CVE-2009-1417 (gnutls)

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.

URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1417

[SECURITY] [DSA 1758-1] New nss-ldapd packages fix information disclosure

<!– Envelope-to: email@address Delivery-date: Tue, 31 Mar 2009 16:30:11 +0100 Received: from outgoing.securityfocus.com ([205.206.231.27] helo=outgoing3.securityfocus.com) by lt.network5.net with esmtp (Exim 4.43) id 1Loful-0002kK-BI for email@address; Tue, 31 Mar 2009 16:30:11 +0100 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing3.securityfocus.com (Postfix) with QMQP id 85B18237372; Tue, 31 Mar 2009 08:14:10 -0700 (MST) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq@securityfocus.com> List-Help: <mailto:bugtraq-help@securityfocus.com> List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com> List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com> Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 23072 invoked from network); 30 Mar 2009 21:44:10 -0000 Resent-Cc: recipient list not shown: ; Old-Return-Path: <jmm@inutil.org> X-Original-To: lists-debian-security-announce@liszt.debian.org Delivered-To: lists-debian-security-announce@liszt.debian.org X-policyd-weight: DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_EQ_FROM_MX=-3.1 <client=83.151.30.8> <helo=inutil.org> <from=jmm@inutil.org> <to=debian-security-announce@lists.debian.org>, rate: -6.1 Message-ID: <20090330214700.GA3699@galadriel.inutil.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.18 (2008-05-17) X-SA-Exim-Connect-IP: 82.83.180.59 X-SA-Exim-Mail-From: jmm@inutil.org X-SA-Exim-Scanned: No (on inutil.org); SAEximRunCond expanded to false X-Virus-Scanned: at lists.debian.org with policy bank moderated X-Spam-Status: No, score=-8.68 tagged_above=3.6 required=5.3 tests=[FOURLA=0.1, FVGT_m_MULTI_ODD=0.02, IMPRONONCABLE_2=1, LDO_WHITELIST=-5, MURPHY_WRONG_WORD2=0.2, PGPSIGNATURE=-5] X-Spam-Level: X-Debian: PGP check passed for security officers Priority: urgent Resent-Message-ID: <ZH4icUGVyLB.A.UdF.t3T0JB@liszt> Reply-To: listadmin@securityfocus.com Mail-Followup-To: bugtraq@securityfocus.com Resent-Date: Mon, 30 Mar 2009 21:47:25 +0000 (UTC) Resent-From: list@liszt.debian.org (Mailing List Manager) X-IMAPbase: 1176125385 8623 Status: O X-UID: 8622 Content-Length: 5035 X-Keywords:

]]> http://sechero.com/new-nss-ldapd-packages-fix-information-disclosure-2/feed/ 0 http://sechero.com/new-nss-ldapd-packages-fix-information-disclosure/ http://sechero.com/new-nss-ldapd-packages-fix-information-disclosure/#comments Mon, 30 Mar 2009 21:47:00 +0000 invalid string http://sechero.com/new-nss-ldapd-packages-fix-information-disclosure/

[SECURITY] [DSA 1758-1] New nss-ldapd packages fix information disclosure

Posted by Moritz Muehlenhoff on Mar 30

————————————————————————
Debian Security Advisory DSA-1758-1 security_at_debian.org
www.debian.org/security/ Moritz Muehlenhoff
March 30, 2009 …

URL: http://seclists.org/fulldisclosure/2009/Mar/0440.html

Vuln: PADL nss_ldap ‘/etc/nss_ldapd.conf’ Local Information Disclosure Vulnerability

PADL nss_ldap ‘/etc/nss_ldapd.conf’ Local Information Disclosure Vulnerability

URL: http://www.securityfocus.com/bid/34211

CVE-2009-1094 (jdk, jre)

Unspecified vulnerability in the LDAP implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier allows remote LDAP servers to execute arbitrary code via unknown vectors related to serialized data.

URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1094

CVE-2009-1093 (jdk, jre)

LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier does not close the connection when initialization fails, which allows remote attackers to cause a denial of service (LDAP service hang).

URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1093

RE: LDAP Injection

Posted by Erez Metula on Mar 18

Hey Jon,
Give a try to the "Ldap Injector" tool (Alonso/Parada), capable of performing blind ldap injection attacks.

Cheers,
Erez.
________________________________

Erez Metula, CISSP
Application Security Department Manager, 2BSecure
Mobile: 972-54-2108830 Office:…

URL: http://seclists.org/pen-test/2009/Mar/0094.html

Infoblox Secures $21 Million Investment

Infoblox, a developer of appliances for core network identity services, today announced that it has closed $21 million in additional funding, reinforcing the company’s position as the market leader for network identity appliances that address network protocols like DNS, DHCP, RADIUS, and LDAP.

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/5afAjCuP4SA/release.cfm

Cricket Liu Joins Infoblox

Infoblox, a leading developer of appliances for core network services, today announced the appointment of Cricket Liu. Best known for its award-winning DNS One appliance, Infoblox develops products that simplify deployment and administration of core network services like DNS, DHCP, RADIUS, and LDAP. Cricket will provide strategic guidance on the development of the companyˇ¦s product and service offerings to enterprise customers, while expanding Infobloxˇ¦s strategic partnerships throughout the networking industry.

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/Vnc5GQU9bhk/release.cfm

Infoblox Partners with Terilogy to Expand Sales in Japan

Infoblox, a leading network appliances developer, announced today a partnership agreement with Japanese network infrastructure integrator, Terilogy, to provide direct sales and sales support for Infobloxˇ¦s line of appliances in Japan. Best known for its flagship appliance, DNS One, Infoblox offers task-specific appliances for the following network protocols: DNS, DHCP, LDAP, and RADIUS.

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/TrC6Un9S18c/release.cfm