[SECURITY] [DSA 2795-1] lighttpd security update

2013-11-13 Thread Michael Gilbert

-------------------------------------------------------------------------
Debian Security Advisory DSA-2795-1                   secur...@debian.org
http://www.debian.org/security/                           Michael Gilbert
November 13, 2013                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: lighttpd
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4508 CVE-2013-4559 CVE-2013-4560
Debian Bug : 729453

Several vulnerabilities have been discovered in the lighttpd web server.

CVE-2013-4508

It was discovered that lighttpd uses weak ssl ciphers when SNI (Server
Name Indication) is enabled.  This issue was solved by ensuring that
stronger ssl ciphers are used when SNI is selected.

CVE-2013-4559

The clang static analyzer was used to discover privilege escalation
issues due to missing checks around lighttpd's setuid, setgid, and
setgroups calls.  Those are now appropriately checked.

CVE-2013-4560

The clang static analyzer was used to discover a use-after-free issue
when the FAM stat cache engine is enabled, which is now fixed.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.28-2+squeeze1.4.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.31-4+deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version lighttpd_1.4.33-1+nmu1.

We recommend that you upgrade your lighttpd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Cross-Site Scripting (XSS) in Zikula Application Framework

2013-11-13 Thread High-Tech Bridge Security Research
Advisory ID: HTB23178
Product: Zikula Application Framework
Vendor: Zikula Software Foundation
Vulnerable Version(s): 1.3.5 build 20 and probably prior
Tested Version: 1.3.5 build 20
Advisory Publication:  October 16, 2013  [without technical details]
Vendor Notification: October 16, 2013 
Vendor Patch: October 31, 2013 
Public Disclosure: November 13, 2013 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-6168
Risk Level: Medium 
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in Zikula 
Application Framework, which can be exploited to perform Cross-Site Scripting 
(XSS) attacks.


1) Cross-Site Scripting (XSS) in Zikula Application Framework: CVE-2013-6168

1.1 The vulnerability exists due to insufficient sanitisation of user-supplied 
data in the returnpage HTTP GET parameter passed to the /index.php script. A remote 
attacker can trick a logged-in user into opening a specially crafted link and 
execute arbitrary HTML and script code in the browser in the context of the 
vulnerable website.

The exploitation example below uses the alert() JavaScript function to 
display the word ImmuniWeb:

http://[host]/index.php?module=users&type=user&func=login&returnpage=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

---

Solution:

Update to Zikula 1.3.6 build 19

More Information:
https://github.com/zikula/core/issues/1364
http://community.zikula.org/index.php?module=News&func=display&sid=3132

---

References:

[1] High-Tech Bridge Advisory HTB23178 - 
https://www.htbridge.com/advisory/HTB23178 - Cross-Site Scripting (XSS) in 
Zikula Application Framework.
[2] Zikula - http://zikula.org - Zikula is an open source MVC web application 
framework, released under the LGPLv3, that allows you to rapidly build websites 
for any application.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's 
proprietary web application security assessment solution with SaaS delivery 
model that combines manual and automated vulnerability testing.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



[SECURITY] [DSA 2796-1] torque security update

2013-11-13 Thread Salvatore Bonaccorso

-------------------------------------------------------------------------
Debian Security Advisory DSA-2796-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
November 13, 2013                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: torque
Vulnerability  : arbitrary code execution
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4495
Debian Bug : 729333

Matt Ezell from Oak Ridge National Labs reported a vulnerability in
torque, a PBS-derived batch processing queueing system.

A user could submit executable shell commands on the tail of what is
passed with the -M switch for qsub. This was later passed to a pipe,
making it possible for these commands to be executed as root on the
pbs_server.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.4.8+dfsg-9squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 2.4.16+dfsg-1+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.16+dfsg-1.3.

We recommend that you upgrade your torque packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Android Superuser shell character escape vulnerability

2013-11-13 Thread Kevin Cernekee
Vulnerable releases of two common Android Superuser packages may allow
malicious Android applications to execute arbitrary commands as root,
either without prompting the user or after the user has denied the
request:

 - CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
 - Chainfire SuperSU prior to v1.69

The majority of recent third-party ROMs include one of these packages.
Older ROMs may use the ChainsDD Superuser package, which is not
affected but is no longer maintained.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed.  If any of these checks fail, the denial is recorded by
broadcasting an intent to the Superuser app through the Android
Activity Manager binary, /system/bin/am.  /system/bin/am is invoked as
root, and user-supplied arguments to the su command can be included
on the am command line.

On a rooted Android >= 4.3 device, due to changes in Android's
security model, /system/xbin/su functions as an unprivileged client
which connects to a su daemon started early in the boot process.
The client passes the request over a UNIX socket, and the daemon reads
the caller's credentials using SO_PEERCRED.  As described above,
/system/bin/am is called (now from the daemon) to communicate with the
app that implements the user interface.

If the user invokes su -c 'COMMAND' and the request is denied (or
approved), ClockWorkMod Superuser constructs a command line to pass to
a root shell:

snprintf(user_result_command, sizeof(user_result_command), "exec "
    "/system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name "
    "'%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es "
    "command '%s' --es action %s --user %d",
    VERSION_CODE,
    ctx->from.name, ctx->to.name,
    ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
    policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);

get_command() would return COMMAND, unescaped, through
/system/bin/sh -c.  By adding shell metacharacters to the command,
the root subshell can be tricked into running arbitrary command lines
as root:

su -c 'touch /data/abc;'

Upon denial by the operator, touch /data/abc will be executed with
root privileges.  The Superuser variant of this problem is being
tracked under CVE-2013-6769.

SuperSU prior to v1.69 removes quote and backslash characters from the
string passed to /system/bin/sh, but backticks or $() can be used
instead for the same effect:

su -c '`touch /data/abc`'
su -c '$(touch /data/abc)'

The SuperSU variant of this problem is being tracked under CVE-2013-6775.

ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied
input on the /system/bin/am command line.
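The defensive side of the three shell-escape cases above, and of the torque qsub -M case earlier on this page, as an added C example (not code from Superuser, SuperSU or torque): it contrasts the quote-and-backslash stripping filter SuperSU used, which leaves backticks and $() intact, with POSIX single-quote escaping applied before the caller's string is interpolated into the am command line. The am argument list in build_result_command() is simplified and assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The SuperSU < 1.69 filter: delete quote and backslash characters.
 * Backticks and $() survive, so command substitution still runs. */
size_t strip_quotes_backslash(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in && n + 1 < outsz; in++)
        if (*in != '\'' && *in != '"' && *in != '\\')
            out[n++] = *in;
    out[n] = '\0';
    return n;
}

/* Is anything left that /system/bin/sh -c would still interpret? */
bool has_shell_meta(const char *s)
{
    return strpbrk(s, "`$;|&<>()\n") != NULL;
}

/* POSIX single-quote escaping: wrap the string in '...' and rewrite every
 * embedded ' as '\''.  Inside single quotes the shell expands nothing, so
 * the result is always one literal word.  Returns the output length, or
 * -1 if out cannot hold it (never writes past outsz). */
int shell_single_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 3) return -1;
    out[n++] = '\'';
    for (; *in; in++) {
        if (*in == '\'') {
            if (n + 4 >= outsz) return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = *in;
        }
    }
    if (n + 2 > outsz) return -1;            /* closing quote + NUL */
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* The am command line from the post, rebuilt so every caller-derived field
 * is quoted before interpolation: "touch /data/abc;" or "$(touch /data/abc)"
 * reaches am as data and the root subshell runs only exec /system/bin/am.
 * action is a fixed internal string ("allow"/"deny"), so it is not quoted.
 * (Simplified argument list, assumed for this example.) */
int build_result_command(char *buf, size_t bufsz, const char *from_name,
                         const char *command, const char *action)
{
    char qname[256], qcmd[1024];
    if (shell_single_quote(from_name, qname, sizeof qname) < 0) return -1;
    if (shell_single_quote(command, qcmd, sizeof qcmd) < 0) return -1;
    int n = snprintf(buf, bufsz, "exec /system/bin/am broadcast --es from_name %s "
                     "--es command %s --es action %s", qname, qcmd, action);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}
```

Quoting is the minimal repair; passing the fields to am as a separate argv through execve(), with no /system/bin/sh -c in between, removes the shell from the picture entirely.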


Superuser su --daemon vulnerability on Android >= 4.3

2013-11-13 Thread Kevin Cernekee
Current releases of the CyanogenMod/ClockWorkMod/Koush Superuser
package may allow restricted local users to execute arbitrary commands
as root in certain, non-default device configurations.

Android 4.3 introduced the concept of restricted profiles, created
through the Settings -> Users menu.  A restricted profile can be
configured to allow access to only a minimal set of applications, and
has extremely limited abilities to change settings on the device.
This is often used to enforce parental controls, or to protect shared
devices set up in public places.  The OS requires an unlock code to be
entered in order to access the owner's profile to administer the
system.

/system/xbin/su is a setuid root executable, and any user may invoke
it in client mode (su -c 'foo' or just su), or in daemon mode (su
--daemon).  In either mode of operation, the user who invokes this
program has the ability to manipulate its environment variables, file
descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly
other items.  By adding new entries at the front of the PATH for
commonly-executed root commands, then re-invoking su --daemon, an
attacker may be able to hijack legitimate root sessions subsequently
started by other applications on the device.

su --daemon is normally started up very early in the boot process,
as root, from /init.superuser.rc (CM) or from
/system/etc/install-recovery.sh (other ROMs).  The fact that
unprivileged users are allowed to restart the daemon later, under EUID
0, appears to be an oversight.


Successful exploitation requires a number of conditions to be met:

 - The attacker must have ADB shell access, e.g. over USB.  This is
disabled by default, and normally restricted to trusted ADB clients
whose RSA key fingerprints have been accepted by the device
administrator.  Root access via ADB (i.e. Settings -> Developer
Options -> Root access -> Apps and ADB) is not required.  Note that
ADB shell access is typically considered a security risk, even in the
absence of this problem.

 - The attacker must have a way to assume a non-shell (non-2000),
suid-capable Linux UID in order to prevent /system/xbin/su from
creating infinitely recursive connections to itself through the daemon
client UID check in main().  One way to do this would involve
uploading an app with the debuggable flag and using
/system/bin/run-as to assume this UID.  adb install can probably
used for this purpose.  However, due to a bug in Android 4.3's
run-as implementation[1], this does not currently work.  This bug
was fixed in Android 4.4, so CM11 will probably be able to satisfy
this requirement.

 - The device owner must have granted root permissions to one or more
applications via Superuser.  The restricted profile does not need to
be able to run this app from the launcher.

Sample exploit:

The restricted local user can reboot the tablet, run adb shell when
the boot animation shows up, then invoke the following commands:

echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch /data/trojan.out\nexec $0 $@' > /data/local/tmp/trojan
chmod 755 /data/local/tmp/trojan
for x in id ls cp cat touch chmod chown iptables dmesg; do ln -s trojan /data/local/tmp/$x ; done
PATH=/data/local/tmp:$PATH setsid run-as.422 my.debuggable.package /system/xbin/su --daemon &

(Note the use of run-as.422 as a proxy for a working Android 4.3
run-as binary, and the installation of my.debuggable.package with
the debuggable flag set.)

At this point the USB cable may be disconnected.

The next time a root application successfully passes the Superuser
check and invokes one of the trojaned shell commands,
/data/local/tmp/trojan will be executed under UID 0.

An ideal candidate for exploitation is a package which runs privileged
commands on boot, e.g. AdBlock Plus or AFWall+, as this allows for
instant access.  Another possibility is to hijack an app which the
device's operator runs frequently, such as Titanium Backup.

Note that this can NOT be exploited by malicious applications, as
zygote-spawned processes (apps) always access /system in nosuid
mode[2] on Android 4.3+.  The ADB shell was used as the attack vector
as it is not subject to this restriction.

ChainsDD Superuser v3.1.3 does not have an Android 4.3+ client/server
mode at all, and SuperSU aborts if an existing daemonsu instance is
already bound to the abstract @eu.chainfire.supersu socket.

Proposed resolution: on Android 4.3 and higher, install all
Superuser-related binaries with mode 0755 (setuid bit unset).

This problem is being tracked under CVE-2013-6770.

[1] https://code.google.com/p/android/issues/detail?id=58373
[2] http://source.android.com/devices/tech/security/enhancements43.html


Superuser unsanitized environment vulnerability on Android <= 4.2.x

2013-11-13 Thread Kevin Cernekee
Vulnerable releases of several common Android Superuser packages may
allow malicious Android applications to execute arbitrary commands as
root without notifying the device owner:

 - ChainsDD Superuser (current releases, including v3.1.3)
 - CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
 - Chainfire SuperSU prior to v1.69

The majority of third-party ROMs include one of these packages.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed.  In the course of its normal duties, and prior to making the
allow/deny decision, /system/xbin/su invokes external programs under a
privileged UID, typically root (0) or system (1000):

 - /system/bin/log, to record activity to logcat
 - /system/bin/am, to send intents to the Superuser Java app
 - /system/bin/sh, to execute the /system/bin/am wrapper script
 - /system/bin/app_process, the Dalvik VM

The user who invokes /system/xbin/su may have the ability to
manipulate the environment variables, file descriptors, signals,
rlimits, tty/stdin/stdout/stderr, and possibly other items belonging
to any of these subprocesses.  At least two vulnerabilities are
readily apparent:

 - On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a
known-good value, so a malicious user could trick /system/bin/am into
using a trojaned app_process binary:

echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch /data/trojan.out\nexec $0 $@' > app_process ; chmod 755 app_process
PATH=`pwd`:$PATH su -c 'true'

The PATH vulnerability is being tracked under CVE-2013-6768.

 - Other environment variables could be used to affect the behavior of
the (moderately complex) subprocesses.  For instance, manipulation of
BOOTCLASSPATH could cause a malicious .jar file to be loaded into the
privileged Dalvik VM instance.  All three Superuser implementations
allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker.

The BOOTCLASSPATH vulnerability is being tracked under CVE-2013-6774.
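A defensive counterpart to this post and to the su --daemon post above, as an added C example rather than code from any of the Superuser projects: before a setuid su spawns /system/bin/log, am, sh or app_process it replaces the caller's environment with an allow-listed one carrying fixed PATH and BOOTCLASSPATH values, and it refuses --daemon unless the real UID is 0. The allow-list, the SAFE_* values (the BOOTCLASSPATH is a placeholder) and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Fixed values a setuid su imposes on every child (assumed here; the real
 * BOOTCLASSPATH is whatever init exports on the ROM, never the caller's). */
#define SAFE_PATH          "PATH=/system/bin:/system/xbin"
#define SAFE_BOOTCLASSPATH "BOOTCLASSPATH=/system/framework/PLACEHOLDER.jar"

/* Caller variables worth forwarding (assumed list); PATH, BOOTCLASSPATH,
 * LD_PRELOAD and anything else unlisted are dropped. */
static const char *const forward_prefixes[] = { "ANDROID_ROOT=", "ANDROID_DATA=", "TERM=", NULL };

static bool may_forward(const char *kv)
{
    for (size_t i = 0; forward_prefixes[i]; i++)
        if (strncmp(kv, forward_prefixes[i], strlen(forward_prefixes[i])) == 0)
            return true;
    return false;
}

/* Build the envp for execve() of /system/bin/log, am, sh or app_process:
 * allow-listed caller entries, then the fixed PATH and BOOTCLASSPATH, NULL
 * terminated.  Returns the entry count or -1 if out (max slots) is too small. */
int build_child_env(char *const *caller_env, char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; caller_env && caller_env[i]; i++) {
        if (!may_forward(caller_env[i])) continue;
        if (n + 3 >= max) return -1;         /* keep room for 2 fixed + NULL */
        out[n++] = caller_env[i];
    }
    if (n + 3 > max) return -1;
    out[n++] = SAFE_PATH;
    out[n++] = SAFE_BOOTCLASSPATH;
    out[n] = NULL;
    return (int)n;
}

/* Look NAME up in a NULL-terminated envp; returns its value or NULL. */
const char *env_lookup(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

/* Guard for the su --daemon re-entry problem in the previous post: only a
 * caller whose real UID is 0 (init at boot) may start the daemon; an ADB
 * shell user entering via the setuid bit has EUID 0 but real UID 2000. */
bool daemon_mode_allowed(uid_t real_uid) { return real_uid == 0; }

int main(void)
{
    /* Constructed attacker-controlled environment (PATH and BOOTCLASSPATH
     * cases above); none of it survives into the child. */
    char *attacker_env[] = { "PATH=/data/local/tmp:/system/bin",
        "BOOTCLASSPATH=/data/local/tmp/evil.jar",
        "LD_PRELOAD=/data/local/tmp/hook.so", "TERM=xterm", NULL };
    char *child_env[8];
    int n = build_child_env(attacker_env, child_env, 8);
    for (int i = 0; i < n; i++) puts(child_env[i]);
    return 0;
}
```

File descriptors, signal dispositions and rlimits inherited from the caller need the same treatment before the execve(); this block covers only the environment and the daemon guard.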


[SECURITY] [DSA 2797-1] icedove security update

2013-11-13 Thread Moritz Muehlenhoff

-------------------------------------------------------------------------
Debian Security Advisory DSA-2797-1                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
November 13, 2013                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-5590 CVE-2013-5595 CVE-2013-5597 CVE-2013-5599 
 CVE-2013-5600 CVE-2013-5601 CVE-2013-5602 CVE-2013-5604

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail and news client.  Multiple memory safety 
errors, and other implementation errors may lead to the execution of 
arbitrary code.

The Icedove version in the oldstable distribution (squeeze) is no longer
supported with full security updates. However, it should be noted that
almost all security issues in Icedove stem from the included browser engine.
These security problems only affect Icedove if scripting and HTML mails
are enabled. If there are security issues specific to Icedove (e.g. a 
hypothetical buffer overflow in the IMAP implementation) we'll make an 
effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.10-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.10-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Dahua DVR Authentication Bypass - CVE-2013-6117

2013-11-13 Thread Jake Reynolds
Dahua DVR Authentication Bypass - CVE-2013-6117

--Summary--

Dahua web-enabled DVRs and rebranded versions do not enforce authentication on 
their administrative services.

# Zhejiang Dahua Technology Co., Ltd.
# http://www.dahuasecurity.com

--Affects--

# Dahua web-enabled DVRs
# Dahua-rebranded web-enabled DVRs
# Verified on v2.608..0 and 2.608.GV00.0

--Details--

Dahua web-enabled DVRs utilize fat-client utilities like PSS, mobile client 
interfaces like iDMSS, and an ActiveX control, webrec.cab for browser-based 
access. These clients communicate with an administrative service which runs on 
TCP port 3 by default and can be changed. At least in the case of the 
ActiveX control, a simple binary protocol is used. The various commands 
supported by the server are not authorized in any way. Authentication simply 
serves as a way to let the client transition past the login screen. Various 
commands can be replayed to any DVR sans authentication. These include:

# Get the firmware version
# Get the serial number
# Get the email settings (includes username, SMTP server, and cleartext creds)
# Get the DDNS settings (includes the DDNS service, server, and cleartext creds)
# Get the NAS settings (again, cleartext creds)
# Get the users (username, group membership, and hashed passwords)
# Get the user groups (group name, description, etc)
# Get the channels (camera channel names, e.g. bedroom cocina)
# Clear the logs (handy)
# Change a user's password (unauthorized access)

More Details: 
http://blog.depthsecurity.com/2013/11/dahua-dvr-authentication-bypass-cve.html

--MetaSploit Module--

We wrote a MetaSploit scanner module as a proof of concept. It is multithreaded 
and can look for a specified port, scan networks, find DVRs, get all the above 
info, change a user's password, and clear the logs when it's through. 

# GIT Repo: https://github.com/depthsecurity/dahua_dvr_auth_bypass.git

--Other Concerns--

# Some nearly simultaneous research independent of mine: 
http://www.kb.cert.org/vuls/id/800094 
# CVE-2013-3612: DVRs listen for telnet by default and the root password is 
static and publicly known on all devices. 
(http://www.cctvforum.com/viewtopic.php?f=3&t=32408) 
# Other backdoor accounts exist, including one with a revolving password that 
is a simple date hash.
# CVE-2013-3613: UPnP requests from untrusted addresses are supported and could 
be used to get publicly accessible telnet on a DVR.
# CVE-2013-3614: Passwords are limited to 6 chars.
# CVE-2013-3615: A weak 48-bit hash is utilized to protect DVR account 
passwords. 
# We admittedly did not perform any serious fuzzing of the vulnerable service 
so there is a large potential for more serious vulnerabilities that allow RCE. 
# Also, the DVRs listen on many different ports including telnet besides those 
necessary for web access (TCP/80,3,37778 by default). 
# SMTP, NAS, and DDNS credentials were all stored and transferred in cleartext. 

--Mitigation--

The best advice for now is to make sure these devices are not publicly 
accessible to the internet. Dahua initially stated they would work on fixing 
the issues but went radio silent afterwards.

--Timeline--

# 8/26/2013: Identified authorization flaw
# 8/27/2013: Wrote proof of concept tool/scanner
# 8/28/2013: Disclosed issue to Dahua
# 8/30/2013: Received initial response from Dahua including request for more 
info
# 8/30/2013: Responded to Dahua with requested info
# 9/2/2013: Received confirmation that Dahua R&D is working to fix the issue
# 10/2/2013: Requested status update from Dahua
# 10/10/2013: Re-requested status update from Dahua after no response from 
10/2/2013
# 11/13/2013: Publicly disclosed vulnerability

Jake Reynolds - Partner / Principal Consultant   



Re: DS3 Authentication Server - Multiple Issues

2013-11-13 Thread support
.: [ Summary }:.
Fixes have been released and/or planned for the reported issues. Please contact 
supp...@ds3global.com for more information.

.: [ ISSUE #1 }:.
Fix patch available.

.: [ ISSUE #2 }:.
Fix patch available. 

.: [ ISSUE #3 }:.
Fix patch planned in Q4 2014.