-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - --- english/security/2001/dsa-029.wml 2002-01-08 05:04:47.000000000 +0500 +++ russian/security/2001/dsa-029.wml 2015-12-30 13:50:50.248502648 +0500 
@@ -1,22 +1,23 @@ - -<define-tag moreinfo>The following problems have been reported for the version - -of proftpd in Debian 2.2 (potato): +#use wml::debian::translation-check translation="1.4" maintainer="Lev Lamberov" +<define-tag moreinfo>ÐÑло ÑообÑено о ÑледÑÑÑÐ¸Ñ Ð¿ÑогÑÐ°Ð¼Ð°Ñ Ð² веÑÑии +proftpd, поÑÑавлÑемой в ÑоÑÑаве Debian 2.2 (potato): <ol> - -<li>There is a memory leak in the SIZE command which can result in a - -denial of service, as reported by Wojciech Purczynski. This is only a - -problem if proftpd cannot write to its scoreboard file; the default - -configuration of proftpd in Debian is not vulnerable. - -<li>A similar memory leak affects the USER command, also as reported by - -Wojciech Purczynski. The proftpd in Debian 2.2 is susceptible to this - -vulnerability; an attacker can cause the proftpd daemon to crash by - -exhausting its available memory. - -<li>There were some format string vulnerabilities reported by Przemyslaw - -Frasunek. These are not known to have exploits, but have been corrected - -as a precaution. +<li>ÐойÑÐ¸Ñ ÐÑÑжинÑки ÑообÑил об ÑÑеÑке памÑÑи в команде SIZE, коÑоÑÐ°Ñ +Ð¼Ð¾Ð¶ÐµÑ Ð¿ÑиводиÑÑ Ðº оÑÐºÐ°Ð·Ñ Ð² обÑлÑживании. ÐÑа пÑоблема Ð²Ð¾Ð·Ð½Ð¸ÐºÐ°ÐµÑ ÑолÑко в Ñом +ÑлÑÑае, еÑли proftpd не Ð¼Ð¾Ð¶ÐµÑ Ð²ÑполниÑÑ Ð·Ð°Ð¿Ð¸ÑÑ Ð² Ñайл доÑки ÑÑÑÑа; наÑÑÑойки +proftpd по ÑмолÑÐ°Ð½Ð¸Ñ Ð² Debian не подвеÑÐ¶ÐµÐ½Ñ ÑÑой пÑоблеме. +<li>ÐойÑÐ¸Ñ ÐÑÑжинÑки ÑообÑил о Ð¿Ð¾Ñ Ð¾Ð¶ÐµÐ¹ ÑÑеÑке памÑÑи в +команде USER. СÑиÑаеÑÑÑ, ÑÑо веÑÑÐ¸Ñ proftpd в Debian 2.2 ÑодеÑÐ¶Ð¸Ñ ÑÑÑ +ÑÑзвимоÑÑÑ; злоÑмÑÑленник Ð¼Ð¾Ð¶ÐµÑ Ð²ÑзваÑÑ Ð°Ð²Ð°Ñийное завеÑÑение ÑабоÑÑ ÑлÑÐ¶Ð±Ñ proftpd +пÑÑÑм иÑполÑÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ Ð²Ñей доÑÑÑпной ей памÑÑи. +<li>ÐÑжемÑÑлав ФÑаÑÑнек ÑообÑил о неÑколÑÐºÐ¸Ñ ÑÑзвимоÑÑÑÑ +ÑоÑмаÑной ÑÑÑоки. Ð ÑÑÑеÑÑвовании ÑкÑплоиÑов ниÑего не извеÑÑно, но ÑÑи ÑÑзвимоÑÑи +вÑÑ Ñавно бÑли иÑпÑÐ°Ð²Ð»ÐµÐ½Ñ Ð² виде пÑедоÑÑоÑожноÑÑи. </ol> - -All three of the above vulnerabilities have been corrected in - -proftpd-1.2.0pre10-2potato1. 
We recommend you upgrade your proftpd - -package immediately.</define-tag> - -<define-tag description>remote DOS & potential buffer overflow</define-tag> +ÐÑе ÑÑи ÑказаннÑÑ ÑÑзвимоÑÑи бÑли иÑпÑÐ°Ð²Ð»ÐµÐ½Ñ Ð² пакеÑе +proftpd-1.2.0pre10-2potato1. РекомендÑеÑÑÑ ÐºÐ°Ðº можно ÑкоÑее обновиÑÑ +Ð¿Ð°ÐºÐµÑ proftpd.</define-tag> +<define-tag description>ÑдалÑннÑй оÑказ в обÑлÑживании и поÑенÑиалÑное пеÑеполнение бÑÑеÑа</define-tag> # do not modify the following line #include '$(ENGLISHDIR)/security/2001/dsa-029.data' - --- english/security/2001/dsa-042.wml 2002-04-23 12:22:44.000000000 +0600 +++ russian/security/2001/dsa-042.wml 2015-12-30 13:36:58.001052064 +0500 
@@ -1,21 +1,22 @@ - -<define-tag moreinfo>Klaus Frank has found a vulnerability in the way gnuserv - -handled remote connections. Gnuserv is a remote control facility for Emacsen - -which is available as standalone program as well as included in XEmacs21. - -Gnuserv has a buffer for which insufficient boundary checks were made. - -Unfortunately this buffer affected access control to gnuserv which is using a - -MIT-MAGIC-COOCKIE based system. It is possible to overflow the buffer - -containing the cookie and foozle cookie comparison. +#use wml::debian::translation-check translation="1.4" maintainer="Lev Lamberov" +<define-tag moreinfo>ÐлаÑÑ Ð¤Ñанк обнаÑÑжил ÑÑзвимоÑÑÑ Ð² иÑполÑзÑемом gnuserv +ÑпоÑобе обÑабоÑки ÑдалÑннÑÑ Ð¿Ð¾Ð´ÐºÐ»ÑÑений. Gnuserv — ÑдалÑннÑй инÑÑÑÑÐ¼ÐµÐ½Ñ ÑпÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Emacsen, +доÑÑÑпнÑй и как оÑделÑÐ½Ð°Ñ Ð¿ÑогÑамма, и как ÑаÑÑÑ XEmacs21. +Gnuserv иÑполÑзÑÐµÑ Ð±ÑÑеÑ, пÑи ÑабоÑе Ñ ÐºÐ¾ÑоÑÑм не вÑполнÑÑÑÑÑ Ð½ÐµÐ¾Ð±Ñ Ð¾Ð´Ð¸Ð¼Ñе пÑовеÑки гÑаниÑ. +Ð ÑожалениÑ, ÑÑÐ¾Ñ Ð±ÑÑÐµÑ ÐºÐ°ÑаеÑÑÑ ÑпÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпом к gnuserv, коÑоÑÑй иÑполÑзÑÐµÑ +ÑиÑÑÐµÐ¼Ñ Ð½Ð° оÑнове MIT-MAGIC-COOCKIE. Ðожно вÑзваÑÑ Ð¿ÐµÑеполнение бÑÑеÑа, +ÑодеÑжаÑего кÑки и ÑÑавнение кÑки foozle. - -<p>Gnuserv was derived from emacsserver which is part of GNU Emacs. It was - -reworked completely and not much is left over from its time as part of - -GNU Emacs. Therefore the versions of emacsserver in both Emacs19 and Emacs20 - -doesn't look vulnerable to this bug, they don't even provide a MIT-MAGIC-COOKIE - -based mechanism. +<p>Gnuserv ÑвлÑеÑÑÑ Ð¿ÑоизводнÑм пÑоекÑом emacsserver, поÑледний Ð²Ñ Ð¾Ð´Ð¸Ñ Ð² GNU Emacs. Ðн бÑл +полноÑÑÑÑ Ð¿ÐµÑеÑабоÑан, и обÑего кода Ñ GNU Emacs поÑÑи не +оÑÑалоÑÑ. ÐоÑÑÐ¾Ð¼Ñ Ð²ÐµÑÑии emacsserver в Emacs19 и Emacs20, как кажеÑÑÑ, +не подвеÑÐ¶ÐµÐ½Ñ Ð´Ð°Ð½Ð½Ð¾Ð¹ оÑибке, Ñак как они даже не пÑедоÑÑавлÑÑÑ Ð¼ÐµÑ Ð°Ð½Ð¸Ð·Ð¼ на +оÑнове MIT-MAGIC-COOKIE. - -<p>This could lead into a remote user issue commands under the UID of the - -person running gnuserv. 
+<p>ÐÑа ÑÑзвимоÑÑÑ Ð¼Ð¾Ð¶ÐµÑ Ð¿ÑиводиÑÑ Ðº ÑомÑ, ÑÑо ÑдалÑннÑм полÑзоваÑÐµÐ»Ñ ÑÐ¼Ð¾Ð¶ÐµÑ Ð·Ð°Ð¿ÑÑÑиÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ +Ð¾Ñ Ð»Ð¸Ñа полÑзоваÑелÑ, запÑÑÑивÑего gnuserv. </define-tag> - -<define-tag description>buffer overflow, weak security</define-tag> +<define-tag description>пеÑеполнение бÑÑеÑа, ÑÐ»Ð°Ð±Ð°Ñ Ð±ÐµÐ·Ð¾Ð¿Ð°ÑноÑÑи</define-tag> # do not modify the following line #include '$(ENGLISHDIR)/security/2001/dsa-042.data' - --- english/security/2001/dsa-061.wml 2001-06-17 17:38:05.000000000 +0600 +++ russian/security/2001/dsa-061.wml 2015-12-30 13:19:41.598723112 +0500 
@@ -1,23 +1,24 @@ - -<define-tag description>printf format attack</define-tag> +#use wml::debian::translation-check translation="1.2" maintainer="Lev Lamberov" +<define-tag description>аÑака на ÑоÑмаÑнÑÑ ÑÑÑÐ¾ÐºÑ printf</define-tag> <define-tag moreinfo> - -The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation) - -as distributed in Debian GNU/Linux 2.2 suffers from two problems: +ÐеÑÑÐ¸Ñ GnuPG (GNU Privacy Guard, ÑеализаÑÐ¸Ñ OpenPGP), +поÑÑавлÑÐµÐ¼Ð°Ñ Ð² ÑоÑÑаве Debian GNU/Linux 2.2, ÑодеÑÐ¶Ð¸Ñ Ð´Ð²Ðµ пÑоблемÑ: <ol> - -<li>fish stiqz reported on bugtraq that there was a printf format - -problem in the do_get() function: it printed a prompt which included - -the filename that was being decrypted without checking for - -possible printf format attacks. This could be exploited by tricking - -someone into decrypting a file with a specially crafted filename. +<li>fish stiqz ÑообÑил на bugtraq, ÑÑо в ÑÑнкÑии do_get() имееÑÑÑ Ð¿Ñоблема +Ñ ÑоÑмаÑной ÑÑÑокой printf: она вÑÐ²Ð¾Ð´Ð¸Ñ Ð¿ÑиглаÑение, коÑоÑое ÑодеÑÐ¶Ð¸Ñ +Ð¸Ð¼Ñ Ð´ÐµÐºÐ¾Ð´Ð¸ÑÑемого Ñайла, ÑÑо Ð¸Ð¼Ñ Ð½Ðµ пÑовеÑÑеÑÑÑ Ð½Ð° пÑÐµÐ´Ð¼ÐµÑ Ð²Ð¾Ð·Ð¼Ð¾Ð¶Ð½Ð¾Ð³Ð¾ +налиÑÐ¸Ñ Ð°Ñак на ÑоÑÐ¼Ð°Ñ printf. ÐÑо Ð¼Ð¾Ð¶ÐµÑ Ð¸ÑполÑзоваÑÑÑÑ Ð² Ñом ÑлÑÑае, еÑли +злоÑмÑÑленник заÑÑÐ°Ð²Ð¸Ñ ÐºÐ¾Ð³Ð¾-Ñо декодиÑоваÑÑ Ñайл, имеÑÑий ÑпеÑиалÑно ÑÑоÑмиÑованное имÑ. - -<li>The second bug is related to importing secret keys: when gnupg - -imported a secret key it would immediately make the associated - -public key fully trusted which changes your web of trust without - -asking for a confirmation. To fix this you now need a special - -option to import a secret key. +<li>ÐÑоÑÐ°Ñ Ð¾Ñибка ÑвÑзана Ñ Ð¸Ð¼Ð¿Ð¾ÑÑом закÑÑÑÑÑ ÐºÐ»ÑÑей: когда gnupg +импоÑÑиÑÑÐµÑ Ð·Ð°ÐºÑÑÑÑй клÑÑ, Ñо он ÑÑÐ°Ð·Ñ Ð¶Ðµ ÑвÑзÑваеÑÑÑ Ñ +абÑолÑÑно довеÑеннÑм оÑкÑÑÑÑм клÑÑом, ÑÑо изменÑÐµÑ Ð²Ð°ÑÑ ÑеÑÑ Ð´Ð¾Ð²ÐµÑÐ¸Ñ Ð±ÐµÐ· +запÑоÑа подÑвеÑждениÑ. ЧÑÐ¾Ð±Ñ ÑÑо иÑпÑавиÑÑ, вам ÑÑебÑеÑÑÑ Ð¸ÑполÑзоваÑÑÑÑ ÑпеÑиалÑнÑÑ +опÑÐ¸Ñ Ð´Ð»Ñ Ð¸Ð¼Ð¿Ð¾ÑÑа закÑÑÑого клÑÑа. 
</ol> - -<p>Both problems have been fixed in version 1.0.6-0potato1. +<p>Ðбе пÑÐ¾Ð±Ð»ÐµÐ¼Ñ Ð±Ñли иÑпÑÐ°Ð²Ð»ÐµÐ½Ñ Ð² веÑÑии 1.0.6-0potato1. </define-tag> # do not modify the following line - --- english/security/2001/dsa-075.wml 2002-03-20 20:04:58.000000000 +0500 +++ russian/security/2001/dsa-075.wml 2015-12-30 13:25:35.819057466 +0500 
@@ -1,22 +1,23 @@ - -<define-tag description>remote exploit</define-tag> +#use wml::debian::translation-check translation="1.4" maintainer="Lev Lamberov" +<define-tag description>ÑдалÑÐ½Ð½Ð°Ñ ÑÑзвимоÑÑÑ</define-tag> <define-tag moreinfo> - -The telnet daemon contained in the netkit-telnet-ssl_0.16.3-1 package in - -the 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an - -exploitable overflow in its output handling. - -The original bug was found by <s...@nb.in-berlin.de>, and announced to - -bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were - -not believed to be vulnerable. +СлÑжба telnet, ÑодеÑжаÑаÑÑÑ Ð² пакеÑе netkit-telnet-ssl_0.16.3-1 в +'ÑÑабилÑном' (potato) вÑпÑÑке Debian GNU/Linux ÑÑзвима к +пеÑÐµÐ¿Ð¾Ð»Ð½ÐµÐ½Ð¸Ñ Ð±ÑÑеÑа в коде обÑабоÑки Ð²Ñ Ð¾Ð´Ð½ÑÑ Ð´Ð°Ð½Ð½ÑÑ . +ÐÑибка бÑла найдена <s...@nb.in-berlin.de>, и о ней ÑообÑили +в bugtraq 18 иÑÐ»Ñ 2001 года. Тогда ÑÑиÑалоÑÑ, ÑÑо веÑÑии netkit-telnet ÑÑаÑÑе 0.14 +не ÑодеÑÐ¶Ð°Ñ ÑÑÑ ÑÑзвимоÑÑÑ. - -<p>On Aug 10 2001, zen-parse posted an advisory based on the same problem, for - -all netkit-telnet versions below 0.17. +<p>10 авгÑÑÑа 2001 года пÑÐ¾ÐµÐºÑ zen-parse ÑазмеÑÑил ÑекомендаÑÐ¸Ñ (на оÑнове ÑÑой пÑоблемÑ) Ð´Ð»Ñ +вÑÐµÑ Ð²ÐµÑÑÐ¸Ñ netkit-telnet младÑе 0.17. - -<p>More details can be found on +<p>ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð½Ð°Ð¹Ð´ÐµÐ½Ð° на <a href="http://online.securityfocus.com/archive/1/203000">SecurityFocus</a>. - -As Debian uses the 'telnetd' user to run in.telnetd, this is not a remote - -root compromise on Debian systems; the 'telnetd' user can be compromised. +ÐоÑколÑÐºÑ Ð² Debian Ð´Ð»Ñ Ñого, ÑÑÐ¾Ð±Ñ Ð·Ð°Ð¿ÑÑкаÑÑ in.telnetd, иÑполÑзÑеÑÑÑ Ð¿Ð¾Ð»ÑзоваÑÐµÐ»Ñ 'telnetd', в ÑиÑÑÐµÐ¼Ð°Ñ +Debian ÑÑа ÑÑзвимоÑÑÑ Ð½Ðµ Ð¼Ð¾Ð¶ÐµÑ Ð¸ÑполÑзоваÑÑÑÑ Ð´Ð»Ñ ÑдалÑнной компÑомеÑаÑии ÑÑпеÑполÑзоваÑелÑ; компÑомеÑиÑован Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð¿Ð¾Ð»ÑзоваÑÐµÐ»Ñ 'telnetd'. - -<p>We strongly advise you update your netkit-telnet-ssl packages to the versions - -listed below. 
+<p>ÐаÑÑоÑÑелÑно ÑекомендÑеÑÑÑ Ð¾Ð±Ð½Ð¾Ð²Ð¸ÑÑ Ð¿Ð°ÐºÐµÑÑ netkit-telnet-ssl до пÑиведÑннÑÑ Ð½Ð¸Ð¶Ðµ +веÑÑий. </define-tag> # do not modify the following line - --- english/security/2001/dsa-080.wml 2004-12-13 05:20:29.000000000 +0500 +++ russian/security/2001/dsa-080.wml 2015-12-30 13:30:05.921355494 +0500 
@@ -1,24 +1,25 @@ - -<define-tag description>unauthorized gathering of data</define-tag> +#use wml::debian::translation-check translation="1.6" maintainer="Lev Lamberov" +<define-tag description>неавÑоÑизованнÑй ÑÐ±Ð¾Ñ Ð´Ð°Ð½Ð½ÑÑ </define-tag> <define-tag moreinfo> - -Nergal reported a <a +Nergal ÑообÑил об <a href="http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593">\ - -vulnerability</a> in the htsearch program which is - -distributed as part of the ht://Dig package, an indexing and searching - -system for small domains or intranets. Using former versions it was - -able to pass the parameter <kbd>-c</kbd> to the cgi program in order to use a - -different configuration file. +ÑÑзвимоÑÑи</a> в пÑогÑамме htsearch, коÑоÑÐ°Ñ Ð¿Ð¾ÑÑавлÑеÑÑÑ Ð² каÑеÑÑве ÑаÑÑи +пакеÑа ht://Dig, ÑиÑÑÐµÐ¼Ñ Ð¸Ð½Ð´ÐµÐºÑиÑÐ¾Ð²Ð°Ð½Ð¸Ñ Ð¸ поиÑка Ð´Ð»Ñ Ð½ÐµÐ±Ð¾Ð»ÑÑÐ¸Ñ +доменов и внÑÑÑÐµÐ½Ð½Ð¸Ñ ÑеÑей. ÐÑа пÑогÑамма Ð¼Ð¾Ð¶ÐµÑ +пеÑедаваÑÑ Ð¿Ð°ÑамеÑÑ <kbd>-c</kbd> cgi-пÑогÑамме Ñ ÑÐµÐ»Ñ Ð¸ÑполÑÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ +дÑÑгого Ñайла наÑÑÑойки. - -<p>A malicious user could point htsearch to a file like - -<var>/dev/zero</var> and - -let the server run in an endless loop, trying to read config - -parameters. If the user has write permission on the server they can - -point the program to it and retrieve any file readable by the webserver - -user id. +<p>ÐлоÑмÑÑленник Ð¼Ð¾Ð¶ÐµÑ ÑказаÑÑ htsearch Ñайл Ñипа +<var>/dev/zero</var>, ÑÑо пÑиведÑÑ Ðº ÑомÑ, ÑÑо +ÑеÑÐ²ÐµÑ Ð²Ð¾Ð¹Ð´ÑÑ Ð² беÑконеÑнÑй Ñикл, пÑÑаÑÑÑ Ð¿ÑоÑеÑÑÑ Ð¿Ð°ÑамеÑÑÑ +наÑÑÑойки. ÐÑли полÑзоваÑÐµÐ»Ñ Ð¸Ð¼ÐµÐµÑ Ð¿Ñава на запиÑÑ Ð½Ð° ÑеÑвеÑе, Ñо он +Ð¼Ð¾Ð¶ÐµÑ ÑказаÑÑ Ð¿ÑогÑамме полÑÑиÑÑ Ð»Ñбой Ñайл, коÑоÑÑй Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð¿ÑоÑиÑан полÑзоваÑелем, Ð¾Ñ Ð»Ð¸Ñа коÑоÑого +запÑÑен веб-ÑеÑвеÑ. - -<p>This problem has been fixed in version 3.1.5-2.0potato.1 for Debian +<p>ÐÑа пÑоблема бÑла иÑпÑавлена в веÑÑии 3.1.5-2.0potato.1 Ð´Ð»Ñ GNU/Linux 2.2. - -<p>We recommend that you upgrade your htdig package immediately. 
+<p>РекомендÑеÑÑÑ ÐºÐ°Ðº можно ÑкоÑее обновиÑÑ Ð¿Ð°ÐºÐµÑ htdig. </define-tag> # do not modify the following line -----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
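Review bot: in russian/security/2001/dsa-029.wml, the first added moreinfo line translates "The following problems have been reported" with the word for "programs" (and spelled with a single "м") where "problems" is meant; it should read "проблемах", as the dsa-061 hunk already does for "Both problems".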
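Review bot: in russian/security/2001/dsa-042.wml, the last sentence of the first paragraph leaves "foozle" untranslated and puts it after the words for "cookie comparison", as if it were a name; in the English it is a verb, and the sentence says that overflowing the cookie buffer can foozle, that is break, the cookie comparison, which is the access-control failure the advisory describes. Reword so that this consequence is stated. The same paragraph carries over the "MIT-MAGIC-COOCKIE" misspelling while the second paragraph uses "MIT-MAGIC-COOKIE"; use the latter in both. In the description tag the adjective and noun for "weak security" do not agree in case.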
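Review bot: in russian/security/2001/dsa-061.wml, the second list item says the imported secret key "is immediately associated with a fully trusted public key", whereas the English says that on import gnupg makes the associated public key fully trusted; as translated, the reader cannot tell that the import itself changes the trust setting. The first list item also uses the verb for "decode" in both places where the English has "decrypted" and "decrypting"; for GnuPG this should be the word for decryption (расшифровка).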
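Review bot: in russian/security/2001/dsa-075.wml, the first paragraph translates "overflow in its output handling" as an overflow in the handling of input data (входных данных); it should say output (выходных данных), since that is where the advisory locates the bug. The same sentence drops "exploitable", and the third paragraph calls zen-parse a project, which the English does not state.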
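Review bot: in russian/security/2001/dsa-080.wml, the added line giving the fixed version 3.1.5-2.0potato.1 ends just before the unchanged "GNU/Linux 2.2." line without the word "Debian" that the removed line ended with, so the sentence now reads "for GNU/Linux 2.2"; add "Debian" back at the end of that line. The first paragraph also drops "Using former versions" and states in the present tense that the program can pass the -c parameter, which loses the point that only versions before the fix accept it.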