-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.2340
JSA11023 - 2020-07 Security Bulletin: Junos Space and Junos Space Security Director: Multiple vulnerabilities resolved in 20.1R1 release
9 July 2020
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise                 -- Existing Account
                   Increased Privileges            -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1652 CVE-2019-3863 CVE-2019-3862 CVE-2019-3857
                   CVE-2019-3856 CVE-2019-3855 CVE-2019-0211 CVE-2018-1000613
                   CVE-2018-1000180 CVE-2018-1000021 CVE-2018-19486 CVE-2018-16881
                   CVE-2018-11235 CVE-2018-11233 CVE-2018-5382 CVE-2018-5360
                   CVE-2018-3639 CVE-2017-1000117 CVE-2017-15298 CVE-2017-14867
                   CVE-2017-13098 CVE-2017-12588 CVE-2017-9935 CVE-2017-7895
                   CVE-2016-1000352 CVE-2016-1000346 CVE-2016-1000345 CVE-2016-1000344
                   CVE-2016-1000343 CVE-2016-1000342 CVE-2016-1000341 CVE-2016-1000339
                   CVE-2016-1000338 CVE-2016-9555 CVE-2016-6663 CVE-2016-6662
                   CVE-2016-6136 CVE-2016-5616 CVE-2016-5314 CVE-2016-4449
                   CVE-2016-4448 CVE-2016-4447 CVE-2016-3991 CVE-2016-3990
                   CVE-2016-3945 CVE-2016-3705 CVE-2016-3632 CVE-2016-3627
                   CVE-2016-3621 CVE-2016-2324 CVE-2016-1840 CVE-2016-1839
                   CVE-2016-1838 CVE-2016-1837 CVE-2016-1836 CVE-2016-1835
                   CVE-2016-1834 CVE-2016-1833 CVE-2016-1762 CVE-2016-0787
                   CVE-2015-7940 CVE-2015-7547 CVE-2015-7545 CVE-2015-7082
                   CVE-2015-1782 CVE-2015-1421 CVE-2015-1159 CVE-2015-1158
                   CVE-2014-9938 CVE-2014-9679 CVE-2014-9584 CVE-2014-9529
                   CVE-2014-8884 CVE-2014-8171 CVE-2014-7826 CVE-2014-7825
                   CVE-2014-3690 CVE-2014-3683 CVE-2014-3634 CVE-2014-3215
                   CVE-2013-4758 CVE-2013-4244 CVE-2013-4243 CVE-2013-4232
                   CVE-2013-1961 CVE-2013-1960 CVE-2013-1624 CVE-2013-0169
                   CVE-2012-5581 CVE-2012-4564 CVE-2012-4447 CVE-2012-3401
                   CVE-2012-2113 CVE-2012-2088 CVE-2012-1173 CVE-2011-3200
                   CVE-2011-1167 CVE-2011-0192 CVE-2010-2067 CVE-2010-2065
                   CVE-2010-1411 CVE-2009-5022 CVE-2009-2347 CVE-2008-2327
                   CVE-2006-2656 CVE-2006-2193

Reference:         ESB-2019.2561 ESB-2019.0130 ESB-2017.0091

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11023

- --------------------------BEGIN INCLUDED TEXT--------------------

2020-07 Security Bulletin: Junos Space and Junos Space Security Director: Multiple vulnerabilities resolved in 20.1R1 release

Article ID  : JSA11023
Last Updated: 08 Jul 2020
Version     : 4.0

Product Affected:
This issue affects Junos Space. This issue affects Junos Space Security Director.

Problem:
Multiple vulnerabilities have been resolved in the Junos Space and Junos Space Security Director 20.1R1 release by updating third party software included with Junos Space and Junos Space Security Director or by fixing vulnerabilities found during internal testing.

These issues affect: Juniper Networks Junos Space and Junos Space Security Director versions prior to 20.1R1.

These issues affect:
Juniper Networks Junos Space versions prior to 20.1R1.
Juniper Networks Junos Space Security Director versions prior to 20.1R1.

These issues were discovered during external security research.

Important security issues resolved include:

CVE: CVE-2018-3639
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Summary: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

CVE: CVE-2019-0211
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary: In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

CVE: CVE-2014-3215
CVSS: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Summary: seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges.

CVE: CVE-2014-3690
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Summary: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU.

CVE: CVE-2014-7825
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Summary: kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.

CVE: CVE-2014-7826
CVSS: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Summary: kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.

CVE: CVE-2014-8171
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Summary: The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.

CVE: CVE-2014-8884
CVSS: 6.1 (AV:L/AC:L/Au:N/C:P/I:P/A:C)
Summary: Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.

CVE: CVE-2014-9529
CVSS: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Summary: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.

CVE: CVE-2014-9584
CVSS: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Summary: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.

CVE: CVE-2014-9679
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow.

CVE: CVE-2015-1158
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary: The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

CVE: CVE-2015-1159
CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Summary: Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.

CVE: CVE-2015-1421
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary: Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data.

CVE: CVE-2015-7547
CVSS: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

CVE: CVE-2016-1762
CVSS: 8.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
Summary: The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.

CVE: CVE-2016-1833
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.

CVE: CVE-2016-1834
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

CVE: CVE-2016-1835
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: Use-after-free vulnerability in the xmlSAX2AttributeNs function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to cause a denial of service via a crafted XML document.

CVE: CVE-2016-1836
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service via a crafted XML document.

CVE: CVE-2016-1837
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote attackers to cause a denial of service via a crafted XML document.

CVE: CVE-2016-1838
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.

CVE: CVE-2016-1839
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.

CVE: CVE-2016-1840
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

CVE: CVE-2016-3627
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary: The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.

CVE: CVE-2016-3705
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.

CVE: CVE-2016-4447
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary: The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.

CVE: CVE-2016-4448
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.

CVE: CVE-2016-4449
CVSS: 7.1 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
Summary: XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

CVE: CVE-2016-5616
Summary: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-6663. Reason: This candidate is a reservation duplicate of CVE-2016-6663. Notes: All CVE users should reference CVE-2016-6663 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE: CVE-2016-6136
CVSS: 4.7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
Summary: Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability.

CVE: CVE-2016-6662
CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

CVE: CVE-2016-6663
CVSS: 7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary: Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.

CVE: CVE-2016-9555
CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.

CVE: CVE-2017-7895
CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.

CVE: CVE-2006-2193
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary: Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.

CVE: CVE-2006-2656
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary: Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.

CVE: CVE-2008-2327
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.

CVE: CVE-2009-2347
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Summary: Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.

CVE: CVE-2009-5022
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF before 3.9.5 allows remote attackers to execute arbitrary code via a crafted TIFF file.

CVE: CVE-2010-1411
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow.

CVE: CVE-2010-2065
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow.

CVE: CVE-2010-2067
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.

CVE: CVE-2011-0192
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Summary: Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF Internet Fax image file that has been compressed using CCITT Group 4 encoding, related to the EXPAND2D macro in libtiff/tif_fax3.h. NOTE: some of these details are obtained from third party information.

CVE: CVE-2011-1167
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.

CVE: CVE-2012-1173
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.

CVE: CVE-2012-2088
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary: Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.

CVE: CVE-2012-2113
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.

CVE: CVE-2012-3401
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow.

CVE: CVE-2012-4447
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format.

CVE: CVE-2012-4564
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow.

CVE: CVE-2012-5581
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image.

CVE: CVE-2013-1960
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Summary: Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file.

CVE: CVE-2013-1961
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Summary: Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file.

CVE: CVE-2013-4232
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image.

CVE: CVE-2013-4243
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted height and width values in a GIF image.

CVE: CVE-2013-4244
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image.

CVE: CVE-2016-3621
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c lzw" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.

CVE: CVE-2016-3632
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image.

CVE: CVE-2016-3945
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write.

CVE: CVE-2016-3990
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp.

CVE: CVE-2016-3991
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles.

CVE: CVE-2016-5314
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr.

CVE: CVE-2017-9935
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.

CVE: CVE-2018-5360
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.

CVE: CVE-2019-3855
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVE: CVE-2015-1782
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.

CVE: CVE-2019-3856
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVE: CVE-2019-3857
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVE: CVE-2019-3863
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: A flaw was found in libssh2 before 1.8.1. A server could send multiple keyboard interactive response messages whose total length is greater than unsigned char max characters. This value is used as an index to copy memory, causing an out of bounds memory write error.

CVE: CVE-2019-3862
CVSS: 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Summary: An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVE: CVE-2016-0787
CVSS: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Summary: The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."

CVE: CVE-2015-7082
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary: Multiple unspecified vulnerabilities in Git before 2.5.4, as used in Apple Xcode before 7.2, have unknown impact and attack vectors. NOTE: this CVE is associated only with Xcode use cases.

CVE: CVE-2016-2324
CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.

CVE: CVE-2017-14867
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

CVE: CVE-2015-7545
CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.

CVE: CVE-2018-19486
CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.

CVE: CVE-2018-1000021
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: GIT version 2.15.1 and earlier contains an Input Validation Error vulnerability in Client that can result in problems ranging from messing up terminal configuration to RCE. This attack appears to be exploitable when the user interacts with a malicious git server (or has their traffic modified in a MITM attack).

CVE: CVE-2017-1000117
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

CVE: CVE-2014-9938
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

CVE: CVE-2018-11235
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Summary: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

CVE: CVE-2018-11233
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Summary: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.

CVE: CVE-2017-15298
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.

CVE-2018-5382: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS-V1 keystore. All BKS-V1 keystores are vulnerable. Bouncy Castle release 1.47 introduces BKS version 2, which uses a 160-bit MAC.

CVE-2018-1000613: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key, which can include references to unexpected classes that will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

CVE-2016-1000344: 7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

CVE-2016-1000352: 7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

CVE-2015-7940: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
CVE-2016-1000342: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

CVE-2016-1000343: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

CVE-2016-1000339: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

CVE-2016-1000338: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

CVE-2016-1000341: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to a timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

CVE-2016-1000346: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

CVE-2016-1000345: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

CVE-2017-13098: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
CVE-2013-1624: 4.0 AV:N/AC:H/Au:N/C:P/I:P/A:N
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2014-3634: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access.

CVE-2017-12588: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.

CVE-2013-4758: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Double free vulnerability in the writeDataError function in the ElasticSearch plugin (omelasticsearch) in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted JSON response.

CVE-2011-3200: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message.

CVE-2014-3683: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Integer overflow in rsyslog before 7.6.7 and 8.x before 8.4.2 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash) via a large priority (PRI) value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3634.

CVE-2018-16881: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash. Versions before 8.27.0 are vulnerable.

CVE-2018-1000180: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have fewer M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

CVE-2020-1652: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
OpenNMS is exposed via port 9443

Solution:

The following software releases have been updated to resolve this specific issue: Junos Space and Junos Space Security Director 20.1R1, and all subsequent releases.

These issues are being tracked as 1482263, 1482261, 1482255, 1482253, 1482133, 1482130 and 1233680.

Workaround:

There are no workarounds for these issues.

To reduce the risk of exploitation of these issues, use access lists or firewall filters to limit access to Junos Space to only trusted administrative networks, hosts and users.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

2020-07-08: Initial Publication.

CVSS Score:

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Severity Level:

Critical

Severity Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================