__________________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

            Oracle Critical Patch Update - July 2005
                         [July 2005]

July 13, 2005 18:00 GMT                                   Number P-250
                                               [REVISED 03 Aug 2005]
______________________________________________________________________________

PROBLEM:    A Critical Patch Update is a collection of patches for multiple
            security vulnerabilities.

PLATFORM:   Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
            Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
            Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
            Oracle8i Database Server Release 3, version 8.1.7.4
            Oracle8 Database Release 8.0.6, version 8.0.6.3
            Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
            Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
            Oracle Enterprise Manager Application Server Control, versions 9.0.4.0, 9.0.4.1
            Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
            Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
            Oracle9i Application Server Release 1, version 1.0.2.2
            Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
            Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
            Oracle E-Business Suite and Applications Release 11.0
            Oracle Workflow, versions 11.5.1 through 11.5.9.5
            Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25
            Oracle JInitiator, versions 1.1.8, 1.3.1
            Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2
            Oracle Express Server, version 6.3.4.0

DAMAGE:     Several vulnerabilities were reported in Oracle Database. A remote
            user may be able to cause denial of service conditions or gain
            access to the database.

SOLUTION:   Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY   The risk is MEDIUM. A remote user may be able to gain access
ASSESSMENT:     to or modify the database.
______________________________________________________________________________

LINKS:
  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-250.shtml
  ORIGINAL BULLETIN:  http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
  ADDITIONAL LINK:    Visit Hewlett Packard's Web Site for security bulletin:
                      HPSBMA01211 / SSRT 4682 rev. 0
______________________________________________________________________________

REVISION HISTORY:
  8/3/05 - revised to add a link to HP's Security Bulletin HPSBMA01211.

[***** Start July 2005 *****]

Critical Patch Update - July 2005

Description

A Critical Patch Update is a collection of patches for multiple security
vulnerabilities. It also includes non-security fixes that are required
(because of interdependencies) by those security patches. The Oracle Database
Server, Enterprise Manager, and the Oracle Application Server patches in the
Updates are cumulative; each successive Critical Patch Update contains the
fixes from the previous Critical Patch Updates.
Supported Products Affected

The following supported product releases and versions are affected by the
security vulnerabilities addressed by this Critical Patch Update:

  Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
  Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
  Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
  Oracle8i Database Server Release 3, version 8.1.7.4
  Oracle8 Database Release 8.0.6, version 8.0.6.3
  Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
  Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
  Oracle Enterprise Manager Application Server Control, versions 9.0.4.0, 9.0.4.1
  Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
  Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
  Oracle9i Application Server Release 1, version 1.0.2.2
  Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
  Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
  Oracle E-Business Suite and Applications Release 11.0
  Oracle Workflow, versions 11.5.1 through 11.5.9.5
  Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25
  Oracle JInitiator, versions 1.1.8, 1.3.1
  Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2
  Oracle Express Server, version 6.3.4.0

All the products and versions listed above are affected by the
vulnerabilities fixed in this Critical Patch Update. However, some of these
products and versions are only supported in conjunction with other products,
in specific configurations, or on certain platforms. Please consult each
product's Pre-Installation Note for specific details concerning the support
and availability of patches for the products listed above.
Unsupported Products

Unsupported products, releases and versions have neither been tested for the
presence of vulnerabilities addressed by this Critical Patch Update, nor
patched, in accordance with section 4.3.3.3 of the Software Error Correction
Support Policy, MetaLink Note 209768.1. However, it is likely that earlier
patch set levels of the affected releases are affected by these
vulnerabilities.

Oracle Database Client-only Installations

The new database vulnerabilities addressed by this Critical Patch Update do
not affect Oracle Database Client-only installations (installations that do
not have the Oracle Database Server installed). Therefore, it is not
necessary to apply this Critical Patch Update to client-only installations if
a prior Critical Patch Update, or Alert 68, has already been applied to the
client-only installations.

Patch Availability and Risk Matrices

For each Oracle product that is being administered, please consult the
associated Pre-Installation Note for patch availability information and
installation instructions. For an overview of all the documents related to
this Critical Patch Update, please see the Oracle Critical Patch Update
Documentation Map, MetaLink Note 311088.1.
Product                          | Risk Matrix                               | Pre-Installation Note
---------------------------------|-------------------------------------------|------------------------------------------------------------------------------
Oracle Database Server           | Appendix A - Oracle Database Server Risk Matrix | Pre-Installation Note for the Oracle Database Server, MetaLink Note 311062.1
Oracle Application Server        | Appendix B - Oracle Application Server Risk Matrix | Pre-Installation Note for the Oracle Application Server, MetaLink Note 311038.1
Oracle Collaboration Suite       | Appendix C - Oracle Collaboration Suite Risk Matrix | Pre-Installation Note for the Oracle Collaboration Suite, MetaLink Note 311039.1
Oracle E-Business and Applications | Appendix D - Oracle E-Business Risk Matrix | Pre-Installation Note for the Oracle E-Business Suite, MetaLink Note 311040.1
Oracle Enterprise Manager        | Appendix E - Enterprise Manager Risk Matrix | Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 311061.1

Risk Matrix Contents

The risk matrices in this advisory list only the vulnerabilities that are new
in this advisory. The Oracle Database Server, Enterprise Manager, and the
Oracle Application Server patches for this Critical Patch Update are
cumulative, and contain all the fixes from the previous Critical Patch
Update. Risk matrices for these previous fixes can be found in the previous
Critical Patch Update advisory.

E-Business Suite patches are not cumulative, so E-Business Suite customers
should refer to previous Critical Patch Updates to identify previous fixes
they wish to apply.

Oracle Collaboration Suite patches are not cumulative, so Oracle
Collaboration Suite customers should refer to previous Critical Patch Updates
to identify previous fixes they wish to apply.

One vulnerability appearing in two Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update are in both
the Database Server and Application Server products. The Risk Matrices show
these shared vulnerabilities by specifying the Vuln #s from both matrices on
a single vulnerability row.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.
Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk of
exploit and impact of exploit. Oracle has performed no analysis on the
likelihood and impact of blended attacks (i.e. the exploitation of multiple
vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and
Security Alerts

Oracle Corporation conducts an analysis of each security vulnerability
addressed by a Critical Patch Update (CPU) or a Security Alert. The results
of the security analysis are reflected in the associated documentation
describing, for example, the type of vulnerability, the conditions required
to exploit it and the result of a successful exploit. Oracle provides this
information, in part, so that customers may conduct their own risk analysis
based on the particulars of their product usage. As a matter of policy,
Oracle will not provide additional information about the specifics of
vulnerabilities beyond what is provided in the CPU or Security Alert
notification, the Pre-Installation notes, the readme files, and FAQs. Oracle
does not provide advance notification on CPU or Security Alerts to individual
customers. Finally, Oracle does not develop or distribute active exploit code
nor "proof-of-concept" code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased
Extended Maintenance Support (EMS). De-support Notices indicate whether EMS
is available for a particular release and platform, as well as the specific
period during which EMS will be available. Customers with valid licenses for
product versions covered by Extended Support (ES) are entitled to download
existing fixes; however, new issues that may arise from the application of
patches are not covered under ES. Therefore, ES customers should have
comprehensive plans to enable removal of any applied patch.
Oracle will not provide Critical Patch Updates for product versions which are
no longer covered under the Extended Maintenance Support plan. We recommend
that customers upgrade to the latest supported version of Oracle products in
order to obtain Critical Patch Updates. Please review the "Extended Support"
section within the Technical Support Policies for further guidelines
regarding ES & EMS.

References

  Critical Patch Update - July 2005 FAQ, MetaLink Note 311037.1
  MetaLink Note 293956.1 defines the terms used in the Risk Matrix.
  Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
  Oracle Critical Patch Update Documentation Map, MetaLink Note 311088.1
  Security Alerts and Critical Patch Updates - Frequently Asked Questions,
    MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities
addressed by this Critical Patch Update to Oracle's attention: Gerhard
Eschelbeck of Qualys, Inc., Esteban Martínez Fayó of Application Security,
Inc., Alexander Kornbrust of Red Database Security, Stephen Kost of
Integrigy, David Litchfield of NGSS Limited, Michael Murray of nCircle
Network Security, Aaron C. Newman of Application Security, Inc., Mike Sues of
Rigel Kent Security.
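The Database Server Risk Matrix in Appendix A below gives one workaround, a TNS Listener password for DB08 (iSQL*Plus). The POSIX shell audit helper that follows is an added example, not part of the CIAC or Oracle bulletin: it reads a listener.ora and reports, per listener, whether a PASSWORDS_<listener> entry (where Oracle Net keeps the encrypted listener password) is present, and whether ADMIN_RESTRICTIONS_<listener> = ON, a related hardening setting that the bulletin does not mention. The sample listener.ora, host names, ports and password hash are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not part of the CIAC/Oracle bulletin. For each listener
# defined in a listener.ora it reports whether PASSWORDS_<name> (the entry in
# which Oracle Net stores the encrypted listener password, i.e. the DB08
# workaround) is present, and whether ADMIN_RESTRICTIONS_<name> = ON (a
# related hardening setting, assumed here, not taken from the bulletin).
# Assumes the usual layout where every top-level entry starts a line as
# "NAME =" and nested parameters are parenthesised on the following lines.

# listener_names FILE -> one listener name per line (top-level entries that
# are not SID lists or per-listener parameters such as PASSWORDS_/LOGGING_)
listener_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" |
        grep -v -E '^(SID_LIST_|PASSWORDS_|ADMIN_RESTRICTIONS_|LOGGING_|LOG_|TRACE_|INBOUND_CONNECT_TIMEOUT_)' |
        sort -u
}

# has_entry FILE PREFIX NAME -> exit 0 if a line "PREFIX<NAME> =" exists
has_entry() {
    grep -q -E "^[[:space:]]*$2$3[[:space:]]*=" "$1"
}

# admin_restricted FILE NAME -> exit 0 if "ADMIN_RESTRICTIONS_<NAME> = ON"
admin_restricted() {
    grep -q -i -E "^[[:space:]]*ADMIN_RESTRICTIONS_$2[[:space:]]*=[[:space:]]*ON" "$1"
}

# audit_listener_ora FILE -> prints "NAME password=yes|no admin_restrictions=on|off"
# per listener; exit status 0 only if every listener has a password entry.
audit_listener_ora() {
    rc=0
    for name in $(listener_names "$1"); do
        if has_entry "$1" PASSWORDS_ "$name"; then pw=yes; else pw=no; rc=1; fi
        if admin_restricted "$1" "$name"; then ar=on; else ar=off; fi
        echo "$name password=$pw admin_restrictions=$ar"
    done
    return $rc
}

# make_sample_listener_ora -> writes a constructed listener.ora (host names,
# ports and the password hash are made up) and prints its path.
make_sample_listener_ora() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/10.1.0))
  )
PASSWORDS_LISTENER = (0F0E0D0C0B0A0908)
ADMIN_RESTRICTIONS_LISTENER = ON
LISTENER_HTTP =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1526))
    )
  )
EOF
    echo "$f"
}

# Demonstration on the constructed sample; point audit_listener_ora at
# $ORACLE_HOME/network/admin/listener.ora to check a real installation.
sample=$(make_sample_listener_ora)
audit_listener_ora "$sample" || echo "at least one listener has no password set"
rm -f "$sample"
```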
Modification History

  2005-JUL-12: Initial release, version 1

Appendix A
Oracle Database Server Risk Matrix
Critical Patch Update - July 2005

Columns: Vuln#; Component; Access Required (Protocol); Authorization Needed
(Package or Privilege Required); RISK as Ease/Impact for Confidentiality,
Integrity and Availability; Earliest Supported Release Affected; Last
Affected Patch set (per Supported Release); Workaround.

Vuln# | Component | Access | Auth | Conf | Integ | Avail | Earliest | Last Affected Patch set | Workaround
------|-----------|--------|------|------|-------|-------|----------|-------------------------|-----------
DB01 | Oracle Express Server | Network | None | --- | --- | Easy/Limited | 6.3.4 | 6.3.4 | ---
DB02 | Oracle OLAP | SQL (Oracle Net) | Database (execute on olapsys) | --- | --- | Easy/Wide | 10g | 10.1.0.4(10g) | ---
DB03 | Component Registry | SQL (Oracle Net) | Database (execute on dbms_registry) | Difficult/Wide | Difficult/Wide | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | ---
DB04 | CORE | SQL (Oracle Net) | Database (execute on utl_file) | Difficult/Limited | Difficult/Limited | --- | 8i | 8.1.7.4(8i), 9.0.1.4(9i), 9.2.0.5(9iR2), 10.1.0.3(10g) | ---
DB05 | CORE | SQL (Oracle Net) | Database (ability to create database link) | Difficult/Limited | Difficult/Limited | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.4(10g) | ---
DB06 | XML Database | Network (HTTP) | Database | Easy/Limited | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | ---
DB07 | XML Database | Network (FTP) | None | Difficult/Limited | Difficult/Limited | Easy/Limited | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | ---
DB08 | iSQL*Plus | Network (HTTP) | None | --- | --- | Easy/Wide | 9iR2 | 9.2.0.5(9iR2), 10.1.0.2(10g) | Use a TNS listener password
DB09 | iSQL*Plus | SQL (Oracle Net) | Database | Easy/Limited | --- | --- | 10g | 10.1.0.2(10g) | ---
DB10 | Single Sign-On | Network (HTTP) | None | Easy/Limited | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.0.1.5FIPS(9i), 10.1.0.4(10g) | ---
DB11 / AS07 | Oracle HTTP Server (mod_ssl) | Network (HTTPS) | None | Difficult/Wide | Difficult/Wide | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g) | ---
DB12 / AS08 | Oracle HTTP Server (mod_access) | Network (HTTPS) | None | Difficult/Wide | Difficult/Wide | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g) | ---

If further credentials or specific configurations are required to exploit the
vulnerability, they will be listed in the Required Conditions, Oracle Database
Vulnerabilities section of this document. If a workaround is indicated, the
Workarounds, Oracle Database Vulnerabilities section of this document
describes a workaround for the Vuln# given above.

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Oracle Database Vulnerabilities

DB08: Setting and using a TNS Listener password eliminates this vulnerability.

Appendix B
Application Server Risk Matrix
Critical Patch Update - July 2005

Columns: Vuln#; Component; Access Required (Protocol); Authorization Needed
(Package or Privilege Required); RISK as Ease/Impact for Confidentiality,
Integrity and Availability; Earliest Supported Release Affected; Last
Affected Patch set; Workaround.

Vuln# | Component | Access | Auth | Conf | Integ | Avail | Earliest | Last Affected Patch set | Workaround
------|-----------|--------|------|------|-------|-------|----------|-------------------------|-----------
AS01 | Oracle Containers for J2EE | Network | None | Easy/Limited | --- | --- | 9.0.2.3 | 9.0.2.3, 9.0.3.1 | ---
AS02 | Oracle Forms | Local | OS | Easy/Limited | Easy/Limited | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | ---
AS03 | Oracle Forms | Local | OS | Easy/Limited | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | ---
AS04 | Oracle Forms | Local | OS | Easy/Limited | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | ---
AS05 | Oracle Forms | Network (HTTP) | None | --- | --- | Easy/Wide | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | ---
AS06 | Oracle Forms | Network (HTTP) | Authenticated User | Easy/Wide | Easy/Wide | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | ---
AS07 / DB11 | Oracle HTTP Server (mod_ssl) | Network (HTTPS) | None | Difficult/Wide | Difficult/Wide | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1 | ---
AS08 / DB12 | Oracle HTTP Server (mod_access) | Network (HTTPS) | None | Difficult/Wide | Difficult/Wide | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1 | ---
AS09 | Oracle JDeveloper | Local | OS | Easy/Limited | Easy/Limited | --- | 9.0.4 | 9.0.4, 10.1.2 | ---
AS10 | Oracle JDeveloper | Local | OS | Easy/Wide | Easy/Wide | --- | 9.0.3 | 9.0.3, 10.1.2 | ---
AS11 | Oracle Reports Developer | Network (HTTP) | None | Difficult/Limited | Difficult/Limited | Easy/Limited | 9.0.2.3 | 9.0.2.3, 9.0.4.2 | ---
AS12 | Oracle JInitiator | Network (HTTP) | None | Difficult/Limited | Difficult/Limited | --- | 1.1.8 | 1.1.8.24, 1.3.1.20 | ---

If further credentials or specific configurations are required to exploit the
vulnerability, they will be listed in the Required Conditions, Oracle
Application Server Vulnerabilities section of this document. If a workaround
is indicated, the Workarounds, Oracle Application Server Vulnerabilities
section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities

There are no recommended workarounds for the Oracle Application Server
vulnerabilities described in the Oracle Application Server Risk Matrix.

Appendix C
Collaboration Suite Risk Matrix
Critical Patch Update - July 2005

Columns: Vuln#; Component; Access Required (Protocol); Authorization Needed
(Package or Privilege Required); RISK as Ease/Impact for Confidentiality,
Integrity and Availability; Workaround.

Vuln# | Component | Access | Auth | Conf | Integ | Avail | Workaround
------|-----------|--------|------|------|-------|-------|-----------
OCS01 | Email Server | Network (SMTP) | None | --- | --- | Easy/Limited | ---
OCS02 | Email Server | Network (SMTP) | None | --- | --- | Easy/Wide | ---
OCS03 | Email Server | Network (IMAP) | Authenticated OCS user | Difficult/Wide | Difficult/Wide | Easy/Wide | ---
OCS04 | Email Server | Network (HTTP) | Authenticated OCS user | --- | --- | Easy/Wide | ---
OCS05 | Oracle Web Conferencing | Network (HTTP) | None | Easy/Limited | --- | --- | ---
OCS06 | Oracle Web Conferencing | Network (HTTP) | None | Easy/Limited | --- | --- | ---

If further credentials or specific configurations are required to exploit the
vulnerability, they will be listed in the Required Conditions, Oracle
Collaboration Suite Vulnerabilities section of this document.
If a workaround is indicated, the Workarounds, Oracle Collaboration Suite
Vulnerabilities section of this document describes a workaround for the Vuln#
given above.

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite
vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.

Appendix D
E-Business Suite Risk Matrix
Critical Patch Update - July 2005

Columns: Vuln#; Access Required (Protocol); Authorization Needed (Package or
Privilege Required); RISK as Ease/Impact for Confidentiality, Integrity and
Availability; Earliest Supported Release Affected; Last Affected Patch set;
Workaround.

Vuln# | Access | Auth | Conf | Integ | Avail | Earliest | Last Affected Patch set | Workaround
------|--------|------|------|-------|-------|----------|-------------------------|-----------
APPS01 | Network (HTTP) | Valid Session | Difficult/Wide | Difficult/Wide | --- | 11.5.0 | 11.5.9.5 | ---
APPS02 | Network (HTTP) | Valid Session | Difficult/Wide | --- | --- | 11.5.0 | 11.5.9.5 | ---
APPS03 | Network (HTTP) | None | Difficult/Wide | Difficult/Wide | --- | 11.5.0 | 11.5.9.5 | ---
APPS04 | SQL (Oracle Net) | Database (execute on portal.wpg_session or owf_mgr.wf_event_html) | Difficult/Wide | Difficult/Wide | --- | 11.5.0 | 11.5.9.5 | ---
APPS05 | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 11.5.0 | 11.5.9.5 | ---
APPS06 | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | --- | 11.5.7 | 11.5.10 | ---
APPS07 | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | --- | 11.5.8 | 11.5.9 | ---
APPS08 | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | --- | 11.5.8 | 11.5.10 | ---
APPS09 | Network (HTTP) | Valid Session | Difficult/Wide | Difficult/Wide | --- | 11.0 | 11.5.10 | ---
APPS10 | Network (HTTP) | Valid Session | Easy/Wide | Difficult/Wide | --- | 11.0 | 11.5.9 | ---
APPS11 | Network (HTTP) | None | Easy/Limited | --- | --- | 11.5.6 | 11.5.10 | ---
APPS12 | Network (HTTP) | None | Easy/Limited | --- | --- | 11.5.9 | 11.5.10 | ---
APPS13 | Network (HTTP) | None | Easy/Limited | --- | --- | 11.5.8 | 11.5.10 | ---
APPS14 | Network (HTTP) | None | Easy/Limited | --- | --- | 11.0 | 11.5.9 | ---
APPS15 | Network (HTTP) | None | Easy/Wide | Easy/Wide | --- | 11.5.4 | 11.5.10 | ---
APPS16 | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | --- | 11.5.6 | 11.5.10.CU1 | ---
APPS17 | Network (HTTP) | None | Easy/Limited | --- | --- | 6.0.8 | 6.0.8.25 | ---

If further credentials or specific configurations are required to exploit the
vulnerability, they will be listed in the Required Conditions, Oracle
E-Business Suite Vulnerabilities section of this document. If a workaround is
indicated, the Workarounds, Oracle E-Business Suite Vulnerabilities section
of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle E-Business Suite Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities. An installed version of Oracle E-Business Suite and a
connected session are sufficient.

Workarounds, E-Business Suite Vulnerabilities

There are no recommended workarounds for the Oracle E-Business Suite
vulnerabilities described in the Oracle E-Business Suite Risk Matrix.

Appendix E
Enterprise Manager Risk Matrix
Critical Patch Update - July 2005

Columns: Vuln#; Component; Access Required (Protocol); Authorization Needed
(Package or Privilege Required); RISK as Ease/Impact for Confidentiality,
Integrity and Availability; Earliest Supported Release Affected; Last
Affected Patch set (per Supported Release); Workaround.

Vuln# | Component | Access | Auth | Conf | Integ | Avail | Earliest | Last Affected Patch set | Workaround
------|-----------|--------|------|------|-------|-------|----------|-------------------------|-----------
EM01 | Instance Management | SQL (Oracle Net) | None | Easy/Limited | Easy/Limited | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.4(10g) | ---
EM02 | CORE: SDK | Network | None | --- | --- | Difficult/Wide | 8i | 8.1.7.4(8i), 9.0.1.4(9i), 9.0.1.5FIPS(9i), 9.2.0.6(9iR2) | ---

If further credentials or specific configurations are required to exploit the
vulnerability, they will be listed in the Required Conditions, Oracle
Enterprise Manager Vulnerabilities section of this document. If a workaround
is indicated, the Workarounds, Oracle Enterprise Manager Vulnerabilities
section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Enterprise Manager Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Enterprise Manager Vulnerabilities

There are no recommended workarounds for the Oracle Enterprise Manager
vulnerabilities described in the Oracle Enterprise Manager Risk Matrix.

[***** End July 2005 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-241: PHP Security Update
P-242: Adobe Reader Vulnerability
P-243: 'ruby 1.8' Vulnerability
P-244: 'arshell' Vulnerability in 'arrayd'
P-245: Cisco CallManager Vulnerabilities
P-246: Microsoft Word Font Parsing Vulnerability
P-247: Microsoft Vulnerability in JView Profiler
P-248: Microsoft Color Management Module Vulnerability
P-249: krb5 Security Update
P-251: Mozilla Security Updates