Runtime Library

[security bulletin] HPSBOV02364 SSRT080078 rev.3 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01539423
Version: 3

HPSBOV02364 SSRT080078 rev.3 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-09-24
Last Updated: 2008-09-24

[security bulletin] HPSBOV02364 SSRT080078 rev.2 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01539423
Version: 2

HPSBOV02364 SSRT080078 rev.2 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-09-17
Last Updated: 2008-09-17

[security bulletin] HPSBOV02364 SSRT080078 rev.1 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01539423
Version: 1

HPSBOV02364 SSRT080078 rev.1 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-09-10
Last Updated: 2008-09-10

Code to mitigate IE STYLE zero-day

//     rows of ****'s) into the new .def file
// 12. Build -> Configuration Manager; for "Active solution
//     configuration", choose "Release"
// 13. For maximum portability, Project -> Properties,
//     Configuration Properties: C/C++: Code Generation: set
//     "Runtime Library" to "Multi-threaded (/MT)"; this will
//     keep iebsfix1.dll from requiring MSVCR*.DLL
// 14. (While you're in there, Project -> Properties,
//     Configuration Properties: Linker: Input, and make sure
//     that "Module Definition File" contains "iebsfix1.def")
// 15. Build -> Build Solution

[SECURITY] [DSA 1931-1] New NSPR packages fix several vulnerabilities

Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-1563 CVE-2009-2463

Several vulnerabilities have been discovered in the Netscape Portable
Runtime Library, which may lead to the execution of arbitrary code. The 
Common Vulnerabilities and Exposures project identifies the following 
problems:

CVE-2009-1563


[SECURITY] [DSA 2036-1] New jasper packages fix denial of service

Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-2721
Debian Bug     : 528543

It was discovered that the JasPer JPEG-2000 runtime library allowed an
attacker to create a crafted input file that could lead to denial of
service and heap corruption.

Besides addressing this vulnerability, this update also addresses a
regression introduced in the security fix for CVE-2008-3521, applied

Re: CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities

checked version 2.3.6, and it does return NULL on overflow.  There is,
however, a different version of calloc that GDB sees, but this is not
the real one invoked by application code.

On Windows, this bug depends on the Microsoft Visual C++ run-time
library.  As a result, it's not completely determined by the Windows
version alone.

By the way, the similar operator new[] issue that has been reported in
conjunction with that calloc issue:


rPSA-2009-0119-1 apr apr-util

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412

Description:
    Previous versions of the Apache Portable Runtime library (apr)
    and the Apache Portable Utility library (apr-util) allow remote
    attackers to cause a denial of service or possibly execute
    arbitrary code.

http://wiki.rpath.com/Advisories:rPSA-2009-0119

[SECURITY] [DSA-2117-1] New apr-util packages fix denial of service

Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-1623

APR-util is part of the Apache Portable Runtime library which is used
by projects such as Apache httpd and Subversion.

Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
in apr-util. A remote attacker could send crafted http requests to
cause a greatly increased memory consumption in Apache httpd, resulting



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.