headers
Karel Gardas | 9 Jul 2006 00:43
Favicon

[SECURITY FIX 001]: MICO 2.3.12 _non_existent call vulnerability


Folks,

we have been notified about possible DoS attack which involves calling 
_non_existent operation on the application server side with corrupted 
target object ID. We have successfully duplicated this issue and prepared 
a fix. The fix has been tested for regressions and it is regression free. 
If you are using MICO application on the public network, we strongly 
recommend you to apply it. It is against the MICO 2.3.12 release.

See http://mico.org/down.html or get it directly from 
http://mico.org/errata/mico-2.3.12-secfix1.diff

Cheers,
Karel
------------------------------------------------------------------------
Karel Gardas, Principal Software Engineer, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS, UK
Tel. +44 1223 420252, Fax. +44 870 762 6041 
USA: Tel.+1-800-898-9148, Fax +1-360-933-9591
kgardas <at> objectsecurity.com, www.objectsecurity.com
------------------------------------------------------------------------
Permalink | Reply | 0 comments |
headers
Irvine, Chuck R [LTD] | 10 Jul 2006 20:44

Best source of up-to-date mico documentation?

I've just downloaded, built, and installed Mico and am ready to start
digging in. Looking at the included doc file, doc.ps, it seems to be out
of date. I looked through the email archive and saw mention of forth
coming documentation published by Morgan Kaufmann. Whatever became of
that? In any case, what would folks recommend as the best source of
documentation for mico specific functionality? Thanks

Chuck
Permalink | Reply | 2 comments |
headers
Chen YewMing-CYC033 | 11 Jul 2006 05:18

RE: Best source of up-to-date mico documentation?

Hi Chuck,

I also realized that the docs are not really helpful.
For me, I used the included demo sample codes.
Try digging around the demo directory.

Regards,
YewMing

-----Original Message-----
From: mico-devel-bounces <at> mico.org [mailto:mico-devel-bounces <at> mico.org]
On Behalf Of Irvine, Chuck R [LTD]
Sent: Tuesday, July 11, 2006 2:44 AM
To: mico-devel <at> mico.org
Subject: [mico-devel] Best source of up-to-date mico documentation?

I've just downloaded, built, and installed Mico and am ready to start
digging in. Looking at the included doc file, doc.ps, it seems to be out
of date. I looked through the email archive and saw mention of forth
coming documentation published by Morgan Kaufmann. Whatever became of
that? In any case, what would folks recommend as the best source of
documentation for mico specific functionality? Thanks

Chuck

_______________________________________________
Mico-devel mailing list
Mico-devel <at> mico.org
http://www.mico.org/mailman/listinfo/mico-devel
(Continue reading)

Permalink | Reply | 0 comments |
headers
Karel Gardas | 11 Jul 2006 12:00
Favicon

Re: Best source of up-to-date mico documentation?


Hello,

new MICO book is already out and using "Distributed Systems Architecture" 
title. Please check your local book store or preferred e-shop.

If it does not fulfill your needs, you can also order MICO/CORBA training 
provided by ObjectSecurity. In this case please contact me off-list.

Cheers,
Karel

On Mon, 10 Jul 2006, Irvine, Chuck R [LTD] wrote:

> I've just downloaded, built, and installed Mico and am ready to start
> digging in. Looking at the included doc file, doc.ps, it seems to be out
> of date. I looked through the email archive and saw mention of forth
> coming documentation published by Morgan Kaufmann. Whatever became of
> that? In any case, what would folks recommend as the best source of
> documentation for mico specific functionality? Thanks
>
> Chuck
>
>
> _______________________________________________
> Mico-devel mailing list
> Mico-devel <at> mico.org
> http://www.mico.org/mailman/listinfo/mico-devel
>
--
(Continue reading)

Permalink | Reply | 1 comment |
headers
Raimund Mettendorf DE-HILDEN | 12 Jul 2006 09:25
Favicon

RE: Mico-devel Digest, Vol 35, Issue 3

Hi YewMing, 

yes, I did it in the same way. 
But even demos are not up-to-date. 
Some, e.g., still use the boa approach, 
which is not supported by mico-2.3.12 any more. 

Is someone able to provide an update of the "README-WIN32" 
section "How to compile mico as a static library with VC++"?

Kind regards,
Raimund

> -----Original Message-----
> From: mico-devel-bounces <at> mico.org 
> [mailto:mico-devel-bounces <at> mico.org] On Behalf Of 
> mico-devel-request <at> mico.org
> Sent: Dienstag, 11. Juli 2006 21:00
> To: mico-devel <at> mico.org
> Subject: Mico-devel Digest, Vol 35, Issue 3
> 
> Send Mico-devel mailing list submissions to
> 	mico-devel <at> mico.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www.mico.org/mailman/listinfo/mico-devel
> or, via email, send a message with subject or body 'help' to
> 	mico-devel-request <at> mico.org
> 
> You can reach the person managing the list at
(Continue reading)

Permalink | Reply | 1 comment |
headers
Karel Gardas | 12 Jul 2006 10:38
Favicon

Re: RE: Mico-devel Digest, Vol 35, Issue 3


Hi Raimund,

On Wed, 12 Jul 2006, Raimund Mettendorf DE-HILDEN wrote:

> Hi YewMing,
>
> yes, I did it in the same way.
> But even demos are not up-to-date.
> Some, e.g., still use the boa approach,
> which is not supported by mico-2.3.12 any more.

please let me know any demo which is still using BOA. It should certainly 
be removed.

> Is someone able to provide an update of the "README-WIN32"
> section "How to compile mico as a static library with VC++"?

Isn't MICO compiled for both DLL and LIB by default? Please check your 
mico/win32-bin directory to see which files are there.

Thanks,
Karel
--
Karel Gardas                  kgardas <at> objectsecurity.com
ObjectSecurity Ltd.           http://www.objectsecurity.com
---
Need experienced, fast, reliable technical MICO support?
---> http://www.objectsecurity.com/mico_commsup_referral.html <---
---
(Continue reading)

Permalink | Reply | 0 comments |
headers
Raimund Mettendorf DE-HILDEN | 13 Jul 2006 09:17
Favicon

RE: RE: Mico-devel Digest, Vol 35, Issue 3

Hi Karel, 

thank you for your fast reply. 
(1) E.g., demo\mfc\server.cpp line 158 still uses the boa approach. 
(2) Yes you are right, they are compiled by default. But for instructive 
    purposes I would like to debug into the mico code. For this reason 
    I´m interested in the section stated below. 

Kind regards, 
Raimund

> -----Original Message-----
> From: Karel Gardas [mailto:kgardas <at> objectsecurity.com] 
> Sent: Mittwoch, 12. Juli 2006 10:38
> To: Raimund Mettendorf DE-HILDEN
> Cc: mico-devel <at> mico.org
> Subject: Re: [mico-devel] RE: Mico-devel Digest, Vol 35, Issue 3
> 
> 
> Hi Raimund,
> 
> On Wed, 12 Jul 2006, Raimund Mettendorf DE-HILDEN wrote:
> 
> > Hi YewMing,
> >
> > yes, I did it in the same way.
> > But even demos are not up-to-date.
> > Some, e.g., still use the boa approach,
> > which is not supported by mico-2.3.12 any more.
>
(Continue reading)

Permalink | Reply | 0 comments |
headers
Nikhil Bedagkar | 13 Jul 2006 19:41
Picon
Favicon

symbol lookup error

Hello,

I just compiled mico 2.3.12 on a fedora core 5 machine with gcc 3.4.6. I also compiled CORBA-MICO 0.6.6.

When I run any perl script or when the perl script encounters statement
$orb = CORBA::ORB_init("mico-local-orb") it gives errors related to symbols:
perl: symbol lookup error: /usr/local/lib/libmico2.3.12.so: undefined symbol: CRYPTO_num_locks

Also while I did the 'perl Makefile.PL' to make the CORBA::MICO module it gave an error that libperl.a could not be found.

Can somebody please help me with this?



--Have a nice Day
Nikhil

I want to know God’s thoughts. The rest are details.

Do you Yahoo!?
Next-gen email? Have it all with the all-new Yahoo! Mail Beta. 
_______________________________________________
Mico-devel mailing list
Mico-devel <at> mico.org
http://www.mico.org/mailman/listinfo/mico-devel
Permalink | Reply | 0 comments |
headers
Irvine, Chuck R [LTD] | 14 Jul 2006 16:49

Connecting to an Orbix name service

I'm new to Corba (and Mico) and could sure use a little help ....

I'm writing a Corba client using Mico 2.3.12 which will talk to an Orbix
6.x server. First, can anyone verify that this should work?

The first thing I need to do is connect to the Orbix naming service and
I'm getting a segfault. I'm probably not doing something right. My call
to "orb->resolve_initial_references ("NameService")" returns without
error, but when I call "CosNaming::NamingContext::_narrow (nsobj)" on
the name service object, I get a segfault. I call my code thus: 

./get-orbix-name-service -ORBInitRef
NameService=corbaloc::10.77.83.35:3075/NameService

My sample code is given below. Any help would be hugely appreciated. 

Thanks,
Chuck

--------------get-orbix-name-service--------------------

#include <CORBA.h>
#include <coss/CosNaming.h>

using namespace std;

int main (int argc, char *argv[])
{
  // ORB initialization
  CORBA::ORB_var orb = CORBA::ORB_init (argc, argv, "mico-local-orb" );

  CORBA::Object_var nsobj =
    orb->resolve_initial_references ("NameService");

	if (CORBA::is_nil(nsobj)) {
		cerr << "oops, name service is nil" << endl;
		exit(1);
	}

  CosNaming::NamingContext_var nc = 
    CosNaming::NamingContext::_narrow (nsobj);

  if (CORBA::is_nil (nc)) {
    cerr << "oops, I cannot access the Naming Service!" << endl;
    exit (1);
  }

  cout << "acquired naming service" << endl;

  return 0;
}

-------------------------------------------------------------
Permalink | Reply | 0 comments |
headers
Irvine, Chuck R [LTD] | 14 Jul 2006 17:53

RE: Connecting to an Orbix name service

After turning on mico debug output, I discovered the problem. I was
using a raw ip address rather than a host name to talk to the name
service. I was using the ip address because the hostname isn't visible
to my workstation. After inserting an appropriate entry into my
ect/hosts file, things are working now. 

However, I would think that mico shouldn't core dump on this kind of
error. Thoughts?

Thanks,
Chuck

-----Original Message-----
From: mico-devel-bounces <at> mico.org [mailto:mico-devel-bounces <at> mico.org]
On Behalf Of Irvine, Chuck R [LTD]
Sent: Friday, July 14, 2006 9:49 AM
To: mico-devel <at> mico.org
Subject: [mico-devel] Connecting to an Orbix name service

I'm new to Corba (and Mico) and could sure use a little help ....

I'm writing a Corba client using Mico 2.3.12 which will talk to an Orbix
6.x server. First, can anyone verify that this should work?

The first thing I need to do is connect to the Orbix naming service and
I'm getting a segfault. I'm probably not doing something right. My call
to "orb->resolve_initial_references ("NameService")" returns without
error, but when I call "CosNaming::NamingContext::_narrow (nsobj)" on
the name service object, I get a segfault. I call my code thus: 

./get-orbix-name-service -ORBInitRef
NameService=corbaloc::10.77.83.35:3075/NameService

My sample code is given below. Any help would be hugely appreciated. 

Thanks,
Chuck

--------------get-orbix-name-service--------------------

#include <CORBA.h>
#include <coss/CosNaming.h>

using namespace std;

int main (int argc, char *argv[])
{
  // ORB initialization
  CORBA::ORB_var orb = CORBA::ORB_init (argc, argv, "mico-local-orb" );

  CORBA::Object_var nsobj =
    orb->resolve_initial_references ("NameService");

	if (CORBA::is_nil(nsobj)) {
		cerr << "oops, name service is nil" << endl;
		exit(1);
	}

  CosNaming::NamingContext_var nc = 
    CosNaming::NamingContext::_narrow (nsobj);

  if (CORBA::is_nil (nc)) {
    cerr << "oops, I cannot access the Naming Service!" << endl;
    exit (1);
  }

  cout << "acquired naming service" << endl;

  return 0;
}

-------------------------------------------------------------

_______________________________________________
Mico-devel mailing list
Mico-devel <at> mico.org http://www.mico.org/mailman/listinfo/mico-devel
Permalink | Reply | 2 comments |

Gmane