
More Security Advisories in the News...

SecureCRT | OpenSSL | PHP | XDR libraries | Flash Player

Joyce Winslow
jwins@oregon.uoregon.edu

SecureCRT 2.x, 3.x, and 4.0 (SSH1 connections only)

This vulnerability, which could allow attackers to execute arbitrary code on the machine where SecureCRT resides, is specific to SSH1 connections. SSH2 server connections are considerably more secure, and users are urged to migrate to SSH2 as soon as possible. VanDyke Software, which designs SecureCRT, recommends that all users of versions 2.x and 3.x upgrade immediately.

Get the fix: To get a full description of the vulnerability and links to the appropriate fixes, go to
http://www.vandyke.com/products/securecrt/security07-25-02.html

OpenSSL

Several potentially serious vulnerabilities have been found in the versions of OpenSSL listed below. (Note that 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not affected.) The security holes leave systems open to remote attack and buffer overflow.

These flaws affect OpenSSL 0.9.6d or earlier, 0.9.7-beta2 or earlier, and current development snapshots of 0.9.7 when used to provide SSL or TLS (whether as client or server). It is probable that SSLeay is also vulnerable.

Details of this security advisory are available at http://www.openssl.org/news/secadv_20020730.txt

Remedies:

PHP 4.2.0 and 4.2.1 (all platforms)

This vulnerability has the potential to allow attackers to compromise the web server and gain privileged access.

Remedy: Upgrade to PHP 4.2.2, which incorporates a fix for this flaw. You may download the updated version from http://www.php.net/downloads.php, or get it from one of PHP's mirror sites at http://www.php.net/mirrors.php

XDR libraries flaw affects Windows, Mac, Linux

Security watchdog CERT recently reported a flaw in SunRPC-derived XDR libraries, a widely used communications technology from Sun Microsystems. The flaw also affects the administration system of Kerberos 5, another commonly used authentication tool.

Although the library was originally distributed by Sun Microsystems, many other vendors have vulnerable code in their own implementations. Systems affected thus far include Mac OS X, Red Hat, Debian, FreeBSD, Sun, and NetBSD.

Possible exploits of this vulnerability include denial of service, execution of arbitrary code, or exposure of sensitive information.

For details, see CERT® Advisory CA-2002-25: "Integer Overflow In XDR Library" at http://www.cert.org/advisories/CA-2002-25.html

Remedies:

Apply the patch from your vendor, or obtain updated XDR/RPC libraries (links to these are on the CERT advisory site at http://www.cert.org/advisories/CA-2002-25.html ).

Restart dynamically linked services that use XDR/RPC libraries.

Recompile statically linked applications using the patched or updated XDR/RPC libraries.

Disable all services that are not explicitly required.
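As an added illustration (not code from CERT, Sun, or any of the affected vendors), the following C example shows the class of defect the advisory's title names: an element count read from untrusted input and multiplied by an element size in 32-bit arithmetic can wrap to a small value, so too little memory is set aside for the data that follows. The checked decoder rejects such counts before anything is allocated. The wire layout assumed here (a big-endian 32-bit count followed by the elements), the function names, and all sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 32-bit element count, as XDR encodes one. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The unsafe pattern: multiply in 32-bit arithmetic with no check.
 * 0x40000001 elements of 4 bytes wraps to 4, so a tiny buffer would be
 * allocated for a huge claimed count. Kept only to make the purpose of
 * the check below visible; not for use in real code. */
uint32_t unchecked_bytes32(uint32_t count, uint32_t elsize) {
    return count * elsize;
}

/* Safe size computation: refuse any count whose byte size would wrap.
 * Returns 1 and stores the size on success, 0 (and size 0) on overflow. */
int checked_bytes(uint32_t count, size_t elsize, size_t *out) {
    if (elsize != 0 && count > SIZE_MAX / elsize) { *out = 0; return 0; }
    *out = (size_t)count * elsize;
    return 1;
}

/* Decode the header of an XDR-style variable-length array from an
 * untrusted buffer. Returns the accepted element count, or -1 if the
 * count (a) would overflow when multiplied by elsize, (b) exceeds the
 * caller's own maximum, or (c) does not fit in the bytes that follow. */
int64_t decode_array_count(const unsigned char *buf, size_t buflen,
                           size_t elsize, uint32_t maxcount) {
    size_t nbytes;
    if (buflen < 4) return -1;
    uint32_t count = be32(buf);
    if (count > maxcount) return -1;
    if (!checked_bytes(count, elsize, &nbytes)) return -1;
    if (nbytes > buflen - 4) return -1;
    return (int64_t)count;
}

int main(void) {
    /* Constructed message: count 3, then three 4-byte elements. */
    static const unsigned char msg[16] = {0,0,0,3, 1,2,3,4, 5,6,7,8, 9,10,11,12};
    printf("wrapped size for 0x40000001 x 4: %u\n", unchecked_bytes32(0x40000001u, 4u));
    printf("accepted count: %lld\n", (long long)decode_array_count(msg, sizeof msg, 4, 100));
    return 0;
}
```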

Upgrade to avoid Flash Player security flaws

Last August, Macromedia warned that older versions of its Flash Player software, estimated to appear on 90 percent of all PCs, have a security flaw that could allow hackers to execute malicious code on Windows and UNIX-based operating systems. The flaw can be exploited in any program that employs an embedded Flash file, creating a buffer overflow in the Flash Player itself.

The latest versions of Flash Player are not vulnerable. You can download the latest versions for all platforms from Macromedia's download site at http://www.macromedia.com/shockwave/download/alternates/

For more details, see Matthew Broersma's article in ZDNet, "Flash flooded by security flaws" at
http://zdnet.com.com/2100-1104-949344.html


Fall 2002 Computing News | Computing Center Home Page