From dzimi at pld.org.pl Sat Jan 4 13:19:26 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:10 2005
Subject: PLDSA [3-1] New wget packages fix directory traversal
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 3-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
22 December 2002                                    http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : wget prior to 1.8.2-1
Vulnerability  : directory traversal
PLD-specific   : no
CVE            : CAN-2002-1344

Steven M. Christey discovered that wget did not verify the FTP server
response to an NLST command: it must not contain any directory
information, since that can be used to make an FTP client overwrite
arbitrary files.

The above problems have been fixed in version 1.8.2-2 for the current
stable distribution (ra).

We recommend that you upgrade your wget packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update            will update the internal database
  poldek --upgrade 'wget*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update             will update the internal database
  apt-get upgrade 'wget*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/wget-1.8.2-2.src.rpm
    MD5 checksum: 83f108b10c874a78c4b41eaa6952e78f

I386 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/wget-1.8.2-2.i386.rpm
    MD5 checksum: 7112b87f0eada7ff19bc7cce68c7b681

I586 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/wget-1.8.2-2.i586.rpm
    MD5 checksum: 00fbe6d783905b8edb4011639e92b4c3

I686 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/wget-1.8.2-2.i686.rpm
    MD5 checksum: f192bf834d7398d55c39f462102f1147

PowerPC Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/wget-1.8.2-2.ppc.rpm
    MD5 checksum: 2493a967054a5d3a17967efc07f42064

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf.
  If you are using apt-get add this line to sources.list.

For i386 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


From dzimi at pld.org.pl Sat Jan 4 13:20:02 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:10 2005
Subject: PLDSA [4-1] New fetchmail packages fix buffer overflow
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 4-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
22 December 2002                                    http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : fetchmail prior to 6.1.2-2
Vulnerability  : buffer overflow
Problem-Type   : remote
PLD-specific   : no
Upstream URL   : http://security.e-matters.de/advisories/052002.html

Stefan Esser discovered another buffer overflow within the default
configuration. This heap overflow can be used by remote attackers to
crash it or to execute arbitrary code with the privileges of the user
running fetchmail. Depending on the configuration this allows a remote
root compromise.

The above problems have been fixed in version 6.2.0-1 for the current
stable distribution (ra).

We recommend that you upgrade your fetchmail packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.
If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update                 will update the internal database
  poldek --upgrade 'fetchmail*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update                  will update the internal database
  apt-get upgrade 'fetchmail*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/fetchmail-6.2.0-1.src.rpm
    MD5 checksum: f55bc41db865bd84ec715bc9d7691738

I386 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/fetchmail-6.2.0-1.i386.rpm
    MD5 checksum: b01670f48a2931ebee3e7f54943d3a6a
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/fetchmail-daemon-6.2.0-1.i386.rpm
    MD5 checksum: 882f18388cd0702450f8f57d76ed31c0
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/fetchmailconf-6.2.0-1.i386.rpm
    MD5 checksum: f07b119e641528a65b24d1f27fae2a65

I586 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/fetchmail-6.2.0-1.i586.rpm
    MD5 checksum: 6dd441b245604f86c41eeb15fa717ece
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/fetchmail-daemon-6.2.0-1.i586.rpm
    MD5 checksum: 4413c5a0da0adf5379c505b1fd1d6a00
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/fetchmailconf-6.2.0-1.i586.rpm
    MD5 checksum: 2e653227e2f6da04eefd0b151432dc54

I686 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/fetchmail-6.2.0-1.i686.rpm
    MD5 checksum: 752df5229bd5b7cfa3cc7d88ea5e461c
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/fetchmail-daemon-6.2.0-1.i686.rpm
    MD5 checksum: 5c03b7c4383e792a45fced4dbdd5d0b0
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/fetchmailconf-6.2.0-1.i686.rpm
    MD5 checksum: 947769056a593572a7dc87f32c421802

PowerPC Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/fetchmail-6.2.0-1.ppc.rpm
    MD5 checksum: e3c93e286fb52b93b97fda1908a3b612
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/fetchmail-daemon-6.2.0-1.ppc.rpm
    MD5 checksum: eb77792c0a9596e8075f160dc51eaf0e
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/fetchmailconf-6.2.0-1.ppc.rpm
    MD5 checksum: 9e3a8aba300304704dccfa77cd4dd8fe

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf.
  If you are using apt-get add this line to sources.list.

For i386 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


From dzimi at pld.org.pl Sat Jan 4 13:20:32 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:10 2005
Subject: PLDSA [5-1] New masqmail packages fix buffer overflows
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 5-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
22 December 2002                                    http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : masqmail prior to 0.2.6-2
Vulnerability  : buffer overflows
Problem-Type   : local
PLD-specific   : no

A set of buffer overflows has been discovered in masqmail, a mail
transport agent for hosts without permanent internet connection.
In addition to this, privileges were dropped only after reading a user
supplied configuration file. Together this could be exploited to gain
unauthorized root access to the machine on which masqmail is installed.

The above problems have been fixed in version 0.2.17-1 for the current
stable distribution (ra).

We recommend that you upgrade your masqmail packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update                will update the internal database
  poldek --upgrade 'masqmail*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update                 will update the internal database
  apt-get upgrade 'masqmail*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/masqmail-0.2.17-1.src.rpm
    MD5 checksum: ba4b09fc812566f86d4753057e6f0805

I386 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/masqmail-0.2.17-1.i386.rpm
    MD5 checksum: e85ac1665347f3051c2251ccfe1063c2

I586 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/masqmail-0.2.17-1.i586.rpm
    MD5 checksum: dd362f17d6912ab33dc9168ea1071a74

I686 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/masqmail-0.2.17-1.i686.rpm
    MD5 checksum: 499bba3ce0579ee7fe72a20a5c472c43

PowerPC Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/masqmail-0.2.17-1.ppc.rpm
    MD5 checksum: 46542c48dda0218e906b5875ddba470c

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf.
  If you are using apt-get add this line to sources.list.

For i386 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


From dzimi at pld.org.pl Sat Jan 4 14:46:51 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:10 2005
Subject: [PLDSA 6-1] New squirrelmail packages fix cross site scripting bugs
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 6-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
04 January 2003                                     http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : squirrelmail-1.2.9-1
Vulnerability  : cross site scripting
Problem-Type   : remote
PLD-specific   : no
BugTraq ID     : 5949

Several cross site scripting vulnerabilities have been found in
squirrelmail, a feature-rich webmail package written in PHP4. The
Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities:

1. CAN-2002-1131: User input is not always sanitized so execution of
   arbitrary code on a client computer is possible. This can happen
   after following a malicious URL or by viewing a malicious
   addressbook entry.

2. CAN-2002-1132: Another problem could make it possible for an
   attacker to gain sensitive information under some conditions.
   When a malformed argument is appended to a link, an error page will
   be generated which contains the absolute pathname of the script.
   However, this information is available through the Contents file of
   the distribution anyway.

The above problems have been fixed in version 1.2.10-1 for the current
stable distribution (ra).

We recommend that you upgrade your squirrelmail packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update                    will update the internal database
  poldek --upgrade 'squirrelmail*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update                     will update the internal database
  apt-get upgrade 'squirrelmail*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/squirrelmail-1.2.10-1.src.rpm
    MD5 checksum: ce85d46bc7f34555870ad2d589fc9024

I386 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-1.2.10-1.i386.rpm
    MD5 checksum: 277724118c626db296359743ed29eeac
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-ispell-1.2.10-1.i386.rpm
    MD5 checksum: b1de8e8d04417e4750bc1e2e4ab4f3e8
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-mail_fwd-1.2.10-1.i386.rpm
    MD5 checksum: cce0ce20150da437c4f0abe1c8b8b92f
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-mailfetch-1.2.10-1.i386.rpm
    MD5 checksum: ae1fff54a112da532e826963a216d112
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-newmail-1.2.10-1.i386.rpm
    MD5 checksum: 533a057f7d752bc4b02bdb1f9e021022

I586 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-1.2.10-1.i586.rpm
    MD5 checksum: a76fac661545ef10b2b39d42274bbebb
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-ispell-1.2.10-1.i586.rpm
    MD5 checksum: 946200b19145c5ce5acffe24bd99ffb0
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-mail_fwd-1.2.10-1.i586.rpm
    MD5 checksum: a1e29cbee0ab13aa11ea821f022c0316
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-mailfetch-1.2.10-1.i586.rpm
    MD5 checksum: 5286b9fe0742314e4c895328f2356246
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-newmail-1.2.10-1.i586.rpm
    MD5 checksum: 85355606b4f642cbacd8fc86b7c0fb69

I686 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-1.2.10-1.i686.rpm
    MD5 checksum: b71a2e943f069be85e125480531fc246
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-ispell-1.2.10-1.i686.rpm
    MD5 checksum: df55071720fff5a62c9bd2fd343ff585
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-mail_fwd-1.2.10-1.i686.rpm
    MD5 checksum: 75193011e7f6961b91f6d15345aff258
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-mailfetch-1.2.10-1.i686.rpm
    MD5 checksum: 47cb065b8fb29072c4e469ddfdd24f45
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-newmail-1.2.10-1.i686.rpm
    MD5 checksum: d799e3f6835bdd0a13dcadeb819dea3b

PowerPC Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-1.2.10-1.ppc.rpm
    MD5 checksum: 3c6062224f9db9c83e49e456fb299949
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-ispell-1.2.10-1.ppc.rpm
    MD5 checksum: a6ecce54f8339c02f62a83afff86cdbb
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-mail_fwd-1.2.10-1.ppc.rpm
    MD5 checksum: 40440e0276ca0b38fc66e02e549a2035
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-mailfetch-1.2.10-1.ppc.rpm
    MD5 checksum: 38a8411bc5e8d1429388787b57e4554a
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-newmail-1.2.10-1.ppc.rpm
    MD5 checksum: ba57f3d0391d62b031fc9156edf75471

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf.
  If you are using apt-get add this line to sources.list.

For i386 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


From dzimi at pld.org.pl Sat Jan 4 16:57:14 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:10 2005
Subject: [PLDSA 7-1] Multiple MySQL vulnerabilities
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 7-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
04 January 2003                                     http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : mysql-3.23.53-1
Vulnerability  : remote DOS and arbitrary code execution
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2002-1373, CAN-2002-1374, CAN-2002-1375, CAN-2002-1376

Two vulnerabilities were discovered in all versions of MySQL prior to
3.23.53a and 4.0.5a by Stefan Esser. The first can be used by any valid
MySQL user to crash the MySQL server, the other allows anyone to bypass
the MySQL password check or execute arbitrary code with the privilege
of the user running mysqld.
Another two vulnerabilities were found, one an arbitrary size heap
overflow in the mysql client library and another that allows one to
write '\0' to any memory address. Both of these flaws could allow DOS
attacks or arbitrary code execution within anything linked against
libmysqlclient.

The above problems and other security problems have been fixed in
version 3.23.54a-1 for the current stable distribution (ra).

We recommend that you upgrade your mysql packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update             will update the internal database
  poldek --upgrade 'mysql*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update              will update the internal database
  apt-get upgrade 'mysql*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/mysql-3.23.54a-1.src.rpm
    MD5 checksum: 536fc89687d9080450c8bbb372cd44c8

I386 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-3.23.54a-1.i386.rpm
    MD5 checksum: f0ac3eb68947c2087d7ae36862e45ca3
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-bench-3.23.54a-1.i386.rpm
    MD5 checksum: 8e63731ec657a4b1f9de67e10db16704
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-client-3.23.54a-1.i386.rpm
    MD5 checksum: 46d06540dcfe6c2dcf19c46e5fa690b6
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-devel-3.23.54a-1.i386.rpm
    MD5 checksum: 7d9eb35ea4be5d398db7fcfe44780800
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-extras-3.23.54a-1.i386.rpm
    MD5 checksum: c148410afffdd6fd688416177e5e4bb9
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-extras-perl-3.23.54a-1.i386.rpm
    MD5 checksum: c0ddab0f3bd98364bcf975a9fb837886
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-libs-3.23.54a-1.i386.rpm
    MD5 checksum: caf84b0460814e44be9a93cd09e3b186
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-static-3.23.54a-1.i386.rpm
    MD5 checksum: 4bdb4d985642b5338dd5ef9d079beae3

I586 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-3.23.54a-1.i586.rpm
    MD5 checksum: 1b66c77e866d986a1151feca494c1c46
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-bench-3.23.54a-1.i586.rpm
    MD5 checksum: 167d509a348e4190db8b367122b257b2
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-client-3.23.54a-1.i586.rpm
    MD5 checksum: bc0f4585c71fdfa114420c2afcc8fceb
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-devel-3.23.54a-1.i586.rpm
    MD5 checksum: fc7106bcfe9682a26c601a20a6219eca
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-extras-3.23.54a-1.i586.rpm
    MD5 checksum: 29dd002e8aecac23fc86b185e42b6b2f
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-extras-perl-3.23.54a-1.i586.rpm
    MD5 checksum: acabbd169d9882ec2b160b85f10753f5
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-libs-3.23.54a-1.i586.rpm
    MD5 checksum: c501aa55ef858e80398ccdd4d5bef6f2
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/mysql-static-3.23.54a-1.i586.rpm
    MD5 checksum: 92ce44b71829a8c01754b5d77828de97

I686 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-3.23.54a-1.i686.rpm
    MD5 checksum: 36445933287f4fe380cb3ba6e28048b7
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-bench-3.23.54a-1.i686.rpm
    MD5 checksum: 5715387ba2de8e5676b1fa43b0200684
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-client-3.23.54a-1.i686.rpm
    MD5 checksum: b5ca9700eae3701c86ff8a38971a1925
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-devel-3.23.54a-1.i686.rpm
    MD5 checksum: 6cfe23c77711247a0d3bf3f92a3a39b6
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-extras-3.23.54a-1.i686.rpm
    MD5 checksum: 9eeb787c483ad7239e7df9297600b63e
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-extras-perl-3.23.54a-1.i686.rpm
    MD5 checksum: 07b20cb5fab1658e2651e7e48eda173e
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-libs-3.23.54a-1.i686.rpm
    MD5 checksum: f3b6149b7002094af28fcf9f5e1e92da
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/mysql-static-3.23.54a-1.i686.rpm
    MD5 checksum: e56d93f9f90da7c9913b939f166d898d

PowerPC Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-3.23.54a-1.ppc.rpm
    MD5 checksum: f035de90d75f7d94c3b703d2396d105c
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-bench-3.23.54a-1.ppc.rpm
    MD5 checksum: da1a228a797def9578431dc595fe7fde
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-client-3.23.54a-1.ppc.rpm
    MD5 checksum: 23869dad78948902f6e8e4cb800acc46
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-devel-3.23.54a-1.ppc.rpm
    MD5 checksum: fae98cf58222702c3880f2449c63c3f0
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-extras-3.23.54a-1.ppc.rpm
    MD5 checksum: a0cb864b2cf98ea6a9192b0eb2383be6
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-extras-perl-3.23.54a-1.ppc.rpm
    MD5 checksum: 19ac1fbfb7041b6c6eb01e759392bf94
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-libs-3.23.54a-1.ppc.rpm
    MD5 checksum: 2cb147b8637af709c970a1d2402aaea1
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/mysql-static-3.23.54a-1.ppc.rpm
    MD5 checksum: 87a2801b3038a929e359d29cbb141c24

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf.
  If you are using apt-get add this line to sources.list.
For i386 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


From dzimi at pld.org.pl Sat Jan 4 18:52:55 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 8-1] New phpBB packages fix execution of arbitrary code via network
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 8-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
04 January 2003                                     http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : phpBB-2.0.3-4
Vulnerability  : Execution of arbitrary code via network
Problem-Type   : remote
PLD-specific   : no

An input validation vulnerability was reported in the Advanced Quick
Reply hack for the phpBB forum. A remote user can execute shell commands
on the server.

It is reported that a remote user can cause remotely located PHP scripts
to be executed on the target server because of a flaw in specifying the
target directory for the '$phpbb_root_path' variable. To exploit this,
the user must create malicious PHP code on an arbitrary remote server (a
server that the remote user controls or has access to). Then, the remote
user can send a specially crafted URL to the target web server to cause
the target web server to execute the malicious PHP code. The code will
be executed with the privileges of the web server process.

The above problems have been fixed in version 2.0.3-5 for the current
stable distribution (ra).

Another vulnerability was found too. A remote user can access the target
user's cookies (including authentication cookies), if any, associated
with the site running phpBB2, access data recently submitted by the
target user via web form to the site, or take actions on the site acting
as the target user. No solution was available at the time of this entry.
PLD Security Team suggests that you disable the ability to post messages
containing HTML and require users to use BBCode instead.

We recommend that you upgrade your phpBB packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update             will update the internal database
  poldek --upgrade 'phpBB*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update              will update the internal database
  apt-get upgrade 'phpBB*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/phpBB-2.0.3-5.src.rpm
    MD5 checksum: 06e3dfcf7fb9467831fb5ca964a596a0

Noarch components (in i386 tree):
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/phpBB-2.0.3-5.noarch.rpm
    MD5 checksum: 0f6f41eebb4e95e320844877becc91d3
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/phpBB-install-2.0.3-5.noarch.rpm
    MD5 checksum: 1cf428ebbcbf60d86ecc1e9aa9835387

Noarch components (in i586 tree):
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/phpBB-2.0.3-5.noarch.rpm
    MD5 checksum: e1ec2b717a5192e50f6f913633704f3c
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/phpBB-install-2.0.3-5.noarch.rpm
    MD5 checksum: 2648098c6b0c4752b4bbb381163e62fc

Noarch components (in i686 tree):
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/phpBB-2.0.3-5.noarch.rpm
    MD5 checksum: 26dead08e953dcece19a9f250fb2a666
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/phpBB-install-2.0.3-5.noarch.rpm
    MD5 checksum: 291797cc993524e7c0813eb032a0fc4a

Noarch components (in ppc tree):
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/phpBB-2.0.3-5.noarch.rpm
    MD5 checksum: 0bd15a2b85082f3461647293c520dc29
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/phpBB-install-2.0.3-5.noarch.rpm
    MD5 checksum: 02bbb287ac28c41053e3af8b6db5475e

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf.
  If you are using apt-get add this line to sources.list.

For i386 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


From dzimi at pld.org.pl Sat Jan 4 19:58:22 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 9-1] New xpdf packages fix integer overflow
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 9-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
04 January 2003                                     http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : xpdf-1.01-5
Vulnerability  : integer overflow
Problem-Type   : local and remote
PLD-specific   : no
CVE references : CAN-2002-1384

The pdftops filter in the Xpdf and CUPS packages contains an integer
overflow that can be exploited to gain the privileges of the target user
or in some cases the increased privileges of the 'lp' user if installed
setuid. There are multiple ways of exploiting this vulnerability.

The above problems have been fixed in version 1.01-6 for the current
stable distribution (ra).

We recommend that you upgrade your xpdf packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update            will update the internal database
  poldek --upgrade 'xpdf*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update             will update the internal database
  apt-get upgrade 'xpdf*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/xpdf-1.01-6.src.rpm
    MD5 checksum: 2e1c7e311d43e128c83713d86de3db2b

I386 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/xpdf-1.01-6.i386.rpm
    MD5 checksum: b7b39a26b92e2a9112e6e86cd5562b33

I586 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/xpdf-1.01-6.i586.rpm
    MD5 checksum: 67d5a8475725f1181f0f4e199a3771c2

I686 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/xpdf-1.01-6.i686.rpm
    MD5 checksum: e6ab4cea8121136efbdc34c5534eca15

PowerPC Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/xpdf-1.01-6.ppc.rpm
    MD5 checksum: c6be9fd0fb771a1c21c6d102e333343e

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf.
  If you are using apt-get add this line to sources.list.

For i386 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
  poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
  apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


From dzimi at pld.org.pl Sun Jan 5 13:01:34 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 6-1] New squirrelmail packages fix cross site scripting bugs
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 6-1                     security@pld.org.pl
http://www.pld.org.pl/security/                     PLD Security Team
04 January 2003                                     http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : squirrelmail prior to 1.2.9-1
Vulnerability  : cross site scripting
Problem-Type   : remote
PLD-specific   : no
BugTraq ID     : 5949
CVE references : CAN-2002-1131, CAN-2002-1132

[ Previous mail was broken by Announcer. This mail fixes the previous
  announcer bugs ]

Several cross site scripting vulnerabilities have been found in
squirrelmail, a feature-rich webmail package written in PHP4. The
Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities:

1. CAN-2002-1131: User input is not always sanitized so execution of
   arbitrary code on a client computer is possible. This can happen
   after following a malicious URL or by viewing a malicious
   addressbook entry.

2. CAN-2002-1132: Another problem could make it possible for an
   attacker to gain sensitive information under some conditions.
   When a malformed argument is appended to a link, an error page will
   be generated which contains the absolute pathname of the script.
   However, this information is available through the Contents file of
   the distribution anyway.

The above problems have been fixed in version 1.2.10-1 for the current
stable distribution (ra).

We recommend that you upgrade your squirrelmail packages.

  wget -c url                will fetch the file for you
  rpm -Uhv file(s)*.rpm      will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given
below to upgrade packages:

  poldek --update                    will update the internal database
  poldek --upgrade 'squirrelmail*'   will install corrected packages

If you are using "apt" - the package manager, use the lines given
below to upgrade packages:

  apt-get update                     will update the internal database
  apt-get upgrade 'squirrelmail*'    will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/squirrelmail-1.2.10-1.src.rpm
    MD5 checksum: ce85d46bc7f34555870ad2d589fc9024

I386 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-1.2.10-1.i386.rpm
    MD5 checksum: 277724118c626db296359743ed29eeac
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-ispell-1.2.10-1.i386.rpm
    MD5 checksum: b1de8e8d04417e4750bc1e2e4ab4f3e8
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-mail_fwd-1.2.10-1.i386.rpm
    MD5 checksum: cce0ce20150da437c4f0abe1c8b8b92f
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-mailfetch-1.2.10-1.i386.rpm
    MD5 checksum: ae1fff54a112da532e826963a216d112
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-newmail-1.2.10-1.i386.rpm
    MD5 checksum: 533a057f7d752bc4b02bdb1f9e021022

I586 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-1.2.10-1.i586.rpm
    MD5 checksum: a76fac661545ef10b2b39d42274bbebb
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-ispell-1.2.10-1.i586.rpm
    MD5 checksum: 946200b19145c5ce5acffe24bd99ffb0
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-mail_fwd-1.2.10-1.i586.rpm
    MD5 checksum: a1e29cbee0ab13aa11ea821f022c0316
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-mailfetch-1.2.10-1.i586.rpm
    MD5 checksum: 5286b9fe0742314e4c895328f2356246
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-newmail-1.2.10-1.i586.rpm
    MD5 checksum: 85355606b4f642cbacd8fc86b7c0fb69

I686 Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-1.2.10-1.i686.rpm
    MD5 checksum: b71a2e943f069be85e125480531fc246
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-ispell-1.2.10-1.i686.rpm
    MD5 checksum: df55071720fff5a62c9bd2fd343ff585
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-mail_fwd-1.2.10-1.i686.rpm
    MD5 checksum: 75193011e7f6961b91f6d15345aff258
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-mailfetch-1.2.10-1.i686.rpm
    MD5 checksum: 47cb065b8fb29072c4e469ddfdd24f45
  ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-newmail-1.2.10-1.i686.rpm
    MD5 checksum: d799e3f6835bdd0a13dcadeb819dea3b

PowerPC Architecture components:
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-1.2.10-1.ppc.rpm
    MD5 checksum: 3c6062224f9db9c83e49e456fb299949
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-ispell-1.2.10-1.ppc.rpm
    MD5 checksum: a6ecce54f8339c02f62a83afff86cdbb
  ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-mail_fwd-1.2.10-1.ppc.rpm
    MD5 checksum:
40440e0276ca0b38fc66e02e549a2035 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-mailfetch-1.2.10-1.ppc.rpm MD5 checksum: 38a8411bc5e8d1429388787b57e4554a ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-newmail-1.2.10-1.ppc.rpm MD5 checksum: ba57f3d0391d62b031fc9156edf75471 - -------------------------------------------------------------------------------- - If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list. For i386 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security For i586 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security For i686 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security For ppc architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security From dzimi at pld.org.pl Sun Jan 5 13:02:56 2003 From: dzimi at pld.org.pl (Krzysiek Taraszka) Date: Tue Dec 20 11:03:11 2005 Subject: [PLDSA 7-1] Multiple MySQL vulnerabilities Message-ID: - -------------------------------------------------------------------------- PLD Security Advisory PLDSA 7-1 security@pld.org.pl http://www.pld.org.pl/security/ PLD Security Team 04 January 2003 http://www.pld.org.pl/security/faq - -------------------------------------------------------------------------- Package : mysql prior to 3.23.53-1 Vulnerability : remote DOS and arbitrary code execution Problem-Type : remote PLD-specific : no CVE references : CAN-2002-1373, CAN-2002-1374, CAN-2002-1375, CAN-2002-1376 [ Previous mail was broken by Announcer. 
This mail fix previous announcer bugs ] Two vulnerabilities were discovered in all versions of MySQL prior to 3.23.53a and 4.0.5a by Stefan Esser. The first can be used by any valid MySQL user to crash the MySQL server, the other allows anyone to bypass the MySQL password check or execute arbitraty code with the privilege of the user running mysqld. Another two vulnerabilities were found, one an arbitrary size heap overflow in the mysql client library and another that allows one to write '\0' to any memory address. Both of these flaws could allow DOS attacks or arbitary code execution within anything linked against libmysqlclient. The above problems and other security problems have been fixed in version 3.23.54a-1 for the current stable distribution (ra). We recommend that you upgrade your mysql packages. wget -c url will fetch the file for you rpm -Uhv file(s)*.rpm will upgrade the referenced file. If you are using "poldek" - the package manager, use the line as given below for upgrade packages poldek --update will update the internal database poldek --upgrade 'mysql*' will install corrected packages If you are using "apt" - the package manager, use the line as given below for upgrade packages apt-get update will update the internal database apt-get upgrade 'mysql*' will install corrected packages PLD Linux 1.0 alias ra - -------------------- Source archives: ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/mysql-3.23.54a-1.src.rpm MD5 checksum: 536fc89687d9080450c8bbb372cd44c8 I386 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-3.23.54a-1.i386.rpm MD5 checksum: f0ac3eb68947c2087d7ae36862e45ca3 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-bench-3.23.54a-1.i386.rpm MD5 checksum: 8e63731ec657a4b1f9de67e10db16704 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/mysql-client-3.23.54a-1.i386.rpm MD5 checksum: 46d06540dcfe6c2dcf19c46e5fa690b6 
From dzimi at pld.org.pl Sun Jan 5 13:04:38 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 8-1] New phpBB packages fix execution of arbitrary code via network

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 8-1                           security@pld.org.pl
http://www.pld.org.pl/security/                             PLD Security Team
04 January 2003                               http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : phpBB prior to 2.0.3-3
Vulnerability  : execution of arbitrary code via network
Problem-Type   : remote
PLD-specific   : no

[ The previous mail was broken by the announcer; this mail fixes those announcer bugs. ]

An input validation vulnerability was reported in the Advanced Quick Reply hack for the phpBB forum. A remote user can execute shell commands on the server. It is reported that a remote user can cause remotely located PHP scripts to be executed on the target server because of a flaw in specifying the target directory for the '$phpbb_root_path' variable.
To exploit this, the user must create malicious PHP code on an arbitrary remote server (a server that the remote user controls or has access to). Then, the remote user can send a specially crafted URL to the target web server to cause it to execute the malicious PHP code. The code will be executed with the privileges of the web server process.

The above problems have been fixed in version 2.0.3-5 for the current stable distribution (ra).

Another vulnerability was found as well. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running phpBB2, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. No solution was available at the time of this entry. The PLD Security Team suggests that you disable the ability to post messages containing HTML and require users to use BBCode instead.

We recommend that you upgrade your phpBB packages:

  poldek --update, then poldek --upgrade 'phpBB*'    (poldek)
  apt-get update, then apt-get upgrade 'phpBB*'      (apt)

PLD Linux 1.0 alias ra
- --------------------
From dzimi at pld.org.pl Sun Jan 5 13:05:22 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 9-1] New xpdf packages fix integer overflow

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 9-1                           security@pld.org.pl
http://www.pld.org.pl/security/                             PLD Security Team
04 January 2003                               http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : xpdf prior to 1.01-5
Vulnerability  : integer overflow
Problem-Type   : local and remote
PLD-specific   : no
CVE references : CAN-2002-1384

[ The previous mail was broken by the announcer; this mail fixes those announcer bugs. ]

The pdftops filter in the Xpdf and CUPS packages contains an integer overflow that can be exploited to gain the privileges of the target user or, in some cases, the increased privileges of the 'lp' user if the filter is installed setuid. There are multiple ways of exploiting this vulnerability.

The above problems have been fixed in version 1.01-6 for the current stable distribution (ra).

We recommend that you upgrade your xpdf packages:

  poldek --update, then poldek --upgrade 'xpdf*'    (poldek)
  apt-get update, then apt-get upgrade 'xpdf*'      (apt)

PLD Linux 1.0 alias ra
- --------------------
From dzimi at pld.org.pl Thu Jan 30 14:09:55 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 10-1] New sendmail packages fix smrsh insecurities

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 10-1                          security@pld.org.pl
http://www.pld.org.pl/security/                             PLD Security Team
04 January 2003                               http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : prior to sendmail-8.12.6-2
Vulnerability  : smrsh insecurities
Problem-Type   : local
PLD-specific   : no
Upstream URL   : http://www.sendmail.org/smrsh.adv.txt

A vulnerability was discovered by zen-parse and Pedram Amini in the sendmail MTA. They found two ways to exploit smrsh, an application intended as a replacement for the sh shell for use with sendmail: the first by inserting specially formatted commands in the ~/.forward file, and the second by calling smrsh directly with special options. These can be exploited to give users with no shell account, or those not permitted to execute certain programs or commands, the ability to bypass these restrictions.

The above problems have been fixed in version 8.12.7-1 for the current stable distribution (ra).

We recommend that you upgrade your sendmail packages:

  poldek --update, then poldek --upgrade 'sendmail*'    (poldek)
  apt-get update, then apt-get upgrade 'sendmail*'      (apt)

PLD Linux 1.0 alias ra
- --------------------
From dzimi at pld.org.pl Thu Jan 30 14:10:08 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 11-1] New dhcpcd packages fix remote command execution vulnerability

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 11-1                          security@pld.org.pl
http://www.pld.org.pl/security/                             PLD Security Team
11 January 2003                               http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : prior to dhcpcd-1.3.22pl1-15
Vulnerability  : remote command execution
Problem-Type   : remote
PLD-specific   : no
BugTraq ID     : 6200

Simon Kelly discovered a vulnerability in dhcpcd, an RFC2131 and RFC1541 compliant DHCP client daemon that runs with root privileges on client machines. A malicious administrator of the regular DHCP server, or of an untrusted one, may execute any command with root privileges on the DHCP client machine by sending the command enclosed in shell metacharacters in one of the options provided by the DHCP server.

The above problems have been fixed in version 1.3.22pl4-1 for the current stable distribution (ra).

We recommend that you upgrade your dhcpcd packages.
  poldek --update, then poldek --upgrade 'dhcpcd*'    (poldek)
  apt-get update, then apt-get upgrade 'dhcpcd*'      (apt)

PLD Linux 1.0 alias ra
- --------------------
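The dhcpcd problem above comes down to a network-supplied option string reaching a shell. As an added illustration (this is not dhcpcd's code), the following C checks such an option against host-name syntax and hands it to a hook script through execve() rather than a shell command line; the hook path, argument layout and length limits are assumptions made for the example.

```c
/* Added example, not dhcpcd's own code: treat DHCP option strings as data.
 * Limits follow RFC 1123 host-name syntax; the hook interface is assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DHCP_NAME_MAX  255
#define DHCP_LABEL_MAX 63

/* One DNS label: 1..63 letters, digits or hyphens, no leading/trailing hyphen. */
static int label_ok(const char *s, size_t n)
{
    if (n == 0 || n > DHCP_LABEL_MAX)
        return 0;
    if (s[0] == '-' || s[n - 1] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-')
            return 0;
    }
    return 1;
}

/* Accept only a syntactically valid host or domain name. Anything else,
 * including shell metacharacters, spaces or control bytes, is rejected
 * outright rather than "escaped": the option value is data, never a command. */
int dhcp_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > DHCP_NAME_MAX)
        return 0;
    const char *p = name;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t n = dot ? (size_t)(dot - p) : strlen(p);
        if (!label_ok(p, n))
            return 0;
        if (!dot)
            return 1;
        p = dot + 1;
    }
}

/* The pattern the advisory describes, shown only for contrast (not used here):
 *   snprintf(cmd, sizeof cmd, "/etc/dhcpc/hook %s", hostname); system(cmd);
 * A shell parses that line as root, so metacharacters in the option run commands.
 *
 * Safe form: validate, then pass the value as a separate argv element via
 * fork()/execve() with a fixed environment, so no shell ever sees it.
 * Returns the hook's exit status, or -1 if the value was rejected or exec failed. */
int run_hook(const char *hook_path, const char *iface, const char *hostname)
{
    if (!dhcp_name_ok(hostname)) {
        fprintf(stderr, "rejecting malformed host-name option\n");
        return -1;
    }
    char *const argv[] = { (char *)hook_path, (char *)iface, (char *)hostname, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* minimal, fixed */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(hook_path, argv, envp);
        _exit(127);                     /* exec failed; never fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed option values, as a DHCP server might send them. */
    const char *samples[] = { "client42.example.org", "bad host", "host;x", "-lead.example.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i], dhcp_name_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```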
From dzimi at pld.org.pl Thu Jan 30 14:10:21 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 12-1] New cups packages fix several vulnerabilities

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 12-1                          security@pld.org.pl
http://www.pld.org.pl/security/                             PLD Security Team
11 January 2003                               http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : prior to cups-1.1.14-21
Vulnerability  : several
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2002-1366, CAN-2002-1367, CAN-2002-1368, CAN-2002-1369,
                 CAN-2002-1371, CAN-2002-1372, CAN-2002-1383, CAN-2002-1384

Multiple vulnerabilities were discovered in the Common Unix Printing System (CUPS). Several of these issues represent the potential for a remote compromise or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

. CAN-2002-1366: Race conditions in connection with /etc/cups/certs/ allow local users with lp privileges to create or overwrite arbitrary files.

. CAN-2002-1367: This vulnerability allows a remote attacker to add printers without authentication via a certain UDP packet, which can then be used to perform unauthorized activities such as stealing the local root certificate for the administration server via a "need authorization" page.

. CAN-2002-1368: Negative lengths fed into memcpy() can cause a denial of service and possibly execute arbitrary code.

. CAN-2002-1369: An unsafe strncat() function call processing the options string allows a remote attacker to execute arbitrary code via a buffer overflow.

. CAN-2002-1371: Zero-width images allow a remote attacker to execute arbitrary code via modified chunk headers.

. CAN-2002-1372: CUPS does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service.

. CAN-2002-1383: Multiple integer overflows allow a remote attacker to execute arbitrary code via the CUPSd HTTP interface and the image handling code in CUPS filters.

. CAN-2002-1384: The cupsys package contains some code from the xpdf package, used to convert PDF files for printing, which contains an exploitable integer overflow bug.

The above problems have been fixed in version 1.1.14-22 for the current stable distribution (ra).

We recommend that you upgrade your cups packages.
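Two of the CUPS items above share a pattern: a signed length reaching memcpy() (CAN-2002-1368) and integer overflows in image-size arithmetic (CAN-2002-1383 and the xpdf code in CAN-2002-1384). The following C is added here and is not CUPS or xpdf code; it shows the checks that close both, with an assumed attribute layout, constructed sample buffers and an assumed per-image size limit.

```c
/* Added example, not CUPS or xpdf code: the negative-length and
 * size-overflow bug classes from the list above, with the checks that
 * prevent them. Attribute layout and limits are assumed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy limit for one decoded image (assumed). */
#define MAX_IMAGE_BYTES ((size_t)64 * 1024 * 1024)

/* Constructed sample attributes: 2-byte big-endian signed length, then data. */
const unsigned char SAMPLE_OK[]    = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const unsigned char SAMPLE_NEG[]   = { 0xFF, 0xFE, 'h', 'e', 'l', 'l', 'o' }; /* length -2 */
const unsigned char SAMPLE_SHORT[] = { 0x00, 0x09, 'h', 'i' };               /* claims 9, has 2 */
char attr_out[64];

/* Copy one length-prefixed value into out. Returns bytes consumed, or 0 if
 * the input is malformed. The length is read as a signed 16-bit value because
 * that is how the bug class arises: an unchecked negative length handed to
 * memcpy() converts to a huge size_t and copies far past both buffers. */
size_t read_attr(const unsigned char *buf, size_t avail, char *out, size_t outsz)
{
    if (avail < 2)
        return 0;
    int16_t len = (int16_t)((buf[0] << 8) | buf[1]);
    if (len < 0)                       /* reject negative lengths before any cast */
        return 0;
    size_t n = (size_t)len;
    if (n > avail - 2)                 /* must fit what was actually received */
        return 0;
    if (n >= outsz)                    /* must fit the destination, with room for NUL */
        return 0;
    memcpy(out, buf + 2, n);
    out[n] = '\0';
    return 2 + n;
}

/* The overflowing computation: width * height * bpp done in 32 bits.
 * Returns the wrapped value a vulnerable allocator would pass to malloc(),
 * leaving a buffer far smaller than the decoder then writes into. */
uint32_t unsafe_image_bytes32(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Checked version: returns the byte count, or 0 if any dimension is zero,
 * the product would overflow size_t, or it exceeds the policy limit. */
size_t image_bytes(uint32_t w, uint32_t h, uint32_t bpp)
{
    if (w == 0 || h == 0 || bpp == 0)
        return 0;
    if ((size_t)w > SIZE_MAX / h)
        return 0;
    size_t pixels = (size_t)w * h;
    if (pixels > SIZE_MAX / bpp)
        return 0;
    size_t bytes = pixels * bpp;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;
    return bytes;
}

unsigned char *alloc_image(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t bytes = image_bytes(w, h, bpp);
    return bytes ? calloc(bytes, 1) : NULL;
}

int main(void)
{
    size_t used = read_attr(SAMPLE_OK, sizeof SAMPLE_OK, attr_out, sizeof attr_out);
    printf("well-formed attribute: consumed %zu bytes -> \"%s\"\n", used, attr_out);
    printf("negative-length attribute: consumed %zu bytes\n",
           read_attr(SAMPLE_NEG, sizeof SAMPLE_NEG, attr_out, sizeof attr_out));
    printf("65536x65536x4: unchecked %u bytes, checked %zu bytes\n",
           unsafe_image_bytes32(65536, 65536, 4), image_bytes(65536, 65536, 4));
    unsigned char *img = alloc_image(640, 480, 3);
    printf("640x480x3: %s\n", img ? "allocated" : "refused");
    free(img);
    return 0;
}
```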
If you are using "poldek" - the package manager, use the line as given below for upgrade packages poldek --update will update the internal database poldek --upgrade 'cups*' will install corrected packages If you are using "apt" - the package manager, use the line as given below for upgrade packages apt-get update will update the internal database apt-get upgrade 'cups*' will install corrected packages PLD Linux 1.0 alias ra - -------------------- Source archives: ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/cups-1.1.14-22.src.rpm MD5 checksum: eaad706536733bb5016bafcf026de651 I386 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cups-1.1.14-22.i386.rpm MD5 checksum: e0e906dfa0a054d5d953857f3fb83437 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cups-clients-1.1.14-22.i386.rpm MD5 checksum: 1d6d70828db0548362d611839e14b08d ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cups-devel-1.1.14-22.i386.rpm MD5 checksum: 883115ac579765f48cdcf02176867424 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cups-image-lib-1.1.14-22.i386.rpm MD5 checksum: 56388fa68e3c6868f293aac69f0c3472 ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cups-lib-1.1.14-22.i386.rpm MD5 checksum: c64efe08b059390290a92337af06f30a ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cups-static-1.1.14-22.i386.rpm MD5 checksum: d969097a4c23ecac5e2f0e465db41184 I586 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cups-1.1.14-22.i586.rpm MD5 checksum: d1efaf1328e27a867af9b2c528ed8eec ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cups-clients-1.1.14-22.i586.rpm MD5 checksum: 9e7471bfdd4306db402e667d33f36cd9 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cups-devel-1.1.14-22.i586.rpm MD5 checksum: 0722464d3ab6da79888fcccefe9ca64d ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cups-image-lib-1.1.14-22.i586.rpm MD5 checksum: a695fb82367df3384b70576bd1f782e3 
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cups-lib-1.1.14-22.i586.rpm MD5 checksum: b2b84c5a773f7ad454cce82dd7d90147 ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cups-static-1.1.14-22.i586.rpm MD5 checksum: 17fcbe0367f966b104918129e2fee1db I686 Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cups-1.1.14-22.i686.rpm MD5 checksum: a80675bf0c3ebe2c70182abbd558423f ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cups-clients-1.1.14-22.i686.rpm MD5 checksum: 768b830b3b8e1d4e8d916f223ee66943 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cups-devel-1.1.14-22.i686.rpm MD5 checksum: 868ce98d028ca2481634ea593c9f1401 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cups-image-lib-1.1.14-22.i686.rpm MD5 checksum: 67528a07af150b9a2f946b555a246540 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cups-lib-1.1.14-22.i686.rpm MD5 checksum: c17b4adef73a8344cba4b204a0d0fed3 ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cups-static-1.1.14-22.i686.rpm MD5 checksum: 65fd8ab1e014cf139d7df587715bcf09 PowerPC Architecture components: ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cups-1.1.14-22.ppc.rpm MD5 checksum: 50234d4867bf02fa6140cde160858f8a ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cups-clients-1.1.14-22.ppc.rpm MD5 checksum: 47593a0c1a7891989dc2cf635cbc9a1e ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cups-devel-1.1.14-22.ppc.rpm MD5 checksum: 40ce0d745505b3a3f1994f002bd5c4c0 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cups-image-lib-1.1.14-22.ppc.rpm MD5 checksum: 42d9e4a6cbb985c28397f29940e8ca28 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cups-lib-1.1.14-22.ppc.rpm MD5 checksum: bd389690f29f7c3fa3b065c1a00fec91 ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cups-static-1.1.14-22.ppc.rpm MD5 checksum: fc67e944260d6ec81d855ecd87b15bbd - -------------------------------------------------------------------------------- - If you are using poldek add this line to poldek.conf. 
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:10:48 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 14-1] New libmcrypt packages fix buffer overflows and memory leak
Message-ID:

--------------------------------------------------------------------------
PLD Security Advisory PLDSA 14-1                       security@pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
13 January 2003                          http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to libmcrypt-2.4.22-1
Vulnerability  : buffer overflows and memory leak
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2003-0031, CAN-2003-0032

libmcrypt versions prior to 2.5.5 contain a number of buffer overflow
vulnerabilities that stem from improper or lacking input validation. By
passing longer than expected input to a number of functions (multiple
functions are affected) the user can successfully make libmcrypt crash.

Another vulnerability is due to the way libmcrypt loads algorithms via
libtool. When the algorithms are loaded dynamically, each time an algorithm
is loaded a small amount (a few kilobytes) of memory is leaked. In a
persistent environment (web server) this could lead to a memory exhaustion
attack that will exhaust all available memory by launching repeated requests
at an application utilizing the mcrypt library.

The above problems have been fixed in version 2.5.5-1 for the current stable
distribution (ra).

We recommend that you upgrade your libmcrypt packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given below to
upgrade packages:

poldek --update
        will update the internal database
poldek --upgrade 'libmcrypt*'
        will install corrected packages

If you are using "apt" - the package manager, use the lines given below to
upgrade packages:

apt-get update
        will update the internal database
apt-get upgrade 'libmcrypt*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

--------------------------------------------------------------------------------

If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:10:35 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 13-1] New libpng packages fix buffer overflow
Message-ID:

--------------------------------------------------------------------------
PLD Security Advisory PLDSA 13-1                       security@pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
11 January 2003                          http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to libpng-1.0.14-1
Vulnerability  : buffer overflow
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2002-1363

Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples
from libpng, an interface for reading and writing PNG (Portable Network
Graphics) format files. The starting offsets for the loops are calculated
incorrectly, which causes a buffer overrun beyond the beginning of the row
buffer.

The above problems have been fixed in version 1.0.15-1 for the current stable
distribution (ra).

We recommend that you upgrade your libpng packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given below to
upgrade packages:

poldek --update
        will update the internal database
poldek --upgrade 'libpng*'
        will install corrected packages

If you are using "apt" - the package manager, use the lines given below to
upgrade packages:

apt-get update
        will update the internal database
apt-get upgrade 'libpng*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

--------------------------------------------------------------------------------

If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:11:13 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 16-1] New perl packages correct Safe handling
Message-ID:
--------------------------------------------------------------------------
PLD Security Advisory PLDSA 16-1                       security@pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
13 January 2003                          http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to perl-5.6.1-63
Vulnerability  : broken safe compartment
Problem-Type   : local
PLD-specific   : no
CVE references : CAN-2002-1323

A security hole has been discovered in Safe.pm, which is used in all versions
of Perl. The Safe extension module allows the creation of compartments in
which perl code can be evaluated in a new namespace, and the code evaluated
in the compartment cannot refer to variables outside this namespace.
However, when a Safe compartment has already been used, there's no guarantee
that it is Safe any longer, because there's a way for code executed within
the Safe compartment to alter its operation mask. Thus, programs that use a
Safe compartment only once aren't affected by this bug.

The above problems have been fixed in version 5.6.1-64 for the current stable
distribution (ra).

We recommend that you upgrade your perl packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given below to
upgrade packages:

poldek --update
        will update the internal database
poldek --upgrade 'perl*'
        will install corrected packages

If you are using "apt" - the package manager, use the lines given below to
upgrade packages:

apt-get update
        will update the internal database
apt-get upgrade 'perl*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

--------------------------------------------------------------------------------

If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:11:23 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 17-1] New ethereal packages fix multiple vulnerabilities
Message-ID:

--------------------------------------------------------------------------
PLD Security Advisory PLDSA 17-1                       security@pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
13 January 2003                          http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to ethereal-0.9.6-4
Vulnerability  : multiple issues
Problem-Type   : local
PLD-specific   : no
Upstream URL   : www.ethereal.com/appnotes/enpa-sa-00007.html

It may be possible to make Ethereal crash or hang by injecting a purposefully
malformed packet onto the wire, or by convincing someone to read a malformed
packet trace file. It may be possible to make Ethereal run arbitrary code by
exploiting the buffer and pointer problems.

The above problems have been fixed in version 0.9.8-1 for the current stable
distribution (ra).

We recommend that you upgrade your ethereal packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given below to
upgrade packages:

poldek --update
        will update the internal database
poldek --upgrade 'ethereal*'
        will install corrected packages

If you are using "apt" - the package manager, use the lines given below to
upgrade packages:

apt-get update
        will update the internal database
apt-get upgrade 'ethereal*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

--------------------------------------------------------------------------------

If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:11:01 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 15-1] New MHonArc packages fix cross site scripting
Message-ID:

--------------------------------------------------------------------------
PLD Security Advisory PLDSA 15-1                       security@pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
13 January 2003                          http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to MHonArc-2.5.3-1
Vulnerability  : cross site scripting
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2002-1307, CAN-2002-1388

CAN-2002-1307: Steven Christey discovered a cross site scripting
vulnerability in mhonarc, a mail to HTML converter. Carefully crafted message
headers can introduce cross site scripting when mhonarc is configured to
display all header lines on the web. However, it is often useful to restrict
the displayed header lines to To, From and Subject, in which case the
vulnerability cannot be exploited.

CAN-2002-1388: Earl Hood, author of mhonarc, a mail to HTML converter,
discovered a cross site scripting vulnerability in this package. A specially
crafted HTML mail message can introduce foreign scripting content in
archives, bypassing MHonArc's HTML script filtering.

The above problems have been fixed in version 2.5.14-1 for the current stable
distribution (ra).

We recommend that you upgrade your MHonArc packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given below to
upgrade packages:

poldek --update
        will update the internal database
poldek --upgrade 'MHonArc*'
        will install corrected packages

If you are using "apt" - the package manager, use the lines given below to
upgrade packages:

apt-get update
        will update the internal database
apt-get upgrade 'MHonArc*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

--------------------------------------------------------------------------------

If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:11:33 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 18-1] New html2ps packages fix arbitrary code execution
Message-ID:

--------------------------------------------------------------------------
PLD Security Advisory PLDSA 18-1                       security@pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
14 January 2003                          http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to html2ps-1.0b3-3
Vulnerability  : arbitrary code execution
Problem-Type   : local
PLD-specific   : no

The SuSE Security Team found a vulnerability in html2ps, an HTML to
PostScript converter, that opened files based on unsanitized input
insecurely. This problem can be exploited when html2ps is installed as a
filter within lprng and the attacker has previously gained access to the lp
account.

The above problems have been fixed in version 1.0b3-4 for the current stable
distribution (ra).

We recommend that you upgrade your html2ps packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given below to
upgrade packages:

poldek --update
        will update the internal database
poldek --upgrade 'html2ps*'
        will install corrected packages

If you are using "apt" - the package manager, use the lines given below to
upgrade packages:

apt-get update
        will update the internal database
apt-get upgrade 'html2ps*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

--------------------------------------------------------------------------------

If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security For i586 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security For i686 architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security For ppc architecture poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security From dzimi at pld.org.pl Thu Jan 30 14:11:45 2003 From: dzimi at pld.org.pl (Krzysiek Taraszka) Date: Tue Dec 20 11:03:11 2005 Subject: [PLDSA 19-1] New dhcp packages fix arbitrary code execution Message-ID: - -------------------------------------------------------------------------- PLD Security Advisory PLDSA 19-1 security@pld.org.pl http://www.pld.org.pl/security/ PLD Security Team 16 January 2003 http://www.pld.org.pl/security/faq - -------------------------------------------------------------------------- Package : prior to dhcp-3.0pl1-2 Vulnerability : stack overflows Problem-Type : remote PLD-specific : no CVE references : CAN-2003-0026 CERT advisory : VU#284857 CA-2003-01 The Internet Software Consortium discoverd several vulnerabilities during an audit of the ISC DHCP Daemon. The vulnerabilities exist in error handling routines within the minires library and may be exploitable as stack overflows. This could allow a remote attacker to execute arbitrary code under the user id the dhcpd runs under, usually root. Other DHCP servers than dhcp3 doesn't seem to be affected. The above problems have been fixed in version 3.0pl2-1 for the current stable distribution (ra). We recommend that you upgrade your dhcp packages. 
wget -c url            will fetch the file for you
rpm -Uhv file(s)*.rpm  will upgrade the referenced file.

If you are using "poldek" - the package manager, use the lines given below to upgrade packages

poldek --update          will update the internal database
poldek --upgrade 'dhcp*' will install corrected packages

If you are using "apt" - the package manager, use the lines given below to upgrade packages

apt-get update           will update the internal database
apt-get upgrade 'dhcp*'  will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/dhcp-3.0pl2-1.src.rpm
MD5 checksum: 8db9b5e4458636760716abb3aebeea5c

I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/dhcp-3.0pl2-1.i386.rpm
MD5 checksum: 10afe57c7a76846fd7ebdba9b1c28957
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/dhcp-client-3.0pl2-1.i386.rpm
MD5 checksum: 07d1515ac8ade6534ca862e42f1f0946
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/dhcp-devel-3.0pl2-1.i386.rpm
MD5 checksum: 746f73f3f929734f588717184737d1b0
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/dhcp-relay-3.0pl2-1.i386.rpm
MD5 checksum: 0c770dc69e4f8be5f2ea54c88c9f3cd4

I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/dhcp-3.0pl2-1.i586.rpm
MD5 checksum: 5ca6a565e8c37a2e2a9f664557e42251
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/dhcp-client-3.0pl2-1.i586.rpm
MD5 checksum: be6444f7511850428f158e5c82fbfca8
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/dhcp-devel-3.0pl2-1.i586.rpm
MD5 checksum: 6b52f7b148fe219ac13768e2689884d2
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/dhcp-relay-3.0pl2-1.i586.rpm
MD5 checksum: fc5a4f30b4a318dd25099f34af23a45d

I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/dhcp-3.0pl2-1.i686.rpm
MD5 checksum: 4d7704c2cd83092153b4ea0ef3129f25
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/dhcp-client-3.0pl2-1.i686.rpm
MD5 checksum: 9c103ecfa0d11062d0c87f6634d44ff0
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/dhcp-devel-3.0pl2-1.i686.rpm
MD5 checksum: 574fa0da99837267464df8d473e79bec
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/dhcp-relay-3.0pl2-1.i686.rpm
MD5 checksum: f1a63a2b3345e49b9c1dd7b1be386e98

PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/dhcp-3.0pl2-1.ppc.rpm
MD5 checksum: d11491773d31789f849f620eec18bccf
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/dhcp-client-3.0pl2-1.ppc.rpm
MD5 checksum: 2b812423fbf975ea17e53cb2272f98cc
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/dhcp-devel-3.0pl2-1.ppc.rpm
MD5 checksum: 81a977172ba728dc76e7540da40c768a
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/dhcp-relay-3.0pl2-1.ppc.rpm
MD5 checksum: b695b698607876dfdc124ad63e0c95e8

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list.
For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:11:57 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 20-1] New lynx packages fix CRLF injection
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 20-1                      security@pld.org.pl
http://www.pld.org.pl/security/                       PLD Security Team
16 January 2003                                       http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package      : prior to lynx-2.8.5dev.3-5
Problem-Type : CRLF injection
PLD-specific : no

lynx (a text-only web browser) did not properly check for illegal characters in all places, including processing of command line options, which could be used to insert extra HTTP headers in a request.

The above problems have been fixed in version 2.8.5dev.12-1 for the current stable distribution (ra).

We recommend that you upgrade your lynx packages.

wget -c url            will fetch the file for you
rpm -Uhv file(s)*.rpm  will upgrade the referenced file.
If you are using "poldek" - the package manager, use the lines given below to upgrade packages

poldek --update          will update the internal database
poldek --upgrade 'lynx*' will install corrected packages

If you are using "apt" - the package manager, use the lines given below to upgrade packages

apt-get update           will update the internal database
apt-get upgrade 'lynx*'  will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/lynx-2.8.5dev.12-1.src.rpm
MD5 checksum: 09db660eaf33fdd7c4959901e75005a1

I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/lynx-2.8.5dev.12-1.i386.rpm
MD5 checksum: 6d6700814b5296d2f13e0722c9462445

I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/lynx-2.8.5dev.12-1.i586.rpm
MD5 checksum: 74a34fa86446321396e0409eb3e516a8

I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/lynx-2.8.5dev.12-1.i686.rpm
MD5 checksum: b1587e6a26b93a006f76e197ba9d0163

PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/lynx-2.8.5dev.12-1.ppc.rpm
MD5 checksum: cbf46046ee31ae609b2319b4d3495d9b

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list.
For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:12:16 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 21-1] New cvs packages fix arbitrary code execution
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 21-1                      security@pld.org.pl
http://www.pld.org.pl/security/                       PLD Security Team
26 January 2003                                       http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : prior to cvs-1.11.2-6
Vulnerability  : doubly freed memory
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2003-0015

Stefan Esser discovered a problem in cvs, a concurrent versions system, which is used for many Free Software projects. The current version contains a flaw that can be used by a remote attacker to execute arbitrary code on the CVS server under the user id the CVS server runs as. Anonymous read-only access is sufficient to exploit this problem.

The above problems have been fixed in version 1.11.5-2 for the current stable distribution (ra).

We recommend that you upgrade your cvs packages.

wget -c url            will fetch the file for you
rpm -Uhv file(s)*.rpm  will upgrade the referenced file.
If you are using "poldek" - the package manager, use the lines given below to upgrade packages

poldek --update         will update the internal database
poldek --upgrade 'cvs*' will install corrected packages

If you are using "apt" - the package manager, use the lines given below to upgrade packages

apt-get update          will update the internal database
apt-get upgrade 'cvs*'  will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/cvs-1.11.5-2.src.rpm
MD5 checksum: 76e0d795392dd0285b078c6322cb781a

I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cvs-1.11.5-2.i386.rpm
MD5 checksum: 633b7064fc709b448101e2649aa33767
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cvs-pserver-1.11.5-2.i386.rpm
MD5 checksum: 7cee26911e833b4249a84ab751477b1d

I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cvs-1.11.5-2.i586.rpm
MD5 checksum: 639a3caec4ca47d3bdc8b7dcb9c8d261
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cvs-pserver-1.11.5-2.i586.rpm
MD5 checksum: 1004a3b488b2e6783ab14535d76dfa24

I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cvs-1.11.5-2.i686.rpm
MD5 checksum: e80d3c15b00f909b5dbc2726a9c9184a
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cvs-pserver-1.11.5-2.i686.rpm
MD5 checksum: c6cabebd92ee7e1425dd70df93d5ec38

PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cvs-1.11.5-2.ppc.rpm
MD5 checksum: fe3d54a05221386ef73de61b4be2147f
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cvs-pserver-1.11.5-2.ppc.rpm
MD5 checksum: 8f45a3adceaf79508315c7ed04d83be7

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list.
For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security

From dzimi at pld.org.pl Thu Jan 30 14:12:35 2003
From: dzimi at pld.org.pl (Krzysiek Taraszka)
Date: Tue Dec 20 11:03:11 2005
Subject: [PLDSA 22-1] New phpBB packages fix insecure private messages
Message-ID:

- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 22-1                      security@pld.org.pl
http://www.pld.org.pl/security/                       PLD Security Team
29 January 2003                                       http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package       : prior to phpBB-2.0.3-5
Vulnerability : insecure private messages
Problem-Type  : remote
PLD-specific  : no

phpBB users can send private messages to each other. The program has got a security hole, making it possible for a user to delete the text of all private messages stored in the system.

The above problems have been fixed in version 2.0.4-1 for the current stable distribution (ra).

We recommend that you upgrade your phpBB packages.

wget -c url            will fetch the file for you
rpm -Uhv file(s)*.rpm  will upgrade the referenced file.
If you are using "poldek" - the package manager, use the lines given below to upgrade packages

poldek --update           will update the internal database
poldek --upgrade 'phpBB*' will install corrected packages

If you are using "apt" - the package manager, use the lines given below to upgrade packages

apt-get update            will update the internal database
apt-get upgrade 'phpBB*'  will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/phpBB-2.0.4-1.src.rpm
MD5 checksum: d3adaa3e8467864935a2003380e924e0

I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/phpBB-2.0.4-1.noarch.rpm
MD5 checksum: 26a1604f8859f67f7e8e8da6d5cc703f
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/phpBB-install-2.0.4-1.noarch.rpm
MD5 checksum: ab5c29d682fec4afd566a07efe38752d

I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/phpBB-2.0.4-1.noarch.rpm
MD5 checksum: 82233c8d0d545c855aa1e1b74cd79d6f
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/phpBB-install-2.0.4-1.noarch.rpm
MD5 checksum: 74f2442baeb8fc62c512278854320ac7

I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/phpBB-2.0.4-1.noarch.rpm
MD5 checksum: c5693a83ae11361c808eec26e4eb99bb
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/phpBB-install-2.0.4-1.noarch.rpm
MD5 checksum: 0b6c350c8d29780a00e51b6ce06cf825

PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/phpBB-2.0.4-1.noarch.rpm
MD5 checksum: ed62d34a172a98701fe4155e71c77d53
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/phpBB-install-2.0.4-1.noarch.rpm
MD5 checksum: a7ddb61bf037bc1131d81954a72f33a8

- --------------------------------------------------------------------------------
- If you are using poldek add this line to poldek.conf. If you are using apt-get add this line to sources.list.
For i386 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security

For i586 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security

For i686 architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security

For ppc architecture
poldek:  source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security
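Every advisory above pairs each package URL with an MD5 checksum, but the manual "wget -c ... rpm -Uhv" procedure never compares them. The script below is an added example, not PLD tooling: it parses "URL ... MD5 checksum: hex" pairs in the advisories' own layout, hashes the downloaded files, and builds an rpm -Uhv line from the files that match. The advisory snippet, the ftp.example.invalid host and the package contents are constructed for the demo.

```python
"""Verify downloaded packages against the MD5 checksums printed in a PLD
advisory before handing them to rpm -Uhv. Added example; not PLD tooling.
The advisory snippet and package contents below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# One "<url> MD5 checksum: <hex>" pair, in the layout the advisories use
# (the pair may be on one line, as in the archive, or split across two).
PAIR_RE = re.compile(r"(ftp://\S+?\.rpm)\s+MD5 checksum:\s*([0-9a-fA-F]{32})")

# Constructed snippet in the advisory's format; the second checksum is
# deliberately wrong so the mismatch path is exercised.
SAMPLE_ADVISORY = """I386 Architecture components:
ftp://ftp.example.invalid/updates/security/i386/good-1.0-1.i386.rpm
MD5 checksum: b1946ac92492d2347c6235b4d2611184
ftp://ftp.example.invalid/updates/security/i386/bad-1.0-1.i386.rpm
MD5 checksum: 00000000000000000000000000000000
"""

def parse_checksums(advisory_text):
    """Map package file name -> expected MD5 (lower-case hex)."""
    return {url.rsplit("/", 1)[1]: md5.lower()
            for url, md5 in PAIR_RE.findall(advisory_text)}

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, expected):
    """True only when the file's MD5 equals the advisory's value. This catches
    a truncated or corrupted download (e.g. an interrupted wget -c); it does
    not authenticate the mirror, so keep rpm's signature checks enabled too."""
    return md5_of_file(path) == expected.lower()

def upgrade_command(download_dir, checksums):
    """rpm -Uhv argv holding only the packages that verified ([] if none)."""
    d = Path(download_dir)
    verified = [n for n, md5 in checksums.items()
                if (d / n).is_file() and verify_download(d / n, md5)]
    return ["rpm", "-Uhv"] + [str(d / n) for n in verified] if verified else []

def demo():
    """Write both constructed 'packages' with content b'hello\\n' (MD5
    b1946ac9...) and return (checksums, rpm argv); only good-* should pass."""
    checksums = parse_checksums(SAMPLE_ADVISORY)
    d = tempfile.mkdtemp()
    for name in checksums:
        (Path(d) / name).write_bytes(b"hello\n")
    return checksums, upgrade_command(d, checksums)

if __name__ == "__main__":
    print(demo()[1])
```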