Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following upgrades to resolve the vulnerability.
The updates are available using ftp.
Location
User Name / Password
| | attacker may flood a victim site with unwanted firmware |
| | packets. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Workaround | The only device which used this firmware upgrade |
| | procedure was the IAXy ATA device, and the last firmware |
| | upgrade was more than 18 months ago. It is unlikely that |
| | any IAXy devices in use today still need the last |
| | firmware upgrade. Therefore, deleting the firmware image |
| | from the directory where it is served from and sending a |
Workaround / Fix:
-----------------
- Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above
- Disable the web interface until a firmware upgrade is installed
Timeline:
---------
Vendor Notified: March 19, 2009
Windows
NNM_01198 or subsequent
OV NNM v7.51
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:
Host
Account
Password
Windows
NNM_01197 or subsequent
OV NNM v7.51
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:
Host
Account
Password
Windows
NNM_01201 or subsequent
OV NNM v7.51
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:
Host
Account
Password
Windows
NNM_01203 or subsequent
OV NNM v7.51
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:
Host
Account
Password
VMware ESX 3.0.3 without patch ESX303-200904403-SG,
VMware ESX 3.0.2 without patch ESX-1008421.
NOTE: General Support for Workstation version 5.x ended on 2009-03-19.
Users should plan to upgrade to the latest Workstation version
6.x release.
Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08.
Users should plan to upgrade to ESX 3.0.3 and preferably to the
newest release available.
Cisco WebEx meeting service. The Cisco WebEx meeting service
automatically downloads, installs, and configures Meeting Manager the
first time a user begins or joins a meeting.
When users connect to the WebEx meeting service, the WebEx Meeting
Manager is automatically upgraded to the latest version. There is a
manual workaround available for users who are not able to connect to
the WebEx meeting service.
Cisco WebEx is in the process of upgrading the meeting service
infrastructure with fixed versions of the affected file.
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
Note that this security update changes BIND network behavior in a
fundamental way, and the following steps are recommended to ensure a
smooth upgrade.
1. Make sure that your network configuration is compatible with source
port randomization. If you guard your resolver with a stateless packet
filter, you may need to make sure that no non-DNS services listen on
updated packages will attempt to update the bind policy module on
systems where it had been previously loaded and where the previous
version of refpolicy was 0.0.20061018-5 or below.
Because the Debian refpolicy packages are not yet designed with
policy module upgradeability in mind, and because SELinux-enabled
Debian systems often have some degree of site-specific policy
customization, it is difficult to assure that the new bind policy can
be successfully upgraded. To this end, the package upgrade will not
abort if the bind policy update fails. The new policy module can be
found at /usr/share/selinux/refpolicy-targeted/bind.pp after
There is no known workaround at this time.
Resolution
==========
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.9"
All Mozilla Firefox binary users should upgrade to the latest version:
There is no known workaround at this time.
Resolution
==========
All Poppler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.6.1-r1"
All KPDF users should upgrade to the latest version:
exception 1 IDLE error.
This vulnerability is documented in Cisco bug ID CSCsh57876.
In normal operations, the MSFC CLI handles the management of the CSM
and CSM-S; however, in order to upgrade the software, a user must
first log into the switch and session to the module.
For more information on how to upgrade your CSM, visit the
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080094526.shtml
page on Cisco.com.
fixed in the Bugzilla code:
* Even with account creation disabled, users can use the WebService to
create an account.
We strongly advise that 2.23.x and 3.0.x users upgrade to 3.0.2
immediately. Users of CVS HEAD or 3.1.1 should upgrade to 3.1.2
immediately. This is critical if you have a "requirelogin" installation
and also have the WebService enabled.
-> OV NNM v7.50
===========
HP-UX (PA)
Upgrade to NNM v7.51 and install PHSS_36385 or subsequent
HP-UX (IA)
Upgrade to NNM v7.51 and install PHSS_36386 or subsequent
Solaris
Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
in apr-util. A remote attacker could send crafted http requests to
cause a greatly increased memory consumption in Apache httpd, resulting
in a denial of service.
This upgrade fixes this issue. After the upgrade, any running apache2
server processes need to be restarted.
For the stable distribution (lenny), this problem has been fixed in
version 1.2.12+dfsg-8+lenny5.
is vulnerable if it is multi-threaded and uses OpenSSL's internal caching
mechanism. In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround) are NOT
affected.
This upgrade fixes this issue. After the upgrade, any services using the
openssl libraries need to be restarted. The checkrestart script from the
debian-goodies package or lsof can help to find out which services need
to be restarted.
A note to users of the tor packages from the Debian backports or Debian
a. vCenter Server and vCenter Update Manager update Microsoft
SQL Server 2005 Express Edition to Service Pack 3
Microsoft SQL Server 2005 Express Edition (SQL Express)
distributed with vCenter Server 4.1 Update 1 and vCenter Update
Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2
to SQL Express Service Pack 3, to address multiple security
issues that exist in the earlier releases of Microsoft SQL Express.
Customers using other database solutions need not update for
these issues.
File type: .iso
MD5SUM: d68d6c2e040a87cd04cd18c04c22c998
SHA1SUM: bbaacc0d34503822c14f6ccfefb6a5b62d18ae64
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.1)
File type: .zip
MD5SUM: 2f1e009c046b20042fae3b7ca42a840f
SHA1SUM: 1c9c644012dec657a705ddd3d033cbfb87a1fab1
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.0)
DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following upgrade to resolve this vulnerability. The upgrade is to provide support for the deployment of Rational Clearcase on a system with HP-UX Containers.
The upgrade can be retrieved from
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HP-UX-SRP
HP-UX Containers (SRP)
Solution
users to create an account.
* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
lead to the creation of unwanted bug reports and attachments.
All affected installations are encouraged to upgrade as soon as
possible.
Vulnerability Details
=====================
of Cisco Digital Media Manager:
+-------------------------------------------------------------------+
| Version | Remediation |
|-------------------+-----------------------------------------------|
| 5.2.1 | Upgrade to 5.2.2.1 |
|-------------------+-----------------------------------------------|
| 5.2.1.1 | Upgrade to 5.2.2.1 |
|-------------------+-----------------------------------------------|
| 5.2.2 | Upgrade to 5.2.2.1 |
|-------------------+-----------------------------------------------|
CVE-2009-4143
A malicious client could cause polipo to crash by sending a large
Content-Length value.
This upgrade also fixes some other bugs that could lead to a daemon crash
or an infinite loop and may be triggerable remotely.
For the stable distribution (lenny), these problems have been fixed in
version 1.0.4-1+lenny1.
-------------------------
The ACTi Web Configurator 3.0 for ACTi IP Surveillance Cameras contains a directory traversal vulnerability within the cgi-bin directory. An unauthenticated remote attacker can use this vulnerability to retrieve arbitrary files that are located outside the root of the web server.
Solution Description
--------------------
The production of the cameras employing this version of the ACTi Web Configurator have been discontinued. However, a firmware upgrade which addresses the issue is available for download from the ACTi support team. Please contact the ACTi support team to retrieve the firmware upgrade and instructions on how to apply the changes.
Tested Systems / Software
-------------------------
ACTi Web Configurator 3.0 - camera version unknown
for both read and write access. The hard-coded community names are
"public" and "private."
Cisco recommends that all administrators deploy the mitigation
measures outlined in the Workarounds section or perform a Cisco IOS
Software upgrade.
Cisco has released free software updates that address this
vulnerability.
Workarounds that mitigate this vulnerability are available.
For the stable distribution (lenny), these problems have been fixed in
version 1.8.2.dfsg-3+lenny3.
For the oldstable distribution (etch), there are no fixed packages
available and it is too hard to backport many of the fixes. Therefore,
we recommend to upgrade to the lenny version.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.8.2.dfsg-6.
firefox 3.6.6+nobinonly-0ubuntu0.10.04.1
xulrunner-1.9.2 1.9.2.6+nobinonly-0ubuntu0.10.04.1
Mozilla has changed the support model for Firefox and they no longer
support version 3.0 of the browser. As a result, Ubuntu is providing an
upgrade to Firefox 3.6 for Ubuntu 8.04 LTS users, which is the most current
stable release of Firefox supported by Mozilla. When upgrading, users
should be aware of the following:
- Firefox 3.6 does not support version 5 of the Sun Java plugin. Please use
icedtea-java7-plugin or sun-java6-plugin instead.
Description:
Data retrieved from the database was used directly when forming the HTML output. This allowed an attacker to enter HTML in many of the input fields and have it used when the field was later displayed to a user. Data is now suitably encoded to make it safe for inclusion in HTML.
Mitigation:
Hyperic HQ Open Source users should upgrade to Hyperic HQ 4.2
Hyperic HQ Enterprise 4.1.x users may upgrade to Hyperic Enterprise 4.2 or 4.1.2.1
Hyperic HQ Enterprise 4.0.x users may upgrade to Hyperic Enterprise 4.2 or 4.0.3.2
Users of any earlier version should upgrade 4.2
Example: