Please see the attached advisory.

Since we have openldap-2.0.11 in portage I recommend that we remove the
older one based upon answers to the following questions.

1.) Does the openldap-2.0.11 package compile and work o.k.?
2.) Is there a valid reason for leaving the older ebuilds in the tree?
3.) Does anyone care?

I'll wait for this thread to progress before removing / modifying the
net-nds/openldap/ directory in portage.

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
Implementations of the Lightweight Directory Access Protocol (LDAP)

Original release date: July 16, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* iPlanet Directory Server, version 5.0 Beta and versions up to and
  including 4.13
* Certain versions of IBM SecureWay running under Solaris and
  Windows 2000
* Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior
  to 5.0.7a
* Teamware Office for Windows NT and Solaris, prior to version 5.3ed1
* Qualcomm Eudora WorldMail for Windows NT, version 2
* Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
* Network Associates PGP Keyserver 7.0, prior to Hotfix 2
* Oracle 8i Enterprise Edition
* OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8

Overview

Several implementations of the Lightweight Directory Access Protocol
(LDAP) protocol contain vulnerabilities that may allow
denial-of-service attacks, unauthorized privileged access, or both. If
your site uses any of the products listed in this advisory, the CERT/CC
encourages you to follow the advice provided in the Solution section
below.

I. Description

The LDAP protocol provides access to directories that support the X.500
directory semantics without requiring the additional resources of
X.500. A directory is a collection of information such as names,
addresses, access control lists, and cryptographic certificates.
Because LDAP servers are widely used in maintaining corporate contact
information and providing authentication services, any threats to their
integrity or stability can jeopardize the security of an organization.

To test the security of protocols like LDAP, the PROTOS project
presents a server with a wide variety of sample packets containing
unexpected values or illegally formatted data. This approach may reveal
vulnerabilities that would not manifest themselves under normal
conditions. As a member of the PROTOS project consortium, the Oulu
University Secure Programming Group (OUSPG) co-developed and
subsequently used the PROTOS LDAPv3 test suite to study several
implementations of the LDAP protocol.

The PROTOS LDAPv3 test suite is divided into two main sections: the
"Encoding" section, which tests an LDAP server's response to packets
that violate the Basic Encoding Rules (BER), and the "Application"
section, which tests an LDAP server's response to packets that trigger
LDAP-specific application anomalies. Each section is further divided
into "groups" that collectively exercise a particular encoding or
application feature. Finally, each group contains one or more "test
cases," which represent the network packets that are used to test
individual exceptional conditions.

By applying the PROTOS LDAPv3 test suite to a variety of popular
LDAP-enabled products, the OUSPG revealed the following
vulnerabilities:

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
in LDAP handling code

The iPlanet Directory Server contains multiple vulnerabilities in
the code that processes LDAP requests.

In the encoding section of the test suite, this product had an
indeterminate number of failures in the group that tests invalid
BER length of length fields.

In the application section of the test suite, this product failed
four groups and had inconclusive results for an additional five
groups. The four failed groups indicate the presence of buffer
overflow vulnerabilities. For the inconclusive groups, the product
exhibited suspicious behavior while testing for format string
vulnerabilities.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
attacks via LDAP handling code

The IBM SecureWay Directory server contains one or more
vulnerabilities in the code that processes LDAP requests. These
vulnerabilities were discovered independently by IBM using the
PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the
nature of these vulnerabilities.

VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code

The Lotus Domino R5 Server Family (including the Enterprise,
Application, and Mail servers) contains multiple vulnerabilities in
the code that processes LDAP requests.

In the encoding section of the test suite, this product failed 1 of
77 groups. The failed group tests a server's response to
miscellaneous packets with semi-valid BER encodings.

In the application section of the test suite, this product failed
23 of 77 groups. These results suggest that both buffer overflow
and format string vulnerabilities are likely to be present in a
variety of application components.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
handling code

The Teamware Office suite is packaged with a combination X.500/LDAP
server that provides directory services. Multiple versions of the
Office product contain vulnerabilities that cause the LDAP server
to crash in response to traffic sent by the PROTOS LDAPv3 test
suite.

In the encoding section of the test suite, this product failed 9 of
16 groups involving invalid encodings for several BER object types.

In the application section of the test suite, this product failed 4
of 32 groups. The remaining 45 groups were not exercised during the
test runs. The four failed groups indicate the presence of buffer
overflow vulnerabilities.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
Server LDAP handling code

While investigating the vulnerabilities reported by OUSPG, it was
brought to our attention that the Eudora WorldMail Server may
contain vulnerabilities that can be triggered via the PROTOS test
suite. The CERT/CC has reported this possibility to Qualcomm and an
investigation is pending.

VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
denial-of-service attacks

The Microsoft Exchange 5.5 LDAP Service contains a vulnerability
that causes the LDAP server to freeze in response to malformed LDAP
requests generated by the PROTOS test suite. This only affects the
LDAP service; all other Exchange services, including mail handling,
continue normally.

Although this product was not included in OUSPG's initial testing,
subsequent informal testing revealed that the LDAP service of the
Microsoft Exchange 5.5 became unresponsive while processing test
cases containing exceptional BER encodings for the LDAP filter type
field.

VU#765256 - Network Associates PGP Keyserver contains multiple
vulnerabilities in LDAP handling code

The Network Associates PGP Keyserver 7.0 contains multiple
vulnerabilities in the code that processes LDAP requests.

In the encoding section of the test suite, this product failed 12
of 16 groups.

In the application section of the test suite, this product failed 1
of 77 groups. The failed group focused on out-of-bounds integer
values for the messageID parameter. Due to a peculiarity of this
test group, this failure may actually represent an encoding
failure.

VU#869184 - Oracle 8i Enterprise Edition contains multiple
vulnerabilities in LDAP handling code

The Oracle 8i Enterprise Edition server contains multiple
vulnerabilities in the code used to process LDAP requests.

In the encoding section of the test suite, this product failed an
indeterminate number of test cases in the group that tests a
server's response to invalid encodings of BER OBJECT-IDENTIFIER
values.

In the application section of the test suite, this product failed
46 of 77 groups. These results suggest that both buffer overflow
and format string vulnerabilities are likely to be present in a
variety of application components.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to
denial-of-service attacks

There are multiple vulnerabilities in the OpenLDAP implementations
of the LDAP protocol. These vulnerabilities exist in the code that
translates network datagrams into application-specific information.

In the encoding section of the test suite, this product failed the
group that tests the handling of invalid BER length of length
fields.

In the application section of the test suite, this product passed
all 6685 test cases.

Additional Information

For the most up-to-date information regarding these vulnerabilities,
please visit the CERT/CC Vulnerability Notes Database at:

http://www.kb.cert.org/vuls/

Please note that the test results summarized above should not be
interpreted as a statement of overall software quality. However, the
CERT/CC does believe that these results are useful in describing the
characteristics of these vulnerabilities. For example, an application
that fails multiple groups indicates that problems exist in different
areas of the code, rather than in a specific code segment.

II. Impact

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Directory Server.
The server typically runs with system privileges. At least one of
these vulnerabilities has been successfully exploited in a
laboratory environment under Windows NT 4.0, but they may affect
other platforms as well.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
attacks via LDAP handling code

These vulnerabilities allow a remote attacker to crash affected
SecureWay Directory servers, resulting in a denial-of-service
condition. It is not known at this time whether these
vulnerabilities will allow a remote attacker to execute arbitrary
code. These vulnerabilities exist on the Solaris and Windows 2000
platforms but are not present under Windows NT, AIX, and AIX with
SSL.

VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Domino
server. The server typically runs with system privileges. At least
one of these vulnerabilities has been successfully exploited in a
laboratory environment.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
handling code

These vulnerabilities allow a remote attacker to crash affected
Teamware LDAP servers, resulting in a denial-of-service condition.
They may also allow a remote attacker to execute arbitrary code
with the privileges of the Teamware server. The server typically
runs with system privileges.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
Server LDAP handling code

The CERT/CC has not yet determined the impact of this
vulnerability.

VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
denial-of-service attacks

This vulnerability allows a remote attacker to crash the LDAP
component of vulnerable Exchange 5.5 servers, resulting in a
denial-of-service condition within the LDAP component.

VU#765256 - Network Associates PGP Keyserver contains multiple
vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Keyserver. The
server typically runs with system privileges. At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment.

VU#869184 - Oracle 8i Enterprise Edition contains multiple
vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Oracle
server. The server typically runs with system privileges. At least
one of these vulnerabilities has been successfully exploited in a
laboratory environment.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to
denial-of-service attacks

These vulnerabilities allow a remote attacker to crash affected
OpenLDAP servers, resulting in a denial-of-service condition.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.
Please consult this appendix to determine if you need to contact your
vendor directly.

Block access to directory services at network perimeter

As a temporary measure, it is possible to limit the scope of these
vulnerabilities by blocking access to directory services at the
network perimeter. Please note that this workaround does not protect
vulnerable products from internal attacks.

ldap    389/tcp   # Lightweight Directory Access Protocol
ldap    389/udp   # Lightweight Directory Access Protocol
ldaps   636/tcp   # ldap protocol over TLS/SSL (was sldap)
ldaps   636/udp   # ldap protocol over TLS/SSL (was sldap)

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

IBM Corporation

IBM and Tivoli are currently investigating the details of the
vulnerabilities in the various versions of the SecureWay product
family.

Fixes are being implemented as these details become known.

Fixes will be posted to the download sites (IBM or Tivoli) for the
affected platform. See http://www-1.ibm.com/support under "Server
Downloads" or "Software Downloads" for links to the fix distribution
sites.

iPlanet E-Commerce Solutions

[CERT/CC Addendum: These vulnerabilities were originally discovered in
Directory Server 5.0 Beta and were later found to exist in versions up
to and including version 4.13. These vulnerabilities have been
addressed in the released version of Directory Server 5.0.]

Lotus Development Corporation

Lotus reproduced the problem as reported by OUSPG and documented it in
SPR#DWUU4W6NC8.

Lotus considers security issues as top priority, so we acted quickly
to resolve the problem in a maintenance update to Domino. It was
addressed in Domino R5.0.7a, which was released on May 18th, 2001.
This release can be downloaded from Notes.net at

http://www.notes.net/qmrdown.nsf/qmrwelcome.

The fix is documented in the fix list at

http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8

Microsoft Corporation

Microsoft is developing a hotfix for this issue which will be
available shortly.

Customers can obtain this hotfix by contacting Product Support
Services at no charge and asking for Q303448 and Q303450. Information
on contacting Microsoft Product Support Services can be found at

http://www.microsoft.com/support/

Network Associates, Inc.

Network Associates has resolved these vulnerabilities in Hotfix 2 for
both Solaris and Windows NT. All Network Associates Enterprise Support
customers have been notified and have been provided access to the
Hotfix.

This Hotfix can be downloaded at

http://www.pgp.com/downloads/default.asp

The OpenLDAP Project

[CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP
Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments
and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC
recommends that users of OpenLDAP contact their software vendor or
obtain the latest version, available at
http://www.openLDAP.org/software/download/.]

QUALCOMM Incorporated

The LDAP service in WorldMail may be vulnerable to this exploit, but
our tests so far have been inconclusive. At this time, we strongly
urge all WorldMail customers to ensure that the LDAP service is not
accessible from outside their organization nor by untrusted users.

The Teamware Group

An issue has been discovered with Teamware Office Enterprise Directory
(LDAP server) that shows an abnormal termination or loop when the LDAP
server encounters a maliciously or incorrectly created LDAP request
data.

If the maliciously formatted LDAP request data is requested, the LDAP
server may excessively copy the LDAP request data to the stack area.

This overflow is likely to cause execution of malicious code. In other
cases, the LDAP server may go into abnormal termination or infinite
loop.

[CERT/CC Addendum: Teamware has provided additional documentation of
these issues in their "Teamware Solution Database," available at
http://support.teamw.com/Online/s_database1.shtml. Registered users
can find information on these vulnerabilities by searching for
document #010703-0000 for Windows NT or document #010703-0001 for
Solaris.]

Appendix B. - Supplemental Information

The PROTOS Project

The PROTOS project is a research partnership between the University of
Oulu and VTT Electronics, an independent research organization owned
by the Finnish government. The project studies methods by which
protocol implementations can be tested for information security
defects.

Although the vulnerabilities discussed in this advisory relate
specifically to the LDAP protocol, the methodology used to research,
develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
communications protocol.

For more information on the PROTOS project and its collection of test
suites, please visit

http://www.ee.oulu.fi/research/ouspg/protos/

ASN.1 and the BER

Abstract Syntax Notation One (ASN.1) is a flexible notation that
allows one to define a variety of data types. The Basic Encoding Rules
(BER) describe how to represent or encode the values of each ASN.1
type as a string of octets. This allows programmers to encode and
decode data for platform-independent transmission over a network.

References

The following is a list of URLs referenced in this advisory as well as
other useful sources of information:

http://www.cert.org/advisories/CA-2001-18.html
http://www.ietf.org/rfc/rfc2116.txt
http://www.ietf.org/rfc/rfc2251.txt
http://www.ietf.org/rfc/rfc2252.txt
http://www.ietf.org/rfc/rfc2253.txt
http://www.ietf.org/rfc/rfc2254.txt
http://www.ietf.org/rfc/rfc2255.txt
http://www.ietf.org/rfc/rfc2256.txt
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
http://www.kb.cert.org/vuls/
http://www.kb.cert.org/vuls/id/276944
http://www.kb.cert.org/vuls/id/505564
http://www.kb.cert.org/vuls/id/583184
http://www.kb.cert.org/vuls/id/688960
http://www.kb.cert.org/vuls/id/717380
http://www.kb.cert.org/vuls/id/763400
http://www.kb.cert.org/vuls/id/765256
http://www.kb.cert.org/vuls/id/869184
http://www.kb.cert.org/vuls/id/935800
_________________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure
Programming Group for reporting these vulnerabilities to us, for their
detailed technical analyses, and for their assistance in preparing
this advisory. We also thank the many vendors who provided feedback
regarding their respective vulnerabilities.
_________________________________________________________________

Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory
is greatly appreciated.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-18.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@××××.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@××××.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
Jul 16, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
-----END PGP SIGNATURE-----

----- End forwarded message -----

-- 
Ben Lutgens
Sistina Software Inc.
Kernel panic: I have no root and I want to scream
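
The encoding-section failures the advisory reports for OpenLDAP and iPlanet (the group that tests invalid BER "length of length" fields) concern the length header that precedes every BER value. The following C decoder is an added example, not code from the advisory or from any of the listed products; it shows the bounds checks such a header needs before a server trusts it. The function name `ber_read_length`, the status names and the 4-octet cap are assumptions made for the illustration, and the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the illustrative ber_read_length() below (names assumed). */
enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,       /* length field runs past the received bytes */
    BER_INDEFINITE,      /* 0x80: indefinite form, which LDAP does not use */
    BER_RESERVED,        /* 0xFF: reserved first length octet */
    BER_LENLEN_TOO_BIG,  /* more length octets than this decoder accepts */
    BER_VALUE_OVERRUN    /* declared length exceeds the bytes actually present */
};

#define BER_MAX_LEN_OCTETS 4  /* assumed cap: values up to 2^32-1 octets */

/*
 * Decode the BER length field that follows a tag octet.
 * buf points at the first length octet; avail is the number of received
 * bytes from buf to the end of the PDU. On BER_OK, *hdr is the size of the
 * length field and *len the size of the value after it. Outputs are only
 * written on success, so a caller cannot act on a half-parsed header.
 */
enum ber_status ber_read_length(const uint8_t *buf, size_t avail,
                                size_t *hdr, size_t *len)
{
    size_t h;
    uint64_t v;

    if (avail < 1)
        return BER_TRUNCATED;

    if (buf[0] < 0x80) {               /* short form: 0..127 in one octet */
        h = 1;
        v = buf[0];
    } else {
        size_t n = buf[0] & 0x7F;      /* long form: the "length of length" */
        if (n == 0)
            return BER_INDEFINITE;
        if (n == 0x7F)
            return BER_RESERVED;
        if (n > BER_MAX_LEN_OCTETS)    /* checked before any octet is read */
            return BER_LENLEN_TOO_BIG;
        if (n > avail - 1)
            return BER_TRUNCATED;
        v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[1 + i];
        h = 1 + n;
    }

    /* Compare against what is left, never against h + v (which can wrap). */
    if (v > (uint64_t)(avail - h))
        return BER_VALUE_OVERRUN;

    *hdr = h;
    *len = (size_t)v;
    return BER_OK;
}

int main(void)
{
    /* Constructed samples: each is the length field plus any value bytes. */
    static const uint8_t short_ok[]  = { 0x03, 'a', 'b', 'c' };
    static const uint8_t long_ok[]   = { 0x81, 0x03, 'a', 'b', 'c' };
    static const uint8_t huge_len[]  = { 0x84, 0xFF, 0xFF, 0xFF, 0xFF };
    static const uint8_t many_oct[]  = { 0x88, 0, 0, 0, 0, 0, 0, 0, 1, 'x' };
    static const uint8_t cut_short[] = { 0x84, 0x00 };
    const struct { const char *name; const uint8_t *p; size_t n; } t[] = {
        { "short form",       short_ok,  sizeof short_ok },
        { "long form",        long_ok,   sizeof long_ok },
        { "length > data",    huge_len,  sizeof huge_len },
        { "8 length octets",  many_oct,  sizeof many_oct },
        { "truncated header", cut_short, sizeof cut_short },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        size_t hdr = 0, len = 0;
        enum ber_status s = ber_read_length(t[i].p, t[i].n, &hdr, &len);
        printf("%-17s status=%d hdr=%zu len=%zu\n", t[i].name, (int)s, hdr, len);
    }
    return 0;
}
```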