On 24.8.2010, at 23.54, Sebastien Delafond wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - ------------------------------------------------------------------------ > Debian Security Advisory DSA-2096-1 [email protected] > http://www.debian.org/security/ Moritz Muehlenhoff > August 24, 2010 http://www.debian.org/security/faq > - ------------------------------------------------------------------------ > > Package : zope-ldapuserfolder > Vulnerability : missing input validation > Problem type : remote > Debian-specific: no > CVE Id : CVE-2010-2944 > Debian Bug : 593466 > > Jeremy James discovered that in zope-ldapuserfolder, a Zope extension > used to authenticate against an LDAP server, the authentication code > does not verify the password provided for the emergency user. Malicious > users that manage to get the emergency user login can use this flaw to > gain administrative access to the Zope instance, by providing an > arbitrary password. > > For the stable distribution (lenny), this problem has been fixed in > version 2.9-1+lenny1. > > The package no longer exists in the upcoming stable distribution > (squeeze) or the unstable distribution. > > We recommend that you upgrade your zope-ldapuserfolder package. > > Upgrade instructions > - -------------------- > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given below: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. > > > Debian GNU/Linux 5.0 alias lenny > - -------------------------------- > > Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, > mips, mipsel, powerpc, s390 and sparc. > > Source archives: > > > http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9.orig.tar.gz > Size/MD5 checksum: 106677 c380401e4de43c4aa5aad8c7af104ac5 > > http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.dsc > Size/MD5 checksum: 1122 65bc92834fb17c525b9c5a43589a05e6 > > http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.diff.gz > Size/MD5 checksum: 2635 fdfc884244f970d77f3da18a638a135c > > Architecture independent packages: > > > http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1_all.deb > Size/MD5 checksum: 110686 44db774a6142e62e71ac0e0cb9e6fafa > > > These files will probably be moved into the stable distribution on > its next update. > > - > --------------------------------------------------------------------------------- > For apt-get: deb http://security.debian.org/ stable/updates main > For dpkg-ftp: ftp://security.debian.org/debian-security > dists/stable/updates/main > Mailing list: [email protected] > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iEYEARECAAYFAkx0MVEACgkQXm3vHE4uylrJcACfb+YXHmXJRVT048+yEtxwLR/f > +AcAoJSOMNCmGLHCq9gdrR0jjsj60l6R > =Voz+ > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to [email protected] > with a subject of "unsubscribe". Trouble? Contact [email protected] > Archive: http://lists.debian.org/[email protected] >
Arsi Hartikainen [email protected] 2055921-5 Punkkerikatu 1 B 3 53850 Lappeenranta puh: 044 0500528 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
