Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2492 Security update for SUSE Manager Client Tools 22 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: SUSE Manager Tools 15 SUSE OpenStack Cloud SUSE Linux Enterprise Server SUSE Enterprise Storage Publisher: SUSE Operating System: SUSE Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Denial of Service -- Existing Account Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-13379 CVE-2020-12245 CVE-2019-15043 CVE-2019-10215 Reference: ESB-2020.2315 ESB-2020.2302 ESB-2020.1508 ESB-2019.4276 Original Bulletin: https://www.suse.com/support/update/announcement/2020/suse-su-20201970-1 https://www.suse.com/support/update/announcement/2020/suse-su-20201972-1 Comment: This bulletin contains two (2) SUSE security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1970-1 Rating: moderate References: #1113160 #1134195 #1138822 #1141661 #1142038 #1143913 #1148177 #1153090 #1153277 #1154940 #1154968 #1155372 #1163871 #1165921 #1168310 #1170231 #1170557 #1171687 #1172462 Cross-References: CVE-2019-10215 CVE-2019-15043 CVE-2020-12245 CVE-2020-13379 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Manager Tools 12 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves four vulnerabilities and has 15 fixes is now available. Description: This update fixes the following issues: cobbler: o Calculate relative path for kernel and inited when generating grub entry (bsc#1170231) Added: fix-grub2-entry-paths.diff o Fix os-release version detection for SUSE Modified: sles15.patch o Jinja2 template library fix (bsc#1141661) o Removes string replace for textmode fix (bsc#1134195) golang-github-prometheus-node_exporter: o Update to 0.18.1 * [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD #1345 * [BUGFIX] Fix rollover bug in mountstats collector #1364 * Renamed interface label to device in netclass collector for consistency with * other network metrics # 1224 * The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. #1248 * The labels for the network_up metric have changed, see issue #1236 * Bonding collector now uses mii_status instead of operstatus #1124 * Several systemd metrics have been turned off by default to improve performance #1254 * These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds * The systemd collector blacklist now includes automount, device, mount, and slice units by default. #1255 * [CHANGE] Bonding state uses mii_status # 1124 * [CHANGE] Add a limit to the number of in-flight requests #1166 * [CHANGE] Renamed interface label to device in netclass collector #1224 * [CHANGE] Add separate cpufreq and scaling metrics #1248 * [CHANGE] Several systemd metrics have been turned off by default to improve performance # 1254 * [CHANGE] Expand systemd collector blacklist #1255 * [CHANGE] Split cpufreq metrics into a separate collector #1253 * [FEATURE] Add a flag to disable exporter metrics #1148 * [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors #1197 * [FEATURE] Add uname collector for FreeBSD #1239 * [FEATURE] Add diskstats collector for OpenBSD #1250 * [FEATURE] Add pressure collector exposing pressure stall information for Linux #1174 * [FEATURE] Add perf exporter for Linux #1274 * [ENHANCEMENT] Add Infiniband counters #1120 * [ENHANCEMENT] Add TCPSynRetrans to netstat default filter #1143 * [ENHANCEMENT] Move network_up labels into new metric network_info #1236 * [ENHANCEMENT] Use 64-bit counters for Darwin netstat * [BUGFIX] Add fallback for missing /proc/1/mounts #1172 * [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks #1326 o Add network-online (Wants and After) dependency to systemd unit bsc#1143913 golang-github-prometheus-prometheus: o Update change log and spec file + Modified spec file: default to golang 1.14 to avoid "have choice" build issues in OBS. + Rebase and update patches for version 2.18.0 + Changed: * 0002-Default-settings.patch Changed o Update to 2.18.0 + Features * Tracing: Added experimental Jaeger support # 7148 + Changes * Federation: Only use local TSDB for federation (ignore remote read). #7096 * Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094 + Enhancements * TSDB: Significantly reduce WAL size kept around after a block cut. #7098 * Discovery: Add `architecture` meta label for EC2. #7000 + Bug fixes * UI: Fixed wrong MinTime reported by /status. #7182 * React UI: Fixed multiselect legend on OSX. #6880 * Remote Write: Fixed blocked resharding edge case. #7122 * Remote Write: Fixed remote write not updating on relabel configs change. #7073 o Changes from 2.17.2 + Bug fixes * Federation: Register federation metrics # 7081 * PromQL: Fix panic in parser error handling #7132 * Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138 * TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135 * TSDB: Make isolation more robust to panics in web handlers #7129 #7136 o Changes from 2.17.1 + Bug fixes * TSDB: Fix query performance regression that increased memory and CPU usage #7051 o Changes from 2.17.0 + Features * TSDB: Support isolation #6841 * This release implements isolation in TSDB. API queries and recording rules are guaranteed to only see full scrapes and full recording rules. This comes with a certain overhead in resource usage. Depending on the situation, there might be some increase in memory usage, CPU usage, or query latency. + Enhancements * PromQL: Allow more keywords as metric names #6933 * React UI: Add normalization of localhost URLs in targets page #6794 * Remote read: Read from remote storage concurrently #6770 * Rules: Mark deleted rule series as stale after a reload #6745 * Scrape: Log scrape append failures as debug rather than warn #6852 * TSDB: Improve query performance for queries that partially hit the head #6676 * Consul SD: Expose service health as meta label #5313 * EC2 SD: Expose EC2 instance lifecycle as meta label #6914 * Kubernetes SD: Expose service type as meta label for K8s service role #6684 * Kubernetes SD: Expose label_selector and field_selector #6807 * Openstack SD: Expose hypervisor id as meta label # 6962 + Bug fixes * PromQL: Do not escape HTML-like chars in query log #6834 #6795 * React UI: Fix data table matrix values #6896 * React UI: Fix new targets page not loading when using non-ASCII characters #6892 * Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018 * Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998 * Scrape: Prevent removal of metric names upon relabeling #6891 * Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986 * Scrape: Fix crash when reloads are separated by two scrape intervals #7011 o Changes from 2.16.0 + Features * React UI: Support local timezone on /graph #6692 * PromQL: add absent_over_time query function #6490 * Adding optional logging of queries to their own file #6520 + Enhancements * React UI: Add support for rules page and "Xs ago" duration displays #6503 * React UI: alerts page, replace filtering togglers tabs with checkboxes #6543 * TSDB: Export metric for WAL write errors #6647 * TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651 * PromQL: Refactoring in parser errors to improve error messages #6634 * PromQL: Support trailing commas in grouping opts #6480 * Scrape: Reduce memory usage on reloads by reusing scrape cache #6670 * Scrape: Add metrics to track bytes and entries in the metadata cache #6675 * promtool: Add support for line-column numbers for invalid rules output #6533 * Avoid restarting rule groups when it is unnecessary #6450 + Bug fixes * React UI: Send cookies on fetch() on older browsers #6553 * React UI: adopt grafana flot fix for stacked graphs #6603 * React UI: broken graph page browser history so that back button works as expected #6659 * TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616 * TSDB: return an error on ingesting series with duplicate labels #6664 * PromQL: Fix unary operator precedence #6579 * PromQL: Respect query.timeout even when we reach query.max-concurrency # 6712 * PromQL: Fix string and parentheses handling in engine, which affected React UI #6612 * PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493 * Scrape: Validate that OpenMetrics input ends with `# EOF` #6505 * Remote read: return the correct error if configs can't be marshal'd to JSON #6622 * Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673 * Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511 * Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693 o Changes from 2.15.2 + Bug fixes * TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564 * TSDB: Fixed block compaction issues on Windows. #6547 o Changes from 2.15.1 + Bug fixes * TSDB: Fixed race on concurrent queries against same data. #6512 o Changes from 2.15.0 + Features * API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442 + Changes * Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393 * Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043 + Enhancements * TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461 * TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475 * TSDB: Improve replay latency. #6230 * TSDB: WAL size is now used for size based retention calculation. #5886 * Remote read: Added query grouping and range hints to the remote read request #6401 * Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344 * promql: Improved PromQL parser performance. #6356 * React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements. * promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065 + Bug fixes * Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455 * Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378 * Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469 * API: Targets Metadata API `/ targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303 o Changes from 2.14.0 + Features * API: `/api/v1/status/runtimeinfo` and `/ api/v1/status/buildinfo` endpoints added for use by the React UI. #6243 * React UI: implement the new experimental React based UI. #5694 and many more * Can be found by under `/new`. * Not all pages are implemented yet. * Status: Cardinality statistics added to the Runtime & Build Information page. #6125 + Enhancements * Remote write: fix delays in remote write after a compaction. #6021 * UI: Alerts can be filtered by state. #5758 + Bug fixes * Ensure warnings from the API are escaped. #6279 * API: lifecycle endpoints return 403 when not enabled. #6057 * Build: Fix Solaris build. # 6149 * Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270 * Remote write: restore use of deduplicating logger in remote write. #6113 * Remote write: do not reshard when unable to send samples. #6111 * Service discovery: errors are no longer logged on context cancellation. #6116, #6133 * UI: handle null response from API properly. #6071 o Changes from 2.13.1 + Bug fixes * Fix panic in ARM builds of Prometheus. # 6110 * promql: fix potential panic in the query logger. #6094 * Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145 o Changes from 2.13.0 + Enhancements * Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254 * Include the tsdb tool in builds. #6089 * Service discovery: add new node address types for kubernetes. #5902 * UI: show warnings if query have returned some warnings. #5964 * Remote write: reduce memory usage of the series cache. #5849 * Remote read: use remote read streaming to reduce memory usage. #5703 * Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787 * Promtool: show the warnings during label query. #5924 * Promtool: improve error messages when parsing bad rules. #5965 * Promtool: more promlint rules. #5515 + Bug fixes * UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2019-102 15). #6098 * Promtool: fix recording inconsistency due to duplicate labels. # 6026 * UI: fixes service-discovery view when accessed from unhealthy targets. # 5915 * Metrics format: OpenMetrics parser crashes on short input. #5939 * UI: avoid truncated Y-axis values. #6014 - -------------------------------------------------------------------------------- SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1972-1 Rating: moderate References: #1113160 #1138822 #1142038 #1148177 #1153090 #1153277 #1154940 #1154968 #1155372 #1163871 #1165921 #1168310 #1170231 #1170557 #1170824 #1171687 #1172462 Cross-References: CVE-2019-10215 CVE-2019-15043 CVE-2020-12245 CVE-2020-13379 Affected Products: SUSE Manager Tools 15 ______________________________________________________________________________ An update that solves four vulnerabilities and has 13 fixes is now available. Description: This update fixes the following issues: dracut-saltboot: o Print a list of available disk devices (bsc#1170824) o Install wipefs to initrd o Force install crypt modules golang-github-prometheus-prometheus: o Update change log and spec file + Modified spec file: default to golang 1.14 to avoid "have choice" build issues in OBS. + Rebase and update patches for version 2.18.0 o Update to 2.18.0 + Features * Tracing: Added experimental Jaeger support # 7148 + Changes * Federation: Only use local TSDB for federation (ignore remote read). #7096 * Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094 + Enhancements * TSDB: Significantly reduce WAL size kept around after a block cut. #7098 * Discovery: Add `architecture` meta label for EC2. #7000 + Bug fixes * UI: Fixed wrong MinTime reported by /status. #7182 * React UI: Fixed multiselect legend on OSX. #6880 * Remote Write: Fixed blocked resharding edge case. #7122 * Remote Write: Fixed remote write not updating on relabel configs change. #7073 o Changes from 2.17.2 + Bug fixes * Federation: Register federation metrics # 7081 * PromQL: Fix panic in parser error handling #7132 * Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138 * TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135 * TSDB: Make isolation more robust to panics in web handlers #7129 #7136 o Changes from 2.17.1 + Bug fixes * TSDB: Fix query performance regression that increased memory and CPU usage #7051 o Changes from 2.17.0 + Features * TSDB: Support isolation #6841 * This release implements isolation in TSDB. API queries and recording rules are guaranteed to only see full scrapes and full recording rules. This comes with a certain overhead in resource usage. Depending on the situation, there might be some increase in memory usage, CPU usage, or query latency. + Enhancements * PromQL: Allow more keywords as metric names #6933 * React UI: Add normalization of localhost URLs in targets page #6794 * Remote read: Read from remote storage concurrently #6770 * Rules: Mark deleted rule series as stale after a reload #6745 * Scrape: Log scrape append failures as debug rather than warn #6852 * TSDB: Improve query performance for queries that partially hit the head #6676 * Consul SD: Expose service health as meta label #5313 * EC2 SD: Expose EC2 instance lifecycle as meta label #6914 * Kubernetes SD: Expose service type as meta label for K8s service role #6684 * Kubernetes SD: Expose label_selector and field_selector #6807 * Openstack SD: Expose hypervisor id as meta label # 6962 + Bug fixes * PromQL: Do not escape HTML-like chars in query log #6834 #6795 * React UI: Fix data table matrix values #6896 * React UI: Fix new targets page not loading when using non-ASCII characters #6892 * Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018 * Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998 * Scrape: Prevent removal of metric names upon relabeling #6891 * Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986 * Scrape: Fix crash when reloads are separated by two scrape intervals #7011 o Changes from 2.16.0 + Features * React UI: Support local timezone on /graph #6692 * PromQL: add absent_over_time query function #6490 * Adding optional logging of queries to their own file #6520 + Enhancements * React UI: Add support for rules page and "Xs ago" duration displays #6503 * React UI: alerts page, replace filtering togglers tabs with checkboxes #6543 * TSDB: Export metric for WAL write errors #6647 * TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651 * PromQL: Refactoring in parser errors to improve error messages #6634 * PromQL: Support trailing commas in grouping opts #6480 * Scrape: Reduce memory usage on reloads by reusing scrape cache #6670 * Scrape: Add metrics to track bytes and entries in the metadata cache #6675 * promtool: Add support for line-column numbers for invalid rules output #6533 * Avoid restarting rule groups when it is unnecessary #6450 + Bug fixes * React UI: Send cookies on fetch() on older browsers #6553 * React UI: adopt grafana flot fix for stacked graphs #6603 * React UI: broken graph page browser history so that back button works as expected #6659 * TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616 * TSDB: return an error on ingesting series with duplicate labels #6664 * PromQL: Fix unary operator precedence #6579 * PromQL: Respect query.timeout even when we reach query.max-concurrency # 6712 * PromQL: Fix string and parentheses handling in engine, which affected React UI #6612 * PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493 * Scrape: Validate that OpenMetrics input ends with `# EOF` #6505 * Remote read: return the correct error if configs can't be marshal'd to JSON #6622 * Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673 * Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511 * Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693 o Changes from 2.15.2 + Bug fixes * TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564 * TSDB: Fixed block compaction issues on Windows. #6547 o Changes from 2.15.1 + Bug fixes * TSDB: Fixed race on concurrent queries against same data. #6512 o Changes from 2.15.0 + Features * API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442 + Changes * Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393 * Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043 + Enhancements * TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461 * TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475 * TSDB: Improve replay latency. #6230 * TSDB: WAL size is now used for size based retention calculation. #5886 * Remote read: Added query grouping and range hints to the remote read request #6401 * Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344 * promql: Improved PromQL parser performance. #6356 * React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements. * promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065 + Bug fixes * Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455 * Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378 * Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469 * API: Targets Metadata API `/ targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303 o Changes from 2.14.0 + Features * API: `/api/v1/status/runtimeinfo` and `/ api/v1/status/buildinfo` endpoints added for use by the React UI. #6243 * React UI: implement the new experimental React based UI. #5694 and many more * Can be found by under `/new`. * Not all pages are implemented yet. * Status: Cardinality statistics added to the Runtime & Build Information page. #6125 + Enhancements * Remote write: fix delays in remote write after a compaction. #6021 * UI: Alerts can be filtered by state. #5758 + Bug fixes * Ensure warnings from the API are escaped. #6279 * API: lifecycle endpoints return 403 when not enabled. #6057 * Build: Fix Solaris build. # 6149 * Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270 * Remote write: restore use of deduplicating logger in remote write. #6113 * Remote write: do not reshard when unable to send samples. #6111 * Service discovery: errors are no longer logged on context cancellation. #6116, #6133 * UI: handle null response from API properly. #6071 o Changes from 2.13.1 + Bug fixes * Fix panic in ARM builds of Prometheus. # 6110 * promql: fix potential panic in the query logger. #6094 * Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145 o Changes from 2.13.0 + Enhancements * Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254 * Include the tsdb tool in builds. #6089 * Service discovery: add new node address types for kubernetes. #5902 * UI: show warnings if query have returned some warnings. #5964 * Remote write: reduce memory usage of the series cache. #5849 * Remote read: use remote read streaming to reduce memory usage. #5703 * Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787 * Promtool: show the warnings during label query. #5924 * Promtool: improve error messages when parsing bad rules. #5965 * Promtool: more promlint rules. #5515 + Bug fixes * UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2019-102 15). #6098 * Promtool: fix recording inconsistency due to duplicate labels. # 6026 * UI: fixes service-discovery view when accessed from unhealthy targets. # 5915 * Metrics format: OpenMetrics parser crashes on short input. #5939 * UI: avoid truncated Y-axis values. #6014 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXxfCrONLKJtyKPYoAQiQFw/5Af/dxu7F4JDVAaKfxq/EDZoFKH6GtuZv cPoeuvKJWcUBxv4UdItj563q3olZ61GdXb79BBiN7UW7WnebEwhlM1DVXYL6zFXR xZULVi6OqpjneghA+LQJy8MLSleK3IeLIDUQEiMLobobNFRGAa0+FcMxBuqev00b uLBWjOQXIj9y8u1V+xrhd6B3llJJaIBgH+XgSkxlRfJ+zss2Adbt756CSSkU9f3U kb/5j+9G15g23pem7etTsIhHo+dXFcFWPhPjh9DaqLNJ3alvkAGhbnBS4lyqQXLe S3Rt6VlxLvl3PuFgFo235LBarNZFymhBE1WwAua1zBMgxxzfXPgyH4y46zvYJtKz lZH/P0jQy6a253EFmNHkOVIdFj0dfT3FlQcN8ZDqbvI82dghUSclJGWgIri5muIK lkCmkdxlFbGRRDlyDCiZoilFXkOisFtqKAo+1EoZA0Huy6j3sDDIHz0mZlGFIlWs 3OcwNyW4v5cZHxk2VXj1WgHp9/qkxGFu5YGfhXRHUm8qW4Dgr4oImiY8lSln/Vxv AFprH9pA+RABe4xfbSeYWPfopilddfF85IErfI+cxZpLlp+54Kx422DBLxGy8BN5 qMldCn/5SOIMRB/KLqFpza7pijtuTzR4K5D+bLnFwp8Gf46m749piBwKdkzWpeVG 8xoBHSWRrfI= =YiA2 -----END PGP SIGNATURE-----