Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.1334.2
Multiple security vulnerabilities affecting IBM Rational ClearCase
23 May 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Rational ClearCase
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-1000007 CVE-2018-1000005 CVE-2018-1447
CVE-2018-1427 CVE-2017-10356 CVE-2017-10345
CVE-2017-3736 CVE-2017-3732 CVE-2016-0705
CVE-2016-0702
Reference: ASB-2016.0042
ASB-2016.0019
ESB-2016.0544
ESB-2016.0543.2
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg22012279
http://www.ibm.com/support/docview.wss?uid=swg22014495
http://www.ibm.com/support/docview.wss?uid=swg22012827
Comment: This bulletin contains three (3) IBM security advisories.
Revision History: May 23 2018: Updated Affected Products and Remediation/Fixes
on swg22012827
May 2 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM
Rational ClearCase (CVE-2017-10356, CVE-2017-10345)
Document information
More support for: Rational ClearCase
ClearCase Remote Client
Software version: 9.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.0.6,
9.0.1, 9.0.1.1, 9.0.1.2
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 2012279
Modified date: 30 April 2018
Security Bulletin
Summary
There are multiple vulnerabilities in IBM(R) Runtime Environment Java(TM) Versions 7
and 8, which are used by IBM Rational ClearCase. These issues were disclosed as
part of the IBM Java SDK updates in October 2017.
Vulnerability Details
CVEID: CVE-2017-10356
DESCRIPTION: An unspecified vulnerability related to the Java SE Security
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a high confidentiality impact using unknown attack
vectors.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133785 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10345
DESCRIPTION: An unspecified vulnerability related to the Java SE Serialization
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
Affected Products and Versions
IBM Rational ClearCase version 9 in the following components:
o CCRC WAN server/CM Server component, when configured to use SSL
o ClearCase remote client: CCRC/CTE GUI, rcleartool, and CMAPI clients
+---------------------------------------+-------------------------------------+
| ClearCase version | Status |
+---------------------------------------+-------------------------------------+
| 9.0.1 through 9.0.1.2 | Affected |
+---------------------------------------+-------------------------------------+
| 9.0 through 9.0.0.6 | Affected |
+---------------------------------------+-------------------------------------+
Remediation/Fixes
The solution is to install a fix that includes an updated Java(TM) Virtual Machine
with fixes for the issues, and to apply fixes for WebSphere Application Server
(WAS).
CCRC Client fixes
Apply the relevant fixes as listed in the table below.
+------------------+------------------------------------------------------+
|Affected Versions | Applying the fix |
+------------------+------------------------------------------------------+
| 9.0.1 through |Install Rational ClearCase Fix Pack 3 (9.0.1.3) for |
| 9.0.1.2 |9.0.1 |
| 9.0 through | |
| 9.0.0.6 | |
+------------------+------------------------------------------------------+
For 7.0, 7.1, 8.0, and earlier releases, IBM recommends upgrading to a
fixed, supported version/release/platform of the product.
Notes:
? If you use CCRC as an extension offering installed into an Eclipse
shell (one not provided as part of a ClearCase release), or you use
rcleartool or CMAPI using a Java(TM) Virtual Machine not supplied by IBM
as part of Rational ClearCase, you should update the Java(TM) Virtual
Machine that you use to include a fix for the above issues. Contact the
supplier of your Java(TM) Virtual Machine and/or the supplier of your
Eclipse shell.
CCRC WAN server fixes
1. Determine the WAS version used by your CCRC WAN server. Navigate to the
CCRC profile directory (either the profile you specified when
installing ClearCase, or <ccase-home>/common/ccrcprofile), then execute
the script: bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows).
The output includes a section "IBM WebSphere Application Server". Make
note of the version listed in this section.
2. Review the following WAS security bulletin:
Security Bulletin: Multiple vulnerabilities in IBM(R) Java SDK affects
WebSphere Application Server October 2017 CPU
and apply the latest available fix for the version of WAS used for
CCRC WAN server.
Note: there may be newer security fixes for WebSphere Application
Server. Follow the link below (in the section "Get Notified about
Future Security Bulletins") to subscribe to WebSphere product support
alerts for additional Java SDK fixes.
+------------------+------------------------------------------------------+
|Affected Versions | Applying the fix |
+------------------+------------------------------------------------------+
|9.0.0.x |Apply the appropriate WebSphere Application Server fix|
|9.0.1.x |directly to your CCRC WAN server host. No |
| |ClearCase-specific steps are necessary. |
+------------------+------------------------------------------------------+
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.
References
Complete CVSS v3 Guide
On-line Calculator v3
IBM Java SDK security bulletin
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
30 April 2018: Originally published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: Vulnerabilities in cURL component shipped with IBM Rational
ClearCase (CVE-2018-1000005, CVE-2018-1000007)
Document information
More support for: Rational ClearCase
Integrations
Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6,
8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14,
8.0.0.15, 8.0.0.16, 8.0.0.17, 8.0.0.18, 8.0.0.19, 8.0.0.20, 8.0.0.21, 8.0.1,
8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8,
8.0.1.9, 8.0.1.10, 8.0.1.11, 8.0.1.12, 8.0.1.13, 8.0.1.14, 8.0.1.15, 8.0.1.16,
9.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.0.6, 9.0.1, 9.0.1.1,
9.0.1.2
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 2014495
Modified date: 30 April 2018
Security Bulletin
Summary
IBM Rational ClearCase is affected by cURL/libcURL vulnerabilities.
Vulnerability Details
CVEID: CVE-2018-1000007
DESCRIPTION: cURL liburl could allow a remote attacker to obtain sensitive
information, caused by a flaw when passing on custom Authorization: headers. By
sending a specially-crafted HTTP redirects request, a remote attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
138218 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2018-1000005
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by an
out-of-bounds read flaw in code handling HTTP/2 trailers. By sending
specially-crafted HTTP/2 trailer data, a remote attacker could exploit this
vulnerability to cause a denial of service or information disclosure condition.
CVSS Base Score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
138219 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Affected Products and Versions
The cURL component is used in the CMI integration, the OSLC-based ClearQuest
integration, and in the automatic view client.
+---------------------------------------+-------------------------------------+
| ClearCase client version | Status |
+---------------------------------------+-------------------------------------+
| 9.0.1 through 9.0.1.2 | Affected |
+---------------------------------------+-------------------------------------+
| 9.0 through 9.0.0.6 | Affected |
+---------------------------------------+-------------------------------------+
| 8.0.1 through 8.0.1.16 | Affected |
+---------------------------------------+-------------------------------------+
| 8.0 through 8.0.0.21 | Affected |
+---------------------------------------+-------------------------------------+
Remediation/Fixes
The solution is to upgrade to a fix pack of ClearCase that fixes the
vulnerabilities in the cURL component.
+------------------+----------------------------------------------------------+
|Affected Versions | Applying the fix |
+------------------+----------------------------------------------------------+
| 9.0.1 through |Install Rational ClearCase Fix Pack 3 (9.0.1.3) for 9.0.1 |
| 9.0.1.2 | |
| 9.0 through | |
| 9.0.0.6 | |
+------------------+----------------------------------------------------------+
| 8.0.1 through |Install Rational ClearCase Fix Pack 17 (8.0.1.17) for |
| 8.0.1.16 |8.0.1 |
| 8.0 through | |
| 8.0.0.21 | |
+------------------+----------------------------------------------------------+
For 7.0, 7.1, and earlier releases, IBM recommends upgrading to a fixed,
supported version/release/platform of the product.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.
References
Complete CVSS v3 Guide
On-line Calculator v3
cURL vulnerability listing
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
30 April 2018: Original copy published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: Multiple security vulnerabilities have been identified in
GSKit shipped with IBM Rational ClearCase
CVE-2016-0702; CVE-2018-1447; CVE-2018-1427; CVE-2017-3736; CVE-2017-3732;
CVE-2016-0705
Document information
More support for: Rational ClearCase
Integrations: IBM
Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6,
8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14,
8.0.0.15, 8.0.0.16, 8.0.0.17, 8.0.0.18, 8.0.0.19, 8.0.0.20, 8.0.0.21, 8.0.1,
8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8,
8.0.1.9, 8.0.1.10, 8.0.1.11, 8.0.1.12, 8.0.1.13, 8.0.1.14, 8.0.1.15, 8.0.1.16,
9.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.0.6, 9.0.1, 9.0.1.1,
9.0.1.2
Operating system(s): Windows
Reference #: 2012827
Modified date: 21 May 2018
Summary
Vulnerabilities have been addressed in the GSKit component of IBM Rational
ClearCase.
Vulnerability Details
CVEID: CVE-2016-0702
DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive
information, caused by a side-channel attack against a system based on the
Intel Sandy-Bridge microarchitecture. An attacker could exploit this
vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
111144 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting
in weaker than expected protection of passwords. A weak password may be
recovered. Note: After update the customer should change password to ensure
the new password is stored more securely. Products should encourage customers
to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
139972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2018-1427
DESCRIPTION:IBM GSKit contains several environment variables that a local
attacker could overflow and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
139072 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-3736
DESCRIPTION:OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagation flaw in the x86_64 Montgomery
squaring function bn_sqrx8x_internal(). An attacker with online access to an
unpatched system could exploit this vulnerability to obtain information about
the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-3732
DESCRIPTION:OpenSSL could allow a remote attacker to obtain sensitive
information, caused by a carry propagating bug in the x86_64 Montgomery
squaring procedure. An attacker could exploit this vulnerability to obtain
information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
121313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-0705
DESCRIPTION:OpenSSL is vulnerable to a denial of service, caused by a
double-free error when parsing DSA private keys. An attacker could exploit
this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
+--------------------------------------+-------------------------------------+
| ClearCase Windows CMI/OSLC client | Status |
+--------------------------------------+-------------------------------------+
| 8.0 through 8.0.0.21 | Affected |
| 8.0.1 through 8.0.1.16 | |
| 9.0 through 9.0.0.6 | |
| 9.0.1 through 9.0.1.2 | |
+--------------------------------------+-------------------------------------+
CMI and OSLC integrations:
Windows clients only, of the indicated releases.
The IBM GSKit is used if ClearCase on Windows platforms is configured to
integrate with a change management system with communication over SSL
(https). This applies to any integration using Change Management Interface
(CMI), and to non-CMI based UCM-enabled CQ integration via OSLC. If your
ClearCase deployment is not using these integrations, or not using SSL
with the integrations, then your deployment is not affected by this
portion of the vulnerability.
The UCM-enabled CQ integration without using OSLC (SQUID) is not affected
by this vulnerability.
+--------------------------------------+-------------------------------------+
| CCRC WAN server release | Status |
+--------------------------------------+-------------------------------------+
| 8.0 through 8.0.0.21 | Affected |
| 8.0.1 through 8.0.1.16 | |
| 9.0 through 9.0.0.6 | |
| 9.0.1 through 9.0.1.2 | |
+--------------------------------------+-------------------------------------+
CCRC WAN Server:
All platforms of the indicated releases.
Remediation/Fixes
Note: After applying the fixes as noted below, please refer to this document
http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html for information
concerning password re-stashing. It is advised that you re-stash your password
due to CVE-2018-1447 after you apply the fixes.
The solution is to upgrade to a newer fix pack or release of ClearCase, and to
apply fixes for IBM HTTP Server (IHS).
CMI and OSLC integrations on Windows clients:
The solution is to install a newer, fixed version of the GSKit runtime
component.
+-------------------+--------------------------------------------------------+
| Affected Versions | Applying the fix |
+-------------------+--------------------------------------------------------+
| 9.0.1 through |Install Rational ClearCase Fix Pack 3 (9.0.1.3) for |
| 9.0.1.2 |9.0.1 |
|9.0 through 9.0.0.6| |
+-------------------+--------------------------------------------------------+
| 8.0.1 through |Install Rational ClearCase Fix Pack 17 (8.0.1.17) for |
| 8.0.1.16 |8.0.1 |
| 8.0 through | |
| 8.0.0.21 | |
+-------------------+--------------------------------------------------------+
CCRC WAN Server:
Apply an IHS fix for the issue:
1. Determine the IHS version used by your CCRC WAN server. Navigate to the
IBM HTTP Server installation directory (typically /opt/ibm/HTTPServer or
C:\Program Files (x86)\IBM\HTTPServer), then execute the script: bin/
versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output
includes a section "IBM HTTP Server for WebSphere Application Server".
Make note of the version listed in this section.
2. Review the following IHS security bulletin for the available fixes:
Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP
Server. Note: there may be newer security fixes for IBM HTTP Server.
Follow the link below (in the section "Get Notified about Future Security
Bulletins") to subscribe to WebSphere product support alerts for
additional security fixes.
3. Apply the relevant fixes to your IBM HTTP Server installation used on your
CCRC WAN server host. No ClearCase-specific steps are necessary.
For 7.0, 7.1, 8.0, and earlier releases, IBM recommends upgrading to a fixed,
supported version/release/platform of the product.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
30 April 2018: Original version published
21 May 2018: Updated Affected Products and Remediation/Fixes for an IHS fix
and password re-stashing due to CVE-2018-1447
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWwS6Pox+lLeg9Ub1AQiyLg/+LW8G+LX9RlbSy85OXlXDpreZwVjlilpC
KkU50F6QDlazBIsDxuzJGOgo0LEzMeUStN4JYHljxyDyq0twSdOZ4EDGraHrAqA8
gzSSKNofE9gwIBatoCG+Lr3OKmGzmrX9SpVw7OcmFow9Ro//CW3qZ6BnZrnhNnsB
E0lDN1s+CX7pHpG8bZXebfeZDG7/rgGASUlSJBAEwjErHOk11BEY9htGz0YDZUWL
2bZQg0aStFCCyxrzSFLk7v60jVWUiQ0SMaGbK6y5fnAQwJRoUZujEGQixhBUIaEP
A+k8SqRY13mftcOhDaTq0bR9eTSdCNpJAZp/gX4iGkiVYDscCzERM09WL/VYTSdd
Nwr2arrSkx27pZpeJRt1BxWUEfPImQFytlieC8m0KMrZD4ht2juevdcibGirBWBC
pV2OLFOwBievxPpgkGxElrxXMCyu3UepXjXgcEGQa7iz5oL4UR0puseD/FpsPe2D
yZtto1ICjcCwunCrYZu6Jaq8/9XvrdoLlpif0t6KMldWaokSROqd2fC/PoHOdoNi
L/4r47rYlUXVMSF3d/c35wRicRXfwogeQ5r+s0khnYAriTdbG+Dlj81js4tLVgLi
e32HC34z9Kb74HLImv1eoBKfkai7cKvYjThMD69k9ARtkigY9pq7ULDGQmnkI4Rm
/H5i+RYTz4w=
=3gpD
-----END PGP SIGNATURE-----