[PLDSA 42-1] New w3m packages fix cookie information leak
Krzysiek Taraszka
dzimi at pld.org.pl
Sat May 3 15:44:17 CEST 2003
--------------------------------------------------------------------------
PLD Security Advisory PLDSA 42-1                         security at pld.org.pl
http://www.pld.org.pl/security/                               PLD Security Team
11 March 2003                                http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------
Package : prior to w3m-0.3.1-2
Vulnerability : missing HTML quoting
Problem-Type : remote
PLD-specific : no
CVE references : CAN-2002-1335, CAN-2002-1348
Hironori Sakamoto, one of the w3m developers, found two security
vulnerabilities in w3m and associated programs. The w3m browser does
not properly escape HTML tags in frame contents and in img alt
attributes, so markup placed there is rendered instead of displayed as
text. A malicious HTML frame or img alt attribute may therefore trick a
user into sending the local cookies that w3m uses for configuration.
The information is not leaked automatically, though: the user has to be
deceived into acting on the injected content.
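As an added illustration of the defect class the advisory names (attribute text or frame content reused in an HTML context without escaping), this is example code written for this page, not code from w3m or from the PLD security team. The sample alt value is constructed, and the two render functions are simplified stand-ins for a browser's text-rendering path: one splices the attribute text in as-is, the other escapes it first.

```python
import html
import re
from typing import List

# Constructed sample input: an img alt value that carries markup instead of
# plain text. It is made up for this demonstration and is not taken from the
# advisory.
UNTRUSTED_ALT = 'photo" <b>bold</b> <a href="http://example.invalid/">link</a>'


def render_alt_unescaped(alt: str) -> str:
    """The defect pattern: attribute text is spliced into the rendered
    document unchanged, so any tags inside it reach the HTML parser."""
    return "<span>" + alt + "</span>"


def render_alt_escaped(alt: str) -> str:
    """Hardened form: escape &, <, > and quotes before the text is reused in
    an HTML context, so it is shown literally and parsed as no markup."""
    return "<span>" + html.escape(alt, quote=True) + "</span>"


TAG_RE = re.compile(r"<[^>]+>")


def tags_in(rendered: str) -> List[str]:
    """List the tags a parser would see in the rendered fragment; used to
    show what each renderer lets into the markup stream."""
    return TAG_RE.findall(rendered)


if __name__ == "__main__":
    # The unescaped path exposes the injected <b> and <a> tags; the escaped
    # path leaves only the wrapper element.
    print("unescaped:", tags_in(render_alt_unescaped(UNTRUSTED_ALT)))
    print("escaped:  ", tags_in(render_alt_escaped(UNTRUSTED_ALT)))
```

The check to carry away is the one `tags_in` performs: after rendering, the only tags present should be the ones the renderer itself emitted, never any that arrived inside the attribute value.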
The above problems have been fixed in version 0.3.1-3 for the
current stable distribution (ra).
We recommend that you upgrade your w3m packages.
  wget -c url
will fetch the file for you.
  rpm -Uhv file(s)*.rpm
will upgrade the referenced file(s).
If you are using the "poldek" package manager, use the commands below to
upgrade the packages:
  poldek --update
will update the internal database,
  poldek --upgrade 'w3m*'
will install the corrected packages.
If you are using the "apt" package manager, use the commands below to
upgrade the packages:
  apt-get update
will update the internal database,
  apt-get upgrade 'w3m*'
will install the corrected packages.
PLD Linux 1.0 alias ra
--------------------
Source archives:
ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/w3m-0.3.1-3.src.rpm
MD5 checksum: 867862e313ca0c22fc5db67236a927e5
I386 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/w3m-0.3.1-3.i386.rpm
MD5 checksum: ddcc5f22b9b274d2bfbbbb43724b7148
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/w3m-imgdisplay-0.3.1-3.i386.rpm
MD5 checksum: d94d236ce7d0fc6de53b55db760bbb88
I586 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/w3m-0.3.1-3.i586.rpm
MD5 checksum: 455e1ebf9e0220e0cccda1cb801a97c6
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/w3m-imgdisplay-0.3.1-3.i586.rpm
MD5 checksum: f8195ea5ddf5cade4877576fc62b1784
I686 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/w3m-0.3.1-3.i686.rpm
MD5 checksum: bafc80fe0a404f9a05efea7d97d9a5a5
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/w3m-imgdisplay-0.3.1-3.i686.rpm
MD5 checksum: 773fb5f1f775f063a1b3a8dd6c96f801
PowerPC Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/w3m-0.3.1-3.ppc.rpm
MD5 checksum: 3bfcedf6a8ea3c90413b487618509430
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/w3m-imgdisplay-0.3.1-3.ppc.rpm
MD5 checksum: 7ead2cf261753a060b0f36be15922210
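An added example of the check an administrator would run between the "wget" and "rpm -Uhv" steps above: compare the fetched file against the MD5 checksum the advisory publishes before installing it. This is example code for this page, not a PLD tool; it embeds two lines from the advisory's i386 table verbatim, assumes the package has already been downloaded to a local path, and leaves the actual rpm upgrade to the administrator. The self-check at the end uses a constructed stand-in file whose MD5 is known, so it runs offline.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict

# Two entries copied from the advisory's i386 table, in the exact two-line
# form it uses: a URL line followed by an "MD5 checksum:" line.
ADVISORY_TEXT = """\
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/w3m-0.3.1-3.i386.rpm
MD5 checksum: ddcc5f22b9b274d2bfbbbb43724b7148
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/w3m-imgdisplay-0.3.1-3.i386.rpm
MD5 checksum: d94d236ce7d0fc6de53b55db760bbb88
"""

URL_RE = re.compile(r"^(?:ftp|https?)://\S+$")
MD5_RE = re.compile(r"^MD5 checksum:\s*([0-9a-fA-F]{32})$")


def parse_checksums(text: str) -> Dict[str, str]:
    """Map each file name (last path component of the URL) to its expected
    MD5, taking the digest only from the line directly after the URL."""
    expected: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if URL_RE.match(line):
            m = MD5_RE.match(lines[i + 1])
            if m:
                expected[line.rsplit("/", 1)[-1]] = m.group(1).lower()
    return expected


def md5_of_file(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large packages do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected: Dict[str, str]) -> bool:
    """True only if the file name is listed in the advisory table and its
    digest matches; an unlisted file or a mismatch is a failure, never a pass."""
    want = expected.get(os.path.basename(path))
    if want is None:
        return False
    return md5_of_file(path) == want


def self_check() -> Dict[str, bool]:
    """Constructed offline demonstration: writes a stand-in file whose MD5 is
    known (md5 of the bytes "abc"), then exercises the pass and fail paths.
    The stand-in file is not a real package."""
    known_table = {"w3m-0.3.1-3.i386.rpm": "900150983cd24fb0d6963f7d28e17f72"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "w3m-0.3.1-3.i386.rpm")
        with open(path, "wb") as f:
            f.write(b"abc")
        return {
            "matching_digest_passes": verify_download(path, known_table),
            "advisory_digest_rejects_stand_in":
                not verify_download(path, parse_checksums(ADVISORY_TEXT)),
            "unlisted_file_rejected":
                not verify_download(os.path.join(d, "other.rpm"), known_table),
        }


if __name__ == "__main__":
    # Real use: parse the advisory text you received, then verify the file
    # wget fetched before running rpm -Uhv on it.
    for name, ok in self_check().items():
        print(f"{name}: {ok}")
```

MD5 is what this 2003 advisory publishes, so that is what the check compares against; the point of the example is the procedure (verify the digest from the advisory, refuse unlisted or mismatching files, only then install), not the strength of the hash.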
--------------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security