----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0001
Synopsis: VMware ESXi and ESX updates to third party library
and ESX Service Console
Issue date: 2012-01-30
Updated on: 2012-01-30 (initial advisory)
CVE numbers: --- COS Kernel ---
user interaction).
AOL's "Classic AIM 5.9" is an official alternative client for nostalgic
users and is not vulnerable due to the fact that instead of using MSHTML
to render HTML it appears to include limited rendering functionality
either provided by a third party library or homebrew code. Although there
is no guarantee that its implementation lacks vulnerabilities, in our
tests it did prevent the attack vectors described in this advisory. So
is the case for AOL's AOL 6.5.3.12 which although it is embedding an
Internet Explorer server control in the message window, could not be
exploited during our tests.
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0012
Synopsis: VMware ESXi and ESX updates to third party libraries
and ESX Service Console
Issue date: 2011-10-12
Updated on: 2011-10-12 (initial release of advisory)
CVE numbers: --- COS Kernel ---
CVE-2010-1083, CVE-2010-2492, CVE-2010-2798,
. 2009-08-27:
Core requests a status update from HP SSRT.
. 2009-08-27:
HP SSRT informs Core that the vulnerabilities are in third-party code
and that the third-party vendor has been notified but there isn't a
schedule for fixes yet. HP SSRT indicates that it is sure HP will not
have a solution ready by September 7th.
. 2009-08-27:
CVE-2005-1238 05/02/2005 By design, the built-in FTP server for iSeries
AS/400 systems does not support a restricted document root, which allows
attackers to read or write arbitrary files, including sensitive QSYS
databases, via a full pathname in a GET or PUT request.
CVE-2005-1239 05/02/2005 Directory traversal vulnerability in the third
party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1240 04/20/2005 Directory traversal vulnerability in the third
party tool from Castlehill, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0003
Synopsis: Third party component updates for VMware vCenter
Server, vCenter Update Manager, ESXi and ESX
Issue date: 2011-02-10
Updated on: 2011-02-10 (initial release of advisory)
CVE numbers: --- Apache Tomcat ---
CVE-2009-2693 CVE-2009-2901 CVE-2009-2902
desktop client in conjunction with IBM’s Lotus Domino server application.
The email functionality of Lotus Notes supports previewing and processing
file attachments in various formats. To preview and process files in the
Lotus Worksheet File format (WKS) used by Lotus 1-2-3 the email client
uses a library from a third-party software vendor (Autonomy’s Verity
KeyView SDK). Several buffer overflow vulnerabilities were found in the
third-party library used by Lotus Notes to process Lotus 1-2-3 file
attachments.
These vulnerabilities could allow attackers to remotely execute arbitrary
configured to utilize Microsoft dial-up networking to launch a dial-up
networking dialog box. This action may allow users to elevate their
privileges.
This vulnerability has been addressed by requiring that the configuration
option "Allow launching of third party applications before logon," which
is located in the "Windows Logon Properties" dialog box (available under
Options-> Windows Logon Properties...), be enabled to use, from the
Windows logon screen, a VPN profile that is configured for Microsoft
Dial-Up Networking.
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0013
Synopsis: VMware third party component updates for VMware vCenter
Server, vCenter Update Manager, ESXi and ESX
Issue date: 2011-10-27
Updated on: 2011-10-27 (initial release of advisory)
CVE numbers: --- openssl ---
CVE-2008-7270 CVE-2010-4180
AFFECTED SOFTWARE
=================
CVE-2010-1324
Kerberos application client and server software (including third-party
applications) using GSS-API libraries from MIT releases krb5-1.7 and
newer are vulnerable to the DES GSS-API issue if they use GSS-API for
integrity protection of unencrypted messages.
Kerberos application server software (including third-party
______________________________________________________________________
-------------------------- NSOADV-2010-008 ---------------------------
AnNoText Third-Party ActiveX Control Buffer Overflow
______________________________________________________________________
______________________________________________________________________
optimizing site selection, improving Domain Name System (DNS)
responsiveness, and ensuring data center availability.
The GSS is inserted into the traditional DNS hierarchy and is closely
integrated with the Cisco CSS, Cisco Content Switching Module (CSM),
or third-party server load balancers (SLBs) to monitor the health and
load of the SLBs in customers' data centers. The GSS uses this
information and user-specified routing algorithms to select the
best-suited and least-loaded data center in real time.
A vulnerability exists in the GSS when processing a specific sequence
______________________________________________________________________
-------------------------- NSOADV-2010-009 ---------------------------
AnNoText Third-Party ActiveX Control file overwrite vulnerability
______________________________________________________________________
______________________________________________________________________
vulnerability.
Details
=======
The Cisco Application Extension Platform (AXP) allows third-party applications
to be hosted on Cisco Integrated Services Routers (ISR). A privilege escalation
vulnerability exists in the command-line interface of the tech support
diagnostic shell that may allow an authenticated user to obtain complete
administrative access to a vulnerable Cisco AXP module. The tech support shell is
accessed using the "techsupport support shell" command.
Description:
All Spyce sample scripts that return client-supplied input back to the
browser are vulnerable to XSS. It is also possible to redirect users to
third-party sites and obtain the webroot path by not submitting required
parameters to certain scripts.
Note: tested on Spyce - Python Server Pages version 2.1.3
Summary
=======
Cisco Security Agent is affected by vulnerabilities that could allow
an unauthenticated attacker to perform remote code execution on the
affected device. These vulnerabilities are in a third-party library
(Oracle Outside In) and are documented in CERT-CC Vulnerability Note
VU#520721 at http://www.kb.cert.org/vuls/id/520721
Cisco has released free software updates that address this
vulnerability.
> I'm asking, with genuine interest and a listening ear, what is the best
> long term
> solution you envision, to solve the larger problem?
Apparently the long term solution is for third-party apps to point blame at
Microsoft, and for Microsoft to point blame at third-party apps. They are
both right except in absolving themselves.
To start with this problem does not exist under IE6, regardless of
third-party protocol handler vulnerability. So the question is, why did it
KJK::Hyperion wrote:
> Since this issue is a great big rats nest, I promise a third-party patch
> for it by tomorrow. Deal?
And "tomorrow" turned out to be "whenever it's done". Here it is, have a
temporary, third-party patch for CVE-2007-3896, by yours truly:
<http://spacebunny.xepher.net/hack/shellexecutefiasco/>
----
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
- -------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should