-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1140
       Time Capsule and AirPort Base Station (802.11n) Firmware 7.6
                             11 November 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Time Capsule
                  AirPort Base Station
Publisher:        Apple
Operating System: Network Appliance
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-0997  

Reference:        ESB-2011.0383.2

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2011-11-10-2 Time Capsule and AirPort Base Station (802.11n)
Firmware 7.6

Time Capsule and AirPort Base Station (802.11n) Firmware 7.6 is now
available and addresses the following:

Available for:  AirPort Extreme Base Station with 802.11n,
AirPort Express Base Station with 802.11n, Time Capsule
Impact:  An attacker in a privileged network position may be able to
cause arbitrary command execution via malicious DHCP responses
Description:  dhclient allowed remote attackers to execute arbitrary
commands via shell metacharacters in a hostname obtained from a DHCP
message. This issue is addressed by stripping shell meta-characters
in dhclient-script.
CVE-ID
CVE-2011-0997 : Sebastian Krahmer and Marius Tomaschewski of the SUSE
Security Team working with ISC


Installation note for Firmware version 7.6

Firmware version 7.6 is installed into Time Capsule or AirPort Base
Station with 802.11n via AirPort Utility, provided with the device.

It is recommended that AirPort Utility 5.5.3 or later be installed
before upgrading to Firmware version 7.6.

AirPort Utility 5.5.3 or later may be obtained through Apple's
Software Download site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
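
The fix the advisory describes, stripping shell metacharacters from a DHCP-supplied host name before a client script uses it, shown as an added example (not Apple's or ISC's code). Function names and sample values are hypothetical, and the sketch keeps an allowlist of host-name characters rather than removing a list of known metacharacters.

```shell
#!/bin/sh
# Added example: sanitize a host name taken from a DHCP lease before a
# client-side script uses it. All names and sample values are constructed.

# Keep only characters valid in a DNS host name (letters, digits, '-', '.').
# Everything else, including every shell metacharacter, is dropped.
sanitize_hostname() {
    # printf avoids echo's option/escape handling on untrusted input;
    # LC_ALL=C makes the tr ranges mean ASCII only.
    LC_ALL=C printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9.-'
}

# Succeed only if the cleaned name is usable: non-empty, at most 253
# characters, and not starting with '-' (option-like) or '.'.
is_valid_hostname() {
    case "$1" in
        ''|-*|.*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Sanitize, validate, and report whether the raw value had to be altered.
# A "stripped:" or "rejected" result is worth logging: a legitimate DHCP
# server has no reason to send such a name.
apply_hostname() {
    raw=$1
    clean=$(sanitize_hostname "$raw")
    if ! is_valid_hostname "$clean"; then
        echo "rejected"
        return 1
    fi
    if [ "$clean" != "$raw" ]; then
        echo "stripped:$clean"
    else
        echo "ok:$clean"
    fi
}

# Constructed sample lease values: one clean, one altered, one unusable.
for h in 'ap01.example.net' 'ap01;x' ';|&'; do
    apply_hostname "$h" || true
done
```

Always expand the cleaned value in double quotes in the consuming script; the allowlist removes metacharacters, but quoting keeps the script safe if the allowlist is later widened.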

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----