-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1307
                                   iOS 7
                             19 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          iOS
Publisher:        Apple
Operating System: Apple iOS
Impact/Access:    Root Compromise                 -- Existing Account            
                  Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Access Privileged Data          -- Remote/Unauthenticated      
                  Modify Arbitrary Files          -- Remote/Unauthenticated      
                  Cross-site Scripting            -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Provide Misleading Information  -- Remote/Unauthenticated      
                  Access Confidential Data        -- Remote/Unauthenticated      
                  Unauthorised Access             -- Remote with User Interaction
                  Reduced Security                -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2013-5159 CVE-2013-5158 CVE-2013-5157
                  CVE-2013-5156 CVE-2013-5155 CVE-2013-5154
                  CVE-2013-5153 CVE-2013-5152 CVE-2013-5151
                  CVE-2013-5150 CVE-2013-5149 CVE-2013-5147
                  CVE-2013-5145 CVE-2013-5142 CVE-2013-5141
                  CVE-2013-5140 CVE-2013-5139 CVE-2013-5138
                  CVE-2013-5137 CVE-2013-5134 CVE-2013-5131
                  CVE-2013-5129 CVE-2013-5128 CVE-2013-5127
                  CVE-2013-5126 CVE-2013-5125 CVE-2013-4616
                  CVE-2013-3955 CVE-2013-3954 CVE-2013-3953
                  CVE-2013-3950 CVE-2013-2848 CVE-2013-2842
                  CVE-2013-1047 CVE-2013-1046 CVE-2013-1045
                  CVE-2013-1044 CVE-2013-1043 CVE-2013-1042
                  CVE-2013-1041 CVE-2013-1040 CVE-2013-1039
                  CVE-2013-1038 CVE-2013-1037 CVE-2013-1036
                  CVE-2013-1028 CVE-2013-1026 CVE-2013-1025
                  CVE-2013-1019 CVE-2013-1012 CVE-2013-1010
                  CVE-2013-1008 CVE-2013-1007 CVE-2013-1006
                  CVE-2013-1005 CVE-2013-1004 CVE-2013-1003
                  CVE-2013-1002 CVE-2013-1001 CVE-2013-1000
                  CVE-2013-0999 CVE-2013-0998 CVE-2013-0997
                  CVE-2013-0996 CVE-2013-0995 CVE-2013-0994
                  CVE-2013-0993 CVE-2013-0992 CVE-2013-0991
                  CVE-2013-0957 CVE-2013-0926 CVE-2013-0879
                  CVE-2012-5134 CVE-2012-2871 CVE-2012-2870
                  CVE-2012-2825 CVE-2012-2807 CVE-2012-0841
                  CVE-2011-3102 CVE-2011-2391 

Reference:        ESB-2013.1276
                  ESB-2013.1275
                  ESB-2013.1274
                  ESB-2013.1271
                  ESB-2013.0912
                  ESB-2013.0788
                  ESB-2013.0705
                  ESB-2013.0136
                  ESB-2012.1123
                  ESB-2012.0940
                  ESB-2012.0885
                  ESB-2012.0737
                  ESB-2012.0492
                  ESB-2012.0201

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-09-18-2 iOS 7

iOS 7 is now available and addresses the following:

Certificate Trust Policy
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Root certificates have been updated
Description:  Several certificates were added to or removed from the
list of system roots.

CoreGraphics
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of JBIG2
encoded data in PDF files. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-1025 : Felix Groebert of the Google Security Team

CoreMedia
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of Sorenson
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative

Data Protection
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Apps could bypass passcode-attempt restrictions
Description:  A privilege separation issue existed in Data
Protection. An app within the third-party sandbox could repeatedly
attempt to determine the user's passcode regardless of the user's
"Erase Data" setting. This issue was addressed by requiring
additional entitlement checks.
CVE-ID
CVE-2013-0957 : Jin Han of the Institute for Infocomm Research
working with Qiang Yan and Su Mon Kywe of Singapore Management
University

Data Security
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  TrustWave, a trusted root CA, has issued, and
subsequently revoked, a sub-CA certificate from one of its trusted
anchors. This sub-CA facilitated the interception of communications
secured by Transport Layer Security (TLS). This update added the
involved sub-CA certificate to OS X's list of untrusted certificates.
CVE-ID
CVE-2013-5134

dyld
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker who has arbitrary code execution on a device may
be able to persist code execution across reboots
Description:  Multiple buffer overflows existed in dyld's
openSharedCacheFile() function. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2013-3950 : Stefan Esser

File Systems
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker who can mount a non-HFS filesystem may be able
to cause an unexpected system termination or arbitrary code execution
with kernel privileges
Description:  A memory corruption issue existed in the handling of
AppleDouble files. This issue was addressed by removing support for
AppleDouble files.
CVE-ID
CVE-2013-3955 : Stefan Esser

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of JPEG2000
encoded data in PDF files. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-1026 : Felix Groebert of the Google Security Team

IOKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Background applications could inject user interface events
into the foreground app
Description:  It was possible for background applications to inject
user interface events into the foreground application using the task
completion or VoIP APIs. This issue was addressed by enforcing access
controls on foreground and background processes that handle interface
events.
CVE-ID
CVE-2013-5137 : Mackenzie Straight at Mobile Labs

IOKitUser
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious local application could cause an unexpected
system termination
Description:  A null pointer dereference existed in IOCatalogue.
The issue was addressed through additional type checking.
CVE-ID
CVE-2013-5138 : Will Estes

IOSerialFamily
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Executing a malicious application may result in arbitrary
code execution within the kernel
Description:  An out of bounds array access existed in the
IOSerialFamily driver. This issue was addressed through additional
bounds checking.
CVE-ID
CVE-2013-5139 : @dent1zt

IPSec
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker may intercept data protected with IPSec Hybrid
Auth
Description:  The DNS name of an IPSec Hybrid Auth server was not
being matched against the certificate, allowing an attacker with a
certificate for any server to impersonate any other. This issue was
addressed by improved certificate checking.
CVE-ID
CVE-2013-1028 : Alexander Traud of www.traud.de
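
Added example (not part of Apple's advisory and not Apple's code): the
missing check described above, modelled in C as a trusted-chain-only
decision next to one that also matches the configured server name against
the certificate's DNS names. The struct, function names and the
example.test certificates are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_NAMES 4

/* Hypothetical, already-parsed view of a server certificate. */
struct peer_cert {
    bool chain_trusted;                 /* chain validated to a trusted root */
    const char *dns_names[MAX_NAMES];   /* dNSName entries, NULL-terminated */
};

/* Constructed sample certificates; every one has a valid chain. */
static const struct peer_cert cert_vpn   = { true, { "vpn.example.test", NULL } };
static const struct peer_cert cert_other = { true, { "other.example.test", NULL } };
static const struct peer_cert cert_wild  = { true, { "*.example.test", NULL } };

/* Compare one certificate name with the configured server name.
 * A '*' is honoured only as the entire left-most label and stands for
 * exactly one label; comparison is case-insensitive. */
static bool dns_name_matches(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    const char *rest;

    if (star == NULL)
        return strcasecmp(pattern, host) == 0;
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;                   /* partial or repeated wildcard */
    rest = strchr(host, '.');
    if (rest == NULL || rest == host)
        return false;                   /* host has no label to cover */
    return strcasecmp(pattern + 1, rest) == 0;
}

/* Behaviour the advisory describes: a trusted chain alone is accepted. */
static bool accept_chain_only(const struct peer_cert *c, const char *server)
{
    (void)server;                       /* the configured name is never used */
    return c->chain_trusted;
}

/* Corrected behaviour: the chain must be trusted and a name must match. */
static bool accept_chain_and_name(const struct peer_cert *c, const char *server)
{
    size_t i;

    if (!c->chain_trusted)
        return false;
    for (i = 0; i < MAX_NAMES && c->dns_names[i] != NULL; i++)
        if (dns_name_matches(c->dns_names[i], server))
            return true;
    return false;
}

int main(void)
{
    const char *server = "vpn.example.test";   /* configured server name */

    printf("chain only, other cert:     %d\n", accept_chain_only(&cert_other, server));
    printf("chain + name, other cert:   %d\n", accept_chain_and_name(&cert_other, server));
    printf("chain + name, correct cert: %d\n", accept_chain_and_name(&cert_vpn, server));
    printf("chain + name, wildcard:     %d\n", accept_chain_and_name(&cert_wild, server));
    return 0;
}
```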

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker can cause a device to unexpectedly restart
Description:  Sending an invalid packet fragment to a device can
cause a kernel assert to trigger, leading to a device restart. The
issue was addressed through additional validation of packet
fragments.
CVE-ID
CVE-2013-5140 : Joonas Kuorilehto of Codenomicon, an anonymous
researcher working with CERT-FI, Antti Levomäki and Lauri Virtanen
of Vulnerability Analysis Group, Stonesoft

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious local application could cause device hang
Description:  An integer truncation vulnerability in the kernel
socket interface could be leveraged to force the CPU into an infinite
loop. The issue was addressed by using a larger sized variable.
CVE-ID
CVE-2013-5141 : CESG

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker on a local network can cause a denial of service
Description:  An attacker on a local network can send specially
crafted IPv6 ICMP packets and cause high CPU load. The issue was
addressed by rate limiting ICMP packets before verifying their
checksum.
CVE-ID
CVE-2011-2391 : Marc Heuse

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Kernel stack memory may be disclosed to local users
Description:  An information disclosure issue existed in the msgctl
and segctl APIs. This issue was addressed by initializing data
structures returned from the kernel.
CVE-ID
CVE-2013-5142 : Kenzley Alphonse of Kenx Technology, Inc

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Unprivileged processes could get access to the contents of
kernel memory which could lead to privilege escalation
Description:  An information disclosure issue existed in the
mach_port_space_info API. This issue was addressed by initializing
the iin_collision field in structures returned from the kernel.
CVE-ID
CVE-2013-3953 : Stefan Esser
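
Added example (not part of Apple's advisory and not kernel code): a
user-space C model of the bug class in the two information disclosure
entries above (msgctl/segctl and mach_port_space_info), where a structure
is copied out with a member and its padding never written, beside the
fix of initializing the whole structure first. The struct layout, the
reused "stack slot" and all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply layout; not the real mach_port_space_info structure. */
struct port_info {
    uint32_t name;
    uint8_t  type;       /* the compiler normally inserts padding after this */
    uint32_t collision;  /* stands in for a member the handler forgets to set */
};

/* Stand-in for a kernel stack slot that is reused between calls. */
static unsigned char kslot[sizeof(struct port_info)];

/* Constructed "earlier work" that leaves a recognisable pattern behind. */
static void leave_stale_data(unsigned char marker)
{
    memset(kslot, marker, sizeof kslot);
}

/* Before the fix: two members are written, then the whole struct is copied. */
static void reply_unfixed(unsigned char *user_buf, uint32_t name, uint8_t type)
{
    memcpy(kslot + offsetof(struct port_info, name), &name, sizeof name);
    memcpy(kslot + offsetof(struct port_info, type), &type, sizeof type);
    memcpy(user_buf, kslot, sizeof kslot);      /* models the copy to user space */
}

/* After the fix: the whole structure, padding included, is zeroed first. */
static void reply_fixed(unsigned char *user_buf, uint32_t name, uint8_t type)
{
    uint32_t collision = 0;

    memset(kslot, 0, sizeof kslot);
    memcpy(kslot + offsetof(struct port_info, name), &name, sizeof name);
    memcpy(kslot + offsetof(struct port_info, type), &type, sizeof type);
    memcpy(kslot + offsetof(struct port_info, collision), &collision,
           sizeof collision);
    memcpy(user_buf, kslot, sizeof kslot);
}

/* Count the bytes of a reply that still carry the stale marker. */
static size_t stale_bytes(const unsigned char *buf, size_t len,
                          unsigned char marker)
{
    size_t i, n = 0;

    for (i = 0; i < len; i++)
        if (buf[i] == marker)
            n++;
    return n;
}

/* Run one handler over a dirty slot and report how many bytes leaked. */
static size_t leaked_after(void (*handler)(unsigned char *, uint32_t, uint8_t))
{
    unsigned char user_buf[sizeof(struct port_info)];

    leave_stale_data(0xAA);
    handler(user_buf, 7, 1);    /* constructed values containing no 0xAA byte */
    return stale_bytes(user_buf, sizeof user_buf, 0xAA);
}

int main(void)
{
    printf("unfixed handler leaks %zu stale bytes\n", leaked_after(reply_unfixed));
    printf("fixed handler leaks   %zu stale bytes\n", leaked_after(reply_fixed));
    return 0;
}
```

The unfixed count covers the padding bytes as well as the unset member,
which is why assigning every named member is not sufficient on its own.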

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Unprivileged processes may be able to cause an unexpected
system termination or arbitrary code execution in the kernel
Description:  A memory corruption issue existed in the handling of
arguments to the posix_spawn API. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-3954 : Stefan Esser

Kext Management
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An unauthorized process may modify the set of loaded kernel
extensions
Description:  An issue existed in kextd's handling of IPC messages
from unauthenticated senders. This issue was addressed by adding
additional authorization checks.
CVE-ID
CVE-2013-5145 : "Rainbow PRISM"

libxml
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in libxml.
These issues were addressed by updating libxml to version 2.9.0.
CVE-ID
CVE-2011-3102 : Juri Aedla
CVE-2012-0841
CVE-2012-2807 : Juri Aedla
CVE-2012-5134 : Google Chrome Security Team (Juri Aedla)

libxslt
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in libxslt.
These issues were addressed by updating libxslt to version 1.1.28.
CVE-ID
CVE-2012-2825 : Nicolas Gregoire
CVE-2012-2870 : Nicolas Gregoire
CVE-2012-2871 : Kai Lu of Fortinet's FortiGuard Labs, Nicolas
Gregoire

Passcode Lock
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
bypass the screen lock
Description:  A race condition issue existed in the handling of phone
calls and SIM card ejection at the lock screen. This issue was
addressed through improved lock state management.
CVE-ID
CVE-2013-5147 : videosdebarraquito

Personal Hotspot
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker may be able to join a Personal Hotspot network
Description:  An issue existed in the generation of Personal Hotspot
passwords, resulting in passwords that could be predicted by an
attacker to join a user's Personal Hotspot. The issue was addressed
by generating passwords with higher entropy.
CVE-ID
CVE-2013-4616 : Andreas Kurtz of NESO Security Labs and Daniel Metz
of University Erlangen-Nuremberg

Push Notifications
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  The push notification token may be disclosed to an app
contrary to the user's decision
Description:  An information disclosure issue existed in push
notification registration. Apps requesting push notification access
received the token before the user approved the
app's use of push notifications. This issue was addressed by
withholding access to the token until the user has approved access.
CVE-ID
CVE-2013-5149 : Jack Flintermann of Grouper, Inc.

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
XML files. This issue was addressed through additional bounds
checking.
CVE-ID
CVE-2013-1036 : Kai Lu of Fortinet's FortiGuard Labs

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  History of pages recently visited in an open tab may remain
after clearing of history
Description:  Clearing Safari's history did not clear the
back/forward history for open tabs. This issue was addressed by
clearing the back/forward history.
CVE-ID
CVE-2013-5150

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing files on a website may lead to script execution even
when the server sends a 'Content-Type: text/plain' header
Description:  Mobile Safari sometimes treated files as HTML files
even when the server sent a 'Content-Type: text/plain' header. This
may lead to cross-site scripting on sites that allow users to upload
files. This issue was addressed through improved handling of files
when 'Content-Type: text/plain' is set.
CVE-ID
CVE-2013-5151 : Ben Toews of Github

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a malicious website may allow an arbitrary URL to
be displayed
Description:  A URL bar spoofing issue existed in Mobile Safari. This
issue was addressed through improved URL tracking.
CVE-ID
CVE-2013-5152 : Keita Haga of keitahaga.com, Lukasz Pilorz of RBS

Sandbox
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Applications that are scripts were not sandboxed
Description:  Third-party applications which used the #! syntax to
run a script were sandboxed based on the identity of the script
interpreter, not the script. The interpreter may not have a sandbox
defined, leading to the application being run unsandboxed. This issue
was addressed by creating the sandbox based on the identity of the
script.
CVE-ID
CVE-2013-5154 : evad3rs

Sandbox
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Applications can cause a system hang
Description:  Malicious third-party applications that wrote specific
values to the /dev/random device could force the CPU to enter an
infinite loop. This issue was addressed by preventing third-party
applications from writing to /dev/random.
CVE-ID
CVE-2013-5155 : CESG

Social
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Users' recent Twitter activity could be disclosed on devices
with no passcode.
Description:  An issue existed where it was possible to determine
what Twitter accounts a user had recently interacted with. This issue
was resolved by restricting access to the Twitter icon cache.
CVE-ID
CVE-2013-5158 : Jonathan Zdziarski

Springboard
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to a device in Lost Mode may
be able to view notifications
Description:  An issue existed in the handling of notifications when
a device is in Lost Mode. This update addresses the issue with
improved lock state management.
CVE-ID
CVE-2013-5153 : Daniel Stangroom

Telephony
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Malicious apps could interfere with or control telephony
functionality
Description:  An access control issue existed in the telephony
subsystem. Bypassing supported APIs, sandboxed apps could make
requests directly to a system daemon interfering with or controlling
telephony functionality. This issue was addressed by enforcing access
controls on interfaces exposed by the telephony daemon.
CVE-ID
CVE-2013-5156 : Jin Han of the Institute for Infocomm Research
working with Qiang Yan and Su Mon Kywe of Singapore Management
University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke
Lee from the Georgia Institute of Technology

Twitter
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Sandboxed apps could send tweets without user interaction or
permission
Description:  An access control issue existed in the Twitter
subsystem. Bypassing supported APIs, sandboxed apps could make
requests directly to a system daemon interfering with or controlling
Twitter functionality. This issue was addressed by enforcing access
controls on interfaces exposed by the Twitter daemon.
CVE-ID
CVE-2013-5157 : Jin Han of the Institute for Infocomm Research
working with Qiang Yan and Su Mon Kywe of Singapore Management
University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke
Lee from the Georgia Institute of Technology

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-0879 : Atte Kettunen of OUSPG
CVE-2013-0991 : Jay Civelli of the Chromium development community
CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)
CVE-2013-0993 : Google Chrome Security Team (Inferno)
CVE-2013-0994 : David German of Google
CVE-2013-0995 : Google Chrome Security Team (Inferno)
CVE-2013-0996 : Google Chrome Security Team (Inferno)
CVE-2013-0997 : Vitaliy Toropov working with HP's Zero Day Initiative
CVE-2013-0998 : pa_kt working with HP's Zero Day Initiative
CVE-2013-0999 : pa_kt working with HP's Zero Day Initiative
CVE-2013-1000 : Fermin J. Serna of the Google Security Team
CVE-2013-1001 : Ryan Humenick
CVE-2013-1002 : Sergey Glazunov
CVE-2013-1003 : Google Chrome Security Team (Inferno)
CVE-2013-1004 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1005 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1006 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1007 : Google Chrome Security Team (Inferno)
CVE-2013-1008 : Sergey Glazunov
CVE-2013-1010 : miaubiz
CVE-2013-1037 : Google Chrome Security Team
CVE-2013-1038 : Google Chrome Security Team
CVE-2013-1039 : own-hero Research working with iDefense VCP
CVE-2013-1040 : Google Chrome Security Team
CVE-2013-1041 : Google Chrome Security Team
CVE-2013-1042 : Google Chrome Security Team
CVE-2013-1043 : Google Chrome Security Team
CVE-2013-1044 : Apple
CVE-2013-1045 : Google Chrome Security Team
CVE-2013-1046 : Google Chrome Security Team
CVE-2013-1047 : miaubiz
CVE-2013-2842 : Cyril Cattiaux
CVE-2013-5125 : Google Chrome Security Team
CVE-2013-5126 : Apple
CVE-2013-5127 : Google Chrome Security Team
CVE-2013-5128 : Apple

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a malicious website may lead to information
disclosure
Description:  An information disclosure issue existed in the handling
of the window.webkitRequestAnimationFrame() API. A maliciously
crafted website could use an iframe to determine if another site used
window.webkitRequestAnimationFrame(). This issue was addressed
through improved handling of window.webkitRequestAnimationFrame().
CVE-ID
CVE-2013-5159

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Copying and pasting a malicious HTML snippet may lead to a
cross-site scripting attack
Description:  A cross-site scripting issue existed in the handling of
copied and pasted data in HTML documents. This issue was addressed
through additional validation of pasted content.
CVE-ID
CVE-2013-0926 : Aditya Gupta, Subho Halder, and Dev Kar of xys3c
(xysec.com)

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-site scripting issue existed in the handling of
iframes. This issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-1012 : Subodh Iyengar and Erling Ellingsen of Facebook

WebKit
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
information disclosure
Description:  An information disclosure issue existed in XSSAuditor.
This issue was addressed through improved handling of URLs.
CVE-ID
CVE-2013-2848 : Egor Homakov

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Dragging or pasting a selection may lead to a cross-site
scripting attack
Description:  Dragging or pasting a selection from one site to
another may allow scripts contained in the selection to be executed
in the context of the new site. This issue is addressed through
additional validation of content before a paste or a drag and drop
operation.
CVE-ID
CVE-2013-5129 : Mario Heiderich

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-site scripting issue existed in the handling of
URLs. This issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5131 : Erling A Ellingsen


Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.0".

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----