lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <27054271DFA940A483565889944BF451@localhost>
Date: Fri, 17 Jun 2011 02:17:09 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>,
	<full-disclosure@...ts.grok.org.uk>
Cc: epiminfo@...entialpim.com, epimsupport@...entialpim.com
Subject: Essential PIM 4.22: MANY vulnerabilities in 3rd
	party libraries

Hi @ll,

the current version of Essential PIM 4.22, available at
<http://www.astonsoft.com/epim_download/EssentialPIMPort4.zip>
with HTTP timestamp "Wed, 15 Jun 2011 13:20:12 GMT", comes with
VULNERABLE and COMPLETELY outdated 3rd party runtime libraries!


1. libeay32.dll and ssleay32.dll of OpenSSL 0.9.8i, from 2008-09-15

   updated 8 times due to fixed vulnerabilities, current release is
   0.9.8r; see <http://openssl.org/news/> and
   <http://openssl.org/news/vulnerabilities.html>


2. msvcrt80.dll version 8.0.50727.42, from 2005-09-23

   updated at least twice due to fixed vulnerabilities; see
   <http://support.microsoft.com/kb/973544>,
   <http://support.microsoft.com/kb/969706> and
   <http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx>
   plus
   <http://support.microsoft.com/kb/2467175>,
   <http://support.microsoft.com/kb/2500212> and
   <http://www.microsoft.com/technet/security/bulletin/MS11-025.mspx>.

   For general guidelines see <http://support.microsoft.com/kb/326922>


3. gds32.dll of FirebirdSQL 2.1.2.18118, from 2009-02-28

   updated at least once due to fixed vulnerabilities, current
   release is 2.1.4; see <http://firebirdsql.org/>


4. icudt30.dll and icuuc30.dll 3.0.0.0, from 2009-02-27

   updated quite some times and superseded with version 4 due to
   fixed vulnerabilities:
   CVE-2007-4770    CVE-2007-4771    CVE-2008-1036    CVE-2009-0153 

   current release is 4.8; see <http://site.icu-project.org/>


5. hunspelldll.dll <unknown version>, from 2009-06-26

   current release is 1.3.1; see <http://hunspell.sourceforge.net/>


It needs REAL chuzpe to build and distribute software with those
vulnerable and outdated libraries (and most probably a vulnerable
and outdated development environment too).


Timeline:

2011-05-28  vulnerability report sent to vendor after release of v4.21

2011-05-30  vendor reply:
            "We'll update them in the next version. Thanks for notice."

2011-06-15  vendor releases v4.22 with EXACT the same vulnerable libraries
            already included in v4.21
            vendor obviously doesn't care about security at all!

2011-06-17  vulnerability report published


Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ