[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.018-pcre.txt

Mon, 05 Sep 2005 09:10:35 -0700 

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   05-Sep-2005 18:10:34
  Branch: HEAD                             Handle: 2005090517103300

  Added files:
    openpkg-web/security    OpenPKG-SA-2005.018-pcre.txt

  Log:
    release OpenPKG Security Advisory 2005.018 (pcre)

  Summary:
    Revision    Changes     Path
    1.1         +121 -0     openpkg-web/security/OpenPKG-SA-2005.018-pcre.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.018-pcre.txt
  ============================================================================
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.018-pcre.txt
  --- /dev/null 2005-09-05 18:10:32 +0200
  +++ OpenPKG-SA-2005.018-pcre.txt      2005-09-05 18:10:34 +0200
  @@ -0,0 +1,121 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
  +________________________________________________________________________
  +
  +OpenPKG Security Advisory                            The OpenPKG Project
  +http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  +OpenPKG-SA-2005.018                                          05-Sep-2005
  +________________________________________________________________________
  +
  +Package:             pcre
  +Vulnerability:       arbitrary code execution
  +OpenPKG Specific:    no
  +
  +Affected Releases:   Affected Packages:          Corrected Packages:
  +OpenPKG CURRENT      <= pcre-6.1-20050622        >= pcre-6.2-20050802
  +                     <= exim-4.52-20050701       >= exim-4.52-20050905
  +                     <= fsl-1.6.0-20050808       >= fsl-1.6.0-20050905
  +                     <= hypermail-2.1.8-20050324 >= hypermail-2.1.8-20050905
  +                     <= l2-0.9.10-20050615       >= l2-0.9.10-20050905
  +                     <= str-0.9.10-20050615      >= str-0.9.10-20050905
  +                     <= lmtp2nntp-1.3.0-20050615 >= lmtp2nntp-1.3.0-20050905
  +                     <= tin-1.6.2-20040207       >= tin-1.6.2-20050905
  +                     <= wml-2.0.9-20050617       >= wml-2.0.9-20050905
  +OpenPKG 2.4          <= pcre-6.0-2.4.0           >= pcre-6.0-2.4.1        
  +                     <= exim-4.51-2.4.0          >= exim-4.51-2.4.1       
  +                     <= fsl-1.6.0-2.4.0          >= fsl-1.6.0-2.4.1       
  +                     <= hypermail-2.1.8-2.4.0    >= hypermail-2.1.8-2.4.1 
  +                     <= l2-0.9.10-2.4.0          >= l2-0.9.10-2.4.1       
  +                     <= str-0.9.10-2.4.0         >= str-0.9.10-2.4.1      
  +                     <= lmtp2nntp-1.3.0-2.4.0    >= lmtp2nntp-1.3.0-2.4.1 
  +                     <= tin-1.6.2-2.4.0          >= tin-1.6.2-2.4.1       
  +                     <= wml-2.0.9-2.4.0          >= wml-2.0.9-2.4.1       
  +OpenPKG 2.3          <= pcre-5.0-2.3.0           >= pcre-5.0-2.3.1
  +                     <= exim-4.50-2.3.0          >= exim-4.50-2.3.1
  +                     <= fsl-1.6.0-2.3.2          >= fsl-1.6.0-2.3.3
  +                     <= hypermail-2.1.8-2.3.0    >= hypermail-2.1.8-2.3.1
  +                     <= l2-0.9.10-2.3.1          >= l2-0.9.10-2.3.2
  +                     <= str-0.9.10-2.3.1         >= str-0.9.10-2.3.2
  +                     <= lmtp2nntp-1.3.0-2.3.1    >= lmtp2nntp-1.3.0-2.3.2
  +                     <= tin-1.6.2-2.3.0          >= tin-1.6.2-2.3.1
  +                     <= wml-2.0.9-2.3.1          >= wml-2.0.9-2.3.2
  +
  +Dependent Packages:  aide analog apache apachetop arpd cfengine cvs
  +                     cvsd dbtool dhcp-agent dhcpd diogene87 dnrd
  +                     drac ethereal ettercap flowd flowtools gated
  +                     grep honeyd imapd inetutils inn ircd kde-libs
  +                     kerberos kermit lighttpd mixmaster monit msntp
  +                     nagios nessus-tool ngircd nntpcache nsd ntp
  +                     openldap openssh openvpn petidomo php php5 pks
  +                     portfwd portsentry postfix pound powerdns privoxy
  +                     prngd procmail pureftpd qpopper r rbldnsd rdist
  +                     samhain sasl scponly sendmail smtpfeed snmp snort
  +                     softflowd sophie spamassassin squid ssmtp stunnel
  +                     sudo sysmon tacacs teapop tftp thttpd tinyproxy
  +                     tripwire ucarp whoson
  +
  +Description:
  +  An integer overflow problem was discovered in the Perl Compatible
  +  Regular Expressions (PCRE) [1] library, version 6.2 and earlier.
  +  The problem allows a remote or local attacker to execute arbitrary
  +  code by causing a heap-based buffer overflow via quantifier values
  +  in regular expressions. As PCRE is a popular library, this problem
  +  affects many applications. The Common Vulnerabilities and Exposures
  +  (CVE) project assigned the id CAN-2005-2491 [2] to the problem.
  +
  +  Please check whether you are affected by running "<prefix>/bin/openpkg
  +  rpm -q pcre". If you have the "pcre" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution) and its dependent packages (see above), too [3][4].
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.4/UPD
  +  ftp> get pcre-6.0-2.4.1.src.rpm
  +  ftp> bye
  +  $ <prefix>/bin/openpkg rpm -v --checksig pcre-6.0-2.4.1.src.rpm
  +  $ <prefix>/bin/openpkg rpm --rebuild pcre-6.0-2.4.1.src.rpm
  +  $ su -
  +  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/pcre-6.0-2.4.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), too [3][4].
  +________________________________________________________________________
  +
  +References:
  +  [1] http://www.pcre.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/2.4/UPD/pcre-6.0-2.4.1.src.rpm
  +  [6] ftp://ftp.openpkg.org/release/2.3/UPD/pcre-5.0-2.3.1.src.rpm
  +  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  +  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  +  [9] http://www.openpkg.org/security.html#signature
  +________________________________________________________________________
  +
  +For security reasons, this advisory was digitally signed with the
  +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
  +OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  +for details on how to verify the integrity of this advisory.
  +________________________________________________________________________
  +
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQFDHG3jgHWT4GPEy58RAlJ6AKCRpeXSjDgtyjThecNIWmFY+kLWqwCg5tR0
  +TboY1Zy6BjvYZzjPLE4dH6Q=
  +=mj3k
  +-----END PGP SIGNATURE-----
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org

Reply via email to