[PLDSA 28-1] New analog packages fix remote denial of service

Krzysiek Taraszka dzimi at pld.org.pl
Sat May 3 14:44:31 CEST 2003


--------------------------------------------------------------------------
PLD Security Advisory PLDSA 28-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
06 February 2003			http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to analog-5.22-1
Vulnerability  : denial of service
Problem-Type   : remote
PLD-specific   : no
Upstream URL   : www.analog.cx/security5.html

This advisory _only_ affects users who have installed the optional
form interface to analog, anlgform.pl, and made it available to
untrusted users. Please note that it's not usually a good idea to do
this anyway. There are other obvious denial-of-service attacks
available to untrusted users who can run CPU-intensive programs on
your system, which this advisory cannot and does not attempt to
address.

anlgform.pl is the CGI front end to analog, allowing analog to be
controlled from a web form. As a security precaution, anlgform refuses
to pass on to analog certain commands which should not be available to
untrusted users.

This denial of service has been fixed in version 5.31-1 for the
current stable distribution (ra).

We recommend that you upgrade your analog packages.

wget -c url
        will fetch the file for you (resuming a partial download)
rpm -Uhv file(s)*.rpm
        will upgrade the referenced package(s)
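The two commands above never check the downloaded file against the MD5 checksums the advisory lists below. The script that follows is an added example, not part of the original advisory or of the analog project: it fetches a package with wget -c, compares its MD5 with the advertised value, and only hands it to rpm when the two agree. The URL and checksum in the final block are copied from this advisory's i386 list; the function names are this example's own. The MD5 check is kept in a separate function so it can be exercised on a local file without touching the network or the RPM database.

```shell
#!/bin/sh
# Added example (not from the advisory): verify an advertised MD5 before
# installing an RPM. Function names are this example's own.

# check_md5 FILE EXPECTED
# Returns 0 when FILE's MD5 equals EXPECTED (lowercase hex), 1 otherwise.
check_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_and_upgrade URL EXPECTED_MD5
# Downloads URL (resuming a partial file, as the advisory's wget -c does),
# verifies it, then runs rpm -Uhv. A file that fails the check is removed so
# that a later wget -c does not resume from a corrupt or tampered download.
fetch_and_upgrade() {
    url=$1
    expected=$2
    file=$(basename "$url")
    wget -c "$url" || return 1
    if ! check_md5 "$file" "$expected"; then
        rm -f "$file"
        return 1
    fi
    rpm -Uhv "$file"
}

# The network and install steps run only when the script is invoked with
# --run, so the functions can be sourced and tested on their own.
# URL and checksum below are the advisory's i386 analog package.
if [ "$1" = "--run" ]; then
    fetch_and_upgrade \
        ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/analog-5.31-1.i386.rpm \
        8c271729d104f25980ff6c7ccbec56c5
fi
```

Run it as `sh upgrade-analog.sh --run` on the target host; the analog-form package can be handled the same way with its own URL and checksum. Note that an MD5 published in the same channel as the download only detects corruption or a mirror that serves a different file; it does not authenticate the package, so compare it against the signed advisory rather than a copy fetched from the mirror itself.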

If you are using the "poldek" package manager, use the commands given below
to upgrade the packages:

poldek --update
        will update the internal database
poldek --upgrade 'analog*'
        will install corrected packages

If you are using the "apt" package manager, use the commands given below
to upgrade the packages:

apt-get update
        will update the internal database
apt-get install analog analog-form
        will install the corrected packages (apt-get upgrade takes no
        package names; it upgrades every installed package instead)

PLD Linux 1.0 alias ra
--------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/analog-5.31-1.src.rpm
       MD5 checksum: 4b755985594431a2080fb7b83e238510

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/analog-5.31-1.i386.rpm
       MD5 checksum: 8c271729d104f25980ff6c7ccbec56c5

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/analog-form-5.31-1.i386.rpm
       MD5 checksum: 9dadbae5e7acc884d371076f0c563b6b


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/analog-5.31-1.i586.rpm
       MD5 checksum: 8100e2459cb28d41bbc9ad1fd8c10134

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/analog-form-5.31-1.i586.rpm
       MD5 checksum: ef0e14b8531a0bed9dc7aa01957b1b13


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/analog-5.31-1.i686.rpm
       MD5 checksum: 8f01e96674b98a8164ee7fb1bb986df1

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/analog-form-5.31-1.i686.rpm
       MD5 checksum: cdf06b89fe6e814e686d8b98ffa0646b


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/analog-5.31-1.ppc.rpm
       MD5 checksum: f81f9a054a6821db9170d85036fb8957

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/analog-form-5.31-1.ppc.rpm
       MD5 checksum: c76e286a82e76f8878ea4dcccf8ddf3d


--------------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


