[PLDSA 56-1] New ecartis packages fix password change vulnerability

Krzysiek Taraszka dzimi at pld.org.pl
Sat May 3 15:47:03 CEST 2003


--------------------------------------------------------------------------
PLD Security Advisory PLDSA 56-1                       security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
17 April 2003                            http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to ecartis-1.0.0-20020718.1
Vulnerability  : unauthorized password change
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2003-0162

A problem has been discovered in ecartis, a mailing list manager,
formerly known as listar.  This vulnerability enables an attacker to
reset the password of any user defined on the list server, including
the list admins.

The above problems have been fixed in version 1.0.0-20030303.2 for the
current stable distribution (ra).

We recommend that you upgrade your ecartis packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced package(s).

If you are using "poldek" (the package manager), use the lines given below
to upgrade the packages:

poldek --update
        will update the internal database
poldek --upgrade 'ecartis*'
        will install corrected packages

If you are using "apt" (the package manager), use the lines given below
to upgrade the packages:

apt-get update
        will update the internal database
apt-get upgrade 'ecartis*'
        will install corrected packages

PLD Linux 1.0 alias ra
--------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/ecartis-1.0.0-20030303.2.src.rpm
       MD5 checksum: feedc2714bc5bf72d7a2013cfe506cd7

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ecartis-1.0.0-20030303.2.i386.rpm
       MD5 checksum: fbcb6f2d00375173d7d1260552d3085e

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/ecartis-cgi-1.0.0-20030303.2.i386.rpm
       MD5 checksum: 9d57330ee337a3fecaabaf90abd0730e


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ecartis-1.0.0-20030303.2.i586.rpm
       MD5 checksum: 00f1f58848677fc02ffb3af5b9456d03

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/ecartis-cgi-1.0.0-20030303.2.i586.rpm
       MD5 checksum: 9ecb77a41d3a69006f42cefcd8c65762


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ecartis-1.0.0-20030303.2.i686.rpm
       MD5 checksum: 70e83e00fb4ed57816692bed312c809e

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/ecartis-cgi-1.0.0-20030303.2.i686.rpm
       MD5 checksum: 6a2b5282fba5d4e46bd062e3169a9f41


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ecartis-1.0.0-20030303.2.ppc.rpm
       MD5 checksum: f3f87e3d8525cf64e31475f220e8602c

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/ecartis-cgi-1.0.0-20030303.2.ppc.rpm
       MD5 checksum: fe81e2133164990dd2d7e9a0a5ec0d66
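The advisory lists an MD5 checksum beside every package but the wget/rpm steps above do not say how to check it. The POSIX shell script below is an added example (not part of the PLD advisory or the ecartis project) that puts that check between "wget -c" and "rpm -Uhv": it compares the digest of the downloaded file with the value published for that file name and refuses to install on a mismatch. The checksum table is copied from the advisory's i386 entries; the function names (md5_of, expected_sum, verify_package, fetch_and_upgrade) are this example's own, and the run at the end uses a constructed file rather than a download so it works offline.

```shell
#!/bin/sh
# Added example, not the advisory's own text: verify a downloaded package
# against the MD5 published in PLDSA 56-1 before installing it.

# Checksum table copied from the advisory (ra, i386 packages): "name digest".
ADVISORY_SUMS='
ecartis-1.0.0-20030303.2.i386.rpm fbcb6f2d00375173d7d1260552d3085e
ecartis-cgi-1.0.0-20030303.2.i386.rpm 9d57330ee337a3fecaabaf90abd0730e
'

# md5_of FILE: print the hex digest, using GNU md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# expected_sum NAME: print the digest listed for NAME, nothing if unlisted.
expected_sum() {
    printf '%s\n' "$ADVISORY_SUMS" | awk -v n="$1" '$1 == n { print $2 }'
}

# verify_package FILE [EXPECTED]
#   Exit 0 when FILE's MD5 equals EXPECTED (default: the advisory entry for
#   FILE's basename), 1 on mismatch, 2 when no published digest is known.
verify_package() {
    file=$1
    expected=${2:-$(expected_sum "$(basename "$file")")}
    if [ -z "$expected" ]; then
        echo "no published checksum for $(basename "$file")" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_and_upgrade URL: the advisory's wget/rpm steps with the check between
# them; a corrupted or truncated download never reaches rpm.
fetch_and_upgrade() {
    wget -c "$1" || return 1
    verify_package "$(basename "$1")" || return 1
    rpm -Uhv "$(basename "$1")"
}

# Example run on a constructed file (digest of the six bytes "hello\n"),
# so the check can be exercised without network access.
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_package "$demo" b1946ac92492d2347c6235b4d2611184
rm -f "$demo"
```

A matching MD5 only shows that the file arrived intact as the advisory's author saw it; it does not prove who built the package. For that, run "rpm --checksig" on the downloaded file against the distribution's signing key as well.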


--------------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


