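To whom it may concern
JPCERT-AT-2007-0020
JPCERT/CC
2007-09-21
<<< JPCERT/CC Alert 2007-09-21 >>>
Alert regarding a vulnerability in the file compression and extraction software Lhaplus
Vulnerability in file archiver Lhaplus
http://www.jpcert.or.jp/at/2007/at070020.txt
I. Overview
Lhaplus, a file compression and extraction program widely used in Japan,
has a buffer overflow vulnerability in its handling of ARJ-format archive
extraction. If a user extracts an archive crafted by a remote third party,
arbitrary code may be executed.
II. Affected products
The affected product and versions are as follows.
- Lhaplus for Windows 1.54 beta 1 and earlier
For details, please check the information provided by the product developer.
III. Solution
To resolve this issue, update to the fixed software provided by the product
developer. For details, refer to the following information.
Lhaplus distribution page
http://www7a.biglobe.ne.jp/~schezo/
IV. References
Japan Vulnerability Notes JVN#70734805
Buffer overflow vulnerability in Lhaplus
http://jvn.jp/jp/JVN%2370734805/index.html
Information-technology Promotion Agency, Japan (IPA), Security Center
Alert regarding a security weakness (vulnerability) in "Lhaplus"
http://www.ipa.go.jp/security/vuln/200709_Lhaplus.html
Buffer overflow during ARJ extraction
http://www7a.biglobe.ne.jp/~schezo/arj_vul.html
If you have any information on this matter that you can provide to us,
please contact us.
======================================================================
JPCERT Coordination Center (JPCERT/CC)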
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600 FAX: 03-3518-4602
http://www.jpcert.or.jp/
Hi,
MySQL Connector/Net 5.1.3, a new version of the all-managed .NET driver
for MySQL, has been released.
************* IMPORTANT ********************
Connector/Net 5.1 represents a change in how we package our products.
Until now, we've shipped our core provider and the Visual Studio
integration bits as separate downloads. This has become a bit of a
problem. Often we would fix a bug that involved changing code both in
the VS package and in the core provider. This provided a versioning
problem where users would need to upgrade both products to see the
benefit of the bug fix. To solve this, we've decided to discontinue
Tools for Visual Studio as a separate product and have, instead,
integrated it into a new Connector/Net installer. We hope this provides
a better "out of box" experience for our users.
All previous versions of Tools for Visual Studio should be uninstalled
prior to installing this product.
********************************************
Version 5.1.3 works with all versions of MySQL including MySQL-4.1,
MySQL-5.0, MySQL-5.1 beta or the MySQL-6.0 Falcon "Preview". Please be
aware that this version is beta quality software and should not be used
in production environments.
It is now available in source and binary form from
[http://dev.mysql.com/downloads/connector/net/5.1.html] and mirror sites
(note that not all mirror sites may be up to date at this point of time
- if you can't find this version on some mirror, please try again later
or choose another download site.)
== Issues fixed ==
* Fixed problem with using a stored procedure that takes a parameter as
a select routine for a TableAdapter wizard. (Bug #29098)
* Fixed problem with creating users using hashed passwords when
machineKey is set to AutoGenerate. We now correctly throw an exception
if you are requesting encrypted passwords but it works ok for hashed
passwords. (Bug #29235)
* Fixed problem with selecting users for roles in the web admin tool.
The problem was that we had a simple syntax error in our database lookup
code. (Bug #29236)
* Added AutoEnlist connection string option. Setting it to false will
prevent the connection from automatically enlisting in any current
transaction.
* Changed membership schema to allow null values for email. This allows
all the overrides for Membership.CreateUser to work.
* Added 'Respect Binary Flags' connection string option to allow existing
applications to select the old behavior of not always respecting the
binary flags of a column.
* Added ability to use blobs to store true UTF-8 data (see help)
* Help is now integrated into Visual Studio 2005 and includes content
other than the API
* Fixed problem reported by user where MySqlMembershipProvider.GetUser
was attempting to reuse the connection to update a table while a reader
was open on it.
* Fixed problem with membership schema where the password key column was
not large enough
* Added feature where bit columns that have the value 0 or 1 are
returned as bool
* Added Foreign Key Columns metadata collection
* Reworked how foreign key metadata is collected to make it more robust
and faster
* Changed DDEX provider to use the core provider's schema routines for
foreign keys and foreign key columns
* Fixed index and foreign key enumerators inside the DDEX provider to
work with the new binary respect behavior of 5.1
* Added code to implement better TransactionScope support. This code is
brand new and will be heavily refactored in 5.2. (bug #28709)
* Fixed problem where connecting to pre-4.1 servers would result in a
crash. This was caused by the Field object referring to metadata columns
that are not populated on pre-4.1 servers. (bug #29476)
* Commandbuilder now defaults ReturnGeneratedIdentifiers to true. This
means that autogenerated columns will be returned in the default case.
* Exceptions generated during BeginExecuteReader and
BeginExecuteNonQuery will now be thrown once the End versions of those
methods are called.
== Changes integrated from 5.0.8 ==
* Log messages are no longer truncated at 300 characters (bug #28706)
* Fixed a problem with compression over a network. We were letting the
inflate stream read directly from the network stream. Under certain
situations, two bytes were being left unread and this messed up our byte
counts. Now we are using a WeakReference to an internal buffer
that we read the compressed data into before inflating. (Bug #28204)
* Fixed problem where we were not closing prepared statement handles
when commands are disposed.
* Fixed problem where any attempt to not read all the records returned
from a select where each row of the select is greater than 1024 bytes
would hang the driver.
* Fixed problem where usage advisor warnings for unnecessary field
conversions and not reading all rows of a resultset would output even if you
did not request usage advisor warnings. (Bug #29124)
* Changed behavior of ConnectionString property. It now only returns
the connection string given to it. It will not attempt to track changes
to the current database when the user uses the ChangeDatabase method.
(Bug #29123)
* Fixed problem with calling stored procedures in databases that have
hyphens in their names. We were not using backticks to quote the
database and sproc name when querying for metadata. (Bug #29526)
* Fixed problem where a statement that has parameters that is executed
without defining those parameters would throw a System.FormatException
rather than a MySqlException (bug #29312)
* Fixed problem where a command timing out just after it actually
finished would cause an exception to be thrown on the command timeout
thread which would then be seen as an unhandled exception.
* Fixed bug where Connector/Net was hand building some date time patterns
rather than using the patterns provided under CultureInfo. This caused
problems with some calendars that do not support the same ranges as
Gregorian. (Bug #29931)
* Fixed problem where MySqlConnection.BeginTransaction checked the
driver's status var before checking if the connection was open. The
result was that the driver could report an invalid condition on a
previously opened connection.
* Fixed problem where an attempt to open a connection max pool size times
while the server is down will prevent any further attempts due to the
pool semaphore being full. (Bug #29409)
* Fixed some serious issues with command timeout and cancel that could
present as exceptions about thread ownership. The issue was that not all
queries cancel the same. Some produce resultsets while others don't.
ExecuteReader had to be changed to check for this.
* Fixed problem where date columns that appear in keys caused updates to
fail (bug #30077)
* Added code to suppress finalizers for low level socket objects and
then added a finalizer to the protocol object so pooled connections will
get closed on process exit
* Fixed problem where attempting to load a reader into a datatable using
a table with a multi-column primary key would result in multiple
constraints being added to the datatable. No test case added to the 1.0
tree as loading a datatable with a reader is a .Net 2.0 thing.
(Bug #30204)
* Fixed the database schema collection so that it works on servers that
are not properly respecting the lower_case_table_names setting.
Enjoy and thanks for the support!
Reggie
--
MySQL Announce Mailing List
For list archives: http://lists.mysql.com/announce
GLPK 4.22 -- Release Information
********************************
Release date: Sep 19, 2007
GLPK (GNU Linear Programming Kit) is intended for solving large-scale
linear programming (LP), mixed integer linear programming (MIP), and
other related problems. It is a set of routines written in ANSI C and
organized as a callable library.
This is a maintainer release.
A bug was fixed in the MIP preprocessor (ios_preprocess_node).
Thanks to Roberto Bagnara <bagnara@cs.unipr.it> (Department of
Mathematics, University of Parma, Italy) for the bug report.
A bug was fixed in the MIP preprocessor (col_implied_bounds),
due to which constraint coefficients with small magnitude could
lead to wrong implied bounds of structural variables.
A similar bug was fixed in the routine reduce_bounds.
A bug was fixed in the routines glp_set_mat_row and
glp_set_mat_col. (The bug appeared due to incorrect removal of
zero elements from the row/column lists.)
A bug was fixed in the API routines lpx_read_mps and
lpx_read_freemps, due to which bounds of type LI specified in
BOUNDS section were incorrectly processed.
A call to standard function vsprintf was replaced by a call to
vsnprintf for security reasons. Many thanks to Peter T. Breuer
<ptb@inv.it.uc3m.es> and Rafael Laboissiere <rafael@debian.org>.
See GLPK web page at <http://www.gnu.org/software/glpk/glpk.html>.
GLPK distribution can be ftp'ed from <ftp://ftp.gnu.org/gnu/glpk/> or
from some mirror ftp sites; see <http://www.gnu.org/order/ftp.html>.
MD5 check-sum is the following:
43b4adef981cb5d2d1320c6540a93aa0 *glpk-4.22.tar.gz
GLPK is also available as a Debian GNU/Linux package. See its web page
at <http://packages.debian.org/stable/math/glpk.html>.
_______________________________________________
GNU Announcement mailing list <info-gnu@gnu.org>
http://lists.gnu.org/mailman/listinfo/info-gnu
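The vsprintf-to-vsnprintf change mentioned in the GLPK 4.22 release notes above, shown as an added example (not GLPK's code; `bounded_format`, `bounded_vformat` and the sample strings are hypothetical): the bounded call never writes past the buffer, and its return value lets the caller detect truncation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a GLPK routine: format into a fixed buffer.
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on a
 * formatting error or unusable buffer. When size > 0 and buf != NULL the
 * buffer is always NUL-terminated, unlike with an unbounded vsprintf. */
static int bounded_vformat(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n;
    if (buf == NULL || size == 0)
        return -1;
    n = vsnprintf(buf, size, fmt, ap);
    if (n < 0) {                 /* encoding or format error */
        buf[0] = '\0';
        return -1;
    }
    /* vsnprintf returns the length the complete output would have had,
     * so n >= size means the tail was dropped rather than overflowed. */
    return (size_t)n >= size ? 1 : 0;
}

int bounded_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = bounded_vformat(buf, size, fmt, ap);
    va_end(ap);
    return rc;
}

int main(void)
{
    char msg[32];
    /* Constructed input: a name far longer than the destination buffer. */
    const char *long_name = "a_very_long_constraint_name_that_exceeds_the_buffer";
    int rc = bounded_format(msg, sizeof msg, "row %d: %s", 7, long_name);
    printf("rc=%d len=%zu msg=\"%s\"\n", rc, strlen(msg), msg);
    rc = bounded_format(msg, sizeof msg, "row %d ok", 7);
    printf("rc=%d msg=\"%s\"\n", rc, msg);
    return 0;
}
```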
*** From dhcp-announce -- To unsubscribe, see the end of this message. ***
ISC DHCP 4.0.0a3 is now available for download. ISC DHCP 4.0.0
is a development track engineered primarily for the purpose of
developing DHCPv6 features.
This third ALPHA release is aimed primarily at improving DHCPv6 client
Option Request Option processing through the addition of 'request',
'require', 'also request', and 'also require' configuration syntaxes,
but a number of other bugs and issues have been tweaked. A list of
changes in this release is included below.
For a complete list of changes from any previous release, please
consult the RELNOTES file within the source distribution, or on our
website:
http://www.isc.org/sw/dhcp/dhcp4_0.php
This release, and its OpenPGP-signatures are available now from:
ftp://ftp.isc.org/isc/dhcp/dhcp-4.0.0a3.tar.gz
ftp://ftp.isc.org/isc/dhcp/dhcp-4.0.0a3.tar.gz.sha512.asc
ftp://ftp.isc.org/isc/dhcp/dhcp-4.0.0a3.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/dhcp/dhcp-4.0.0a3.tar.gz.sha1.asc
ISC's Release Signing Key can be obtained at:
http://www.isc.org/about/openpgp/
Changes since 4.0.0a2
- Fix for startup where there are no IPv4 addresses on an interface.
Thanks to Marcus Goller for reporting the bug.
- Fixed file descriptor leak on listen failure. Thanks to Tom Clark.
- Bug in server configuration parser caused server to get stuck on
startup for certain bad pool declarations. Thanks to Guillaume
Knispel for the bug report and fix.
- Code cleaned to remove warnings reported by "gcc -Wall".
- DHCPv6 is now the default. You can disable DHCPv6 support using the
"--disable-dhcpv6" flag when you run the configure script.
- An internal database inconsistency bug was repaired where the server
would segfault if a client attempted to renew a lease that had been
loaded from persistent storage.
- 'request' and 'also request' syntaxes have been added to accommodate
the DHCPv6 client configuration. 'send dhcp6.oro' is no longer
necessary.
- Bug fixed where configuration file parsing did not work with
zero-length options; this made it impossible to set the
rapid-commit option.
- Bogus messages about host records with IPv4 fixed-addresses being of
non-128-bits in length were removed.
--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
-----------------------------------------------------------------------
To unsubscribe from this list, visit http://www.isc.org/dhcp-lists.html
or send mail to dhcp-announce-request@isc.org with the subject line of
'unsubscribe'.
-----------------------------------------------------------------------
Hello,
I just released diction 1.11. Besides minor bugfixes, this release
adds support for Dutch as document language and is released under
GPL 3 (or later).
Regards,
Michael