Message-ID: <87wttfcsqy.fsf@it029205.massey.ac.nz>
Date: Fri, 11 Feb 2005 23:09:57 +1300
From: James Riden <j.riden@...sey.ac.nz>
To: Neil Watson <bugtraq@...son-wilson.ca>
Cc: bugtraq@...urityfocus.com
Subject: Re: Symantec UPX Parsing Engine Heap Overflow


Neil Watson <bugtraq@...son-wilson.ca> writes:

> There is an article about a vulnerability in Symantec's NAV and other
> products:
> http://securityresponse.symantec.com/avcenter/security/Content/2005.02.08.html
>
> The details are somewhat lacking on what specifically needs to be
> updated.  We are running several NAV servers from 7.5 to 8.1 and I can't
> tell whether or not I need to patch or if LiveUpdate is taking care of
> this.  There are mixed comments (as always) on Slashdot:
> http://it.slashdot.org/article.pl?sid=05/02/10/1327220&tid=172
>
> Does anyone have information or experiences to share?

This is from Slashdot and consistent with what Symantec phone support
have told me:

"If you're running Corporate Edition, you won't be getting the patch
via LiveUpdate. You need to call their tech support line with your
serial number or contact/contract number, and they'll give you the
information (FTP site and password) for obtaining the 9.0 MR3 update
for SAV Corporate Edition. This updates the software to version
9.0.3.1000" --SethB

Also Symantec Mail Security for Exchange v. 4.5.x should be updated to
4.5.4 at least. 

There seems to be a great deal of confusion and it's very hard to
actually get an update from Symantec even after you've talked to tech
support (servers are down or busy atm.). In general Symantec's
response is somewhat disappointing, though the techs are clearly doing
their best under difficult circumstances right now.

-- 
James Riden / j.riden@...sey.ac.nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.


