Oracle Vulnerability
by John-Nicholas on Jul.20, 2011, under Daily Updates
Systems Affected
* Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2
* Oracle Database 11g Release 1, version 11.1.0.7
* Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
* Oracle Database 10g Release 1, version 10.1.0.5
* Oracle Secure Backup, version 10.3.0.3
* Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
* Oracle Application Server 10g Release 3, version 10.1.3.5.0
* Oracle Application Server 10g Release 2, version 10.1.2.3.0
* Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.1, 11.1.1.3
* Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3
* Oracle JRockit, versions R27.6.9 and earlier (JDK/JRE 1.4.2, 5, 6), R28.1.3 and earlier (JDK/JRE 5, 6)
* Oracle Outside In Technology, versions 8.3.2.0, 8.3.5.0
* Oracle Enterprise Manager 10g Grid Control Release 1, version 10.1.0.6
* Oracle Enterprise Manager 10g Grid Control Release 2, version 10.2.0.5
* Oracle Enterprise Manager 11g Grid Control Release 1, version 11.1.0.1
* Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
* Oracle E-Business Suite Release 11i, version 11.5.10.2
* Oracle Agile Technology Platform, versions 9.3.0.3, 9.3.1.1
* Oracle PeopleSoft Enterprise FIN, versions 9.0, 9.1
* Oracle PeopleSoft Enterprise FMS, versions 9.0, 9.1
* Oracle PeopleSoft Enterprise FSCM, versions 9.0, 9.1
* Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
* Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
* Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51
* Oracle Sun Product Suite
Overview
The Oracle products and components listed above are affected by
multiple vulnerabilities. The impacts of these vulnerabilities
include remote execution of arbitrary code, information disclosure,
and denial of service.
I. Description
The Oracle Critical Patch Update Advisory – July 2011 addresses 78
vulnerabilities in various Oracle products and components. The
advisory provides information about affected components, access,
and authorization required for successful exploitation and the
impact from the vulnerabilities on data confidentiality, integrity,
and availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. More detail about one of
the vulnerabilities is available in US-CERT Vulnerability Note
VU#103425.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory – July 2011. Note that this document
only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory – July 2011 -
<http://www.oracle.com/
* Oracle Outside In CorelDRAW file parser stack buffer overflow -
<http://www.kb.cert.org/vuls/
KRB5 Vulnerabilities
by John-Nicholas on Dec.09, 2010, under Daily Updates
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libkrb53 1.4.3-5ubuntu0.12
Ubuntu 8.04 LTS:
libkrb53 1.6.dfsg.3~beta1-2ubuntu1.6
Ubuntu 9.10:
libkrb5-3 1.7dfsg~beta3-1ubuntu0.7
Ubuntu 10.04 LTS:
libkrb5-3 1.8.1+dfsg-2ubuntu0.4
Ubuntu 10.10:
libkrb5-3 1.8.1+dfsg-5ubuntu0.2
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that Kerberos did not properly determine the
acceptability of certain checksums. A remote attacker could use certain
checksums to alter the prompt message, modify a response to a Key
Distribution Center (KDC) or forge a KRB-SAFE message. (CVE-2010-1323)
It was discovered that Kerberos did not properly determine the
acceptability of certain checksums. A remote attacker could use certain
checksums to forge GSS tokens or gain privileges. This issue only affected
Ubuntu 9.10, 10.04 LTS and 10.10. (CVE-2010-1324)
It was discovered that Kerberos did not reject RC4 key-derivation
checksums. An authenticated remote user could use this issue to forge
AD-SIGNEDPATH or AD-KDC-ISSUED signatures and possibly gain privileges.
This issue only affected Ubuntu 10.04 LTS and 10.10. (CVE-2010-4020)
It was discovered that Kerberos did not properly restrict the use of TGT
credentials for armoring TGS requests. A remote authenticated user could
use this flaw to impersonate a client. This issue only affected Ubuntu
9.10. (CVE-2010-4021)
This is rather serious and fixed simply by applying the most recent updates to the above Ubuntu desktop and server flavors. If you are running one of the above versions, I strongly urge you to make sure you have all of your updates applied.
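The advisory gives one fixed package version per release, so the practical check is "is the installed libkrb5 at or past that version?". The following is an added example, not part of the Ubuntu advisory or of MediaWiki/Ubuntu tooling: it re-implements the Debian version-ordering rules that dpkg uses (epoch, upstream part, revision; digit runs compared numerically; "~" sorting before anything else, including the end of the string) so that captured package data can be checked off-box. The release-to-version table is copied from the advisory text above; the sample installed versions are constructed.

```python
"""Check whether an installed Ubuntu krb5 library is at or past the fixed version.

Added example. The comparison follows dpkg's Debian version ordering; on a live
host `dpkg --compare-versions` and `dpkg-query -W -f='${Version}' libkrb5-3`
give the same answer without this code.
"""

# Fixed package versions, copied from the advisory text above.
FIXED_KRB5 = {
    "6.06":  ("libkrb53",  "1.4.3-5ubuntu0.12"),
    "8.04":  ("libkrb53",  "1.6.dfsg.3~beta1-2ubuntu1.6"),
    "9.10":  ("libkrb5-3", "1.7dfsg~beta3-1ubuntu0.7"),
    "10.04": ("libkrb5-3", "1.8.1+dfsg-2ubuntu0.4"),
    "10.10": ("libkrb5-3", "1.8.1+dfsg-5ubuntu0.2"),
}

DIGITS = "0123456789"


def _order(s, i):
    """Weight of s[i] inside a non-digit run: end/digit = 0, '~' < letters < other symbols."""
    if i >= len(s) or s[i] in DIGITS:
        return 0
    c = s[i]
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg-style comparison of one component (upstream version or Debian revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compared character by character with the weights above.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compared numerically, leading zeros are insignificant.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1   # a has more digits left, so its number is larger
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r != 0:
        return r
    return _verrevcmp(ra, rb)


def krb5_is_patched(release, installed_version):
    """True if the installed krb5 library on this Ubuntu release is at or past the fix."""
    _pkg, fixed = FIXED_KRB5[release]
    return compare_versions(installed_version, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample: what dpkg-query might report on two 10.04 hosts (not real data).
    for release, installed in (("10.04", "1.8.1+dfsg-2ubuntu0.3"), ("10.04", "1.8.1+dfsg-2ubuntu0.4")):
        state = "patched" if krb5_is_patched(release, installed) else "VULNERABLE"
        print(f"Ubuntu {release} {FIXED_KRB5[release][0]} {installed}: {state}")
```

The tilde rule matters here: "1.7dfsg~beta3" is older than "1.7dfsg", so a naive string or `sort -V` comparison would misjudge the 9.10 package. Feed the function the output of `dpkg-query -W -f='${Version}' libkrb5-3` (or `libkrb53` on 6.06 and 8.04) gathered from each host.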
OpenCV Configuration
by John-Nicholas on Jul.27, 2010, under Daily Updates
Anyone who is involved in the world of computer vision has surely heard of OpenCV. I enjoy using this software (however complex it sometimes gets). However, I recently reinstalled OpenCV 2.1 and suddenly some of my projects began to break, giving me errors while linking. I had forgotten to set up the directories completely in Visual Studio 2010…
For anyone else who uses OpenCV with Visual Studio 2010, there is a great guide from the lovely people at Willow Garage.
Need to drink more muscle milk
by John-Nicholas on Apr.18, 2010, under Daily Updates

Kitten + mouse + magnets + mad scientist
by John-Nicholas on Apr.18, 2010, under Daily Updates

popular audio clips
by John-Nicholas on Apr.18, 2010, under Daily Updates
I really enjoyed this collection of short audio clips from popular media:
http://instantsfun.es/
Photoshop cs5 content aware just isn’t good enough.
by John-Nicholas on Apr.15, 2010, under Daily Updates

Cat with iPad
by John-Nicholas on Apr.14, 2010, under Daily Updates
The cat really got the hang of it quickly.
Mediawiki password
by John-Nicholas on Apr.13, 2010, under Daily Updates
Hey everyone. So I was working on a project that involved injecting user accounts into a MediaWiki database. The purpose was that an outside application was syncing user accounts between MediaWiki, WordPress, and a couple of other systems. Anyway, when it came time to write the code to add the accounts to the MediaWiki database, I ran into trouble.

I am not sure if any of you have ever looked at a MediaWiki user table. It is unusually complicated. For some reason the userpass (the user_password column) is stored in a blob field instead of a typical varchar. Why, I have no idea… Also they have the stupid user token stuff. Anyway, this post is to help some other poor soul who one day has to manually add accounts to a MediaWiki user table.

Here is the biggest issue with it: the userpass is not just hashed with some common scheme like plain MD5 or SHA1. So I went googling for what their hashing scheme was… Yeah, that was the most useless 20 minutes of my life… There is no information anywhere out there about the MediaWiki userpass hashing, so I had to go forging through the jungle of MediaWiki vines with only a rusty, dull envelope opener to find the code myself. Anyway, I survived and came out with the hashing scheme. So here it is, in PHP code:

// $userid is the new row's user_id and $password the plaintext; the stored value is md5("<user_id>-<md5(password)>")
$p = md5( $password );
$enc = md5( "{$userid}-{$p}" );

So as you can see it is doubly hashed, and, what is even more annoying, the outer hash is salted with the user's own user_id. This is annoying but very manageable.

One last note to save frustration for anyone who will be doing this themselves: MediaWiki only stores usernames with a capital first letter. So if you are adding usernames manually or from a script, make sure you run them through the ucfirst() function, so that when you try to log in it will actually find your username.
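The two PHP lines and the ucfirst() note together describe everything a sync script has to get right for an injected account to be usable. The following is an added example, a Python port written for this page rather than code from the post or from MediaWiki itself: it produces the legacy user_password value, verifies a login attempt against it, canonicalises the user_name the way PHP's ucfirst() does for ASCII names, and assembles the row. The account data at the bottom is constructed.

```python
"""Legacy MediaWiki user_password generation and verification (added example).

Scheme from the post: user_password = md5("<user_id>-" + md5(password)), with the
row's user_id acting as the salt; user_name is stored with a capitalised first
letter, so the login lookup only matches if the name was written that way.
"""
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string, the same output as PHP's md5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def mediawiki_legacy_hash(user_id: int, password: str) -> str:
    """Legacy (unprefixed) user_password: md5 of "<user_id>-<md5(password)>"."""
    inner = md5_hex(password)
    return md5_hex(f"{user_id}-{inner}")


def verify_legacy_password(user_id: int, stored_hash: str, candidate: str) -> bool:
    """Constant-time comparison of a login attempt against the stored value."""
    return hmac.compare_digest(stored_hash, mediawiki_legacy_hash(user_id, candidate))


def canonical_user_name(name: str) -> str:
    """Mimic PHP ucfirst() for ASCII names: capitalise only the first character."""
    name = name.strip()
    return name[:1].upper() + name[1:]


def build_user_row(user_id: int, name: str, password: str) -> dict:
    """The columns a sync script must write for the account to be usable at login.

    user_password is a blob column in the real table; the hex string is what goes in it.
    """
    return {
        "user_id": user_id,
        "user_name": canonical_user_name(name),
        "user_password": mediawiki_legacy_hash(user_id, password),
    }


if __name__ == "__main__":
    # Constructed sample account, not real data.
    row = build_user_row(7, "alice", "correct horse")
    print(row)
    print(verify_legacy_password(7, row["user_password"], "correct horse"))   # True
    print(verify_legacy_password(8, row["user_password"], "correct horse"))   # False: the user_id is the salt
```

Two caveats worth keeping in mind. The user_id salt only stops one rainbow table from covering every row; it is small and predictable, so an attacker holding the table can still crack each row at plain-MD5 speed, and these hashes should be treated as roughly unsalted MD5 in a risk assessment. Newer MediaWiki releases write a type-prefixed, randomly salted form and keep accepting this unprefixed form only for backwards compatibility, so look at the user_password values already in the target table before writing new rows in this shape.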
Poison Apple
by John-Nicholas on Apr.13, 2010, under Daily Updates
Loved seeing this, hope you enjoy it also!
