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171183 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18813
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the dwc3_pci_probe function in drivers/usb/dwc3/dwc3-pci.c. By triggering platform_device_add_properties() failures, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171186 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18812
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the sof_dfsentry_write function in sound/soc/sof/debug.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171185 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18808
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the ccp_run_sha_cmd function in drivers/crypto/ccp/ccp-ops.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171181 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18807
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by two memory leaks in the sja1105_static_config_upload function in drivers/net/dsa/sja1105/sja1105_spi.c.
By triggering static_config_buf_prepare_for_upload() or sja1105_inhibit_tx() failures, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171180 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18809
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the af9005_identify_state function in drivers/media/usb/dvb-usb/af9005.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171182 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18814
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the aa_audit_rule_init function in security/apparmor/audit.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171187 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-18806
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the ql_alloc_large_buffers function in drivers/net/ethernet/qlogic/qla3xxx.c. By triggering pci_dma_mapping_error() failures, a local authenticated attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171179 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-8428
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in may_create_in_sticky. By executing a specially-crafted program, a local attacker could exploit this vulnerability to cause the system to crash, or possibly leak information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175359 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H)

CVEID: CVE-2019-16714
DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the failure to initialize the tos and flags fields in the rds6_inc_info_copy function in net/rds/recv.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the kernel stack memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167373 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-10639
DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the use of a weak function to generate IP packet IDs. By sniffing the network, an attacker could exploit this vulnerability to obtain hash collisions information to derive the hashing key.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167414 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-15538
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in xfs_setattr_nonsize in fs/xfs/xfs_iops.c. By sending a specially-crafted system call, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165865 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-18198
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a reference count usage error in the fib6_rule_suppress function in the fib6 suppression feature of net/ipv6/fib6_rules.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to corrupt the memory resulting in a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169685 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-15505
DESCRIPTION: Linux Kernel could allow a physical attacker to obtain sensitive information, caused by an out-of-bounds read flaw in technisat-usb2.c. By using a specially-crafted USB device, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition on the system.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165745 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

CVEID: CVE-2019-15504
DESCRIPTION: Linux Kernel could allow a physical attacker to execute arbitrary code on the system, caused by a double free flaw in rsi_91x_usb.c. By using a specially-crafted USB device, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165744 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-15902
DESCRIPTION: Linux Kernel could provide weaker than expected security, caused by a backporting error. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166561 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-19602
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory corruption in fpregs_state_valid in arch/x86/include/asm/fpu/internal.h. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172692 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-14898
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition in between mmget_not_zero()/get_task_mm() and core dumping. By using a specially-crafted system call, a local authenticated attacker could exploit this vulnerability to cause the system to crash or obtain sensitive information.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175727 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H)

CVEID: CVE-2019-18282
DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by a device tracking vulnerability in flow_dissector feature. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174716 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+-------------------------------+----------------+
|Affected Product(s)            |Version(s)      |
+-------------------------------+----------------+
|IBM Spectrum Protect Plus      |10.1.0-10.1.5   |
+-------------------------------+----------------+

Remediation/Fixes

+------------------+---------------+----------+-------------------------------------------------------+
|Spectrum Protect  |First Fixing   |Platform  |Link to Fix                                            |
|Plus Release      |VRM Level      |          |                                                       |
+------------------+---------------+----------+-------------------------------------------------------+
|10.1              |10.1.5 patch1  |Linux     |http://www.ibm.com/support/docview.wssuid=ibm11072392  |
+------------------+---------------+----------+-------------------------------------------------------+

Workarounds and Mitigations

None

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================