Hali! Kuldenel a listara is?
Thx: mP > -----Original Message----- > From: Martin Schulze [mailto:[EMAIL PROTECTED] > Sent: Friday, February 10, 2006 7:04 AM > To: Debian Security Announcements > Subject: [SECURITY] [DSA 967-1] New elog packages fix arbitrary code > execution > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - ------------------------------------------------------------------------ > -- > Debian Security Advisory DSA 967-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Moritz Muehlenhoff > February 10th, 2006 http://www.debian.org/security/faq > - ------------------------------------------------------------------------ > -- > > Package : elog > Vulnerability : several > Problem-Type : remote > Debian-specific: no > CVE IDs : CVE-2006-4439 CVE-2006-0347 CVE-2006-0348 CVE-2006-0597 > CVE-2006-0598 CVE-2006-0599 CVE-2006-0600 > Debian Bug : 349528 > > Several security problems have been found in elog, an electonic logbook > to manage notes. The Common Vulnerabilities and Exposures Project > identifies the following problems: > > CVE-2005-4439 > > "GroundZero Security" discovered that elog insufficiently checks the > size of a buffer used for processing URL parameters, which might lead > to the execution of arbitrary code. > > CVE-2006-0347 > > It was discovered that elog contains a directory traveral > vulnerability > in the processing of "../" sequences in URLs, which might lead to > information disclosure. > > CVE-2006-0348 > > The code to write the log file contained a format string > vulnerability, > which might lead to the execution of arbitrary code. > > CVE-2006-0597 > > Overly long revision attributes might trigger a crash due to a buffer > overflow. > > CVE-2006-0598 > > The code to write the log file does not enforce bounds checks > properly, > which might lead to the execution of arbitrary code. > > CVE-2006-0599 > > elog emitted different errors messages for invalid passwords and > invalid > users, which allows an attacker to probe for valid user names. > > CVE-2006-0600 > > An attacker could be driven into infinite redirection with a crafted > "fail" request, which has denial of service potential. > > The old stable distribution (woody) does not contain elog packages. > > For the stable distribution (sarge) these problems have been fixed in > version 2.5.7+r1558-4+sarge2. > > For the unstable distribution (sid) these problems have been fixed in > version 2.6.1+r1642-1. > > We recommend that you upgrade your elog package. > > > Upgrade Instructions > - -------------------- > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given below: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. > > Debian GNU/Linux 3.1 alias sarge > - -------------------------------- > > Source archives: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2.dsc > Size/MD5 checksum: 581 ed02ecef4eb70c7344532b1a75f893bc > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2.diff.gz > Size/MD5 checksum: 21652 ab45bff97bf2e7c42cd5ccca5a80103e > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558.orig. > tar.gz > Size/MD5 checksum: 538216 e05c9fdaa02692ce20c70a5fd2748fe3 > > Alpha architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_alpha.deb > Size/MD5 checksum: 555270 5cb3aba4fc1303a65984aab4acaf32da > > AMD64 architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_amd64.deb > Size/MD5 checksum: 511706 5e41b71ee6f3a42d5e7ac033b436c059 > > ARM architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_arm.deb > Size/MD5 checksum: 516094 95f2c045af860501a8e8bad54d0f6958 > > Intel IA-32 architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_i386.deb > Size/MD5 checksum: 513918 0dfe3628e07c5cea6f2609683104dbab > > Intel IA-64 architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_ia64.deb > Size/MD5 checksum: 597254 7f83bb7006849edf56411255e0b55e5f > > HP Precision architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_hppa.deb > Size/MD5 checksum: 543576 a09646d99c692e210164fb4a7f58c05a > > Motorola 680x0 architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_m68k.deb > Size/MD5 checksum: 482016 b92bbd85b3d1041cbf403070e4aa43c7 > > Big endian MIPS architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_mips.deb > Size/MD5 checksum: 521234 33f7d96179fa0b4bd7cd314a33c54e31 > > Little endian MIPS architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_mipsel.deb > Size/MD5 checksum: 524336 b30ef21a7a9a958839569cf548fffebb > > PowerPC architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_powerpc.deb > Size/MD5 checksum: 523540 823e5cb99e854a5ba0264259d7116deb > > IBM S/390 architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_s390.deb > Size/MD5 checksum: 514274 01f3ebd90422c9d94c109f60921c2634 > > Sun Sparc architecture: > > http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558- > 4+sarge2_sparc.deb > Size/MD5 checksum: 518960 661427182cad6ca5a08663ffa505e4ef > > > These files will probably be moved into the stable distribution on > its next update. > > - ------------------------------------------------------------------------ > --------- > For apt-get: deb http://security.debian.org/ stable/updates main > For dpkg-ftp: ftp://security.debian.org/debian-security > dists/stable/updates/main > Mailing list: [email protected] > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (GNU/Linux) > > iD8DBQFD7CzpW5ql+IAeqTIRAr7cAJwKu86gvdgW5UzWatM+8+EDiiSMdwCgnT2b > ttGvVBTdC3n7VV+RsftANhg= > =aKZq > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
