This vulnerability impacts only Linux and HP platforms.
Status and Recommendation:
The most prudent course of action for affected customers is to
download and apply the corrective maintenance. However, updates
are provided only for the following releases: 2.6 and r3
Important: Customers using products that embed an earlier version
of Ingres r3 should upgrade Ingres to the release that is
currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX
concrete and specific details about availability of fixes by Wednesday,
October 24th. An up to date copy of the security advisory provided for
comments and suggested workarounds.
2007-10-23: Email from Lotus Notes Security indicating that a ticket had
been opened with Autonomy and that since this is a client-side issue the
fix would be provided in one of the future maintenance releases of the
Lotus Notes client. Ongoing work with Autonomy needs to continue before
being able to confirm when the fix will be rolled into the product.
2007-10-23: Email from Core’s advisory team with follow up questions to
Lotus Notes Security: 1. Is it official policy to include fixes to
client-side vulnerabilities in maintenance releases? 2. What is the
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
from several stack-based overflows as well as insecure temporary file handling.
Affected version:
Unfortunately mimeTeX and mathTeX are provided without version numbers by the
maintainer, who releases version-less zip archives. It is therefore impossible
to provide affected version numbers.
Fixed version:
At the release time for this advisory both versions available on the maintainer
CVE: CVE-2009-2265
Timeline:
2009-05-03: vulnerability report received
2009-05-04: contacted fckeditor maintainer
2009-05-25: maintainer denies reported issues against latest version
2009-05-25: reporter confirms that latest version is affected
2009-06-21: maintainer forwards report to project security maintainer
2009-06-23: security maintainer confirms CurrentFolder vulnerability
2009-06-24: security maintainer provides patch
<http://memcached.googlecode.com/files/memcached-1.2.8.tar.gz>. The
official release announcement can be viewed at
<http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e>.
The maintainer of MemcacheDB claimed to fix the issue in the
code repository, but unfortunately, has not released a stable
package containing it (see section V below for details). In the
meantime, the following unofficial patch can be applied to the
source tree of MemcacheDB v1.2.0:
function used in the tiff2rgba tool and the tiffcvt function used in the
rgb2ycbcr tool do not properly validate the width and height of the image.
Specific TIFF images with large width and height can be crafted to trigger the
vulnerability.
A patch has been made available by the maintainer and further improved by Tom
Lane of Red Hat.
Affected version:
libtiff <= 3.8.2, <= 3.9 (stable), <= 4.0 (development)
* Cisco System Unified Contact Center Enterprise (SUCCE)
To determine the version of software installed on the Administration
Workstation (AW), navigate to the Add or Remove Programs window on
the Windows Server. If impacted, an entry for Cisco ICM Maintenance
Release ICM 7.1(5) will be observable in the list of installed
applications.
Products Confirmed Not Vulnerable
CVE: CVE-2009-2294
Timeline:
2009-05-21: vulnerability report received
2009-06-18: contacted dillo maintainer
2009-06-18: maintainer requests PoC
2009-06-19: PoC is supplied
2009-06-19: maintainer provides patch
2009-06-24: revised patch is provided after reporter feedback
2009-06-25: patch is confirmed, maintainer requests one week of time to
* Cisco Unified Communications Manager 5.x
* Cisco Unified Communications Manager 6.x
* Cisco Unified Communications Manager 7.x
Note: Cisco Unified Communications Manager version 5.1 reached the
End of Software Maintenance on February 13, 2010. For customers using
Cisco Unified Communications Manager 5.x versions, please contact
your Cisco support team for assistance in upgrading to a supported
version of Cisco Unified Communications Manager.
Products Confirmed Not Vulnerable
* SCCP Inspection Denial of Service Vulnerability
* Crafted IKE Message Denial of Service Vulnerability
* NTLMv1 Authentication Bypass Vulnerability
Because the Cisco PIX 500 Series Security Appliances reached End of
Software Maintenance Releases on July 28, 2009, no further software
releases will be available for the Cisco PIX 500 Series Security
Appliances. Cisco PIX 500 Series Security Appliances customers are
encouraged to migrate to Cisco ASA 5500 Series Adaptive Security
Appliances or to implement any applicable workarounds that are listed
in the "Workarounds" section of this advisory. Fixed software is
Software Versions and Fixes
===========================
This vulnerability is fixed in Cisco Unified MeetingPlace Web
Conferencing software version 6.0(517.0) also known as Maintenance
Release 4 (MR4) for the 6.0 release, and version 7.0(2) also known as
Maintenance Release 1 (MR1) for the 7.0 release.
The latest versions of Cisco MeetingPlace software can be downloaded
from:
Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the
CVE-2009-0733 (lack of upper-bound checks on size)
Timeline:
2009-02-13: vulnerability report and patch received
2009-02-16: contacted littlecms maintainer
2009-02-16: oCERT investigated for other potential affected projects
2009-02-20: maintainer provides updated patch
2009-02-20: reporter provides new patch fixing memory leak
2009-02-21: maintainer provides fixed beta version
2009-02-23: reporter confirms fixes
During an audit of the MapServer v5.2.1 source code, five (5)
vulnerabilities were identified ranging from low to medium/high
severity. They include stack and heap overflows, a relative path
writing weakness, a file content leakage, as well as a file existence
leakage. Furthermore, after reporting these issues to the vendor, a
second audit by the project maintainer not only determined that v4.10.3
was also affected, but that four (4) additional stack overflows existed
in the code as well.
> >> As a workaround, one could try to manually replace zlib32.dll in a Windows
> >> GSView 4.8 installation with the current zlib1.dll version 1.2.3.
>
> [...]
>
> > Unfortunately the maintainer of GSview chose not to reply to my bug
> > report, which included a question about the source of the ZLIB32.DLL.
>
> The maintainer finally replied to the last of my three attempts to
> contact him (very timely, regarding the different timezones we are in):
>
This vulnerability can be addressed by applying the appropriate
Software Maintenance Upgrade (SMU), per the table below.
Installation of the appropriate SMU does not require a system
reload. Refer to the document "Guidelines for Cisco IOS XR Software"
Unified MeetingPlace version 6.x that could be used to access and
configure the Cisco Unified MeetingPlace Audio Server systems.
MeetingTime classifies users as either end users, contacts,
attendants, or system administrators.
The end-of-software maintenance for MeetingPlace version 5.3 occurred
in April 2009. End-of-sale and end-of-life details are available at:
http://cco-rtp-1.cisco.com/en/US/prod/collateral/voicesw/ps6789/ps5664/ps5669/prod_end-of-life_notice0900aecd806e743c.html
Products Confirmed Not Vulnerable
Autonomous System Number Vulnerabilities" disclosed on 2009 July 29 at
1600 UTC at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Cisco is preparing to release a free Software Maintenance Upgrade (SMU)
that addresses this vulnerability. This advisory will be updated once
the SMU is available.
A workaround that mitigates this vulnerability is available.
Software Versions and Fixes
===========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
This vulnerability has been corrected in the following CiscoWorks Common
Services software patch:
The following list contains the first fixed software release of each
vulnerability:
For more information on the terms "Rebuild" and "Maintenance," consult
the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml