Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1090
Security Bulletin: Tivoli Storage Productivity Center -
Oracle CPU January 2014
7 July 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Tivoli Storage Productivity Center
Publisher: IBM
Operating System: AIX
Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0428 CVE-2014-0424 CVE-2014-0423
CVE-2014-0422 CVE-2014-0417 CVE-2014-0416
CVE-2014-0415 CVE-2014-0411 CVE-2014-0410
CVE-2014-0403 CVE-2014-0387 CVE-2014-0376
CVE-2014-0375 CVE-2014-0373 CVE-2014-0368
CVE-2013-5910 CVE-2013-5907 CVE-2013-5899
CVE-2013-5898 CVE-2013-5896 CVE-2013-5889
CVE-2013-5888 CVE-2013-5887 CVE-2013-5884
CVE-2013-5878
Reference: ASB-2014.0005
ESB-2014.0982
ESB-2014.0980
ESB-2014.0966
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21677588
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Tivoli Storage Productivity Center - Oracle CPU
January 2014
Security Bulletin
Document information
More support for:
Tivoli Storage Productivity Center
Software version:
5.1, 5.1.1, 5.2, 5.2.1
Operating system(s):
AIX, Linux, Windows
Reference #:
1677588
Modified date:
2014-07-01
Summary
Multiple security vulnerabilities exist in IBM SDK Java Technology Edition,
Version 6 that is shipped with Tivoli Storage Productivity Center.
Vulnerability Details
Tivoli Storage Productivity Center is shipped with IBM SDK Java
Technology Edition, Version 6 that is based on the Oracle JDK. Oracle has
released January 2014 critical patch updates (CPU) which contain security
vulnerability fixes. The IBM SDK for Java has been updated to incorporate
these fixes.
Description: An unspecified vulnerability related to the JSSE component
has partial confidentiality impact, partial integrity impact, and no
availability impact.
CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Description: An unspecified vulnerability related to the Deployment
component could allow a remote attacker to cause a denial of service.
CVEID: CVE-2013-5887
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90345 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Description: An unspecified vulnerability related to the Deployment
component has partial confidentiality impact, partial integrity impact,
and partial availability impact.
CVEID: CVE-2013-5888
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90354 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Description: An unspecified vulnerability related to the Deployment
component has partial confidentiality impact, partial integrity impact,
and no availability impact.
CVEID: CVE-2013-5898
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90356 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Description: An unspecified vulnerability related to the CORBA component
could allow a remote attacker to cause a denial of service.
CVEID: CVE-2013-5896
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90347 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Description: An unspecified vulnerability related to the Deployment
component could allow a remote attacker to obtain sensitive information.
CVEID: CVE-2013-5899
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90346 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Description: An unspecified vulnerability related to the Networking
component could allow a remote attacker to obtain sensitive information.
CVEID: CVE-2014-0368
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90351 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Description: An unspecified vulnerability related to the Serviceability
component has partial confidentiality impact, partial integrity impact,
and partial availability impact.
CVEID: CVE-2014-0373
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90334 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Description: An unspecified vulnerability related to the Deployment
component has partial confidentiality impact, partial integrity impact,
and no availability impact.
CVEID: CVE-2014-0375
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90339 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description: An unspecified vulnerability related to the JAXP component has
no confidentiality impact, partial integrity impact, and no availability
impact.
CVEID: CVE-2014-0376
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90350 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Description: An unspecified vulnerability related to the Deployment
component has partial confidentiality impact, partial integrity impact,
and no availability impact.
CVEID: CVE-2014-0403
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90338 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description: An unspecified vulnerability related to the CORBA component
could allow a remote attacker to execute arbitrary code on the system.
CVEID: CVE-2014-0428
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90325 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Description: An unspecified vulnerability related to the JNDI component
could allow a remote attacker to execute arbitrary code on the system.
CVEID: CVE-2014-0422
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90326 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Description: This bulletin also covers all applicable CVEs published by
Oracle as part of their January 2014 Java SE Critical Patch Update. These
may apply if you have installed IBM SDK Java Technology Edition, Version
6 as the system JRE, such as for use with the Tivoli Storage Productivity
Center Java WebStart GUI. For more information please refer to Oracle's
January 2014 Java SE CPU Advisory.
CVEID: CVE-2014-0428
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90325 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-0422
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90326 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-5907
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90324 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-0415
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90323 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-0410
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90322 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-5889
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90328 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-0417
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90331 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-0387
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90332 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVEID: CVE-2014-0424
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90333 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2013-5878
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90335 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2014-0373
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90334 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2014-0375
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90339 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-0403
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90338 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-0423
CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90340 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)
CVEID: CVE-2014-0376
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90350 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-5910
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90352 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-5884
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90348 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-5896
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90347 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2013-5899
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90346 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-0416
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-5887
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90345 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-0368
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90351 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-5888
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90354 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2013-5898
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90356 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-0411
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Affected Products and Versions
Tivoli Storage Productivity Center 5.2.0 through 5.2.1.1
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.4
Tivoli Storage Productivity Center 4.2.0 through 4.2.2.178
Tivoli Storage Productivity Center 4.1.x
The versions listed above apply to all licensed offerings of Tivoli
Storage Productivity Center, including IBM SmartCloud Virtual Storage
Center Storage Analytics Engine.
System Storage Productivity Center is affected if it has one of the Tivoli
Storage Productivity Center versions listed above installed on it.
Remediation/Fixes
The solution is to apply an appropriate Tivoli Storage Productivity
Center fix pack for each named product and execute the manual steps listed
below. The solution should be implemented as soon as practicable.
Note: It is always recommended to have a current backup before applying
any update procedure.
Tivoli Storage Productivity Center V5
Apply the Tivoli Storage Productivity Center fix pack as soon as
practicable. (See Latest Downloads.)
Affected TPC Version APAR Fixed TPC Version Availability
5.2.0 IT02747 5.2.2 June 6, 2014
5.1.x IT02747 5.1.1.5 July 31, 2014*
If you have downloaded and installed an IBM JRE from an older version of
Tivoli Storage Productivity Center, you should download it again after
applying the fix pack and reinstall the IBM JRE.
Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the
affected Tivoli Storage Productivity Center versions. Once you have
upgraded your Tivoli Storage Productivity Center components to a level
with the fix, you can use the links again as they will then allow you to
download an updated version of IBM SDK Java Technology Edition, Version 6.
* Until Tivoli Storage Productivity Center 5.1.1.5 is available, you can
apply some of the updates manually. Apply WebSphere Application Server
7.0.0 interim fix PI08996 to Tivoli Integrated Portal.
Download IBM SDK Java Technology Edition, Version 6 SR 15 FP1 (or
higher) and install it on any system where you are running the Java
WebStart GUI for Tivoli Storage Productivity Center. IBM SDK, Java
Technology Edition releases can be downloaded, subject to the terms
of the developerWorks license, from here or from Fix Central. Contact
IBM Support if the version you need is not available.
Note: The WebSphere Application Server V8 instance used by Tivoli Storage
Productivity Center will not be updated until you have upgraded to Tivoli
Storage Productivity Center 5.1.1.5.
Tivoli Storage Productivity Center V4
Apply the Tivoli Storage Productivity Center fix pack as soon as practicable
(See Latest Downloads.) and follow the manual steps provided.
Affected TPC Version APAR Fixed TPC Version Availability
4.2.x
4.1.x IT02750 4.2.2 FP7
Manual update steps are required in addition to applying 4.2.2 FP7.
July 31, 2014*
Apply embedded WebSphere Application Server fix pack 6.1.0.47 to
Tivoli Storage Productivity Center for Replication if you have not
done so before. See Upgrade of embedded WebSphere Application Server
fix pack installation procedure for IBM Tivoli Productivity Center
for Replication V4.2.2.4 for directions.
Apply WebSphere Application Server interim fix PI08999 to update the
SDK for the Replication Server. See the WebSphere Application Server
security bulletin for more info.
If you have downloaded and installed an IBM JRE from an older version
of Tivoli Storage Productivity Center, you should download it again
after applying the fix pack and reinstall the IBM JRE. IBM SDK, Java
Technology Edition releases can be downloaded, subject to the terms
of the developerWorks license, from here. A minimum level of IBM SDK
Java Technology Edition, Version 6 SR16 FP5 must be used.
Do not use the IBM JRE 1.6.0 or IBM SDK 1.6.0 links provided with the
affected Tivoli Storage Productivity Center versions. Once you have
upgraded your Tivoli Storage Productivity Center components to a level
with the fix, you can use the links again as they will then allow you
to download an updated version of IBM SDK Java Technology Edition,
Version 6 .
* Until Tivoli Storage Productivity Center 4.2.2 FP7 is available, you
can manually apply all of the updates.
Apply WebSphere Application Server interim fix PI08999 to update
the SDK for the Device Server. See the WebSphere Application Server
security bulletin for more info.
Note: You must request and receive the 32-bit version of the interim
fix from support or it will not work, even if you are applying it on
a 64-bit system.
Download Update Installer for WebSphere Application
Server. The packages are at the end of the
page. http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24012718
Unzip the Update Installer for WebSphere Application server package
and install it following the directions provided.
Once Update Installer for WebSphere Application Server is installed, copy
the *.pak file you downloaded for the interim fix to the maintenance
directory in the Update Installer for WebSphere Application Server
installation location.
Stop the IBM Tivoli Storage Productivity Center Device Server process
for WebSphere Application Server.
Start Update Installer for WebSphere Application Server. When prompted
for the location of WebSphere Application Server, enter the path to
the Tivoli Storage Productivity Center location.
Windows:
<TPC_install_location>\device\apps\was
e.g. C:\Program Files\IBM\TPC\device\apps\was
AIX and Linux:
<TPC_install_location>/device/apps/was
e.g. /opt/IBM/TPC/device/apps/was
Update Installer for WebSphere Application Server will handle the rest.
Repeat steps 1-8 to apply the WebSphere Application Server interim
fix update for the Tivoli Integrated Portal component location.
Apply embedded WebSphere Application Server fix pack 6.1.0.47 to
Tivoli Storage Productivity Center for Replication if you have not
done so before. See Upgrade of embedded WebSphere Application Server
fix pack installation procedure for IBM Tivoli Productivity Center
for Replication V4.2.2.4 for directions.
Apply WebSphere Application Server interim fix PI08999 to update the
SDK for the Replication Server. See the WebSphere Application Server
security bulletin for more info.
If you have downloaded and installed an IBM JRE from an older version
of Tivoli Storage Productivity Center, you should download it again
after applying the fix pack and reinstall the IBM SDK Java Technology
Edition, Version 6 JRE. IBM SDK, Java Technology Edition releases can
be downloaded, subject to the terms of the developerWorks license,
from here. A minimum level of IBM SDK Java Technology Edition,
Version 6 SR16 FP5 must be used.
Do not use the IBM SDK Java Technology Edition, Version 6 links provided
with the affected Tivoli Storage Productivity Center versions. Once you
have upgraded your Tivoli Storage Productivity Center components to a
level with the fix, you can use the links again as they will then allow
you to download an updated version of IBM SDK Java Technology Edition,
Version 6.
Note: If you are updating a System Storage Productivity Center (SSPC)
appliance, use the IBM SDK Java Technology Edition, Version 6 JRE downloaded
from your upgraded Tivoli Storage Productivity Center installation, as
referenced in steps 3 and 11, to also update the IBM SDK Java Technology
Edition, Version 6 JRE on that system.
Workarounds and Mitigations
None
Important note
IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.
References
Complete CVSS Guide
On-line Calculator V2
Oracle January 2014 Java SE Critical Patch Update Advisory
IBM SDK, Java Technology Edition Security Alerts
Security Bulletin: Multiple vulnerabilities in current releases of the
IBM SDK, Java Technology Edition
Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java
for WebSphere Application Server January 2014 CPU
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
30 June 2014: Original Copy Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Segment Product Component Platform Version Edition
Storage Management Tivoli Storage Productivity AIX, Linux, Windows 4.1, 4.1.1, 4.2,
Center Standard Edition 4.2.1, 4.2.2
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU7n4xxLndAQH1ShLAQLFcxAAvTr5VyxWM2xppgGvJTe0MfGGpVFRRbZC
Ti1EgcV8wYQqooz2q7ujt9M6gM6UzRi1DWyFmXxo1RsTB6fGqwquONm2wsu2b15Z
rRPAjtUAK4J/g+B5A50ZoDJPoybl+7t5OqL+Iug/HNvuRQgnBoVjpRDTN3ntl9G8
RMp2lY1azXp4vUQRTR7GSEEc4Z/lX1lQATTGmpbJNxSf4XYpOXFLQnLhzJbJyFj+
Fg9JfO7nv/SJXL2IOZe1EyDAPup8d+xa0BFSiq8B1PcKlF0TaklijSQYcv33lSTk
hUe3OV5RZdtiO6nwSEyPA6gTvm3m2gR8yEbX4tnnU7G+PMx3AgK6MIDrYweF6HNa
+kfSe2gVeYVpkJ35cjG+LG7tXBkX1ZtqDLnQuRYXXB3KL42sOKJjoYk0YN1+3ila
CkSrgaBLiRdpOyzsEq/RGC+afkRpGuFMfwpNKiNjoe/gR4XZONL26Ayc+0/DL48j
f2Kjq/T2Xh1YSQM7CQHk9gSobzx2diEkutSE2jxg4V336ca20TLcbLnJVSxy8leK
C+XLy7uueLaYg4yZEIOkWNw2SjzeYkoIQgw+ssD/7OXUUo6A31HoeUSZHWOom3Ca
fRcYfyN9jDayzJl9J2gKwnB24mUNXiPXLeQyPVCjqpFpMQNjXSHCWoWHXxQNxee0
vb5vH4yOsdA=
=MKje
-----END PGP SIGNATURE-----