CVE-2006-3738
CVSS 10.0
Published: 2006-09-28 14:07:00
Last revised: 2013-08-23 01:21:54

[Original] Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.


[CNNVD] OpenSSL 'SSL_get_shared_ciphers()' function buffer overflow vulnerability (CNNVD-200609-536)

        OpenSSL is an open-source implementation of SSL that provides strong encryption for network communications and is widely used in networked applications.
        The SSL_get_shared_ciphers() function in OpenSSL contains a buffer overflow in its handling of the length of the shared cipher list it writes into the caller's buffer. A remote attacker can send a cipher list to an application that calls this function to trigger the overflow, potentially executing arbitrary code. Only applications that themselves call SSL_get_shared_ciphers() are exposed.
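The following C program is an added illustration, not OpenSSL's source and not code from CNNVD or any advisory on this page. It models the bug class the description above points at: a routine that copies cipher names into a caller-supplied buffer of `len` bytes and appends a ':' after each name without charging that separator against `len`. Each cipher that fits therefore lets the peer write one more byte past the end of the buffer, which is why the MITRE text singles out "a long list of ciphers". The cipher names, the buffer sizes, the function names (`join_ciphers_flawed`, `join_ciphers_fixed`, `bytes_clobbered`, `fixed_join_equals`) and the canary harness are all constructed here; the fixed variant shows the accounting any caller-buffer API needs (room for the name plus its separator or terminator, checked before the copy, never after).

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample list (not taken from any real handshake): the kind
 * of names a peer's negotiated cipher list would contain. */
static const char *SAMPLE_CIPHERS[] = {
    "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA", "AES256-SHA", "AES128-SHA",
    "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5", "EXP-RC4-MD5",
};
enum { SAMPLE_COUNT = 8 };

/* FLAWED model of the bug class (illustration, not OpenSSL's code):
 * `len` is charged for every name byte copied, but never for the ':'
 * appended after each name, and the closing '\0' is written after the
 * last charge. Every cipher that fits buys one byte past the end of
 * `buf`, so a long list turns an off-by-one into an off-by-many.
 * Returns the string length written. */
int join_ciphers_flawed(const char **names, int n, char *buf, int len)
{
    char *p = buf;
    if (len < 2) return -1;
    if (n <= 0) { *buf = '\0'; return 0; }
    for (int i = 0; i < n; i++) {
        for (const char *cp = names[i]; *cp; ) {
            if (len-- == 0) {           /* out of room: terminate and stop */
                *p = '\0';
                return (int)(p - buf);
            }
            *p++ = *cp++;
        }
        *p++ = ':';                     /* BUG: never charged against len */
    }
    p[-1] = '\0';                       /* turn the trailing ':' into the terminator */
    return (int)(p - buf) - 1;
}

/* FIXED: before copying a name, require room for the whole name plus one
 * byte for its ':' (or, for the last name, the '\0'); otherwise cut the
 * list at the previous separator. Never touches buf[len] or beyond. */
int join_ciphers_fixed(const char **names, int n, char *buf, int len)
{
    char *p = buf;
    if (len < 2) return -1;
    if (n <= 0) { *buf = '\0'; return 0; }
    for (int i = 0; i < n; i++) {
        size_t k = strlen(names[i]);
        if (k + 1 > (size_t)len) {
            if (p != buf) --p;          /* drop the ':' after the last name that fit */
            *p = '\0';
            return (int)(p - buf);
        }
        memcpy(p, names[i], k);
        p += k;
        *p++ = ':';
        len -= (int)(k + 1);
    }
    p[-1] = '\0';
    return (int)(p - buf) - 1;
}

typedef int (*joiner_fn)(const char **, int, char *, int);

/* Run a joiner against a guarded buffer: `len` usable bytes followed by a
 * canary region filled with 0xAA. Returns how many canary bytes changed,
 * i.e. how far the joiner wrote past the end it was told about. */
int bytes_clobbered(joiner_fn join, const char **names, int n, int len)
{
    unsigned char backing[256];
    if (len < 2 || len > 128) return -1;
    memset(backing, 0xAA, sizeof backing);
    join(names, n, (char *)backing, len);
    int clobbered = 0;
    for (size_t i = (size_t)len; i < sizeof backing; i++)
        if (backing[i] != 0xAA) clobbered++;
    return clobbered;
}

/* Join the sample list with the fixed joiner into a `len`-byte buffer and
 * compare with `expected`; returns 1 if equal. */
int fixed_join_equals(int len, const char *expected)
{
    char out[128];
    if (len < 2 || len > (int)sizeof out) return 0;
    join_ciphers_fixed(SAMPLE_CIPHERS, SAMPLE_COUNT, out, len);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    int room = 64;          /* the full sample list needs 101 bytes */
    printf("flawed joiner wrote %d byte(s) past a %d-byte buffer\n",
           bytes_clobbered(join_ciphers_flawed, SAMPLE_CIPHERS, SAMPLE_COUNT, room), room);
    printf("fixed joiner wrote  %d byte(s) past a %d-byte buffer\n",
           bytes_clobbered(join_ciphers_fixed, SAMPLE_CIPHERS, SAMPLE_COUNT, room), room);
    char out[64];
    join_ciphers_fixed(SAMPLE_CIPHERS, SAMPLE_COUNT, out, (int)sizeof out);
    printf("fixed joiner result: %s\n", out);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. With a 64-byte buffer the flawed joiner writes five bytes past the end (one uncharged ':' for each of the four names that fit, plus the terminator), while the fixed joiner stops cleanly after the fourth name; give both 101 bytes and neither overflows, which is why the bug only surfaces with a list longer than the caller's buffer. The canary harness is the quick way to vet any string-joining routine that takes its length from the caller; an address sanitizer would not catch this run because the overrun lands inside the guard region. When triaging, the lever the attacker controls is the length of the negotiated list, and the function only runs when the application calls it, so search the application's code for SSL_get_shared_ciphers() rather than treating every OpenSSL-linked binary as exposed.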

- CVSS (base score)

CVSS score: 10.0 [HIGH]   base vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be made completely unavailable]
Access complexity: LOW [no specialized access conditions are needed to exploit]
Access vector: NETWORK [the attacker needs neither local nor internal-network access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:openssl:openssl:0.9.7j  OpenSSL Project OpenSSL 0.9.7j
cpe:/a:openssl:openssl:0.9.7k  OpenSSL Project OpenSSL 0.9.7k
cpe:/a:openssl:openssl:0.9.7h  OpenSSL Project OpenSSL 0.9.7h
cpe:/a:openssl:openssl:0.9.7i  OpenSSL Project OpenSSL 0.9.7i
cpe:/a:openssl:openssl:0.9.7f  OpenSSL Project OpenSSL 0.9.7f
cpe:/a:openssl:openssl:0.9.7g  OpenSSL Project OpenSSL 0.9.7g
cpe:/a:openssl:openssl:0.9.7b  OpenSSL Project OpenSSL 0.9.7b
cpe:/a:openssl:openssl:0.9.7d  OpenSSL Project OpenSSL 0.9.7d
cpe:/a:openssl:openssl:0.9.7e  OpenSSL Project OpenSSL 0.9.7e
cpe:/a:openssl:openssl:0.9.8c  OpenSSL Project OpenSSL 0.9.8c
cpe:/a:openssl:openssl:0.9.7a  OpenSSL Project OpenSSL 0.9.7a
cpe:/a:openssl:openssl:0.9.8a  OpenSSL Project OpenSSL 0.9.8a
cpe:/a:openssl:openssl:0.9.8b  OpenSSL Project OpenSSL 0.9.8b
cpe:/a:openssl:openssl:0.9.7c  OpenSSL Project OpenSSL 0.9.7c
cpe:/a:openssl:openssl:0.9.7   OpenSSL Project OpenSSL 0.9.7
cpe:/a:openssl:openssl:0.9.8   OpenSSL Project OpenSSL 0.9.8
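The CPE list above enumerates only the 0.9.7 and 0.9.8 releases, while the advisory text also covers "earlier versions". The C check below is an added example, not from this page, OpenSSL or any vendor, that turns the stated ranges (0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and anything older) into a predicate over an `openssl version` banner. The parser for the pre-1.1 letter-suffixed version scheme, the function names (`parse_openssl_version`, `cve_2006_3738_affected`) and the sample banners are assumptions of this example. One caveat a practitioner needs: the distributors listed under the references (Debian, Red Hat, SUSE and others) backport the fix without changing the upstream version string, so on a packaged system the banner only tells you which upstream base you have; the package-level OVAL definitions or the vendor advisory are the authoritative check.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pre-1.1 OpenSSL version: MAJOR.MINOR.FIX plus an optional patch-letter
 * suffix ("0.9.8c", "0.9.8zh"). `letter` is 0 for no suffix, 1..26 for
 * a..z, and larger for two-letter suffixes, so plain ordering works. */
typedef struct { int major, minor, fix, letter; } ossl_ver;

/* Accepts a bare version or the `openssl version` banner
 * ("OpenSSL 0.9.8c 05 Sep 2006", "OpenSSL 0.9.8e-fips-rhel5 ...").
 * Returns 1 on success, 0 if the string is not a version. */
int parse_openssl_version(const char *s, ossl_ver *v)
{
    const char *p = s;
    int consumed = 0;
    if (strncmp(p, "OpenSSL ", 8) == 0) p += 8;
    if (sscanf(p, "%d.%d.%d%n", &v->major, &v->minor, &v->fix, &consumed) != 3)
        return 0;
    p += consumed;
    v->letter = 0;
    while (*p >= 'a' && *p <= 'z')          /* "l", "d", "zh", ... */
        v->letter = v->letter * 26 + (*p++ - 'a' + 1);
    /* what follows must be end of string, whitespace or a vendor suffix */
    return *p == '\0' || isspace((unsigned char)*p) || *p == '-';
}

static int ver_cmp(ossl_ver a, ossl_ver b)
{
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    if (a.fix != b.fix) return a.fix - b.fix;
    return a.letter - b.letter;
}

/* Affected ranges as the advisory states them: 0.9.7 before 0.9.7l,
 * 0.9.8 before 0.9.8d, and anything older than 0.9.7.
 * Returns 1 = affected, 0 = not affected, -1 = string not understood. */
int cve_2006_3738_affected(const char *version_string)
{
    ossl_ver v;
    const ossl_ver v097l = {0, 9, 7, 'l' - 'a' + 1};
    const ossl_ver v098  = {0, 9, 8, 0};
    const ossl_ver v098d = {0, 9, 8, 'd' - 'a' + 1};
    if (!parse_openssl_version(version_string, &v)) return -1;
    if (ver_cmp(v, v097l) < 0) return 1;                 /* 0.9.7k and everything older */
    if (ver_cmp(v, v098) >= 0 && ver_cmp(v, v098d) < 0) return 1;
    return 0;                                             /* 0.9.7l+, 0.9.8d+, 1.x */
}

int main(void)
{
    /* constructed banners, not output captured from real hosts */
    const char *samples[] = {
        "OpenSSL 0.9.8c 05 Sep 2006", "OpenSSL 0.9.8d 28 Sep 2006",
        "0.9.7k", "0.9.7l", "0.9.6m", "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
        "1.0.0", "not a version",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = cve_2006_3738_affected(samples[i]);
        printf("%-40s %s\n", samples[i],
               r == 1 ? "AFFECTED" : r == 0 ? "not affected" : "unparseable");
    }
    return 0;
}
```

Feed it the output of `openssl version` from the host, or the version string an application reports through SSLeay_version() or its own banner, and treat a result of 1 as a reason to consult the distributor's advisory rather than as a final verdict.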

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9370  Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspeci...
oval:org.mitre.oval:def:4256  Security Vulnerabilities in OpenSSL May Lead to a Denial of Service (DoS) to Applications or Execution of Arbitrary Code With Elevated Privi...
* The OVAL definitions describe how to detect this vulnerability; consult them for the package and version checks used.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3738
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200609-536
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/547300
(UNKNOWN)  CERT-VN  VU#547300
http://www.us-cert.gov/cas/techalerts/TA06-333A.html
(UNKNOWN)  CERT  TA06-333A
http://xforce.iss.net/xforce/xfdb/29237
(PATCH)  XF  openssl-sslgetsharedciphers-bo(29237)
http://www.ubuntu.com/usn/usn-353-1
(PATCH)  UBUNTU  USN-353-1
http://www.trustix.org/errata/2006/0054
(PATCH)  TRUSTIX  2006-0054
http://www.securityfocus.com/bid/20249
(PATCH)  BID  20249
http://www.redhat.com/support/errata/RHSA-2006-0695.html
(PATCH)  REDHAT  RHSA-2006:0695
http://www.osvdb.org/29262
(PATCH)  OSVDB  29262
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
(VENDOR_ADVISORY)  OPENPKG  OpenPKG-SA-2006.021
http://www.novell.com/linux/security/advisories/2006_58_openssl.html
(VENDOR_ADVISORY)  SUSE  SUSE-SA:2006:058
http://www.novell.com/linux/security/advisories/2006_24_sr.html
(VENDOR_ADVISORY)  SUSE  SUSE-SR:2006:024
http://www.debian.org/security/2006/dsa-1195
(VENDOR_ADVISORY)  DEBIAN  DSA-1195
http://www.debian.org/security/2006/dsa-1185
(PATCH)  DEBIAN  DSA-1185
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
(PATCH)  SUNALERT  102668
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
(PATCH)  SLACKWARE  SSA:2006-272-01
http://securitytracker.com/id?1016943
(PATCH)  SECTRACK  1016943
http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-06:23
http://secunia.com/advisories/22330
(VENDOR_ADVISORY)  SECUNIA  22330
http://secunia.com/advisories/22284
(VENDOR_ADVISORY)  SECUNIA  22284
http://secunia.com/advisories/22260
(VENDOR_ADVISORY)  SECUNIA  22260
http://secunia.com/advisories/22259
(VENDOR_ADVISORY)  SECUNIA  22259
http://secunia.com/advisories/22240
(VENDOR_ADVISORY)  SECUNIA  22240
http://secunia.com/advisories/22220
(VENDOR_ADVISORY)  SECUNIA  22220
http://secunia.com/advisories/22216
(VENDOR_ADVISORY)  SECUNIA  22216
http://secunia.com/advisories/22212
(VENDOR_ADVISORY)  SECUNIA  22212
http://secunia.com/advisories/22207
(VENDOR_ADVISORY)  SECUNIA  22207
http://secunia.com/advisories/22193
(VENDOR_ADVISORY)  SECUNIA  22193
http://secunia.com/advisories/22186
(VENDOR_ADVISORY)  SECUNIA  22186
http://secunia.com/advisories/22172
(VENDOR_ADVISORY)  SECUNIA  22172
http://secunia.com/advisories/22166
(VENDOR_ADVISORY)  SECUNIA  22166
http://secunia.com/advisories/22165
(VENDOR_ADVISORY)  SECUNIA  22165
http://secunia.com/advisories/22130
(VENDOR_ADVISORY)  SECUNIA  22130
http://secunia.com/advisories/22116
(VENDOR_ADVISORY)  SECUNIA  22116
http://secunia.com/advisories/22094
(VENDOR_ADVISORY)  SECUNIA  22094
http://openvpn.net/changelog.html
(PATCH)  CONFIRM  http://openvpn.net/changelog.html
http://openbsd.org/errata.html#openssl2
(PATCH)  OPENBSD  [3.9] 20061007 013: SECURITY FIX: October 7, 2006
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
(PATCH)  FULLDISC  20060928 [SECURITY] OpenSSL 0.9.8d and 0.9.7l released
http://kolab.org/security/kolab-vendor-notice-11.txt
(PATCH)  CONFIRM  http://kolab.org/security/kolab-vendor-notice-11.txt
https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
(UNKNOWN)  HP  SSRT071304
https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
(UNKNOWN)  HP  SSRT061213
http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=498093&RenditionID=&poid=8881
(UNKNOWN)  CONFIRM  http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=498093&RenditionID=&poid=8881
http://www.vupen.com/english/advisories/2007/2783
(UNKNOWN)  VUPEN  ADV-2007-2783
http://www.vupen.com/english/advisories/2007/2315
(UNKNOWN)  VUPEN  ADV-2007-2315
http://www.vupen.com/english/advisories/2007/1401
(UNKNOWN)  VUPEN  ADV-2007-1401
http://www.vupen.com/english/advisories/2007/0343
(UNKNOWN)  VUPEN  ADV-2007-0343
http://www.vupen.com/english/advisories/2006/4750
(UNKNOWN)  VUPEN  ADV-2006-4750
http://www.vupen.com/english/advisories/2006/4443
(UNKNOWN)  VUPEN  ADV-2006-4443
http://www.vupen.com/english/advisories/2006/4417
(UNKNOWN)  VUPEN  ADV-2006-4417
http://www.vupen.com/english/advisories/2006/4401
(UNKNOWN)  VUPEN  ADV-2006-4401
http://www.vupen.com/english/advisories/2006/4314
(UNKNOWN)  VUPEN  ADV-2006-4314
http://www.vupen.com/english/advisories/2006/4264
(UNKNOWN)  VUPEN  ADV-2006-4264
http://www.vupen.com/english/advisories/2006/4036
(UNKNOWN)  VUPEN  ADV-2006-4036
http://www.vupen.com/english/advisories/2006/3936
(UNKNOWN)  VUPEN  ADV-2006-3936
http://www.vupen.com/english/advisories/2006/3902
(UNKNOWN)  VUPEN  ADV-2006-3902
http://www.vupen.com/english/advisories/2006/3869
(UNKNOWN)  VUPEN  ADV-2006-3869
http://www.vupen.com/english/advisories/2006/3860
(UNKNOWN)  VUPEN  ADV-2006-3860
http://www.vupen.com/english/advisories/2006/3820
(UNKNOWN)  VUPEN  ADV-2006-3820
http://www.serv-u.com/releasenotes/
(UNKNOWN)  CONFIRM  http://www.serv-u.com/releasenotes/
http://www.redhat.com/support/errata/RHSA-2008-0629.html
(UNKNOWN)  REDHAT  RHSA-2008:0629
http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
http://www.openssl.org/news/secadv_20060928.txt
(UNKNOWN)  CONFIRM  http://www.openssl.org/news/secadv_20060928.txt
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
http://secunia.com/advisories/31492
(UNKNOWN)  SECUNIA  31492
http://secunia.com/advisories/22385
(UNKNOWN)  SECUNIA  22385
http://marc.info/?l=bugtraq&m=130497311408250&w=2
(UNKNOWN)  HP  SSRT090208
http://marc.info/?l=bugtraq&m=130497311408250&w=2
(UNKNOWN)  HP  HPSBOV02683
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
(UNKNOWN)  HP  SSRT071299
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
(UNKNOWN)  HP  SSRT061239
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
(UNKNOWN)  HP  HPSBMA02250
http://docs.info.apple.com/article.html?artnum=304829
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=304829
https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
(UNKNOWN)  HP  HPSBTU02207
http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
(UNKNOWN)  CONFIRM  http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
http://www.securityfocus.com/bid/22083
(UNKNOWN)  BID  22083
http://www.securityfocus.com/archive/1/archive/1/470460/100/0/threaded
(UNKNOWN)  BUGTRAQ  20070602 Recent OpenSSL exploits
http://www.securityfocus.com/archive/1/archive/1/456546/100/200/threaded
(UNKNOWN)  BUGTRAQ  20070110 VMware ESX server security updates
http://www.securityfocus.com/archive/1/archive/1/447393/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060929 rPSA-2006-0175-2 openssl openssl-scripts
http://www.securityfocus.com/archive/1/archive/1/447318/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060928 rPSA-2006-0175-1 openssl openssl-scripts
http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
(UNKNOWN)  MANDRIVA  MDKSA-2006:178
http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
(UNKNOWN)  MANDRIVA  MDKSA-2006:177
http://www.mandriva.com/security/advisories?name=MDKSA-2006:172
(UNKNOWN)  MANDRIVA  MDKSA-2006:172
http://www.gentoo.org/security/en/glsa/glsa-200805-07.xml
(UNKNOWN)  GENTOO  GLSA-200805-07
http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
(UNKNOWN)  GENTOO  GLSA-200612-11
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
(UNKNOWN)  CISCO  20061108 Multiple Vulnerabilities in OpenSSL library
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
(UNKNOWN)  CISCO  20061108 Multiple Vulnerabilities in OpenSSL Library
http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201531-1
(UNKNOWN)  SUNALERT  201531
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102711-1
(UNKNOWN)  SUNALERT  102711
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
(UNKNOWN)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
http://securitytracker.com/id?1017522
(UNKNOWN)  SECTRACK  1017522
http://security.gentoo.org/glsa/glsa-200610-11.xml
(UNKNOWN)  GENTOO  GLSA-200610-11
http://secunia.com/advisories/30161
(UNKNOWN)  SECUNIA  30161
http://secunia.com/advisories/30124
(UNKNOWN)  SECUNIA  30124
http://secunia.com/advisories/26329
(UNKNOWN)  SECUNIA  26329
http://secunia.com/advisories/25889
(UNKNOWN)  SECUNIA  25889
http://secunia.com/advisories/24950
(UNKNOWN)  SECUNIA  24950
http://secunia.com/advisories/24930
(UNKNOWN)  SECUNIA  24930
http://secunia.com/advisories/23915
(UNKNOWN)  SECUNIA  23915
http://secunia.com/advisories/23794
(UNKNOWN)  SECUNIA  23794
http://secunia.com/advisories/23680
(UNKNOWN)  SECUNIA  23680
http://secunia.com/advisories/23340
(UNKNOWN)  SECUNIA  23340
http://secunia.com/advisories/23309
(UNKNOWN)  SECUNIA  23309
http://secunia.com/advisories/23280
(UNKNOWN)  SECUNIA  23280
http://secunia.com/advisories/23155
(UNKNOWN)  SECUNIA  23155
http://secunia.com/advisories/23038
(UNKNOWN)  SECUNIA  23038
http://secunia.com/advisories/22799
(UNKNOWN)  SECUNIA  22799
http://secunia.com/advisories/22791
(UNKNOWN)  SECUNIA  22791
http://secunia.com/advisories/22772
(UNKNOWN)  SECUNIA  22772
http://secunia.com/advisories/22758
(UNKNOWN)  SECUNIA  22758
http://secunia.com/advisories/22654
(UNKNOWN)  SECUNIA  22654
http://secunia.com/advisories/22633
(UNKNOWN)  SECUNIA  22633
http://secunia.com/advisories/22626
(UNKNOWN)  SECUNIA  22626
http://secunia.com/advisories/22544
(UNKNOWN)  SECUNIA  22544
http://secunia.com/advisories/22500
(UNKNOWN)  SECUNIA  22500
http://secunia.com/advisories/22487
(UNKNOWN)  SECUNIA  22487
http://secunia.com/advisories/22460
(UNKNOWN)  SECUNIA  22460
http://secunia.com/advisories/22298
(UNKNOWN)  SECUNIA  22298
http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2006-11-28
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
(UNKNOWN)  HP  HPSBUX02186
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
(UNKNOWN)  HP  HPSBUX02174
http://issues.rpath.com/browse/RPL-613
(UNKNOWN)  CONFIRM  http://issues.rpath.com/browse/RPL-613
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
(UNKNOWN)  HP  SSRT061275
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
(UNKNOWN)  SGI  20061001-01-P
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2008-007

- Vulnerability information

OpenSSL 'SSL_get_shared_ciphers()' function buffer overflow vulnerability
Critical  Buffer overflow
2006-09-28 00:00:00 2009-01-23 00:00:00
Remote  
        OpenSSL is an open-source implementation of SSL that provides strong encryption for network communications and is widely used in networked applications.
        The SSL_get_shared_ciphers() function in OpenSSL contains a buffer overflow in its handling of the length of the shared cipher list it writes into the caller's buffer. A remote attacker can send a cipher list to an application that calls this function to trigger the overflow, potentially executing arbitrary code. Only applications that themselves call SSL_get_shared_ciphers() are exposed.

- Advisories and patches

        OpenSSL fixed this issue in releases 0.9.7l and 0.9.8d (advisory: http://www.openssl.org/news/secadv_20060928.txt). Distributions ship the fix as patched packages under their own advisories; Debian's, for example:
        http://www.debian.org/security/2006/dsa-1195

- Vulnerability information (F101257)

HP Security Bulletin HPSBOV02683 SSRT090208 (PacketStormID:F101257)
2011-05-10 00:00:00
HP  hp.com
advisory,web,denial of service,php,vulnerability
CVE-2002-0839,CVE-2002-0840,CVE-2003-0542,CVE-2004-0492,CVE-2005-2491,CVE-2005-3352,CVE-2005-3357,CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-3747,CVE-2006-3918,CVE-2006-4339,CVE-2006-4343,CVE-2007-5000,CVE-2007-6388,CVE-2008-0005,CVE-2009-1891,CVE-2009-3095,CVE-2009-3291,CVE-2009-3292,CVE-2009-3293,CVE-2009-3555,CVE-2010-0010

HP Security Bulletin HPSBOV02683 SSRT090208 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02824490
Version: 1

HPSBOV02683 SSRT090208 rev.1 - HP Secure Web Server (SWS) for OpenVMS running Apache/PHP, Remote Denial of Service (DoS), Unauthorized Access, Unauthorized Disclosure of Information, Unauthorized Modification

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-05-05
Last Updated: 2011-05-05

Potential Security Impact: Remote Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, unauthorized modification

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications.

References: CVE-2002-0839, CVE-2002-0840, CVE-2003-0542, CVE-2004-0492, CVE-2005-2491, CVE-2005-3352, CVE-2005-3357, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-3747, CVE-2006-3918, CVE-2006-4339, CVE-2006-4343, CVE-2007-5000, CVE-2007-6388, CVE-2008-0005, CVE-2009-1891, CVE-2009-3095, CVE-2009-3291, CVE-2009-3292, CVE-2009-3293, CVE-2009-3555, CVE-2010-0010

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Secure Web Server (SWS) for OpenVMS (based on Apache) V2.1-1 and earlier.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2002-0839    (AV:L/AC:L/Au:N/C:C/I:C/A:C)        7.2
CVE-2002-0840    (AV:N/AC:M/Au:N/C:P/I:P/A:P)        6.8
CVE-2003-0542    (AV:L/AC:L/Au:N/C:C/I:C/A:C)        7.2
CVE-2004-0492    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2005-2491    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2005-3352    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2005-3357    (AV:N/AC:H/Au:N/C:N/I:N/A:C)        5.4
CVE-2006-2937    (AV:N/AC:L/Au:N/C:N/I:N/A:C)        7.8
CVE-2006-2940    (AV:N/AC:L/Au:N/C:N/I:N/A:C)        7.8
CVE-2006-3738    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2006-3747    (AV:N/AC:H/Au:N/C:C/I:C/A:C)        7.6
CVE-2006-3918    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2006-4339    (AV:N/AC:M/Au:N/C:P/I:N/A:N)        4.3
CVE-2006-4343    (AV:N/AC:M/Au:N/C:N/I:N/A:P)        4.3
CVE-2007-5000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2007-6388    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2008-0005    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2009-1891    (AV:N/AC:M/Au:N/C:N/I:N/A:C)        7.1
CVE-2009-3095    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3291    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3292    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3293    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3555    (AV:N/AC:M/Au:N/C:N/I:P/A:P)        5.8
CVE-2010-0010    (AV:N/AC:M/Au:N/C:P/I:P/A:P)        6.8
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following software updates available to resolve these vulnerabilities.

Kit Name
 Location

HP SWS V2.2 for OpenVMS Alpha and OpenVMS Integrity servers.
 http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html

CSWS_PHP V2.2
 http://h71000.www7.hp.com/openvms/products/ips/apache/csws_php.html

HISTORY
Version:1 (rev.1) - 5 May 2011 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
    -check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
    -verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEUEARECAAYFAk3C8qwACgkQ4B86/C0qfVnBqgCYtJgc2OLmG0JEGU4sCpzntC4E
HACgjeWEt9Ja5qNdjhL5iwOp3JVtVic=
=EvRT
-----END PGP SIGNATURE-----
    

- Vulnerability information (F59899)

Gentoo Linux Security Advisory 200710-6 (PacketStormID:F59899)
2007-10-09 00:00:00
Gentoo  security.gentoo.org
advisory,crypto
linux,gentoo
CVE-2006-3738,CVE-2007-3108,CVE-2007-5135

Gentoo Linux Security Advisory GLSA 200710-06 - Moritz Jodeit reported an off-by-one error in the SSL_get_shared_ciphers() function, resulting from an incomplete fix of CVE-2006-3738. A flaw has also been reported in the BN_from_montgomery() function in crypto/bn/bn_mont.c when performing Montgomery multiplication. Versions less than 0.9.8e-r3 are affected.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200710-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: OpenSSL: Multiple vulnerabilities
      Date: October 07, 2007
      Bugs: #188799, #194039
        ID: 200710-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer underflow vulnerability and an information disclosure
vulnerability have been discovered in OpenSSL.

Background
==========

OpenSSL is an implementation of the Secure Socket Layer and Transport
Layer Security protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /   Vulnerable   /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl      < 0.9.8e-r3                    >= 0.9.8e-r3

Description
===========

Moritz Jodeit reported an off-by-one error in the
SSL_get_shared_ciphers() function, resulting from an incomplete fix of
CVE-2006-3738. A flaw has also been reported in the
BN_from_montgomery() function in crypto/bn/bn_mont.c when performing
Montgomery multiplication.

Impact
======

A remote attacker sending a specially crafted packet to an application
relying on OpenSSL could possibly execute arbitrary code with the
privileges of the user running the application. A local attacker could
perform a side channel attack to retrieve the RSA private keys.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8e-r3"

References
==========

  [ 1 ] CVE-2006-3738
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
  [ 2 ] CVE-2007-3108
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
  [ 3 ] CVE-2007-5135
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHCVBmuhJ+ozIKI5gRAv3NAKCdKfDMXmkNVek/nWT35KbBt4IjggCfRqe7
jH09QwZEvD8+yZD02L7xMjQ=
=jbkz
-----END PGP SIGNATURE-----
    

- Vulnerability information (F58346)

HP Security Bulletin 2006-12.75 (PacketStormID:F58346)
2007-08-08 00:00:00
Hewlett Packard  hp.com
advisory,vulnerability
CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-3747,CVE-2006-4339,CVE-2006-4343

HP Security Bulletin - Potential security vulnerabilities have been identified in HP System Management Homepage (SMH).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01118771
Version: 1

HPSBMA02250 SSRT061275 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Execution of Arbitrary Code and Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-08-01
Last Updated: 2007-08-01


Potential Security Impact: Remote execution of arbitrary code and Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP System Management Homepage (SMH) for Linux and Windows. These vulnerabilities could be exploited remotely resulting in the execution of arbitrary code or a Denial of Service (DoS).

References: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-3747, CVE-2006-4339, CVE-2006-4343

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) versions prior to 2.1.7 running on Linux and Windows.

BACKGROUND


RESOLUTION
HP has provided System Management Homepage (SMH) version 2.1.7 or subsequent for each platform to resolve this issue. 
A more recent version is available: System Management Homepage (SMH) version 2.1.8 

HP System Management Homepage for Linux (x86) version 2.1.8-177 can be downloaded from 
http://h18023.www1.hp.com/support/files/server/us/download/26864.html 

HP System Management Homepage for Linux (AMD64/EM64T) version 2.1.8-177 can be downloaded from 
http://h18023.www1.hp.com/support/files/server/us/download/26866.html 

HP System Management Homepage for Windows version 2.1.8-179 can be downloaded from 
http://h18023.www1.hp.com/support/files/server/us/download/26977.html 

PRODUCT SPECIFIC INFORMATION 

HISTORY: 
Version:1 (rev.1) - 1 August 2007 Initial Release 

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux 
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

    

- Vulnerability information (F56053)

HP Security Bulletin 2007-13.4 (PacketStormID:F56053)
2007-04-19 00:00:00
Hewlett Packard  hp.com
advisory,remote,denial of service,arbitrary,vulnerability
unix
CVE-2006-4339,CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2007-0493,CVE-2007-0494

HP Security Bulletin - Potential security vulnerabilities have been identified on the Secure Sockets Layer (SSL) and BIND running on the HP Tru64 UNIX Operating System that may allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00967144
Version: 1

HPSBTU02207 SSRT061213, SSRT061239, SSRT071304 rev.1 - HP Tru64 UNIX SSL and BIND Remote Arbitrary Code Execution or Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-04-12
Last Updated: 2007-04-12

Potential Security Impact: Remote unauthenticated arbitrary code execution or Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified on the Secure Sockets Layer (SSL) and BIND running on the HP Tru64 UNIX Operating System that may allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS). 

References: VU#547300, VU#386964, CAN-2006-4339, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738 (SSL) 
VU#697164, VU#915404, CVE-2007-0493, CVE-2007-0494 (BIND) 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected: 
HP Tru64 UNIX v 5.1B-4 (SSL and BIND) 
HP Tru64 UNIX v 5.1B-3 (SSL and BIND) 
HP Tru64 UNIX v 5.1A PK6 (BIND) 
HP Tru64 UNIX v 4.0G PK4 (BIND) 
HP Tru64 UNIX v 4.0F PK8 (BIND) 
Internet Express (IX) v 6.6 BIND (BIND) 
HP Insight Management Agents for Tru64 UNIX patch v 3.5.2 and earlier (SSL) 

BACKGROUND

RESOLUTION

HP has released the following Early Release Patch kits (ERPs) publicly for use by any customer. The ERP kits use dupatch to install and will not install over any Customer Specific Patches (CSPs) that have file intersections with the ERP. A new patch version for HP Insight Management Agents for Tru64 UNIX is also available that addresses the potential vulnerabilities.

The fixes contained in the ERP kits will be available in the following mainstream releases:
 -Targeted for availability in HP Tru64 UNIX v 5.1B-5 
 -Internet Express (IX) v 6.7 
 -HP Insight Management Agents for Tru64 UNIX patch v 3.6.1 (already available) 

HP Tru64 UNIX Version 5.1B-4 ERP Kit 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001167-V51BB27-ES-20070321 
Name: T64KIT1001167-V51BB27-ES-20070321
MD5 Checksum: a697a90bd0b1116b6f27d1100bbf81fd
 
HP Tru64 UNIX Version 5.1B-3 ERP Kit 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001163-V51BB26-ES-20070315 
Name: T64KIT1001163-V51BB26-ES-20070315
MD5 Checksum: d376d403176f0dbe7badd4df4e91c126
 
HP Tru64 UNIX Version 5.1A PK6 ERP Kit 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001160-V51AB24-ES-20070314 
Name: T64KIT1001160-V51AB24-ES-20070314
MD5 Checksum: 7bb43ef667993f7c4711b6cf978e0aa7
 
HP Tru64 UNIX Version 4.0G PK4 ERP Kit 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001166-V40GB22-ES-20070316 
Name: T64KIT1001166-V40GB22-ES-20070316
MD5 Checksum: a446c39169b769c4a03c654844d5ac45
 
HP Tru64 UNIX Version 4.0F PK8 ERP Kit 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=DUXKIT1001165-V40FB22-ES-20070316 
Name: DUXKIT1001165-V40FB22-ES-20070316
MD5 Checksum: 718148c87a913536b32a47af4c36b04e
 
HP Insight Management Agents for Tru64 UNIX patch version 3.6.1 (for kit CPQIIM360) 
Location: http://h30097.www3.hp.com/cma/patches.html 
Name: CPQIM360.SSL.01.tar.gz
MD5 Checksum: 1001a10ab642461c87540826dfe28652
 
Internet Express (IX) v 6.6 BIND 
Note: Customers who use Internet Express (IX) v 6.6 BIND should install the BIND 9.2.8 patch from the ERP kit appropriate for their base operating system version.
 


PRODUCT SPECIFIC INFORMATION 

The HP Tru64 UNIX v 5.1B-3 and v 5.1B-4 ERP kits distribute two patches:
 -OpenSSL 0.9.8d 
 -BIND 9.2.8 built with OpenSSL 0.9.8d 

Note: HP Tru64 UNIX v 5.1A, v 4.0G, and v 4.0F releases did not distribute OpenSSL, so their ERP kits provide only the BIND 9.2.8 patch, which has been built with OpenSSL 0.9.8d.

Customers who have been using OpenSSL on HP Tru64 UNIX v 5.1B-3 and v 5.1B-4 should install the OpenSSL patch from the ERP kit appropriate for their base operating system version.

The HP Insight Management Agents for Tru64 UNIX patch contains OpenSSL 0.9.8d and is applicable for HP Tru64 UNIX v 5.1A, v 5.1B-3, and v 5.1B-4.

HISTORY 
Version:1 (rev.1) - 12 April 2007 Initial release 

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key


- Vulnerability information (F53990)

HP Security Bulletin 2007-12.99 (PacketStormID:F53990)
2007-01-27 00:00:00
Hewlett Packard  hp.com
advisory,denial of service,arbitrary,vulnerability
hpux
CVE-2006-2940,CVE-2006-2937,CVE-2006-3738,CVE-2006-4343,CVE-2006-4339,CVE-2005-2969

HP Security Bulletin - Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00849540
Version: 1

HPSBUX02186 SSRT071299 rev.1 - HP-UX running Apache Remote Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-01-17
Last Updated: 2007-01-23

Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS), and unauthorized access.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access.

References: CVE-2006-2940, CVE-2006-2937, CVE-2006-3738, CVE-2006-4343, CVE-2006-4339, CVE-2005-2969.

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running Apache-based Web Server prior to v.2.0.58.01

BACKGROUND

AFFECTED VERSIONS

For IPv4:
HP-UX B.11.00
HP-UX B.11.11
===========
hpuxwsAPACHE
action: install revision A.2.0.58.01 or subsequent
restart Apache
URL:http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE

For IPv6:
HP-UX B.11.11
===========
hpuxwsAPACHE,revision=B.1.0.00.01
hpuxwsAPACHE,revision=B.1.0.07.01
hpuxwsAPACHE,revision=B.1.0.08.01
hpuxwsAPACHE,revision=B.1.0.09.01
hpuxwsAPACHE,revision=B.1.0.10.01
hpuxwsAPACHE,revision=B.2.0.48.00
hpuxwsAPACHE,revision=B.2.0.49.00
hpuxwsAPACHE,revision=B.2.0.50.00
hpuxwsAPACHE,revision=B.2.0.51.00
hpuxwsAPACHE,revision=B.2.0.52.00
hpuxwsAPACHE,revision=B.2.0.53.00
hpuxwsAPACHE,revision=B.2.0.54.00
hpuxwsAPACHE,revision=B.2.0.55.00
hpuxwsAPACHE,revision=B.2.0.56.00
hpuxwsAPACHE,revision=B.2.0.58.00
action: install revision B.2.0.58.01 or subsequent
restart Apache
URL:http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE

HP-UX B.11.23
===========
hpuxwsAPACHE
action: install revision B.2.0.58.01 or subsequent
restart Apache
URL:http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE

END AFFECTED VERSIONS

RESOLUTION

HP has made the following software updates available to resolve the issue.
Software updates for the Apache-based Web Server are available from:
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE

HP-UX B.11.00, B.11.11 and HP-UX B.11.23 require the Apache-based Web Server v.2.0.58.01 or subsequent.

Apache Update Procedure

Check for Apache Installation
 -----------------------------
To determine if the Apache web server from HP is installed on your system, use Software Distributor's swlist command. All three revisions of the product may co-exist on a single system.
For example, the command
  swlist -l product | grep -i apache
might return:
  hpuxwsAPACHE B.2.0.55.00 HP-UX Apache-based Web Server

Stop Apache
 -------------
Before updating, make sure the previous Apache binary is stopped. If Apache is not stopped, the installation would be successful but the new version would be prevented from starting until a later time.
After determining which Apache is installed, stop Apache with the following commands:
for hpuxwsAPACHE: /opt/hpws/apache[32]/bin/apachectl stop (that is, /opt/hpws/apache/bin/apachectl stop or /opt/hpws/apache32/bin/apachectl stop, depending on which build is installed)

Download and Install Apache
 --------------------------
Download Apache from Software Depot. http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
Verify successful download by comparing the cksum with the value specified on the installation web page.
Use SD to swinstall the depot. Installation of this new revision of HP Apache over an existing HP Apache installation is supported, while installation over a non-HP Apache is NOT supported.

Removing Apache Installation
 ---------------------------
The potential vulnerability can also be resolved by removing Apache rather than installing a newer revision. To remove Apache, use Software Distributor's "swremove" command and also "rm -rf" the home location given by the "HOME" variables in the product's rc.config.d file. Those files can be listed with:
  % ls /etc/rc.config.d | grep apache
  hpapache2conf
  hpws_apache[32]conf

MANUAL ACTIONS: Yes - Update plus other actions
Install the revision of the product.

PRODUCT SPECIFIC INFORMATION
HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all HP-issued Security Bulletins to provide a subset of recommended actions that potentially affect a specific HP-UX system.
For more information: http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY: rev.1 - 23 January 2007 Initial Release

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com
  Subject: get key


- Vulnerability information (F53566)

VMware Security Advisory 2007-0001 (PacketStormID:F53566)
2007-01-13 00:00:00
VMware  vmware.com
advisory
CVE-2006-3589,CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-4980

VMware Security Advisory - The VMware ESX server has new patches released that address a slew of security issues.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0001
Synopsis:          VMware ESX server security updates
Issue date:        2007-01-08
Updated on:        2007-01-08
CVE:               CVE-2006-3589 CVE-2006-2937 CVE-2006-2940
                   CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
                   CVE-2006-4980
- -------------------------------------------------------------------

1. Summary:

Updated ESX Patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patch ESX-9986131
VMware ESX 3.0.0 without patch ESX-3069097

VMware ESX 2.5.4 prior to upgrade patch 3
VMware ESX 2.5.3 prior to upgrade patch 6
VMware ESX 2.1.3 prior to upgrade patch 4
VMware ESX 2.0.2 prior to upgrade patch 4

3. Problem description:

Problems addressed by these patches:

a. Incorrect permissions on SSL key files generated  by vmware-config
(CVE-2006-3589):

    ESX 3.0.1: does not have this problem
    ESX 3.0.0: does not have this problem
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

    A possible security issue with the configuration program
    vmware-config which could set incorrect permissions on SSL key
    files. Local users may be able to obtain access to the SSL key
    files. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) assigned the name CVE-2006-3589 to this issue.

b. OpenSSL library vulnerabilities:

    ESX 3.0.1: corrected by ESX 3.0.1 Patch ESX-9986131
    ESX 3.0.0: corrected by ESX 3.0.0 Patch ESX-3069097
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

    (CVE-2006-2937) OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d
    allows remote attackers to cause a denial of service (infinite
    loop and memory consumption) via malformed ASN.1 structures that
    trigger an improperly handled error condition.

    (CVE-2006-2940) OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d,
    and earlier versions allows attackers to cause a denial of service
    (CPU consumption) via parasitic public keys with large (1) "public
    exponent" or (2) "public modulus" values in X.509 certificates that
    require extra time to process when using RSA signature verification.

    (CVE-2006-4339) OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8
    before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1
    padding before generating a hash, which allows remote attackers to
    forge a PKCS #1 v1.5 signature that is signed by that RSA key and
    prevents OpenSSL from correctly verifying X.509 and other
    certificates that use PKCS #1.

    (CVE-2006-4343) The get_server_hello function in the SSLv2 client
    code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and
    earlier versions allows remote servers to cause a denial of service
    (client crash) via unknown vectors that trigger a null pointer
    dereference.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the names CVE-2006-2937, CVE-2006-2940, CVE-2006-3738,
    CVE-2006-4339, and CVE-2006-4343 to these issues.

c. Updated OpenSSH package addresses the following possible security issues:

    ESX 3.0.1: corrected by Patch ESX-9986131
    ESX 3.0.0: corrected by Patch ESX-3069097
    ESX 2.5.4: does not have these problems
    ESX 2.5.3: does not have these problems
    ESX 2.1.3: does not have these problems
    ESX 2.0.2: does not have these problems

    (CVE-2004-2069) sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly
    other versions, when using privilege separation, does not properly
    signal the non-privileged process when a session has been terminated
    after exceeding the LoginGraceTime setting, which leaves the
    connection open and allows remote attackers to cause a denial of
    service (connection consumption).

    (CVE-2006-0225) scp in OpenSSH 4.2p1 allows attackers to execute
    arbitrary commands via filenames that contain shell metacharacters
    or spaces, which are expanded twice.

    (CVE-2003-0386) OpenSSH 3.6.1 and earlier, when restricting host
    access by numeric IP addresses and with VerifyReverseMapping
    disabled, allows remote attackers to bypass "from=" and "user@host"
    address restrictions by connecting to a host from a system whose
    reverse DNS hostname contains the numeric IP address.

    (CVE-2006-4924) sshd in OpenSSH before 4.4, when using the version 1
    SSH protocol, allows remote attackers to cause a denial of service
    (CPU consumption) via an SSH packet that contains duplicate blocks,
    which is not properly handled by the CRC compensation attack
    detector.

    NOTE: ESX by default disables version 1 SSH protocol.

    (CVE-2006-5051) Signal handler race condition in OpenSSH before 4.4
    allows remote attackers to cause a denial of service (crash), and
    possibly execute arbitrary code if GSSAPI authentication is enabled,
    via unspecified vectors that lead to a double-free.

    NOTE: ESX doesn't use GSSAPI by default.

    (CVE-2006-5794) Unspecified vulnerability in the sshd Privilege
    Separation Monitor in OpenSSH before 4.5 causes weaker verification
    that authentication has been successful, which might allow attackers
    to bypass authentication.

    NOTE: as of 20061108, it is believed that this issue is only
    exploitable by leveraging vulnerabilities in the unprivileged
    process, which are not known to exist.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the names CVE-2004-2069, CVE-2006-0225, CVE-2003-0386,
    CVE-2006-4924, CVE-2006-5051, and CVE-2006-5794 to these issues.

d. Object reuse problems with newly created virtual disk (.vmdk or .dsk)
files:

    ESX 3.0.1: does not have this problem
    ESX 3.0.0: does not have this problem
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

    A possible security issue with virtual disk (.vmdk or .dsk) files
    that are newly created, but contain blocks from recently deleted
    virtual disk files.  Information belonging to the previously
    deleted virtual disk files could be revealed in newly created
    virtual disk files.

    VMware recommends the following workaround: When creating new
    virtual machines on an ESX Server that may contain sensitive
    data, use vmkfstools with the -W option. This initializes the
    virtual disk with zeros.  NOTE: ESX 3.x defines this option as -w.

e. Buffer overflow in Python function repr():

    ESX 3.0.1: corrected by Patch ESX-9986131
    ESX 3.0.0: corrected by Patch ESX-3069097
    ESX 2.5.4: does not have this problem
    ESX 2.5.3: does not have this problem
    ESX 2.1.3: does not have this problem
    ESX 2.0.2: does not have this problem

    A possible security issue with how the Python function repr()
    function handles UTF-32/UCS-4 strings. Python applications
    using this function can open a security vulnerability that could
    allow the execution of arbitrary code.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the name CVE-2006-4980 to this issue.

4. Solution:

Please review the Patch notes for your version of ESX and verify the md5sum.

  ESX 3.0.1
  http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
  md5sum: 239375e107fd4c7af57663f023863fcb

  ESX 3.0.0
  http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
  md5sum: ca9947239fffda708f2c94f519df33dc

  ESX 2.5.4
  http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
  md5sum: 239375e107fd4c7af57663f023863fcb

  ESX 2.5.3
  http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
  md5sum: f90fcab28362edbf2311f3ca90cc7739

  ESX 2.1.3
  http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
  md5sum: 7d7d0e40f4dccd5ca64b9c13a856da8f

  ESX 2.0.2
  http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
  md5sum: 925e70f28d17714c53fdbd24de64329f


5. References:

ESX 3.0.0 Patch URL:
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
Knowledge base URL:  http://kb.vmware.com/kb/3069097

ESX 3.0.1 Patch URL:
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
Knowledge base URL:  http://kb.vmware.com/kb/9986131

ESX 2.5.4 Patch URL:
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html

ESX 2.5.3 Patch URL:
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html

ESX 2.1.3 Patch URL:
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html

ESX 2.0.2 Patch URL:
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4980

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2007 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFovs16KjQhy2pPmkRCMfyAKCXhdGwZyXW5VzSwcOmu2NNXKN/OwCgo+CE
neFG0RikD74TCYeXKW6CBy4=
=9/6k
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- Vulnerability information (OSVDB)

OSVDB ID: 29262
Title: OpenSSL SSL_get_shared_ciphers Function Unspecified Remote Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Unknown
Disclosure: Vendor Verified

- Vulnerability description

A remote overflow exists in OpenSSL. OpenSSL contains an unspecified issue in the SSL_get_shared_ciphers function. With a specially crafted request, an attacker can cause an unspecified impact.
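The entry above says only that a long list of shared ciphers overflows a buffer in SSL_get_shared_ciphers(). What that function has to do is write the negotiated cipher names, separated by ':', into a caller-supplied buffer of `len` bytes, and that is exactly the kind of join where a length check that forgets the separator or the terminating NUL goes wrong once the list is long enough to reach the end of the buffer. The C program below is an added example, not OpenSSL's source and not the precise defect fixed in 0.9.7l/0.9.8d: it implements that join once with such an off-by-one check and once with a bounded check, and measures the faulty version's overrun through its return value instead of suffering it, by handing it a buffer with slack behind the advertised `len`. The cipher names and buffer sizes are constructed sample data.

```c
/* Added example (not OpenSSL source): joining cipher names into a fixed
 * buffer, the way SSL_get_shared_ciphers(ssl, buf, len) has to, with an
 * off-by-one length check beside a bounded one. */
#include <stdio.h>
#include <string.h>

/* Constructed sample shared-cipher list; long enough to fill small buffers. */
static const char *const sample_ciphers[] = {
    "DHE-RSA-AES256-SHA",   "DHE-DSS-AES256-SHA",   "AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DHE-RSA-AES128-SHA",   "DHE-DSS-AES128-SHA",   "AES128-SHA",
    "RC4-SHA",              "RC4-MD5",
};
#define N_SAMPLE (sizeof sample_ciphers / sizeof sample_ciphers[0])

/* Bytes a full "a:b:c" join of the list needs, including the final NUL. */
size_t ciphers_needed(const char *const *names, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += strlen(names[i]) + 1;   /* name plus ':' or the final NUL */
    return n ? total : 1;
}

/* Faulty join: checks that the name itself fits, but not the ':' written
 * after it or the NUL written at the end. When a name ends exactly at
 * buf[len-1], the separator and then the terminator land on buf[len].
 * Callers in this file pass a buffer with slack beyond len so the overrun
 * is measured (via the return value) rather than corrupting memory.
 * Returns bytes touched including the NUL; a value above len is an overrun. */
size_t join_ciphers_offbyone(const char *const *names, size_t n,
                             char *buf, size_t len)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t nl = strlen(names[i]);
        if (pos > len || nl > len - pos)   /* BUG: no room reserved for ':' */
            break;
        memcpy(buf + pos, names[i], nl);
        pos += nl;
        buf[pos++] = ':';                  /* may be written at buf[len] */
    }
    if (pos > 0)
        pos--;                             /* drop the trailing ':' */
    buf[pos] = '\0';                       /* may also land at buf[len] */
    return pos + 1;
}

/* Bounded join: a name is copied only if it plus one more byte (its ':'
 * or the final NUL) fit in what is left, so every write stays below len,
 * the result is always NUL-terminated, and truncation is at a name boundary. */
size_t join_ciphers_bounded(const char *const *names, size_t n,
                            char *buf, size_t len)
{
    size_t pos = 0;
    if (len == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t nl = strlen(names[i]);
        if (nl + 1 > len - pos)            /* name + separator/terminator */
            break;
        memcpy(buf + pos, names[i], nl);
        pos += nl;
        buf[pos++] = ':';
    }
    if (pos > 0)
        pos--;
    buf[pos] = '\0';
    return pos + 1;                        /* never exceeds len */
}

/* Drive the faulty join with the sample list into a buffer advertised as
 * len bytes (really 256) and report how many bytes past len it touched. */
long offbyone_overrun(size_t len)
{
    char scratch[256];
    if (len + 2 > sizeof scratch)
        return -1;
    size_t used = join_ciphers_offbyone(sample_ciphers, N_SAMPLE, scratch, len);
    return (long)used - (long)len;
}

/* Same drive for the bounded join: bytes used, always <= len. */
size_t bounded_used(size_t len)
{
    char buf[256];
    if (len > sizeof buf)
        return 0;
    return join_ciphers_bounded(sample_ciphers, N_SAMPLE, buf, len);
}

/* 1 if the bounded join into len bytes yields exactly `expected`. */
int bounded_matches(size_t len, const char *expected)
{
    char buf[256];
    if (len > sizeof buf)
        return 0;
    join_ciphers_bounded(sample_ciphers, N_SAMPLE, buf, len);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* 48 bytes: the third name ends exactly at buf[47], the worst case
     * for the faulty check. */
    printf("full list needs %zu bytes\n", ciphers_needed(sample_ciphers, N_SAMPLE));
    printf("off-by-one join into 48 bytes overran by %ld byte(s)\n", offbyone_overrun(48));
    printf("bounded join into 48 bytes used %zu bytes\n", bounded_used(48));
    return 0;
}
```

With the 48-byte buffer the faulty join writes one byte past the end (the ':' and then the NUL at index 48), which is the shape of overrun a long cipher list can produce; the bounded join stops after the second name and returns 38 bytes. The practical caveat is the one the OSVDB solution gives: a caller cannot defend against this from outside, because the length check happens inside the library, so the fix is the upgrade.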

- Timeline

Disclosure date: 2006-09-28
Other timeline entries: unknown

- Solution

Upgrade to version 0.9.7l, 0.9.8d or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
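Because the fix boundary is a pair of patch letters, the first thing to establish on a host is whether its OpenSSL is at or past 0.9.7l / 0.9.8d. The C program below is an added example, not part of the OSVDB entry and not OpenSSL code: it parses the version token that `openssl version` prints (the banners in it are constructed samples) into the layout of OpenSSL's real OPENSSL_VERSION_NUMBER macro for the 0.9.x/1.0.x lines (0xMNNFFPPS: major, minor, fix, patch letter, status) and compares it against the two fixed releases, treating anything below 0.9.7 as affected, as the advisory text does. Two-letter patch suffixes (0.9.8za and later) are deliberately reported as unparsed rather than guessed at.

```c
/* Added example (not OpenSSL or vendor code): decide from a version string
 * whether an OpenSSL build predates the SSL_get_shared_ciphers fix. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER layout for the 0.9.x/1.0.x lines: 0xMNNFFPPS,
 * M major, NN minor, FF fix, PP patch letter (a=1, b=2, ...), S status
 * (f = release). Later lines encode differently but still compare higher. */
#define OSSL_0_9_7L 0x009070cfUL   /* 0.9.7l */
#define OSSL_0_9_8  0x00908000UL   /* first value of the 0.9.8 line */
#define OSSL_0_9_8D 0x0090804fUL   /* 0.9.8d */

/* Encode "M.N.F[p]" (optionally followed by a space or a '-' suffix such
 * as "-fips") as a release number; 0 if the string does not fit that shape. */
unsigned long openssl_version_code(const char *s)
{
    unsigned long major, minor, fix, patch = 0;
    char *end;

    major = strtoul(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    s = end + 1;
    minor = strtoul(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    s = end + 1;
    fix = strtoul(s, &end, 10);
    if (end == s)
        return 0;
    s = end;
    if (isalpha((unsigned char)*s)) {      /* single patch letter only */
        patch = (unsigned long)(tolower((unsigned char)*s) - 'a') + 1;
        s++;
    }
    if (*s != '\0' && *s != ' ' && *s != '-')
        return 0;                          /* e.g. "0.9.8za" is rejected */
    if (major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | 0xf;
}

/* 1 = carries the fix, 0 = affected (0.9.7 before l, 0.9.8 before d, or
 * anything older than 0.9.7), -1 = string not understood. */
int openssl_has_cve_2006_3738_fix(const char *version)
{
    unsigned long v = openssl_version_code(version);
    if (v == 0)
        return -1;
    if (v >= OSSL_0_9_8)
        return v >= OSSL_0_9_8D;
    return v >= OSSL_0_9_7L;
}

/* Same verdict from a whole `openssl version` banner. */
int banner_has_fix(const char *banner)
{
    const char *p = banner;
    if (strncmp(p, "OpenSSL ", 8) == 0)
        p += 8;
    return openssl_has_cve_2006_3738_fix(p);
}

int main(void)
{
    /* Constructed banners in the format `openssl version` prints. */
    const char *const banners[] = {
        "OpenSSL 0.9.7k 05 Sep 2006",
        "OpenSSL 0.9.8c 05 Sep 2006",
        "OpenSSL 0.9.8d 28 Sep 2006",
        "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    };
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++) {
        int r = banner_has_fix(banners[i]);
        printf("%-40s %s\n", banners[i],
               r == 1 ? "fixed" : r == 0 ? "AFFECTED" : "unparsed");
    }
    return 0;
}
```

The compile-time equivalent for code built against the library headers is a check on the real macro from opensslv.h, for example `#if OPENSSL_VERSION_NUMBER < 0x0090804fL`. Two caveats apply to either check: vendor builds such as the ones in the HP and VMware bulletins above may backport the fix without changing the version letter, so the vendor's patch list is authoritative for those, and an application that links OpenSSL statically carries its own copy regardless of what the system `openssl` binary reports.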

- Related references

- Vulnerability author

- Vulnerability information (SecurityFocus BID)

Bugtraq ID: 20249
Title: OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability
Class: Boundary Condition Error
Remote: Yes
Local: No
Published: 2006-09-28 12:00:00
Updated: 2011-05-09 07:52:00
Credit: The vendor credits Tavis Ormandy and Will Drewry of the Google Security Team with the discovery of this vulnerability.

- Affected program versions

Xerox WorkCentre Pro 275
Xerox WorkCentre Pro 265
Xerox WorkCentre Pro 255
Xerox WorkCentre Pro 245
Xerox WorkCentre Pro 238
Xerox WorkCentre Pro 232
Xerox WorkCentre 7665 0
Xerox WorkCentre 7655 0
Xerox WorkCentre 275
Xerox WorkCentre 265
Xerox WorkCentre 255
Xerox WorkCentre 245
Xerox WorkCentre 238
Xerox WorkCentre 232
VMWare ESX Server 3.0.1
VMWare ESX Server 3.0
VMWare ESX Server 2.5.4
VMWare ESX Server 2.5.3
VMWare ESX Server 2.1.3
VMWare ESX Server 2.0.2
Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Turbolinux Turbolinux Server 10.0 x86
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Server 10.0.0 x64
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Turbolinux FUJI 0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 2.0
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 8
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10
Sun Solaris x86 Data Encryption Kit 10.0
Sun Solaris Data Encryption Kit 10.0
Sun Solaris 9_x86
Sun Solaris 9_sparc
Sun Solaris 10_x86
Sun Solaris 10_sparc
Sun Grid Engine 5.3 x86
Sun Grid Engine 5.3 Sun Linux
Sun Grid Engine 5.3 64-bit SPARC
Sun Grid Engine 5.3 32-bit SPARC
Sun Grid Engine 6.0 Update7_1
Sun Grid Engine 6.0 Update7
Sun Grid Engine 6.0 Update6
Sun Grid Engine 6.0 Update5
Sun Grid Engine 6.0 Update4
Sun Grid Engine 6.0 Update3
Sun Grid Engine 6.0 Update2
Sun Grid Engine 6.0 Update1
Sun Grid Engine 6.0
Stonesoft StoneGate IPS Sensor and Analyzer 2.0.1
Stonesoft StoneGate IPS Sensor and Analyzer 2.0
Stonesoft StoneGate High Availability Firewall and VPN 3.0.1
Stonesoft StoneGate High Availability Firewall and VPN 3.0
Stonesoft StoneGate High Availability Firewall and VPN 2.6.5
Stonesoft StoneGate High Availability Firewall and VPN 2.6.4
Stonesoft StoneGate High Availability Firewall and VPN 2.6.3
Stonesoft StoneGate High Availability Firewall and VPN 2.6
Stonesoft StoneGate High Availability Firewall and VPN 2.0.8
Stonesoft StoneGate High Availability Firewall and VPN 2.0
Stonesoft StoneGate High Availability Firewall and VPN 1.7
Stonesoft StoneBeat WebCluster 2.5
Stonesoft StoneBeat WebCluster 2.0
Stonesoft StoneBeat SecurityCluster 2.5
Stonesoft StoneBeat SecurityCluster 2.0
Stonesoft StoneBeat FullCluster for Raptor 2.5
Stonesoft StoneBeat FullCluster for Raptor 2.0
Stonesoft StoneBeat FullCluster for ISA Server 3.0
Stonesoft StoneBeat FullCluster for Gauntlet 2.0
Stonesoft StoneBeat FullCluster for Firewall-1 3.0
Stonesoft StoneBeat FullCluster for Firewall-1 2.0
Stonesoft ServerCluster 2.5.2
Stonesoft ServerCluster 2.5
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux -current
SGI ProPack 3.0 SP6
Serv-U FTP Server 6.3.3 0
Serv-U FTP Server 6.0 1
Serv-U FTP Server 6.0 0
Serv-U FTP Server 6.2.0.1
Serv-U FTP Server 6.1.0.5
Serv-U FTP Server 6.1.0.4
Serv-U FTP Server 6.1.0.1
Serv-U FTP Server 6.1.0.0
Secure Computing SnapGear SG710 0
Secure Computing SnapGear SG580 0
Secure Computing SnapGear SG565 0
Secure Computing SnapGear SG560 0
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Novell Linux POS 9
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
rPath rPath Linux 1
RedHat Network Satellite (for RHEL 4) 4.2
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Red Hat Network Satellite Server 5.0
Red Hat Red Hat Network Satellite Server 4.2
Red Hat Network Satellite (for RHEL 3) 4.2
ProZIlla ProZilla Download Accelarator 1.4 .0
ProZIlla ProZilla Download Accelarator 1.3.2
ProZIlla ProZilla Download Accelarator 1.2.1
Oracle Oracle HTTP Server 9.2 .8
Oracle Oracle HTTP Server 9.2 .0
Oracle Oracle HTTP Server 9.1
Oracle Oracle HTTP Server 9.0.3 .1
Oracle Oracle HTTP Server 9.0.2 .3
Oracle Oracle HTTP Server 9.0.2
Oracle Oracle HTTP Server 9.0.1
Oracle Oracle HTTP Server 8.1.7
+ Apache Software Foundation Apache 1.3.12
+ Oracle Oracle8 8.1.7
+ Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
+ Oracle Oracle8i Standard Edition 8.1.7
OpenVPN OpenVPN 2.0.8
OpenVPN OpenVPN 2.0.7
OpenVPN OpenVPN 2.0.6
OpenVPN OpenVPN 2.0.5
OpenVPN OpenVPN 2.0.4
OpenVPN OpenVPN 2.0.3
OpenVPN OpenVPN 2.0.2
OpenVPN OpenVPN 2.0.1
OpenVPN OpenVPN 2.0 beta11
OpenVPN OpenVPN 2.0
OpenVPN OpenVPN 1.6 .0
OpenVPN OpenVPN 1.5 .0
OpenVPN OpenVPN 1.4.3
OpenVPN OpenVPN 1.4.2
OpenVPN OpenVPN 1.4.1
OpenSSL Project OpenSSL 0.9.8 c
OpenSSL Project OpenSSL 0.9.8 b
OpenSSL Project OpenSSL 0.9.8 a
OpenSSL Project OpenSSL 0.9.8
OpenSSL Project OpenSSL 0.9.7 k
OpenSSL Project OpenSSL 0.9.7 j
OpenSSL Project OpenSSL 0.9.7 i
OpenSSL Project OpenSSL 0.9.7 h
OpenSSL Project OpenSSL 0.9.7 g
OpenSSL Project OpenSSL 0.9.7 f
OpenSSL Project OpenSSL 0.9.7 e
OpenSSL Project OpenSSL 0.9.7 d
OpenSSL Project OpenSSL 0.9.7 c
OpenSSL Project OpenSSL 0.9.7 beta3
OpenSSL Project OpenSSL 0.9.7 beta2
OpenSSL Project OpenSSL 0.9.7 beta1
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 a
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG Current
OpenSSL Project OpenSSL 0.9.7
OpenSSL Project OpenSSL 0.9.6 m
OpenSSL Project OpenSSL 0.9.6 l
OpenSSL Project OpenSSL 0.9.6 k
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 i
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Apache-Based Web Server 1.3.27 .00
+ HP HP-UX Apache-Based Web Server 1.0.1 .01
+ HP HP-UX Apache-Based Web Server 1.0 .07.01
+ HP HP-UX Apache-Based Web Server 1.0 .06.02
+ HP HP-UX Apache-Based Web Server 1.0 .06.01
+ HP HP-UX Apache-Based Web Server 1.0 .05.01
+ HP HP-UX Apache-Based Web Server 1.0 .04.01
+ HP HP-UX Apache-Based Web Server 1.0 .03.01
+ HP HP-UX Apache-Based Web Server 1.0 .02.01
+ HP HP-UX Apache-Based Web Server 1.0 .01
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Linux Mandrake 9.1 ppc
+ MandrakeSoft Linux Mandrake 9.1
+ MandrakeSoft Linux Mandrake 9.0
+ S.u.S.E. Linux Personal 8.2
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 f
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 d
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 b-36.8
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 a
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.5 a
OpenSSL Project OpenSSL 0.9.5
OpenSSL Project OpenSSL 0.9.4
OpenSSL Project OpenSSL 0.9.3
OpenSSL Project OpenSSL 0.9.2 b
OpenSSL Project OpenSSL 0.9.1 c
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG 2.2
OpenPKG OpenPKG 2.1
OpenPKG OpenPKG 2.0
OpenPKG OpenPKG Current
OpenBSD OpenBSD 3.9
OpenBSD OpenBSD 3.8
Nortel Networks WLAN Access Point 7250.0
Nortel Networks VPN Router 600 0
Nortel Networks VPN Router 5000
Nortel Networks VPN Router 2700
Nortel Networks VPN Router 1750 0
Nortel Networks VPN Router 1740
Nortel Networks VPN Router 1700
Nortel Networks VPN Router 1100
Nortel Networks VPN Router 1050
Nortel Networks VPN Router 1010
Nortel Networks VPN Router - Contivity 4600 0
Nortel Networks VPN Router - Contivity 4500 0
Nortel Networks VPN Router - Contivity 2600 0
Nortel Networks Self-Service MPS 500 0
Nortel Networks Meridian 1 - Option 81C 0
Nortel Networks Meridian 1 - Option 61C 0
Nortel Networks Meridian 1 - Option 51C 0
Nortel Networks Meridian 1 - Option 11C 0
Nortel Networks IP Address Domain Manager
Nortel Networks CS 1000
Nortel Networks Communications Server 1000
NetBSD NetBSD 3.0.2
NetBSD NetBSD 3.0.1
NetBSD NetBSD 3.1
Navision Financials Server 3.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Linux Mandrake 2006.0 x86_64
MandrakeSoft Linux Mandrake 2006.0
MandrakeSoft Linux Mandrake 2007.0 x86_64
MandrakeSoft Linux Mandrake 2007.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0
Kolab Kolab Groupware Server 2.0.3
Kolab Kolab Groupware Server 2.0.2
Kolab Kolab Groupware Server 2.0.1
IPCop IPCop 1.4.12
IPCop IPCop 1.4.11
IPCop IPCop 1.4.10
Ingate SIParator 4.5.1
Ingate SIParator 4.4.1
Ingate SIParator 4.3.4
Ingate SIParator 4.3.3
Ingate SIParator 4.3.2
Ingate SIParator 4.3.1
Ingate SIParator 4.3
Ingate SIParator 4.2.3
Ingate SIParator 4.2.2
Ingate SIParator 4.2.1
Ingate SIParator 3.3.1
Ingate SIParator 3.2.1
Ingate SIParator 3.2
Ingate SIParator 4.4
Ingate Firewalll 4.4
Ingate Firewall 4.5.1
Ingate Firewall 4.4.1
Ingate Firewall 4.3.4
Ingate Firewall 4.3.3
Ingate Firewall 4.3.2
Ingate Firewall 4.3.1
Ingate Firewall 4.3
Ingate Firewall 4.2 .3
Ingate Firewall 4.2 .2
Ingate Firewall 4.2 .1
Ingate Firewall 4.1.3
Ingate Firewall 3.3.1
Ingate Firewall 3.2.1
Ingate Firewall 3.2
IBM Hardware Management Console (HMC) for pSeries 5.0 R1.0
IBM Hardware Management Console (HMC) for pSeries 4.0 R5.0
IBM Hardware Management Console (HMC) for pSeries 4.0 R4.0
IBM Hardware Management Console (HMC) for pSeries 4.0 R3.3
IBM Hardware Management Console (HMC) for pSeries 4.0 R3.2
IBM Hardware Management Console (HMC) for pSeries 4.0 R3.1
IBM Hardware Management Console (HMC) for pSeries 4.0 R2.1
IBM Hardware Management Console (HMC) for pSeries 4.0 R2.0
IBM Hardware Management Console (HMC) for pSeries 3.3.7
IBM Hardware Management Console (HMC) for pSeries 3.3.2
IBM Hardware Management Console (HMC) for pSeries 3.0 R3.6
IBM Hardware Management Console (HMC) for pSeries 4
IBM Hardware Management Console (HMC) for pSeries 3
IBM Hardware Management Console (HMC) for iSeries 5.0 R1.0
IBM Hardware Management Console (HMC) for iSeries 4.0 R5.0
IBM Hardware Management Console (HMC) for iSeries 4.0 R4.0
IBM Hardware Management Console (HMC) for iSeries 4.0 R3.3
IBM Hardware Management Console (HMC) for iSeries 4.0 R3.2
IBM Hardware Management Console (HMC) for iSeries 4.0 R3.1
IBM Hardware Management Console (HMC) for iSeries 4.0 R2.1
IBM Hardware Management Console (HMC) for iSeries 4.0 R2.0
IBM Hardware Management Console (HMC) for iSeries 4.0
IBM Hardware Management Console (HMC) for iSeries 3.3.7
IBM Hardware Management Console (HMC) for iSeries 3.3.2
IBM Hardware Management Console (HMC) for iSeries 3.0 R3.6
IBM Hardware Management Console (HMC) 5.2.1
IBM Hardware Management Console (HMC) 3.3.7
HP Tru64 5.1 B-4
HP Tru64 5.1 B-3
HP Systems Management HomePage 2.1.7.168
HP System Management Homepage 2.1.6
HP System Management Homepage 2.1.5
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
HP OpenVMS Secure Web Server 1.2
HP OpenVMS Secure Web Server 1.1 -1
HP OpenVMS Secure Web Server 2.1-1
HP Insight Management Agents for Tru64 UNIX 3.5.2
HP HP-UX B.11.31
HP HP-UX B.11.23
HP HP-UX B.11.11
HP HP-UX B.11.00
Gentoo Linux
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.5 -STABLE
FreeBSD FreeBSD 5.5 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.11 -RELEASE-p20
FreeBSD FreeBSD 4.11 -RELEASE
FreeBSD FreeBSD 6.1 -STABLE
FreeBSD FreeBSD 6.1 -RELEASE
FreeBSD FreeBSD 5.4-STABLE
FileZilla FileZilla Server 0.9.17
FileZilla FileZilla Server 0.9.16 b
FileZilla FileZilla Server 0.9.9
FileZilla FileZilla Server 0.9.8 c
FileZilla FileZilla Server 0.9.8 b
FileZilla FileZilla Server 0.9.8 a
FileZilla FileZilla Server 0.9.8
FileZilla FileZilla Server 0.7.1
FileZilla FileZilla Server 0.7
FileZilla FileZilla Server 0.9.6
FileZilla FileZilla Server 0.9.5
FileZilla FileZilla Server 0.9.4e
FileZilla FileZilla Server 0.9.4d
FileZilla FileZilla Server 0.9.3
FileZilla FileZilla Server 0.9.2
FileZilla FileZilla Server 0.9.1b
FileZilla FileZilla Server 0.9.0
FileZilla FileZilla Server 0.8.9
FileZilla FileZilla Server 0.8.8
FileZilla FileZilla Server 0.8.7
FileZilla FileZilla Server 0.8.6a
FileZilla FileZilla Server 0.8.5
FileZilla FileZilla Server 0.8.4
FileZilla FileZilla Server 0.8.3
FileZilla FileZilla Server 0.8.2
FileZilla FileZilla Server 0.8.1
FileZilla FileZilla 2.2.22
FileZilla FileZilla 2.2.15
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
cwRsync cwRsync 2.0.9
Cisco Works Common Services (CWCS) 3.0
Cisco Works Common Services (CWCS) 2.2
Cisco Wide Area File Services (WAFS) 0
Cisco Wide Area Application Services (WAAS) 0
Cisco Unified Presence Server 1.0(2)
Cisco Unified Presence Server 1.0
Cisco SIP Proxy Server
Cisco Security Mars 4.2.2
Cisco Security Agent 5.0 .193
Cisco Security Agent 4.5.1 .657
Cisco Security Agent 4.5.1 .639
Cisco Security Agent 4.5.1
Cisco Security Agent 4.5
Cisco Security Agent 4.0.3 .728
Cisco Security Agent 4.0.3
Cisco Security Agent 4.0.2
Cisco Security Agent 4.0.1
Cisco Security Agent 4.0
Cisco Security Agent 2.1
Cisco Security Agent 5.1
Cisco Security Agent 5.0
Cisco Security Agent 3.x
Cisco Secure ACS Solution Engine 3.3.2
Cisco Secure ACS Solution Engine 3.3.1
Cisco Secure ACS Solution Engine 3.3
Cisco Secure ACS Solution Engine
Cisco Secure ACS for Windows Server 3.2
Cisco Secure ACS for Windows NT 3.3
Cisco Secure ACS for Windows NT 3.2
Cisco Secure ACS for Windows NT 3.1.1
Cisco Secure ACS for Windows NT 3.1
Cisco Secure ACS for Windows NT 3.0.3
Cisco Secure ACS for Windows NT 3.0 .1
Cisco Secure ACS for Windows NT 3.0
Cisco Secure ACS for Windows NT 2.42
Cisco Secure ACS for Windows NT 2.6.4
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6.3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6.2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6
Cisco Secure ACS for Windows NT 2.5
Cisco Secure ACS for Windows NT 2.4
Cisco Secure ACS for Windows NT 2.3
Cisco Secure ACS for Windows NT 2.1
Cisco Secure ACS for Unix 2.3.6 .1
Cisco Secure ACS for Unix 2.3.5 .1
Cisco Secure ACS for Unix 2.3
Cisco Secure ACS for Unix 2.0
Cisco ONS 15454SDH 4.6 (1)
Cisco ONS 15454SDH 4.6 (0)
Cisco ONS 15454SDH 4.5
Cisco ONS 15454SDH 4.1 (3)
Cisco ONS 15454SDH 4.1 (2)
Cisco ONS 15454SDH 4.1 (1)
Cisco ONS 15454SDH 4.1 (0)
Cisco ONS 15454SDH 4.0 (2)
Cisco ONS 15454SDH 4.0 (1)
Cisco ONS 15454SDH 4.0 (0)
Cisco ONS 15454SDH 4.0
Cisco ONS 15454SDH 3.4
Cisco ONS 15454SDH 3.3
Cisco ONS 15454SDH 3.2
Cisco ONS 15454SDH 3.1
Cisco ONS 15454SDH 2.3 (5)
Cisco ONS 15454E Optical Transport Platform 0
Cisco ONS 15454 Optical Transport Platform 4.14
Cisco ONS 15454 Optical Transport Platform 4.6 (1)
Cisco ONS 15454 Optical Transport Platform 4.6 (0)
Cisco ONS 15454 Optical Transport Platform 4.5
Cisco ONS 15454 Optical Transport Platform 4.1 (3)
Cisco ONS 15454 Optical Transport Platform 4.1 (2)
Cisco ONS 15454 Optical Transport Platform 4.1 (1)
Cisco ONS 15454 Optical Transport Platform 4.1 (0)
Cisco ONS 15454 Optical Transport Platform 4.1
Cisco ONS 15454 Optical Transport Platform 4.0 (2)
Cisco ONS 15454 Optical Transport Platform 4.0 (1)
Cisco ONS 15454 Optical Transport Platform 4.0
Cisco ONS 15454 Optical Transport Platform 3.4
Cisco ONS 15454 Optical Transport Platform 3.3
Cisco ONS 15454 Optical Transport Platform 3.2 .0
Cisco ONS 15454 Optical Transport Platform 3.1 .0
Cisco ONS 15454 Optical Transport Platform 3.0
Cisco ONS 15454 Optical Transport Platform 2.3 (5)
Cisco ONS 15454 MSTP 0
Cisco ONS 15454 MSPP 0
Cisco ONS 15454 IOS-Based Blades
Cisco MDS 9500 0
Cisco MDS 9216i
Cisco MDS 9000 2.0 (0.86)
Cisco MDS 9000 1.3 (4a)
Cisco MDS 9000 1.3 (3.33)
Cisco MDS 9000
Cisco IDS 0
Cisco GSS 4492 Global Site Selector 0
Cisco GSS 4491 Global Site Selector 0
Cisco GSS 4490 Global Site Selector 0
Cisco GSS 4480 Global Site Selector
Cisco CSS11500 Content Services Switch 7.30 (00.09)S
Cisco CSS11500 Content Services Switch 7.30 (00.08)S
Cisco CSS11500 Content Services Switch 7.20 (03.10)S
Cisco CSS11500 Content Services Switch 7.20 (03.09)S
Cisco CSS11500 Content Services Switch 7.10 (05.07)S
Cisco CSS11500 Content Services Switch 7.5
Cisco CSS11500 Content Services Switch 7.4
Cisco CSS11500 Content Services Switch
Cisco CiscoWorks Common Services 2.2
Cisco CiscoWorks Common Management Foundation 2.2
Cisco CiscoWorks Common Management Foundation 2.1
Cisco CiscoWorks Common Management Foundation 2.0
Cisco CiscoWorks Common Management Foundation 0
Cisco CiscoSecure ACS for Windows and Unix 0
Cisco CiscoSecure ACS 1111 Appliance
Cisco Call Manager 4.1 (3)SR2
Cisco Call Manager 4.1 (3)SR1
Cisco Call Manager 4.1 (3)ES32
Cisco Call Manager 4.1 (3)ES24
Cisco Call Manager 4.1 (3)ES07
Cisco Call Manager 4.1 (2)ES55
Cisco Call Manager 4.1 (2)ES50
Cisco Call Manager 4.1 (2)ES33
Cisco Call Manager 4.0 (2a)SR2c
Cisco Call Manager 4.0 (2a)SR2b
Cisco Call Manager 4.0 (2a)ES62
Cisco Call Manager 4.0 (2a)ES56
Cisco Call Manager 4.0 (2a)ES40
Cisco Call Manager 4.0
Cisco Call Manager 5.1
Cisco Call Manager 4.3(1)
Cisco Call Manager 4.2(3)
Cisco Call Manager 4.1(3)SR4
Cisco Application Control Engine (ACE) Module 0
Cisco Application & Content Networking Software (ACNS)
Cisco Aironet 350 ACS350 Firmware 2.6 c
Cisco Access Registrar
Cisco 4000 Series Airespace Wireless LAN Controller 3.1.59 .24
Cisco 2000 Series Airespace Wireless LAN Controller 3.1.59 .24
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8710 CM 3.1
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8700 CM 3.1
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8500 CM 3.1
Avaya S8500 0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya S8300 CM 3.1
Avaya Predictive Dialing System (PDS) 11.0
Avaya Predictive Dialing System (PDS) 11.11
Avaya Predictive Dialer 0
Avaya Messaging Storage Server MM3.0
Avaya Messaging Storage Server 2.0
Avaya Messaging Storage Server 1.0
Avaya Messaging Storage Server
Avaya Message Networking
Avaya Intuity LX
Avaya Converged Communications Server 2.0
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.3.9

- Unaffected program versions

Stonesoft StoneGate IPS Sensor and Analyzer 2.0.2
Stonesoft StoneGate High Availability Firewall and VPN 3.0.2
Stonesoft StoneGate High Availability Firewall and VPN 2.6.6
Serv-U FTP Server 6.3.3.1
Secure Computing SnapGear 3.1.4 u2
OpenVPN OpenVPN 2.0.9
OpenSSL Project OpenSSL 0.9.8 d
OpenSSL Project OpenSSL 0.9.7 l
IPCop IPCop 1.4.13
Ingate SIParator 4.5.2
Ingate Firewall 4.5.2
HP System Management Homepage 2.1.9
HP System Management Homepage 2.1.8
HP System Management Homepage 2.1.7
HP OpenVMS Secure Web Server 2.2
FileZilla FileZilla Server 0.9.19
FileZilla FileZilla 2.2.28
cwRsync cwRsync 2.0.10
Cisco Security Agent 5.1 .79
Cisco Security Agent 5.0.0.201
Cisco Security Agent 4.5.1.659
Cisco ONS 15454 8.0
Cisco CSS11500 Content Services Switch 8.10.2 .65
Cisco CSS11500 Content Services Switch 7.50.3 .45

- Vulnerability discussion

OpenSSL is prone to a buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successfully exploiting this issue may result in the execution of arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts may crash applications, denying service to legitimate users.

- Exploit

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has addressed this issue in OpenSSL 0.9.8d and 0.9.7l.

Please see the references for more information.

Turbolinux Turbolinux 10 F...
Secure Computing SnapGear SG560 0
Xerox WorkCentre Pro 245
Xerox WorkCentre 265
Xerox WorkCentre Pro 238
Secure Computing SnapGear SG565 0
Xerox WorkCentre Pro 255
FileZilla FileZilla Server 0.7.1
OpenSSL Project OpenSSL 0.9.7 beta1
OpenSSL Project OpenSSL 0.9.7 a
OpenSSL Project OpenSSL 0.9.7 e
OpenSSL Project OpenSSL 0.9.7 g
OpenSSL Project OpenSSL 0.9.7 f
FileZilla FileZilla Server 0.9.8 b
OpenSSL Project OpenSSL 0.9.8 c
OpenVPN OpenVPN 1.4.3
OpenVPN OpenVPN 2.0.4
HP System Management Homepage 2.1
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.5
HP Tru64 5.1 B-3

- Related references

