[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

Thu, 08 Jul 2004 06:14:32 -0700 

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   08-Jul-2004 15:14:45
  Branch: HEAD                             Handle: 2004070814144401

  Added files:
    openpkg-web/security    OpenPKG-SA-2004.031-dhcpd.txt
  Modified files:
    openpkg-web             security.txt security.wml

  Log:
    SA-2004.031-dhcpd; CAN-2004-0460, CAN-2004-0461

  Summary:
    Revision    Changes     Path
    1.86        +1  -0      openpkg-web/security.txt
    1.106       +1  -0      openpkg-web/security.wml
    1.1         +84 -0      openpkg-web/security/OpenPKG-SA-2004.031-dhcpd.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  ============================================================================
  $ cvs diff -u -r1.85 -r1.86 security.txt
  --- openpkg-web/security.txt  6 Jul 2004 14:04:55 -0000       1.85
  +++ openpkg-web/security.txt  8 Jul 2004 13:14:44 -0000       1.86
  @@ -1,3 +1,4 @@
  +08-Jul-2004: Security Advisory: S<OpenPKG-SA-2004.031-dhcpd>
   06-Jul-2004: Security Advisory: S<OpenPKG-SA-2004.030-png>
   11-Jun-2004: Security Advisory: S<OpenPKG-SA-2004.029-apache>
   11-Jun-2004: Security Advisory: S<OpenPKG-SA-2004.028-subversion>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  ============================================================================
  $ cvs diff -u -r1.105 -r1.106 security.wml
  --- openpkg-web/security.wml  6 Jul 2004 14:04:55 -0000       1.105
  +++ openpkg-web/security.wml  8 Jul 2004 13:14:44 -0000       1.106
  @@ -76,6 +76,7 @@
   </define-tag>
   <box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
   <table cellspacing=0 cellpadding=0 border=0>
  +  <sa 2004.031 dhcpd>
     <sa 2004.030 png>
     <sa 2004.029 apache>
     <sa 2004.028 subversion>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.031-dhcpd.txt
  ============================================================================
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.031-dhcpd.txt
  --- /dev/null 2004-07-08 15:14:45.000000000 +0200
  +++ OpenPKG-SA-2004.031-dhcpd.txt     2004-07-08 15:14:45.000000000 +0200
  @@ -0,0 +1,84 @@
  +________________________________________________________________________
  +
  +OpenPKG Security Advisory                            The OpenPKG Project
  +http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  +OpenPKG-SA-2004.031                                          08-Jul-2004
  +________________________________________________________________________
  +
  +Package:             dhcpd
  +Vulnerability:       denial of service, arbitrary code execution
  +OpenPKG Specific:    no
  +
  +Affected Releases:   Affected Packages:          Corrected Packages:
  +OpenPKG CURRENT      <= dhcpd-3.0.1rc13-20040524 >= dhcpd-3.0.1rc14-20040623
  +OpenPKG 2.0          <= dhcpd-3.0.1rc13-2.0.0    >= dhcpd-3.0.1rc13-2.0.1
  +OpenPKG 1.3          <= dhcpd-3.0.1rc11-1.3.0    >= dhcpd-3.0.1rc11-1.3.1
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  As reported by US-CERT [0] Gregory Duchemin discovered several
  +  vulnerabilities in ISC DHCP Distribution [1] and helped fixing them.
  +
  +  Several buffer overflows were closed in logging messages with
  +  excessively long hostnames provided by the clients. The Common
  +  Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2004-0460 [2] to the problem.
  +
  +  Another issue was evident on some specific platforms where the dhcpd
  +  build mechanism ignored the existence of [v]snprintf(3) functions and
  +  used the weaker [v]sprintf(3) which lack bounds checking. The RELEASE
  +  updates enforces use of the favorable functions as it was verified
  +  they exist on all platforms supported by OpenPKG. The CURRENT update
  +  contains a vendor fix explicitly providing a suitable function. The
  +  Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2004-0461 [3] to the problem.
  +
  +  Please check whether you are affected by running "<prefix>/bin/rpm
  +  -q dhcpd". If you have the "dhcpd" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution) and its dependent packages (see above), if any,
  +  too [4][5].
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  +  location, verify its integrity [10], build a corresponding binary RPM
  +  from it [4] and update your OpenPKG installation by applying the
  +  binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.0/UPD
  +  ftp> get dhcpd-3.0.1rc13-2.0.1.src.rpm
  +  ftp> bye
  +  $ <prefix>/bin/openpkg rpm -v --checksig dhcpd-3.0.1rc13-2.0.1.src.rpm
  +  $ <prefix>/bin/openpkg rpm --rebuild dhcpd-3.0.1rc13-2.0.1.src.rpm
  +  $ su -
  +  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/dhcpd-3.0.1rc13-2.0.1.*.rpm
  +________________________________________________________________________
  +
  +References:
  +  [0] http://www.us-cert.gov/cas/techalerts/TA04-174A.html
  +  [1] http://www.isc.org/products/DHCP/dhcp-v3.html
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0460
  +  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0461
  +  [4] http://www.openpkg.org/tutorial.html#regular-source
  +  [5] http://www.openpkg.org/tutorial.html#regular-binary
  +  [6] ftp://ftp.openpkg.org/release/1.3/UPD/dhcpd-3.0.1rc11-1.3.1.src.rpm
  +  [7] ftp://ftp.openpkg.org/release/2.0/UPD/dhcpd-3.0.1rc13-2.0.1.src.rpm
  +  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  +  [9] ftp://ftp.openpkg.org/release/2.0/UPD/
  +  [10] http://www.openpkg.org/security.html#signature
  +________________________________________________________________________
  +
  +For security reasons, this advisory was digitally signed with the
  +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
  +OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  +for details on how to verify the integrity of this advisory.
  +________________________________________________________________________
  +
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]

Reply via email to