Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.0440
Multiple vulnerabilities have been identified in Apache Tomcat
23 February 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Tomcat
Publisher: The Apache Software Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Cross-site Request Forgery -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-0763 CVE-2016-0714 CVE-2016-0706
CVE-2015-5351 CVE-2015-5346 CVE-2015-5345
CVE-2015-5174
Original Bulletin:
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
Comment: This bulletin contains seven (7) The Apache Software Foundation
security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2016-0763 Apache Tomcat Security Manager Bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- - - Apache Tomcat 7.0.0 to 7.0.67
- - - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - - Apache Tomcat 9.0.0.M1 to 9.0.0.M2
Description:
ResourceLinkFactory.setGlobalContext() is a public method and was
accessible by web applications running under a security manager
without any checks. This allowed a malicious web application to inject
a malicious global context that could in turn be used to disrupt other
web applications and/or read and write data owned by other web
applications.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to Apache Tomcat 9.0.0.M3 or later
- - - Upgrade to Apache Tomcat 8.0.32 or later
(8.0.31 has the fix but was not released)
- - - Upgrade to Apache Tomcat 7.0.68 or later
- - - Upgrade to Apache Tomcat 6.0.45 or later
Credit:
This issue was discovered by The Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu+yAAoJEBDAHFovYFnnPIgP/j9nli2IrsZEyhDyJ6XqAcg9
AisYAv7iSQ63zLe27CERDdOS9BBFI9j+MwkabF0FzmTGxugLyRwpKLt8Y3BV/723
Jwgds8phJcOm5oouzblUBfx/HdFDRI8+J6q7CNoSh61yXatuKRe5upc51W9G8/Vd
YS6b5XNqavBgvkQZudITIsr4N9vqxb+QVS9iMJfrACikgeq6QR6rwkJWAEcUYHrn
RESKuCTPzw8yf1Q1C8Ar9BUdSx8MRFDHfV8stKmjQWslud0EOP5bObWXBsv9vrQ7
XNKVKA69Hp1Kk++ORHUPnv6B2bCRsD5mZmBwqcvi6jVMuVMKaiLgCqJqfXcJEb4+
D86kjsBCQchGWSsFEwzmoQI++wW60Mn5QRlibF90LHAJLfZLo+cCsOUZABqgv3+j
xwA6HpR5ToMepO5CNcL76wDoBJDEPRXjIuVY6RhWnS7UXi4kuqp/qxtWBifn07X/
Ncbm5TWhf4ESnS5YOPMNefA5aDQJKRclymyXB37VxMwHdJ/zkY8uV48SeG9ACHNt
KBaXiS7FiNKLWqbzZijsXM2a40benXn6ocxStyApF7h15k/8/pyyq4DC55TBMitK
/L+RHHp9RAS+wP98xyYpFnuVI8/LkHSJwnLvTURDQlr1Fi/AJ5YIB+Y9GPE2sigA
90lXXPnmrbSsQR10jD/j
=5LII
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2016-0714 Apache Tomcat Security Manager Bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- - - Apache Tomcat 6.0.0 to 6.0.44
- - - Apache Tomcat 7.0.0 to 7.0.67
- - - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - - Apache Tomcat 9.0.0.M1
- - - Earlier, unsupported Tomcat versions may be affected
Description:
Tomcat provides several session persistence mechanisms. The
StandardManager persists session over a restart. The PersistentManager
is able to persist sessions to files, a database or a custom Store. The
Cluster implementation persists sessions to one or more additional nodes
in the cluster. All of these mechanisms could be exploited to bypass a
security manager. Session persistence is performed by Tomcat code with
the permissions assigned to Tomcat internal code. By placing a carefully
crafted object into a session, a malicious web application could trigger
the execution of arbitrary code.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to Apache Tomcat 9.0.0.M3 or later
(9.0.0.M2 has the fix but was not released)
- - - Upgrade to Apache Tomcat 8.0.32 or later
(8.0.31 has the fix but was not released)
- - - Upgrade to Apache Tomcat 7.0.68 or later
- - - Upgrade to Apache Tomcat 6.0.45 or later
Credit:
This issue was discovered by The Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu9PAAoJEBDAHFovYFnnllEQAMj38sm4FeeXJ2XOK/ODpj2J
SLK0VMib2gjRmMfuH15OPyYBIHPaWVD4E3ONiLz/2F9oqVAYfvswQnLfNrJ9k8oF
K+ETBoWfyODb8QddYQOd3JpDslrOLPscve6dgnkx/R8hZSPOvsmo8IIG4Bwh5VQM
rkAct8EFGpVuQ9ou59F8xSx7fhRMHhNKt8XwsuBIj43MwFv5P8rHhNJDbgC8hSP7
w8yKwrQ7alfeuzwQPegf11YEcauPog4TnD3JAuufcuPQefvDHRAIoKNRCwyvFbRC
rVHdsV5AehWaKKHj9Yu2IJB88s+0wXWlH01hG+wYl1jSVxs3CHhhP0FS55vwItWP
Igl26iz33esPlzQaVyWf5jOUOYfF0tZel4bDFcQrIQASJKS2vxCuOBgUhr+bReMD
I8W1A78EdGXm5IGqmPqHNXn+qAQKfs352eVFiS4vM+5n6wdVThxRzTIt/Op0iz8k
rOIm05kkZQedh7utUy4iW59MKHr9xGRQRI1r4/sdKHDIRSlzsfzJVrATqqLPxukg
QhG3LL0fO+kKLb526GZOlTaAcT7hM2wdYkLytiUItpMUR8ZfozqIS/nRUPmCfDgW
8QFRZEYIgETUYELbnj9chx0NJOkSH9OICV1U7EergsKsdpXN8uCDRy609ufSPn+W
M6wXyzp1l4aE2hnn22gZ
=OQbe
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2016-0706 Apache Tomcat Security Manager bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - - Apache Tomcat 6.0.0 to 6.0.44
- - - Apache Tomcat 7.0.0 to 7.0.67
- - - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - - Apache Tomcat 9.0.0.M1
- - - Earlier, unsupported Tomcat versions may be affected
Description:
The StatusManagerServlet could be loaded by a web application when a
security manager was configured. This servlet would then provide the web
application with a list of all deployed applications and a list of the
HTTP request lines for all requests currently being processed. This
could have exposed sensitive information from other web applications
such as session IDs to the web application.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to Apache Tomcat 9.0.0.M3 or later
(9.0.0.M2 has the fix but was not released)
- - - Upgrade to Apache Tomcat 8.0.32 or later
(8.0.31 has the fix but was not released)
- - - Upgrade to Apache Tomcat 7.0.68 or later
- - - Upgrade to Apache Tomcat 6.0.45 or later
Credit:
This issue was discovered by The Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu9qAAoJEBDAHFovYFnny/0P/0VtkiCt56FeS3I42BlvjAne
w/oqurmk/XoF/gof+VYxYuNOXMIwvgyGMjj21kZf+n2DjINXLHp9VFZ/APeSJ8kL
XcnTL1EBK1JBdxsieIhGAfLMeDO04wO3uuorJHwJIBbl4ymh7N4A2fgciKgCmNyB
y22TPT5Hz7iFCU8Ij6xsYJERpveUrenenAqbgjdcpILydbBoTqmZtZtWmPOFki90
cZo/2D0Av4H4SKh1PuCkzjk2DFXfyXcq+tDaX8dizPinQMQsbAX63BoYy5LrfWrJ
epgY9Q0QziOyp7b5Z72AjQ3RJR7yZS/iT3wb37jceI3Dq/mpkWFggqEGkSpFdGX7
AhoqVXjFw9eakjst0k5LZ29+dD8Fqz+2umXlRwelsxInLNgDk67Z2XehqkWWb85b
64PFh3ZYj/8CxxV6ErGq0bBhpCsNHZffEzOT/Ebldjn/afHajne3Yd9SZEbbZO3U
ejCSG2UziJ4t4mygnGyWaRCgKtjCrejzDZYicOICJEDE8enaPbNs0Ka8lR8fh21y
U3avzYIu7MosqvqoEAleMkjXySWSufqGF0ugbtsZx1lisl9Zax0LfXbq5sLmdNMS
fXhxu/1RfHfPS7NUP9YYs5OdWxCxecD/kiaxc3ArVVPdgAMSwlEyI59gSD/y7XPd
fitNMHbOMz6qG/uxVfH0
=6KO+
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2015-5351 Apache Tomcat CSRF token leak
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- - - Apache Tomcat 7.0.1 to 7.0.67
- - - Apache Tomcat 8.0.0.RC1 to 8.0.31
- - - Apache Tomcat 9.0.0.M1
Description:
The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
unauthenticated request to the root of the web application. This token
could then be used by an attacker to construct a CSRF attack.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to Apache Tomcat 9.0.0.M3 or later
(9.0.0.M2 has the fix but was not released)
- - - Upgrade to Apache Tomcat 8.0.32 or later
(8.0.31 has the fix but was not released)
- - - Upgrade to Apache Tomcat 7.0.68 or later
Credit:
This issue was discovered by the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu97AAoJEBDAHFovYFnnkOkP/353AyMvuZvUHx7MJS6QmthF
ba5gOE0JprULz0VN9q6ilf1ZXE7myZiVxt0tWT9MvuQi+iMQUtarESxv/bnA1RSF
QsUoxgb4Wc6whrWIZUSXU9Vag5e7Ar/N3con0jzMLyopx0DBnOWNKQE/pp9Q6NPI
RRvOAWnq9nm3P9/D2x9AOl/LDaEFuPHW/GkfwuosNTLCRsWYqa1DN20cFnq/S8Iz
+jPpjkYsfIOoodLcX2t4B92alC3fRNPgG4Q8iuhwj3Umsw44D5/gdbmcEeEtqB4C
wYIQsyXdIA4JBSx44w8ihP+Z+pNt+MkxgXvhfGWu30JDELXRaXU0ItveeePTjRJR
u0jC09frTLKG7UnbVxitV7CgvMtEU6zGjaJsfEQcsES6q4s9qCzHCbp9alqQnW1i
5ZvabdyAkZVfdRsgurI6RAI1R/s2mWmXlIFjiKiYt3Qeyqkg5cFBNHctEw/DREiR
6GA6xmk06uKXUzv0SZUuvadWqkJ2JwVmd5Doe5IaoK4K069Ab5EJQSG1qQcXv6G2
LsYK4L9s+Zcp+m10unFX4v1CB8UnVPKw33intlvE7/6r0yBOaigtFHqV+ifuUdOO
bkENBx8Gp/HAx0VCpwhYP2AKkoSSqSOktsv/iBokWfIrsUG304uGoa3rWsAIcGCx
I/Yy6rJBLqfrQj4qFtc3
=bm3r
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2015-5346 Apache Tomcat Session fixation
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - - Apache Tomcat 7.0.5 to 7.0.65
- - - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - - Apache Tomcat 9.0.0.M1
Description:
When recycling the Request object to use for a new request, the
requestedSessionSSL field was not recycled. This meant that a session ID
provided in the next request to be processed using the recycled Request
object could be used when it should not have been. This gave the client
the ability to control the session ID. In theory, this could have been
used as part of a session fixation attack but it would have been hard to
achieve as the attacker would not have been able to force the victim to
use the 'correct' Request object. It was also necessary for at least one
web application to be configured to use the SSL session ID as the HTTP
session ID. This is not a common configuration.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to Apache Tomcat 9.0.0.M3 or later
(9.0.0.M2 has the fix but was not released)
- - - Upgrade to Apache Tomcat 8.0.30 or later
- - - Upgrade to Apache Tomcat 7.0.67 or later
(7.0.66 has the fix but was not released)
Credit:
This issue was discovered by the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu+WAAoJEBDAHFovYFnnNasQANmHvs8L9RvbPSPvmR8sT9rc
nfoC64cVqVFx6G99+iskQ4SKL00zZk10gCNKvwu6aBW8Dv7U+sqoo09vtIVJ9qvD
9qBIaZMfnqMxMaHtonUj8E1/9GryquYNj7pWMf0tut2/RIvQq8/1tAtTgrzjVXG2
qtpB/ECBHQ53tJuPxRDakgav17Ok90DbAO4rsSdmCUwUg8NEYieNb6RG4eRSvuav
ffE2zaicXIHWLdnVEMpOWtum76+GMfS5B+zd03/OQmiJy+arVvGwyrn1ydKZI1JI
7gQT97SgLlI3iGtK3tc4S56tNQ9+K2oMp2B0qAceNG9MWimED9sC1aXoAARacoYI
c+cZdnhiRxsYycEdTXbNqhat+se6vKeXqgrsrr3CbNmaNl6siRZD/d+9PbmXh+0z
hHSC9tmG5ZAO3vS4wwHX+9qZlfdcQ2zAZnAnRZKtuRMgDphP+wszain4p+U82TV9
eshrfHzzN4R0kuBWXkl4Pf4KQd+ZCVmp8efXFcyXK2fV7FUmLRvwtZ43EPa77tRI
egiZcN/WEqGHODKNr/AGQYuiuEU7gm3hqnJlgDLpPzKF2ptkLcEh9/HYcW9yI1Kf
x+fKtcfr6jGjJRxFw5PRsHEO8ToE8w38mPmeLzQH3WRcoc+g5+BinbIe/fwMsVPM
cAK/Ln4UhXIcIM1f7h5M
=is2n
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2015-5345 Apache Tomcat Directory disclosure
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - - Apache Tomcat 6.0.0 to 6.0.44
- - - Apache Tomcat 7.0.0 to 7.0.66
- - - Apache Tomcat 8.0.0.RC1 to 8.0.29
- - - Apache Tomcat 9.0.0.M1
- - - Earlier, unsupported Tomcat versions may be affected
Description:
When accessing a directory protected by a security constraint with a URL
that did not end in a slash, Tomcat would redirect to the URL with the
trailing slash thereby confirming the presence of the directory before
processing the security constraint. It was therefore possible for a user
to determine if a directory existed or not, even if the user was not
permitted to view the directory. The issue also occurred at the root of
a web application in which case the presence of the web application was
confirmed, even if a user did not have access.
The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were
processed before the redirect. The Tomcat team recognised that moving
the redirect could cause regressions to two new Context configuration
options (mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The initial default was
false for both since this was more secure. However, due to regressions
such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled
was later changed to true since it was viewed that the regression was
more serious than the security risk of associated with being able to
determine if a web application was deployed at a given path.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to Apache Tomcat 9.0.0.M3 or later
(9.0.0.M2 has the fix but was not released)
- - - Upgrade to Apache Tomcat 8.0.30 or later
- - - Upgrade to Apache Tomcat 7.0.67 or later
- - - Upgrade to Apache Tomcat 6.0.45 or later
Credit:
This issue was discovered by Mark Koek of QCSec.
References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
[5] http://tomcat.apache.org/security-6.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO
A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB
Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN
DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj
Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw
gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8
kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO
zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik
t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ
WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj
Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e
HnSzWGDdd63z0ixY0g2I
=6UrH
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2015-5174 Apache Tomcat Limited Directory Traversal
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - - Apache Tomcat 6.0.0 to 6.0.44
- - - Apache Tomcat 7.0.0 to 7.0.64
- - - Apache Tomcat 8.0.0.RC1 to 8.0.26
- - - Apache Tomcat 9 is not affected
- - - Earlier, unsupported Tomcat versions may be affected
Description:
When accessing resources via the ServletContext methods getResource()
getResourceAsStream() and getResourcePaths() the paths should be limited
to the current web application. The validation was not correct and paths
of the form "/.." were not rejected. Note that paths starting with
"/../" were correctly rejected.
This bug allowed malicious web applications running under a security
manager to obtain a directory listing for the directory in which the web
application had been deployed. This should not be possible when running
under a security manager. Typically, the directory listing that would be
exposed would be for $CATALINA_BASE/webapps.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to Apache Tomcat 8.0.27 or later
- - - Upgrade to Apache Tomcat 7.0.65 or later
- - - Upgrade to Apache Tomcat 6.0.45 or later
Credit:
This issue was discovered by the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu+JAAoJEBDAHFovYFnnubgQAICDB8mbxG4KbSDT1YAcqjJd
lToWRjRKVd0UzIaOZFUmqV0Ap7o181xMfQpSfGZSAAukF7+zTcX33O+cklTkZaw/
yjprJSI942enkWlGygiJxIH8DUadGa62iTMyhXmpqLqkD5ura5sSNEdzir7aEnUw
P8vLdpmfbdUqNn9Qv1L27btm5+lU6OU+I8nBTB5ESyDxjhVrpc1d8GVcRaXh0mU4
56oeIAJg7O9ozXrIQa692K4pAV+VqZFb52Vwk3XiNENn0VjwM2W7PAqy+vtAfkLt
wt5SDVjoXuCW1jBTjTU+hmxzDziN0WzgVMgFsSVZg0lyU/H837e/bOOmNVA1dfGD
F6Ln40a1eYkZQ6eXK9SPmz36OnU/akM3+rcDEz9e9spvbe/c4oH5T3/yZwmsONSO
4G+9JyMCg/YKWl2+YIJSGGxO1khaLbXZvyvVwkpq0IzJZ/ZhTp7BQY+DYb4axVY3
QLBx6/XzoIRfLxf1lpvUakGw8P/0y2BPHRa+3b0WDJSElD4H6KAQd+q5vb1eyK6+
0bNPLYd9AyxYwaIuZMk2WtT+pQO0R3Ao6mVBNFk8K/YJj7msMsS4feI76I2LYLT0
WCLKWb/noO8oPmjYk6a7AZKncT9nASN+rCfbXedw6F+COxfVjuddbttsGza2oH7o
NKmM5mCdDfQztF3uOTnu
=aYIY
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVsuqZn6ZAP0PgtI9AQK8kA/+IU5jTBtM3MgSha2TpjEEu2HaCYtBFQUh
rboTFZhSf3/FKz8UT4Nz4005nb1ApA0rLR3OOI9zD15ukzfkyaZyZ61VBzIC0qD1
a8EcRuQByQgeO+Vov0GpsMMwmDAmPh0QAgX5c0aOlOpRZCBFhL0yT1Blee8J1U6r
Aq5afZ6OvHfp2TP1wBaYoJebxl5AGoghnL0LgVagU6Iz7u1TDHnmlEPkuvNv8/Sz
hIvFCwVw5QNyLn7zznNqRRJhlY08UojrKkeddCE4+CgiJEhSfniurfWV1LlMCwx+
iFoUe1jniGCHU3HmPLmCq0tcFiEEuSb4Jw7U5BTOhDA57ivT9OJJy1kds1fO8KwM
pDiEY+11FtceSel0BGNmbAyOis8ex0dpAtrqpJLJoiGPXCww8VAjYSlxnTwGU3kD
BkcMqItjFWhasOMQeNHLd67y5DWpcW/Awl1t0/blX+0hYmTA+e/AFSG1LSqpLaxt
3trMJklAzFxBeV2coqUe6xGx+Ou+3C2+PZ8mPC6mef2R7xiu7qONq+mWBmiO+fno
Uc1uaOjdNdXuNutE5j3+dzSM7nDHmIahNCK+BRyU0QBWgY3xZZC5K8PNd4+IMKbh
ygisyzY4X6WkylJZVEXJ6q47gwXE7aCOhu+2CPrYvOnVo/Hi5f3mAf+8Ockcs0Su
/jndWT5IPyM=
=Xue8
-----END PGP SIGNATURE-----