OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 16-Apr-2004 18:48:58
Branch: HEAD Handle: 2004041617485700
Modified files:
openpkg-web/security OpenPKG-SA-2004.016-neon.txt
Log:
completely work-off NEON SA
Summary:
Revision Changes Path
1.2 +43 -28 openpkg-web/security/OpenPKG-SA-2004.016-neon.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2004.016-neon.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.016-neon.txt
--- openpkg-web/security/OpenPKG-SA-2004.016-neon.txt 16 Apr 2004 14:05:12 -0000
1.1
+++ openpkg-web/security/OpenPKG-SA-2004.016-neon.txt 16 Apr 2004 16:48:57 -0000
1.2
@@ -6,36 +6,45 @@
OpenPKG-SA-2004.016 16-Apr-2004
________________________________________________________________________
-Package: neon
+Package: neon, subversion, cadaver, sitecopy, tla
Vulnerability: remote code execution
OpenPKG Specific: no
-Affected Releases: Affected Packages: Corrected Packages:
-OpenPKG CURRENT <= neon-0.24.4-20040207 >= neon-0.24.5-20040414
-OpenPKG 2.0 <= neon-0.24.4-2.0.0 >= neon-0.24.4-2.0.1
-OpenPKG 1.3 <= neon-0.24.0-1.3.0 >= neon-0.24.0-1.3.1
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= neon-0.24.4-20040207 >= neon-0.24.5-20040414
+ <= subversion-1.0.1-20040313 >= subversion-1.0.1-20040416
+ <= cadaver-0.22.0-20040207 >= cadaver-0.22.1-20040415
+ <= sitecopy-0.13.4-20040207 >= sitecopy-0.13.4-20040416
+ <= tla-1.2-20040227 >= tla-1.2-20040416
+OpenPKG 2.0 <= neon-0.24.4-2.0.0 >= neon-0.24.4-2.0.1
+ <= subversion-1.0.0-2.0.0 >= subversion-1.0.0-2.0.1
+ <= cadaver-0.22.0-2.0.0 >= cadaver-0.22.0-2.0.1
+ <= sitecopy-0.13.4-2.0.0 >= sitecopy-0.13.4-2.0.1
+OpenPKG 1.3 <= neon-0.24.0-1.3.0 >= neon-0.24.0-1.3.1
+ <= sitecopy-0.13.3-1.3.0 >= sitecopy-0.13.3-1.3.1
Dependent Packages: none
Description:
- According to a SuSE security advisory [0], various format string
- vulnerabilities exist in error output handling routines of the neon HTTP
- and WebDAV client library [1]. The Common Vulnerabilities and Exposures
- (CVE) project assigned the id CAN-2004-0179 [2] to the problem.
+ Greuff of VOID.AT discovered various format string vulnerabilities in
+ the error output handling routines of the Neon HTTP and WebDAV client
+ library [1]. The Common Vulnerabilities and Exposures (CVE) project
+ assigned the id CAN-2004-0179 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm
- -q neon". If you have the "neon" package installed and its version
- is affected (see above), we recommend that you immediately upgrade
- it (see Solution) [3][4].
+ -q neon" (respectively for "subversion", "cadaver", "sitecopy" and
+ "tla"). If you have one of the packages installed and its version is
+ affected (see above), we recommend that you immediately upgrade it
+ (see Solution) [3][4].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
- location, verify its integrity [9], build a corresponding binary RPM
- from it [3] and update your OpenPKG installation by applying the
- binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
- following operations to permanently fix the security problem (for
- other releases adjust accordingly).
+ [5][6][7][8][9], fetch it from the OpenPKG FTP service [11][12] or
+ a mirror location, verify its integrity [13], build a corresponding
+ binary RPM from it [3] and update your OpenPKG installation by
+ applying the binary RPM [4]. For the most recent release OpenPKG 2.0,
+ perform the following operations to permanently fix the security
+ problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
@@ -46,19 +55,25 @@
$ <prefix>/bin/openpkg rpm --rebuild neon-0.24.4-2.0.1.src.rpm
$ su -
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/neon-0.24.4-2.0.1.*.rpm
+
+ Additionally, perform similar steps for the "subversion", "cadaver",
+ "sitecopy" and "tla" packages.
________________________________________________________________________
References:
- [0] http://www.suse.de/de/security/2004_08_cvs.html
- [1] http://www.webdav.org/neon/
- [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0179
- [3] http://www.openpkg.org/tutorial.html#regular-source
- [4] http://www.openpkg.org/tutorial.html#regular-binary
- [5] ftp://ftp.openpkg.org/release/1.3/UPD/neon-0.24.4-2.0.1.src.rpm
- [6] ftp://ftp.openpkg.org/release/2.0/UPD/neon-0.24.4-2.0.1.src.rpm
- [7] ftp://ftp.openpkg.org/release/1.3/UPD/
- [8] ftp://ftp.openpkg.org/release/2.0/UPD/
- [9] http://www.openpkg.org/security.html#signature
+ [1] http://www.webdav.org/neon/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0179
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
+ [5] ftp://ftp.openpkg.org/release/1.3/UPD/neon-0.24.0-1.3.1.src.rpm
+ [6] ftp://ftp.openpkg.org/release/1.3/UPD/sitecopy-0.13.3-1.3.1.src.rpm
+ [7] ftp://ftp.openpkg.org/release/2.0/UPD/neon-0.24.4-2.0.1.src.rpm
+ [8] ftp://ftp.openpkg.org/release/2.0/UPD/subversion-1.0.0-2.0.1.src.rpm
+ [9] ftp://ftp.openpkg.org/release/2.0/UPD/cadaver-0.22.0-2.0.1.src.rpm
+ [10] ftp://ftp.openpkg.org/release/2.0/UPD/sitecopy-0.13.4-2.0.1.src.rpm
+ [11] ftp://ftp.openpkg.org/release/1.3/UPD/
+ [12] ftp://ftp.openpkg.org/release/2.0/UPD/
+ [13] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
