===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1140
       Time Capsule and AirPort Base Station (802.11n) Firmware 7.6
                             11 November 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Time Capsule
                   AirPort Base Station
Publisher:         Apple
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0997

Reference:         ESB-2011.0383.2

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2011-11-10-2 Time Capsule and AirPort Base Station (802.11n)
Firmware 7.6

Time Capsule and AirPort Base Station (802.11n) Firmware 7.6 is now
available and addresses the following:

Available for:  AirPort Extreme Base Station with 802.11n,
AirPort Express Base Station with 802.11n, Time Capsule
Impact:  An attacker in a privileged network position may be able to
cause arbitrary command execution via malicious DHCP responses
Description:  dhclient allowed remote attackers to execute arbitrary
commands via shell metacharacters in a hostname obtained from a DHCP
message. This issue is addressed by stripping shell meta-characters
in dhclient-script.
CVE-ID
CVE-2011-0997 : Sebastian Krahmer and Marius Tomaschewski of the SUSE
Security Team working with ISC

Installation note for Firmware version 7.6

Firmware version 7.6 is installed into Time Capsule or AirPort Base
Station with 802.11n via AirPort Utility, provided with the device.

It is recommended that AirPort Utility 5.5.3 or later be installed
before upgrading to Firmware version 7.6.

AirPort Utility 5.5.3 or later may be obtained through Apple's
Software Download site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
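
The advisory describes the fix as stripping shell metacharacters from the DHCP-supplied hostname in dhclient-script. The following added example (not Apple's or ISC's code) shows that kind of cleaning as an allow-list filter followed by a host-name format check; the function names and sample values are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not Apple's or ISC's code): clean a DHCP-supplied host name
# with an allow-list before a client hook script uses it.
# Function names and sample values are hypothetical / constructed.

# Delete every byte that is not a letter, digit, hyphen or dot. Deleting the
# complement of an allow-list drops all shell metacharacters without having
# to enumerate them.
strip_hostname() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9.-'
}

# Succeed only for a well-formed name: at most 253 bytes, dot-separated
# labels of 1-63 bytes, no label starting or ending with a hyphen.
# The body runs in a subshell so the IFS and globbing changes do not leak.
is_valid_hostname() (
    LC_ALL=C; name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]* | .* | *. | *..*) return 1 ;;
    esac
    IFS=.; set -f
    for label in $name; do
        [ "${#label}" -le 63 ] || return 1
        case $label in -* | *-) return 1 ;; esac
    done
    return 0
)

# Print the cleaned name and succeed, or print nothing and fail when no
# usable name is left. Callers pass the result as one quoted argument and
# never through eval or an unquoted expansion.
clean_dhcp_hostname() {
    cleaned=$(strip_hostname "$1")
    is_valid_hostname "$cleaned" || return 1
    printf '%s\n' "$cleaned"
}

# Constructed sample values standing in for a DHCP host-name option.
for raw in 'printer-2.lan' 'gw;echo INJECTED' ';|&' '-lead'; do
    if name=$(clean_dhcp_hostname "$raw"); then
        printf 'accept: %s\n' "$name"
    else
        printf 'reject: value discarded\n'
    fi
done
```

Stripping alone still leaves a value the server chose, so the format check and quoted use matter as much as the filter itself.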