Package: libgeoip1
Severity: important

A vulnerability has been identified in GeoIP, which could be exploited
to conduct directory traversal attacks. This issue is due to an input
validation error in the "GeoIP_update_database_general()"
[GeoIPUpdate.c] function when handling the database filename, which
could be exploited by malicious update servers to overwrite arbitrary
files by sending specially crafted HTTP requests to the
"app/update_getfilename" script.

Affected Products

GeoIP version 1.4.0 and prior

Solution

Apply patch:
http://arctic.org/~dean/patches/GeoIP-1.4.0-update-vulnerability.patch

References

http://www.frsirt.com/english/advisories/2007/0117



-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)

regards,
-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 
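
An added example, not part of the original report and not the code from the referenced patch: one way an update client could validate a server-supplied database filename before writing it under its database directory. The function names, the directory "/tmp/geoip-example" and the sample replies are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (name is an assumption): 1 if `name` is a plain file
 * name that is safe to join to a directory, 0 otherwise. */
int is_safe_db_filename(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    const unsigned char *p;

    if (len == 0 || len > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (p = (const unsigned char *)name; *p; p++) {
        /* Reject separators of either style and control bytes, so a
         * stray CR/LF from the HTTP reply cannot end up in the path. */
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Hypothetical helper: writes "<dir>/<name>" to out. Returns 0 on success,
 * -1 if the name is unsafe or the joined path does not fit. */
int build_db_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n;

    if (!is_safe_db_filename(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *samples[] = { "GeoIP.dat", "../../etc/passwd",
                              "/etc/passwd", "GeoIP.dat\r\n", ".." };
    char path[512];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = build_db_path(path, sizeof path, "/tmp/geoip-example", samples[i]) == 0;
        printf("%-8s %s\n", ok ? "accept" : "reject", ok ? path : "(unsafe name)");
    }
    return 0;
}
```

Only a bare file name is accepted, so the write stays inside the chosen directory regardless of what the update server returns.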

