From dzimi at pld.org.pl Sun Feb 9 12:49:17 2003 From: dzimi at pld.org.pl (Krzysiek Taraszka) Date: Tue Dec 20 11:03:11 2005 Subject: [PLDSA 23-1] New apache-mod_ssl packages fix cross site scripting Message-ID: - -------------------------------------------------------------------------- PLD Security Advisory PLDSA 23-1 security@pld.org.pl http://www.pld.org.pl/security/ PLD Security Team 03 February 2003 http://www.pld.org.pl/security/faq - -------------------------------------------------------------------------- Package : prior to apache-mod_ssl-2.8.11_1.3.27-1 Vulnerability : cross site scripting Problem-Type : remote PLD-specific : no CVE references : CAN-2002-1157 A cross-site scripting vulnerability was discovered in mod_ssl by Joe Orton. This only affects servers using a combination of wildcard DNS and "UseCanonicalName off". With this setting turned off, Apache will attempt to use the hostname:port that the client supplies, which is where the problem comes into play. With this setting turned on, Apache constructs a self-referencing URL and will use ServerName and Port to form the canonical name. The above problems have been fixed in version 2.8.12_1.3.27-1 for the current stable distribution (ra). We recommend that you upgrade your apache-mod_ssl packages. wget -c url will fetch the file for you rpm -Uhv file(s)*.rpm will upgrade the referenced file. If you are using "poldek" - the package manager, use the line as given below for upgrade packages poldek --update will update the internal database poldek --upgrade 'apache-mod_ssl*' will install corrected packages If you are using "apt" - the package manager, use the line as given below for upgrade packages apt-get update will update the internal database apt-get upgrade 'apache-mod_ssl*' will install corrected packages PLD Linux 1.0 alias ra - -------------------- Source archives: ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/apache-mod_ssl-2.8.12_1.3.27-1.src.rpm MD5 checksum: ee4adecfd8a4cb75952fab0072d515f8 I386 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/apache-mod_ssl-2.8.12_1.3.27-1.i386.rpm MD5 checksum: 6d103e0598bff9e9559c9ae24230c0ae ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/apache-mod_sxnet-2.8.12_1.3.27-1.i386.rpm MD5 checksum: 84d7baa30e718294ec29770d98176b67 I586 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/apache-mod_ssl-2.8.12_1.3.27-1.i586.rpm MD5 checksum: 0cf9460bf3d8655a09de2b05e4abd8fd ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/apache-mod_sxnet-2.8.12_1.3.27-1.i586.rpm MD5 checksum: 9085e4886988bfea61eb2b472c5f119f I686 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/apache-mod_ssl-2.8.12_1.3.27-1.i686.rpm MD5 checksum: 6d4adab2bbdd2e435cf7ee8714004c3b ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/apache-mod_sxnet-2.8.12_1.3.27-1.i686.rpm MD5 checksum: 8fa6cf8da19cd2e96101340fa3377282 PowerPC Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/apache-mod_ssl-2.8.12_1.3.27-1.ppc.rpm MD5 checksum: 757773d2dc7688ba960ad12b1cee6c20 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/apache-mod_sxnet-2.8.12_1.3.27-1.ppc.rpm MD5 checksum: 022281cd0b8eda61494b552a0791b393 - -------------------------------------------------------------------------------- - If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list. For i386 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security For i586 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security For i686 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security For ppc architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security From dzimi at pld.org.pl Sun Feb 9 13:09:29 2003 From: dzimi at pld.org.pl (Krzysiek Taraszka) Date: Tue Dec 20 11:03:11 2005 Subject: [PLDSA 24-1] New spamassassin packages fix buffer overflow Message-ID: - -------------------------------------------------------------------------- PLD Security Advisory PLDSA 24-1 security@pld.org.pl http://www.pld.org.pl/security/ PLD Security Team 03 February 2003 http://www.pld.org.pl/security/faq - -------------------------------------------------------------------------- Package : prior to spamassassin-2.43-2 Vulnerability : buffer overflow Problem-Type : remote PLD-specific : no Attacker may be able to execute arbitrary code by sending a specially crafted e-mail to a system using SpamAssassin's spamc program in BSMTP mode (-B option). The above problems have been fixed in version 2.44-1 for the current stable distribution (ra). We recommend that you upgrade your spamassassin packages. wget -c url will fetch the file for you rpm -Uhv file(s)*.rpm will upgrade the referenced file. If you are using "poldek" - the package manager, use the line as given below for upgrade packages poldek --update will update the internal database poldek --upgrade 'spamassassin*' will install corrected packages If you are using "apt" - the package manager, use the line as given below for upgrade packages apt-get update will update the internal database apt-get upgrade 'spamassassin*' will install corrected packages PLD Linux 1.0 alias ra - -------------------- Source archives: ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/spamassassin-2.44-1.src.rpm MD5 checksum: 29454e48961229eddaa820a25039c9f0 I386 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/perl-Mail-SpamAssassin-2.44-1.i386.rpm MD5 checksum: 3119af38d3c286aab8d1747ee8e02edb ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/spamassassin-2.44-1.i386.rpm MD5 checksum: 0b1233a1b1fd03b9eb05c6b3fb7aae28 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/spamassassin-spamc-2.44-1.i386.rpm MD5 checksum: 0b7c8459c6cd35be5d530d4ac3036c21 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/spamassassin-spamd-2.44-1.i386.rpm MD5 checksum: c3843e98320766f20ed0b798f2a2c6f9 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/spamassassin-tools-2.44-1.i386.rpm MD5 checksum: 83abe9fded1e3ca5b64607fd52c1d45f I586 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/perl-Mail-SpamAssassin-2.44-1.i586.rpm MD5 checksum: 9455166ed644df04024c9914f9ef40ca ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/spamassassin-2.44-1.i586.rpm MD5 checksum: 6e8d7dd178af7833c3b724424e72b05c ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/spamassassin-spamc-2.44-1.i586.rpm MD5 checksum: cadf6cef4f73f2c76c45fff46334950a ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/spamassassin-spamd-2.44-1.i586.rpm MD5 checksum: b1dd36063488c1e1be9991527efb9975 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/spamassassin-tools-2.44-1.i586.rpm MD5 checksum: 7fb1bd78b7a0b354f11778180e4db82f I686 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/perl-Mail-SpamAssassin-2.44-1.i686.rpm MD5 checksum: 7c0a06fa9952d4b243591573d440d85c ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/spamassassin-2.44-1.i686.rpm MD5 checksum: 62bb35a1ede6177f133ff186e3f22c5f ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/spamassassin-spamc-2.44-1.i686.rpm MD5 checksum: fd8f7f4cf64699deeffde45a2d6976da ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/spamassassin-spamd-2.44-1.i686.rpm MD5 checksum: e31b031be2f6fed169ac93edccceda48 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/spamassassin-tools-2.44-1.i686.rpm MD5 checksum: 0f6478ca13ce7dace4fe8418211df094 PowerPC Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/spamassassin-2.44-1.ppc.rpm MD5 checksum: 28353f0988eb98acadf6d1051f8467d2 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/spamassassin-spamc-2.44-1.ppc.rpm MD5 checksum: f8ba674e6aa26356266152309f778fa4 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/spamassassin-spamd-2.44-1.ppc.rpm MD5 checksum: 406b6a39afb4de1f6087cc8b7549f2a5 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/spamassassin-tools-2.44-1.ppc.rpm MD5 checksum: 1e8077bc27b5af0121284e97c7b0b05b - -------------------------------------------------------------------------------- - If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list. For i386 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security For i586 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security For i686 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security For ppc architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security From dzimi at pld.org.pl Sun Feb 9 13:31:43 2003 From: dzimi at pld.org.pl (Krzysiek Taraszka) Date: Tue Dec 20 11:03:11 2005 Subject: [PLDSA 25-1] New vim packages fix arbitrary code execution Message-ID: - -------------------------------------------------------------------------- PLD Security Advisory PLDSA 25-1 security@pld.org.pl http://www.pld.org.pl/security/ PLD Security Team 03 February 2003 http://www.pld.org.pl/security/faq - -------------------------------------------------------------------------- Package : prior to vim-6.1.212-4 Vulnerability : arbitrary code execution Problem-Type : local PLD-specific : no CVE references : CAN-2002-1377 A vulnerability was discovered in vim by Georgi Guninski that allows arbitrary command execution using the libcall feature found in modelines. A patch to fix this problem was introduced in vim 6.1 patchlevel 265. The above problems have been fixed in version 6.1.300-2 for the current stable distribution (ra). We recommend that you upgrade your vim packages. wget -c url will fetch the file for you rpm -Uhv file(s)*.rpm will upgrade the referenced file. If you are using "poldek" - the package manager, use the line as given below for upgrade packages poldek --update will update the internal database poldek --upgrade 'vim*' will install corrected packages If you are using "apt" - the package manager, use the line as given below for upgrade packages apt-get update will update the internal database apt-get upgrade 'vim*' will install corrected packages PLD Linux 1.0 alias ra - -------------------- Source archives: ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/vim-6.1.300-2.src.rpm MD5 checksum: 8bf75c87969d9f243b2c555879c10549 I386 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/gvim-athena-6.1.300-2.i386.rpm MD5 checksum: 3a0a0987b7bdca5fab3afa46ec6be6d3 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/gvim-gnome-6.1.300-2.i386.rpm MD5 checksum: fe9b09b2a1d7f2ba05f0d09c1dcd22f6 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/gvim-gtk-6.1.300-2.i386.rpm MD5 checksum: 2733d5b29b1ee844e0c4eb79150a006f ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/gvim-motif-6.1.300-2.i386.rpm MD5 checksum: 31045679e32630a3284347b04e743451 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/vim-6.1.300-2.i386.rpm MD5 checksum: cf7b37c3186a57d8666c75cea98b68ac ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/vim-ispell-6.1.300-2.i386.rpm MD5 checksum: 452ff0732bc42314167ddc53c6f0ca90 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/vim-rt-6.1.300-2.i386.rpm MD5 checksum: 599df278c9fb24953e65abcf70df3dfd ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/vim-static-6.1.300-2.i386.rpm MD5 checksum: 410e1f0fc18b6010208b302bb66e5f9f ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/xxd-6.1.300-2.i386.rpm MD5 checksum: 0f4c45bd0ca3bfc01c17a8ac76547465 I586 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/gvim-athena-6.1.300-2.i586.rpm MD5 checksum: 87b814de9c407fee65c46c2533ecb611 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/gvim-gnome-6.1.300-2.i586.rpm MD5 checksum: 7d5985b000cb8b9cacebd7fe7b7c9f7f ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/gvim-gtk-6.1.300-2.i586.rpm MD5 checksum: fa9aa7857cd84b075dcb230e7bcd8e77 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/gvim-motif-6.1.300-2.i586.rpm MD5 checksum: d82ca091179958372a8d1eaeca534506 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/vim-6.1.300-2.i586.rpm MD5 checksum: 1ebcca347a33fb7d272ba3c8edbce5c2 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/vim-ispell-6.1.300-2.i586.rpm MD5 checksum: 85d64824e1fdc3e71c8272db719b57ee ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/vim-rt-6.1.300-2.i586.rpm MD5 checksum: f137f7f225c8ff65fba0a7634f976dd2 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/vim-static-6.1.300-2.i586.rpm MD5 checksum: 787c4b9f60a6b6e2bfb27510b4f28069 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/xxd-6.1.300-2.i586.rpm MD5 checksum: f34f5020023c3cf4e65f7751cdfd48d4 I686 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/gvim-athena-6.1.300-2.i686.rpm MD5 checksum: 04b331a11e629327be6a912e7c08a735 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/gvim-gnome-6.1.300-2.i686.rpm MD5 checksum: 99b2cb4bcc6d60b68a720fd0705d8dc7 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/gvim-gtk-6.1.300-2.i686.rpm MD5 checksum: 4607205e8670d0baaf3d639f98af2fb5 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/gvim-motif-6.1.300-2.i686.rpm MD5 checksum: 4e0a270ed3cbd8e4e9f3e6e2c5414303 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/vim-6.1.300-2.i686.rpm MD5 checksum: 5c831cec83c293818d4a49322b2eceae ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/vim-ispell-6.1.300-2.i686.rpm MD5 checksum: 4288f1ff8e7abb7c7c9fbf5cfa9b325c ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/vim-rt-6.1.300-2.i686.rpm MD5 checksum: 565a7bdc35d5788ac62c5e16b4189114 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/vim-static-6.1.300-2.i686.rpm MD5 checksum: 28876baf52b6b2a44bbf8787f481f3a7 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/xxd-6.1.300-2.i686.rpm MD5 checksum: 2001cd4597279a1ecfe82eb8a3264eec PowerPC Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/gvim-athena-6.1.300-2.ppc.rpm MD5 checksum: 1ad5c1dd9c4942b4b76bc439ec5be819 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/gvim-gnome-6.1.300-2.ppc.rpm MD5 checksum: ad19150d6bcf0464b8f802ceb9bc3deb ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/gvim-gtk-6.1.300-2.ppc.rpm MD5 checksum: a92230bffadd206ed3567120ffe7d363 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/gvim-motif-6.1.300-2.ppc.rpm MD5 checksum: 78f09d0c5da21503b5386eafdc1827aa ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/vim-6.1.300-2.ppc.rpm MD5 checksum: e88ba87d445017cd89d985735cc40f4e ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/vim-ispell-6.1.300-2.ppc.rpm MD5 checksum: ae394b2f07dfd3ff127422867bddccec ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/vim-rt-6.1.300-2.ppc.rpm MD5 checksum: deebe0bae3d805105d5f147ba32220ac ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/vim-static-6.1.300-2.ppc.rpm MD5 checksum: 3a0ccf79a575f673f68388f78a9b7997 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/xxd-6.1.300-2.ppc.rpm MD5 checksum: a05a42ee918e3d48d1cc18beb779524a - -------------------------------------------------------------------------------- - If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list. For i386 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security For i586 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security For i686 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security For ppc architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security From dzimi at pld.org.pl Sun Feb 9 13:47:56 2003 From: dzimi at pld.org.pl (Krzysiek Taraszka) Date: Tue Dec 20 11:03:11 2005 Subject: [PLDSA 26-1] New bladeenc packages fix arbitrary code execution Message-ID: - -------------------------------------------------------------------------- PLD Security Advisory PLDSA 26-1 security@pld.org.pl http://www.pld.org.pl/security/ PLD Security Team 03 February 2003 http://www.pld.org.pl/security/faq - -------------------------------------------------------------------------- Package : prior to bladeenc-0.94.2-3 Vulnerability : arbitrary code execution Problem-Type : local PLD-specific : no Upstream URL : www.pivx.com/luigi/adv/blade942-adv.txt Auriemma Luigi discovered a bug in the bladeenc. A wave file let the attacker to execute all the code he want on the victim. The above problems have been fixed in version 0.94.2-4 for the current stable distribution (ra). We recommend that you upgrade your bladeenc packages. wget -c url will fetch the file for you rpm -Uhv file(s)*.rpm will upgrade the referenced file. If you are using "poldek" - the package manager, use the line as given below for upgrade packages poldek --update will update the internal database poldek --upgrade 'bladeenc*' will install corrected packages If you are using "apt" - the package manager, use the line as given below for upgrade packages apt-get update will update the internal database apt-get upgrade 'bladeenc*' will install corrected packages PLD Linux 1.0 alias ra - -------------------- Source archives: ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/bladeenc-0.94.2-4.src.rpm MD5 checksum: ff436c90acf6c4c24ab33fc5b6a4e269 I386 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/bladeenc-0.94.2-4.i386.rpm MD5 checksum: 996d6f92a7f7e527be8c11c3a9c6702b I586 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/bladeenc-0.94.2-4.i586.rpm MD5 checksum: 4ae70baaabd3fec1dd6bd22a58b0a0e9 I686 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/bladeenc-0.94.2-4.i686.rpm MD5 checksum: 50e12ba25e4cbbe1a0e1b51430f0567f PowerPC Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/bladeenc-0.94.2-4.ppc.rpm MD5 checksum: 08802a753ebc8bba68e263b90a401615 - -------------------------------------------------------------------------------- - If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list. For i386 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security For i586 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security For i686 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security For ppc architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security From dzimi at pld.org.pl Sun Feb 9 14:03:52 2003 From: dzimi at pld.org.pl (Krzysiek Taraszka) Date: Tue Dec 20 11:03:11 2005 Subject: [PLDSA 27-1] New slocate packages fix buffer overflow Message-ID: - -------------------------------------------------------------------------- PLD Security Advisory PLDSA 27-1 security@pld.org.pl http://www.pld.org.pl/security/ PLD Security Team 03 February 2003 http://www.pld.org.pl/security/faq - -------------------------------------------------------------------------- Package : prior to slocate-2.6-4 Vulnerability : buffer overflow Problem-Type : local PLD-specific : no CVE references : CAN-2003-0056 Upstream URL : www.usg.org.uk/advisories/2003.001.txt A buffer overflow vulnerability was discovered in slocate by team USG. The overflow appears when slocate is used with the -c and -r parameters, using a 1024 (or 10240) byte string. The above problems have been fixed in version 2.7-1 for the current stable distribution (ra). We recommend that you upgrade your slocate packages. wget -c url will fetch the file for you rpm -Uhv file(s)*.rpm will upgrade the referenced file. If you are using "poldek" - the package manager, use the line as given below for upgrade packages poldek --update will update the internal database poldek --upgrade 'slocate*' will install corrected packages If you are using "apt" - the package manager, use the line as given below for upgrade packages apt-get update will update the internal database apt-get upgrade 'slocate*' will install corrected packages PLD Linux 1.0 alias ra - -------------------- Source archives: ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/slocate-2.7-1.src.rpm MD5 checksum: d6ea744a7b43a9075910fb8949fbf644 I386 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/slocate-2.7-1.i386.rpm MD5 checksum: d7c16b1c548f7fb1d64d776be80fbcc2 I586 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/slocate-2.7-1.i586.rpm MD5 checksum: 0de590acfdc1daf41ec9a5efef367f87 I686 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/slocate-2.7-1.i686.rpm MD5 checksum: dae764c4361bdfbb02aff0097c40751a PowerPC Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/slocate-2.7-1.ppc.rpm MD5 checksum: 6db576ed43768f54c4d85157146258a2 - -------------------------------------------------------------------------------- - If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list. For i386 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security For i586 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security For i686 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security For ppc architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security