
AST-2009-008: SIP responses expose valid usernames

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | All versions prior to 1.2.35    |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|

AST-2009-005: Remote Crash Vulnerability in SIP channel driver

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.34 |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.4.x    | All versions prior to        |
   |                            |            | 1.4.26.1                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.0.x   | All versions prior to        |

AST-2009-006: IAX2 Call Number Resource Exhaustion

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.2.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|

AST-2009-009: Cross-site AJAX request vulnerability

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|

AST-2009-010: RTP Remote Crash Vulnerability

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.2.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|

project announcement - oCERT - Open Source CERT

Hi everyone,

We are pleased to announce a new project called oCERT, the Open Source
Computer Emergency Response Team.

The oCERT project is a public effort providing security handling support to
Open Source projects affected by security incidents or vulnerabilities, just
like national CERTs offer services for their respective countries.


AST-2009-002: Remote Crash Vulnerability in SIP channel driver

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Not affected                    |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | Versions 1.4.22, 1.4.23,        |
   |                            |         | 1.4.23.1                        |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.6   |

AST-2009-001: Information leak in IAX2 authentication

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | All versions prior to 1.2.31    |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to           |
   |                            |         | 1.4.23-rc4                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.6.x  | All versions prior to           |

AST-2009-003: SIP responses expose valid usernames

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.32 |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.4.x    | All versions prior to        |
   |                            |            | 1.4.24.1                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.0.x   | All versions prior to        |

AST-2008-010: Asterisk IAX 'POKE' resource exhaustion

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.30                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |

AST-2008-006 - 3-way handshake in IAX2 incomplete

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            |  Release   |                           |
   |                               |   Series   |                           |
   |-------------------------------+------------+---------------------------|
   |     Asterisk Open Source      |   1.0.x    | All versions              |
   |-------------------------------+------------+---------------------------|
   |     Asterisk Open Source      |   1.2.x    | All versions prior to     |
   |                               |            | 1.2.28                    |
   |-------------------------------+------------+---------------------------|
   |     Asterisk Open Source      |   1.4.x    | All versions prior to     |

Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts

1 Methodology
____________________________________________________
For our analysis we used popular and well-known PHP forum scripts with file
uploading functions. We did not survey scripts like bbPress and Vanilla,
which require plugins for file uploading.

In Open Source scripts, we analysed the code to find out about the
safeguards in place; the closed source scripts vB and WBB* were not analysed
on the source-code level.

We notified all vendors on April 30th. Vendors, who had not replied,

AST-2007-026 - SQL Injection issue in cdr_pgsql

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release    |                      |
   |                                  |    Series    |                      |
   |----------------------------------+--------------+----------------------|
   |       Asterisk Open Source       |    1.0.x     | All versions         |
   |----------------------------------+--------------+----------------------|
   |       Asterisk Open Source       |    1.2.x     | 1.2.24 and previous  |
   |----------------------------------+--------------+----------------------|
   |       Asterisk Open Source       |    1.4.x     | 1.4.14 and previous  |
   |----------------------------------+--------------+----------------------|

Security, Open Source Style

Today we are excited to announce another community initiative: the Open
Source Software Security community (oss-security). This project is an
ongoing effort to manage security information in Open Source software by
building on the collaborative foundation of the open source model.

The purpose of oss-security is to encourage public discussion of security
flaws, concepts, and practices in the open source community.  We don't want
to simply be an information clearinghouse, or to replace any of the current
security lists and groups.  The goal is to fill an existing vacuum by
encouraging active participation of those interested in the ideas and

AST-2007-027 - Database matching order permits host-based authentication to be ignored

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | All versions prior to       |
   |                            |             | 1.2.26                      |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | All versions prior to       |

AST-2008-011: Traffic amplification in IAX2 firmware provisioning system

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.30                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |

AST-2008-005: HTTP Manager ID is predictable

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | All versions prior to       |
   |                            |             | 1.4.19-rc3                  |

AST-2011-001: Stack buffer overflow in SIP channel driver

   |            | strings passed to the URIENCODE dialplan function should  |
   |            | be limited in this manner.                                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.2.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.8.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     C.x.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |           AsteriskNOW            |      1.5       | All versions       |
   +------------------------------------------------------------------------+

AST-2011-005: File Descriptor Resource Exhaustion

   |            | systems can be protected by disabling the vulnerable      |
   |            | services in their respective configuration files.         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |    1.6.1.x     | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |    1.6.2.x     | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.8.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     C.x.x      | All versions       |
   +------------------------------------------------------------------------+


AST-2011-006: Asterisk Manager User Shell Access

   +------------------------------------------------------------------------+
   | Resolution | Asterisk now performs the proper access check where       |
   |            | appropriate during the originate manager action.          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |    1.6.1.x     | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |    1.6.2.x     | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.8.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     C.x.x      | All versions       |
   +------------------------------------------------------------------------+


AST-2009-004: Remote Crash Vulnerability in RTP stack

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
   |-------------------------------+----------------+-----------------------|

[oCERT-2009-003] LittleCMS integer errors

#2009-003 LittleCMS integer errors

Description:

LittleCMS, an open source color management engine, suffers from several
integer errors that result in stack-based buffer overflows, various heap
errors and memory leaks. Decoding a specially crafted image file results in
unexpected process termination (a denial-of-service condition) or, via the
stack-based overflow, arbitrary code execution.
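As an added illustration of the bug class named in this advisory (this is not LittleCMS code and does not reproduce the actual oCERT-2009-003 flaws), the block below shows the two shapes of integer error that turn into memory corruption in a decoder for a made-up file format: a pixel-buffer size computed in 32-bit arithmetic that wraps to a tiny allocation, and a 32-bit bounds check that wraps so an attacker-supplied entry count would overrun a fixed-size stack array. Each naive form sits beside its hardened form. The header layout, MAX_ENTRIES, the function names and the sample buffers are all invented for the example; the naive bounds check is exposed as a pure predicate so the example runs without actually corrupting the stack.

```c
/*
 * Added example: integer errors in a decoder for an invented file format.
 * Not LittleCMS code; header layout, MAX_ENTRIES and samples are made up.
 */
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 256

/* Big-endian 32-bit read, the usual shape of a header field in such files. */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Integer error 1: the pixel-buffer size is computed in 32-bit arithmetic
 * from attacker-controlled dimensions, so the product wraps and the decoder
 * allocates far less than it will later write into.
 */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/*
 * Hardened form: every multiplication is checked before it is performed.
 * Returns 1 and stores the size on success, 0 when the product does not fit
 * in size_t (a malformed file the caller must reject).
 */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    size_t acc;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)
        return 0;
    acc = (size_t)width * height;
    if (acc > SIZE_MAX / bpp)
        return 0;
    *out = acc * bpp;
    return 1;
}

/*
 * Integer error 2: a table of "count" 16-bit entries follows a 4-byte count
 * field. The naive bounds check multiplies in 32 bits, so count 0x80000001
 * makes count * 2 wrap to 2 and the check passes although the entries are
 * not in the buffer; a copy loop trusting it would run off the end of a
 * 256-entry stack array. Returns the verdict only (1 = accept), no copy.
 */
int naive_table_check(uint32_t count, size_t len)
{
    return (size_t)(4 + count * 2) <= len;   /* count * 2 wraps in uint32_t */
}

/* Hardened check: bound the count by the array first, then by the data. */
int checked_table_check(uint32_t count, size_t len)
{
    if (count > MAX_ENTRIES)
        return 0;
    return (size_t)4 + (size_t)count * 2 <= len;
}

/*
 * Parse the table using the hardened check. Returns the entry count and
 * fills *table on success, -1 when the file is rejected.
 */
int parse_table(const uint8_t *buf, size_t len, uint16_t table[MAX_ENTRIES])
{
    uint32_t count, i;
    if (len < 4)
        return -1;
    count = rd32(buf);
    if (!checked_table_check(count, len))
        return -1;
    for (i = 0; i < count; i++)
        table[i] = (uint16_t)((buf[4 + 2 * i] << 8) | buf[5 + 2 * i]);
    return (int)count;
}

/* Constructed sample inputs for the example, not real files. */
static const uint8_t GOOD[] = { 0, 0, 0, 2, 0x12, 0x34, 0xAB, 0xCD };
static const uint8_t EVIL[] = { 0x80, 0, 0, 1, 0x00, 0x00 }; /* count 0x80000001 */

int main(void)
{
    uint16_t t[MAX_ENTRIES];
    size_t n;
    printf("naive   4294967295x4294967295x4 -> %u bytes (wrapped)\n",
           (unsigned)naive_pixel_bytes(0xFFFFFFFFu, 0xFFFFFFFFu, 4));
    printf("checked 4294967295x4294967295x4 -> %s\n",
           checked_pixel_bytes(0xFFFFFFFFu, 0xFFFFFFFFu, 4, &n) ? "ok" : "rejected");
    printf("good table: %d entries\n", parse_table(GOOD, sizeof GOOD, t));
    printf("evil table: naive check %s, hardened parse %d\n",
           naive_table_check(rd32(EVIL), sizeof EVIL) ? "accepts" : "rejects",
           parse_table(EVIL, sizeof EVIL, t));
    return 0;
}
```

The hardened checks use the division form (`a > SIZE_MAX / b`) because it is portable C; on GCC and Clang `__builtin_mul_overflow` expresses the same test in one call. The point to carry over to real decoders is that every size or count taken from the file must be bounded against both the destination buffer and the remaining input before any arithmetic on it is trusted.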


[oCERT-2009-014] Android denial-of-service issues

#2009-014 Android denial-of-service issues

Description:

Android, an open source mobile phone platform, is affected by two bugs
that lead to denial-of-service (DoS) conditions.

Two separate DoS issues have been independently reported to oCERT.

The most recent report concerns Android handling of SMS messages: a

AST-2009-007: ACL not respected on SIP INVITE

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
   |-------------------------------+----------------+-----------------------|

In search of examples of malicious source code

I am currently working on a research project and designing an application specifically aimed at locating malicious logic embedded in source code (C/C++ for now, other languages will be addressed later). As a test of the future implementation I would like to use as many real-life examples of code as possible. Anything that was known to have been compromised, had a backdoor, easter egg, or other forms of malicious or undesired logic would make a good test, or at least be a 'more fair' test than anything I might write myself.

Because those malicious versions of Open Source projects are usually taken offline just as soon as the incident is discovered, I am having a difficult time in tracking down the specific examples that I am currently aware of. I therefore would like to ask if anyone out there knows of any collection/repository of malicious source code? If not, does anyone have suggestions on specific version numbers of Open Source projects (or available proprietary code) that I should be looking for across all the various Internet archives?

Thanks in advance!

btw - Just to keep this thread even remotely on topic the answer is yes, I am well aware that you cannot prove a negative. So, we don't need to go there. ;)

AST-2010-001: T.38 Remote Crash Vulnerability

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |      C.3       | All versions       |
   +------------------------------------------------------------------------+


Vtiger CRM 5.0.4 Multiple Vulnerabilities

 Author            Francesco "ascii" Ongaro (ascii AT ush DOT it)
 Date              20090818

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.

II. DESCRIPTION


AST-2010-002: Dialplan injection vulnerability

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |           Product            | Release Series |                        |
   |------------------------------+----------------+------------------------|
   |     Asterisk Open Source     |     1.2.x      | All versions           |
   |------------------------------+----------------+------------------------|
   |     Asterisk Open Source     |     1.4.x      | All versions           |
   |------------------------------+----------------+------------------------|
   |     Asterisk Open Source     |     1.6.x      | All versions           |
   |------------------------------+----------------+------------------------|

Re: In search of examples of malicious source code

> code as possible. Anything that was known to have been compromised, had a
> backdoor, easter egg, or other forms of malicious or undesired logic would
> make a good test, or at least be a 'more fair' test than anything I might
> write myself.
>
> Because those malicious versions of Open Source projects are usually taken
> off line just as soon as the incident is discovered, I am having a
> difficult time in tracking down the specific examples that I am currently
> aware of. I therefore would like to ask if anyone out there knows of any
> collection/repository of malicious source code? If not, does anyone have
> suggestions on specific version numbers of Open Source projects (or

AST-2007-021: Crash from invalid/corrupted MIME bodies when using voicemail with IMAP storage

   +------------------------------------------------------------------------+
   | Resolution | Since this is a minor issue, a new release is not         |
   |            | immediately planned. However, the issue will be fixed in  |
   |            | Asterisk Open Source version 1.4.12 when it is released.  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
