Domain: cert.fi
Stories and comments across the archive that link to cert.fi.
Comments · 6
-
Re:Hey things take time.
Yes, than God it does not affect Linux!
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.htmlOops
... well, at least Linux fixed it promptly!http://kbase.redhat.com/faq/docs/DOC-18730
"Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues"Oops
... well, anyway Windows suck! -
Re:Article??
More details are now available:
http://www.codenomicon.com/labs/xml/Also the CERT advisory is finally out:
https://www.cert.fi/en/reports/2009/vulnerability2009085.htmlYou call that more details?!
I assume you want the dirty details, i.e. full disclosure?
Come on, this is open source. Read the code. You are not going to get any more help than that from the good guys. There will soon be a wide range of exploits and demos that you can use, though. I am not sure anyone but you actually wants that.
;)Check out how many Linux distributions have issued an advisory on this problem. Look at the number of vulnerable software projects. Pick your side guy! Are you working for your own interest and trying to find a way to make your own profit from this flaw or trying to motivate all those open source software projects (that do not have a clue on security) into updating... finally!
If your comment is not a troll, then nothing here is. There is no other comment here that is more counter-productive, with my quick read of the things discussed here. I am not sure who do you want to help with comments like that.
-
Re:Article??
More details are now available:
http://www.codenomicon.com/labs/xml/Also the CERT advisory is finally out:
https://www.cert.fi/en/reports/2009/vulnerability2009085.htmlYou call that more details?! The first link tells me nothing much other than "OMG! XML is used in lots of places!" and the second is unclear about which libraries actually have the problem (e.g., is expat itself vulnerable or just the version that Python uses?) This is important because it determines who else has to worry about these things. If there are fundamental problems, it's important that they get fixed right back at the root and then the fixes pushed out. Otherwise you just have duplication of effort, warring developers, and people who are vulnerable and don't know it.
-
Re:Which XML libraries?
From CERT-FI report:
Vendor Information:
* Python libexpat
* Apache Xerces, all versions
* Sun JDK and JRE 6 Update 14 and earlier
* Sun JDK and JRE 5.0 Update 19 and earlier -
Re:Naptha all over again
Can you guarantee that the fix will be rolled out to everyone at the same time?
The fix has already been rolled out long ago.
Do you know what the fix is? Source address level filtering. It's that simple.
This attack is less of a threat than SYN flooding attacks, because the attacker's address can't be spoofed. More information from Fyodor.
-
Re:Secure Platform without Anti-virus
Looking back at the original link it does list Symantec as not being affected, so maybe I'm thinking of another vulnerability. Their were two actual security releases based on this, one involving a buffer overflow, and another involving uncaught exceptions that lead to program crashes, so maybe it's only vulnerable to one of those. Or maybe I'm just confused and it's an entirely different security advisory I'm thinking of. This link does list 7-zip, and bzip2 (and tar, but it will depend on which version of bzip2 it's compiled against) as vulnerable but fixed in versions 4.5.7 and 1.0.5 respectively.