Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.1189
Microsoft Security Advisory 4021279 : Vulnerabilities in .NET Core, ASP.NET
Core Could Allow Elevation of Privilege
11 May 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft .NET Core
Microsoft ASP.NET Core
Publisher: Microsoft
Operating System: Windows
OS X
Linux variants
Impact/Access: Increased Privileges -- Unknown/Unspecified
Denial of Service -- Unknown/Unspecified
Provide Misleading Information -- Unknown/Unspecified
Unauthorised Access -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2017-0256 CVE-2017-0249 CVE-2017-0248
CVE-2017-0247
Original Bulletin:
https://technet.microsoft.com/en-us/library/security/4021279
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory 4021279
Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege
Published: May 9, 2017
Version: 1.0
Executive Summary
Microsoft is releasing this security advisory to provide information about
vulnerabilities in public .NET Core and ASP.NET Core. This advisory also
provides guidance on what developers can do to update their applications
correctly.
.NET Core & ASP.NET Core are the next generation of .NET that provide a
familiar and modern framework for web and cloud scenarios. These products are
actively developed by the .NET and ASP.NET team in collaboration with a
community of open source developers, running on Windows, Mac OS X and Linux.
When .NET Core was released, the version number was reset to 1.0.0 to reflect
the fact that it is a separate product from its predecessor -.NET.
Discussion
To discuss the ASP.NET Core issues please see aspnet/Mvc#6246
To discuss the CoreFX Core issues please see dotnet/corefx#19535
Issue CVEs and Description
CVE Description
CVE-2017-0248 Security Feature Bypass
CVE-2017-0247 Denial of Service
CVE-2017-0249 Elevation of Privilege
CVE-2017-0256 Spoofing
Affected Software
The vulnerabilities affect any Microsoft .NET Core project if it uses the
following affected package versions.
Affected package and version
Package name Package versions Fixed package versions
System.Text.Encodings.Web 4.0.0 4.0.1
4.3.0 4.3.1
System.Net.Http 4.1.1 4.1.2
4.3.1 4.3.2
System.Net.Http.WinHttpHandler 4.0.1 4.0.2
4.3.0 4.3.1
System.Net.Security 4.0.0 4.0.1
4.3.0 4.3.1
System.Net.WebSockets.Client 4.0.0 4.0.1
4.3.0 4.3.1
Microsoft.AspNetCore.Mvc 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Core 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Abstractions 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.ApiExplorer 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Cors 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.DataAnnotations 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Formatters.Json 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Formatters.Xml 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Localization 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Razor.Host 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.Razor 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.TagHelpers 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.ViewFeatures 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Microsoft.AspNetCore.Mvc.WebApiCompatShim 1.0.0, 1.0.1, 1.0.2, 1.0.3 1.0.4
1.1.0, 1.1.1, 1.1.2 1.1.3
Advisory FAQ
How do I know if I am affected?
.NET Core and ASP.NET Core have two types of dependencies: direct and
transitive. If your project has a direct or transitive dependency on any of
the packages and versions listed above, you are affected.
Note:
As part of patching ASP.NET Core MVC we update every Microsoft.AspNetCore.Mvc.
* package. If, for example, you have a dependency on Microsoft.AspNetCore.Mvc
you should update to the appropriate version first (1.0.x should be updated to
1.0.4, 1.1.x should be updated to 1.1.3), and it will also update any other
vulnerable Microsoft.AspNetCore.Mvc dependency.
.NET Core Project formats
.NET Core has two different project file formats, depending on what software
created the project.
project.json is the original format, included in .NET Core 1.0 and Microsoft
Visual Studio 2015.
csproj is the format used in Microsoft Visual Studio 2017.
You must ensure you follow the correct update instructions for your project
type.
Direct Dependencies
Direct dependencies are dependencies where you specifically add a package to
your project. For example, if you add the Microsoft.AspNetCore.Mvc package to
your project then you have taken a direct dependency on
Microsoft.AspNetCore.Mvc.
Direct dependencies are discoverable by reviewing your project.json or csproj
file.
Transitive Dependencies
Transitive dependencies occur when you add a package to your project that in
turn relies on another package. For example, if you add the
Microsoft.AspNetCore.Mvc package to your project it depends on the
Microsoft.AspNetCore.Mvc.Core package (among others). Your project has a
direct dependency on Microsoft.AspNetCore.Mvc and a transitive dependency on
the Microsoft.AspNetCore.Mvc.Core package.
Transitive dependencies are reviewable in the Visual Studio Solution Explorer
window, which supports searching, or by reviewing the project.lock.json file
contained in the root directory of your project for project.json projects or
the project.assets.json file contained in the obj directory of your project
for csproj projects. These files are the authoritative list of all packages
used by your project, containing both direct and transitive dependencies.
How do I fix my affected application?
You will need to fix both direct dependencies and review and fix any
transitive dependencies. The Affected Packages and Versions above should each
vulnerable package, the vulnerable versions and the patched versions.
If you are using ASP.NET Core MVC in your projects you should first update the
Microsoft.AspNetCore.Mvc version according to the affected versions table
above. If you are currently using version 1.0.0, 1.0.1, 1.0.2 or 1.0.3 you
should update your package version to 1.0.4. If you are using version 1.1.0,
1.1.1 or 1.1.2 you should update your package version to 1.1.3. This will
update every MVC package to the fixed versions.
Fixing Direct Dependencies project.json/VS2015
Open your project.json file in your editor. Look for the dependencies section.
Below is an example dependencies section:
"dependencies": {
"Microsoft.NETCore.App": {
"version": "1.0.1",
"type": "platform"
},
"Microsoft.AspNetCore.Server.Kestrel": "1.0.1",
"Microsoft.AspNetCore.Mvc ": "1.0.1",
}
This example has three direct dependencies: Microsoft.NETCore.App,
Microsoft.AspNetCore.Server.Kestrel and Microsoft.AspNetCore.Mvc.
Microsoft.NetCore.App is the platform the application targets, you should
ignore this. The other packages expose their version to the right of the
package name. In our example, our non-platform packages are version 1.0.1.
Review your direct dependencies for any instance of the packages and versions
listed above. In the example above, there is a direct dependency on one of the
vulnerable packages, Microsoft.AspNetCore.Mvc version 1.0.1.
To update to the fixed package, change the version number to be the
appropriate package for your release. In the example, this would be updating
Microsoft.AspNetCore.Mvc to 1.0.4.
After updating the vulnerable package versions, save your project.json file.
The dependencies section in our example project.json would now look as
follows:
"dependencies": {
"Microsoft.NETCore.App": {
"version": "1.0.1",
"type": "platform"
},
"Microsoft.AspNetCore.Server.Kestrel": "1.0.1",
"Microsoft.AspNetCore.Mvc": "1.0.4",
}
If you are using Visual Studio and save your updated project.json file, Visual
Studio will restore the new package version. You can see the restore results
by opening the Output Window (Ctrl+Alt+O) and changing the Show output from
drop-down list to Package Manager.
If you are not using Visual Studio, open a command line and change to your
project directory. Execute the dotnet restore command to restore your new
dependency.
After you have addressed all of your direct dependencies, you must also review
your transitive dependencies.
Fixing Direct Dependencies csproj/VS2017
Open your projectname.csproj file in your editor, or right click the project
in Visual Studio 2017 and choose Edit projectname.csproj from the content
menu, where projectname is the name of your project. Look for PackageReference
nodes. The following shows an example project file:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp1.1</TargetFramework>
</PropertyGroup>
<PropertyGroup>
<PackageTargetFallback>$(PackageTargetFallback);portable-net45+win8+wp8+wpa81;</PackageTargetFallback>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="1.0.0 " />
</ItemGroup>
</Project>
The example has two direct package dependencies, as seen by the two
PackageReference elements. The name of the package is in the Include
attribute, and the package version number is in the Version attribute that is
exposed to the right of the package name. The example shows two packages
Microsoft.AspNetCore version 1.1.1, and Microsoft.AspNetCore.Mvc.Core version
1.1.2.
Review your PackageReference elements for any instance of the packages and
versions listed above In the example above, there is a direct dependency on
one of the vulnerable packages, Microsoft.AspNetCore.Mvc version 1.1.2.
To update to the fixed package, change the version number to the appropriate
package for your release. In the example, this would be updating
Microsoft.AspNetCore.Mvc to 1.1.3.
After updating the vulnerable package version, save your csproj file.
The example csproj would now look as follows:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp1.1</TargetFramework>
</PropertyGroup>
<PropertyGroup>
<PackageTargetFallback>$(PackageTargetFallback);portable-net45+win8+wp8+wpa81;</PackageTargetFallback>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="1.1.3"/>
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="1.0.0 " />
</ItemGroup>
</Project>
If you are using Visual Studio and save your updated csproj file, Visual
Studio will restore the new package version. You can see the restore results
by opening the Output Window (Ctrl+Alt+O) and changing the Show output from
drop-down list to Package Manager.
If you are not using Visual Studio open a command line and change to your
project directory. Execute the dotnet restore command to restore your new
dependency.
Recompile your application.
If after recompilation you see a Dependency conflict warning, you must update
your other direct dependencies to the appropriate version. For example if your
project refers to Microsoft.AspNetCore.Routing with a version number of 1.0.1
when you update your Microsoft.AspNetCore.Mvc package to 1.0.4, compilation
will throw:
NU1012 Dependency conflict. Microsoft.AspNetCore.Mvc.Core 1.0.4 expected
Microsoft.AspNetCore.Routing >= 1.0.4 but received 1.0.1
To fix this, edit the version for the expected package to be the version
expected by updating your csproj or project.json in the same way that you used
to update the vulnerable package versions.
After you have addressed all of your direct dependencies, you must also review
your transitive dependencies.
Reviewing Transitive Dependencies
There are two ways to view transitive dependencies. You can either use Visual
Studios Solution Explorer, or you can review your project.lock.json
(project.json/VS2015) or project.assets.json (csproj/VS2017) file.
Using Visual Studio Solution Explorer (VS2015)
If you want to use Visual Studio 2015, open your project in Visual Studio 2015
and then press Ctrl+; to activate the search in Solution Explorer. Search for
each of the vulnerable package names and make a note of the version numbers of
any results you find.
For example, searching for Microsoft.AspNetCore.Mvc.Core in an example project
that contains a reference to Microsoft.AspNetCore.Mvc shows the following
results in Visual Studio 2015.
Mt808804.948623F12A9577D9AC6FF8F5CA46F8CA(en-us,Security.10).png
Figure 1: Searching references in Visual Studio 2015
The search results appear as a tree. In these results, you can see we have
found references to Microsoft.AspNetCore.Mvc, version 1.0.1, the vulnerable
version.
The first entry under the References heading refers to the target framework
your application is using. This will be .NETCoreApp, .NETStandard or
.NET-Framework-vX.Y.Z (where X.Y.Z is an actual version number) depending on
how you configured your application. Under your target framework will be the
list of packages you have directly taken a dependency on. In this example, the
application takes a dependency on Microsoft.AspNetCore.Mvc.
Microsoft.AspNetCore.Mvc in turn has leaf nodes that list its dependencies and
their versions. In this case the Microsoft.AspNetCore.Mvc package takes a
dependency on a vulnerable version of Microsoft.AspNetCore.Mvc.Core and
numerous other packages.
Manually reviewing project.lock.json (project.json/VS2015)
Open the project.lock.json file in your editor. We suggest you use an editor
that understands json and allows you to collapse and expand nodes to review
this file; both Visual Studio and Visual Studio Code provide this
functionality.
If you are using Visual Studio the project.lock.json file is under the
project.json file. Click the right pointing triangle, , to the left of the
project.json file to expand the solution tree to expose the project.lock.json
file. Figure 1 below shows a project with the project.json file expanded to
show the project.lock.json file.
Mt808804.10871F6DAB46208F3A20B4D79DC43612(en-us,Security.10).png
Figure 2: project.lock.json file location
Search the project.lock.json file for the string
Microsoft.AspNetCore.Mvc.Core/1.1.0. If your project.lock.json file includes
this string, you have a dependency on the vulnerable package.
Fixing transitive dependencies (project.json/VS2015)
If you have not found any reference to any vulnerable packages this means none
of your direct dependencies depend on any vulnerable packages or you have
already fixed the problem by updating the direct dependencies.
If your transitive dependency review found references to any of the vulnerable
packages you must add a direct dependency to the updated package to your
project.json file to override the transitive dependency. Open your
project.json and find the dependencies section. For example:
"dependencies": {
"Microsoft.NETCore.App": {
"version": "1.0.1",
"type": "platform"
},
"Microsoft.AspNetCore.Server.Kestrel": "1.1.0",
"Microsoft.AspNetCore.Mvc": "1.1.0"
}
For each of the vulnerable packages your search returned you must add a direct
dependency to the updated version by adding it to the project.json file. You
do this by adding a new line to the dependencies section, referring the fixed
version. For example, if your search showed a transitive reference to the
vulnerable System.Net.Security version 4.0.0 you would add a reference to the
appropriate fixed version, 4.0.1. Edit the project.json file as follows:
"dependencies": {
"Microsoft.NETCore.App": {
"version": "1.0.1",
"type": "platform"
},
"System.Net.Security": "4.0.1",
"Microsoft.AspNetCore.Server.Kestrel": "1.1.0",
"Microsoft.AspNetCore.Mvc": "1.1.1"
}
After you have added direct dependencies to the fixed packages, save your
project.json file.
If you are using Visual Studio save your updated project.json file and Visual
Studio will restore the new package versions. You can see the restore results
by opening the Output Window (Ctrl+Alt+O) and changing the Show output from
drop-down list to Package Manager.
If you are not using Visual Studio open a command line and change to your
project directory. Execute the dotnet restore command to restore your new
dependencies.
Using Visual Studio Solution Explorer (VS2017)
If you want to use Solution Explorer, open your project in Visual Studio 2017,
and then press Ctrl+; to activate the search in Solution Explorer. Search for
each of the vulnerable package names and make a note of the version numbers of
any results you find.
For example, searching for Microsoft.AspNetCore.Mvc.Core in an example project
that contains a package that takes a dependency on Microsoft.AspNetCore.Mvc
shows the following results in Visual Studio 2017.
Mt808804.CF4A614A1C2C51FE9505E3379A83E8D6(en-us,Security.10).png
Figure 3: Searching references in Visual Studio 2017
The search results appear as a tree. In these results, you can see we have
found references to Microsoft.AspNetCore.Mvc.Core version 1.1.2.
Under the Dependencies node will be a NuGet node. Under the NuGet node will be
the list of packages you have directly taken a dependency on and their
versions. In this example, the application takes a direct dependency on
Microsoft.AspNetCore.Mvc. Microsoft.AspNetCore.Mvc in turn has leaf nodes that
list its dependencies and their versions. In the example the
Microsoft.AspNetCore.Mvc package takes a dependency on a version of
Microsoft.AspNetCore.Mvc.ApiExplorer which in turn takes a dependency on a
vulnerable version of Microsoft.AspNetCore.Mvc.Core.
Manually reviewing project.assets.json (VS2017)
Open the project.assets.json file from your projects obj directory in your
editor. We suggest you use an editor that understands json and allows you to
collapse and expand nodes to review this file; both Visual Studio and Visual
Studio Code provide this functionality.
Search the project.assets.json file for the each of the package names in the
vulnerable packages table, followed by a /. For example looking for
Microsoft.AspNetCore.Mvc would entail using a search string of
Microsoft.AspNetCore.Mvc/. If your project.assets.json file includes this
string, and the full version number (the number after the / in any search
hits) matches one of the vulnerable versions listed above, you have a
dependency on the vulnerable package.
Fixing transitive dependencies (csproj/VS2017)
If you have not found any reference to any vulnerable packages this means none
of your direct dependencies depend on any vulnerable packages or you have
already fixed the problem by updating the direct dependencies.
If your transitive dependency review found references to any of the vulnerable
packages you must add a direct dependency to the updated package to your
csproj file to override the transitive dependency. Open your
projectname.csproj file in your editor, or right click on the project in
Visual Studio 2017 and choose Edit projectname.csproj from the content menu,
where projectname is the name of your project. Look for PackageReference
nodes, for example:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp1.1</TargetFramework>
</PropertyGroup>
<PropertyGroup>
<PackageTargetFallback>$(PackageTargetFallback);portable-net45+win8+wp8+wpa81;</PackageTargetFallback>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.3" />
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="1.0.0" />
</ItemGroup>
</Project>
For each of the vulnerable packages your search returned you must add a direct
dependency to the updated version by adding it to the csproj file. You do this
by adding a new line to the dependencies section, referring the fixed version.
For example, if your search showed a transitive reference to the vulnerable
System.Net.Security version 4.3.0 you would add a reference to the appropriate
fixed version, 4.3.1.
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp1.1</TargetFramework>
</PropertyGroup>
<PropertyGroup>
<PackageTargetFallback>$(PackageTargetFallback);portable-net45+win8+wp8+wpa81;</PackageTargetFallback>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.Net.Security" Version="4.3.1" />
<PackageReference Include="Microsoft.AspNetCore" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.3" />
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="1.0.0" />
</ItemGroup>
After you have added the direct dependency reference, save your csproj file.
If you are using Visual Studio, save your updated csproj file and Visual
Studio will restore the new package versions. You can see the restore results
by opening the Output Window (Ctrl+Alt+O) and changing the Show output from
drop-down list to Package Manager.
If you are not using Visual Studio, open a command line and change to your
project directory. Execute the dotnet restore command to restore your new
dependencies.
Rebuilding your application
Finally rebuild your application, test as you would do normally and redeploy
using your favored deployment mechanism.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET Core, please email
details to secure@microsoft.com. Reports may qualify for the .NET Core Bug
Bounty. Details of the .NET Core Bug Bounty including Terms and Conditions are
at https://aka.ms/corebounty.
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides
vulnerability information to major security software providers in advance of
each monthly security update release. Security software providers can then use
this vulnerability information to provide updated protections to customers via
their security software or devices, such as antivirus, network-based intrusion
detection systems, or host-based intrusion prevention systems. To determine
whether active protections are available from security software providers,
please visit the active protections websites provided by program partners,
listed in Microsoft Active Protections Program (MAPP) Partners.
Feedback
You can provide feedback by completing the Microsoft Help and Support form,
Customer Service Contact Us.
Support
You can ask questions about this issue on GitHub in the .NET Core or ASP.NET
Core organizations. These are located at https://github.com/dotnet/ and
https://github.com/aspnet/. The Announcements repo for each product
(https://github.com/dotnet/Announcements and
https://github.com/aspnet/Announcements) will contain this bulletin as an
issue and will include a link to a discussion issue where you can ask
questions.
Customers in the United States and Canada can receive technical support from
Security Support. For more information, see Microsoft Help and Support.
International customers can receive support from their local Microsoft
subsidiaries. For more information, see International Support. * Microsoft
TechNet Security provides additional information about security in Microsoft
products.
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
David Fernandez of Sidertia Solutions for reporting the ASP.NET Core Denial of
Service Vulnerability (CVE-2017-0247)
Mikhail Shcherbakov for reporting the ASP.NET Core Spoofing Vulnerability
(CVE-2017-0256)
Disclaimer
The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
Revisions
V1.0 (May 9, 2017): Advisory published.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWRPwWYx+lLeg9Ub1AQiUEw//WLs+q+1UoWBJx0KOv3m4aECaoPSTHP3o
XjSwQqDF+trGqCuMDuPx+gpNJL23a6BZnzybaFPV7UnNOWa1ysdYhg/5QPWmVxP1
j6xp/LvXAXjhDe+mJK9KuH3sNUgEphLbgngrhKtWfSPcVVxpIY8dTPOCNFdLqusX
VVZQSIqpclirRnL8oDRaX3K1Q4WkwI2JfgA0J86Z5JypBT4CuwAXaU4MKL4RtaY9
JKXi21TgtLlneuzct79PYCoIbQKbIrnyQUqdyfC3vHteUVRQtPAu8mPFmD2wz1Kq
GNZOzGgAk7hYjwPw2RlhLdzbEVxlv1Zl0bK8X9YqtKzwsn+gWA6sIRaOMiBOmBiE
syfsYSkTFMZPuLzjikf0YXdLd1lgmFKQKM3vH50tajfjWeBSZWXlY8lJIaxzoekP
OT+zvgubg3WGxP/tWFHkahhjjIcoc+V8PUGDwf29PVuAwOnZPgMHXY24HiMkNOht
SpjGRIUYNNa7Pr/jQuGa2yVrRsM0qAxSt01kYtYqquFZFCahXWyr4e1SA/9dTZQz
ljc+EP0D0jsqSWGvQoi25WyJk6moOXE8j2OiKFYqMMKZduY1/PH6mRt96PTb3YIT
oJqg089WjCQQQtCuNdY1BsJ+1scjcNB/bsfD6RniHMrDYYuuPHIOFANsMDDTREki
qKHabQcojgo=
=a1ge
-----END PGP SIGNATURE-----