OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 16-Dec-2002 17:36:15
Branch: HEAD Handle: 2002121616361400
Added files:
openpkg-web/security OpenPKG-SA-2002.015-tetex.txt
Modified files:
openpkg-web/security OpenPKG-SA-2002.014-perl.txt
Log:
fix bugs, resign
Summary:
Revision Changes Path
1.2 +8 -9 openpkg-web/security/OpenPKG-SA-2002.014-perl.txt
1.1 +79 -0 openpkg-web/security/OpenPKG-SA-2002.015-tetex.txt
____________________________________________________________________________
Index: openpkg-web/security/OpenPKG-SA-2002.014-perl.txt
============================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2002.014-perl.txt
--- openpkg-web/security/OpenPKG-SA-2002.014-perl.txt 16 Dec 2002 12:20:32 -0000
1.1
+++ openpkg-web/security/OpenPKG-SA-2002.014-perl.txt 16 Dec 2002 16:36:14 -0000
1.2
@@ -29,7 +29,7 @@
bug.
Check whether you are affected by running "<prefix>/bin/rpm -q perl".
- If you have an affected version of the samba package (see above),
+ If you have an affected version of the Perl package (see above),
please upgrade it according to the solution below.
Solution:
@@ -44,13 +44,12 @@
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
- ftp> get samba-5.6.1-1.1.1.src.rpm
+ ftp> get perl-5.6.1-1.1.1.src.rpm
ftp> bye
- $ <prefix>/bin/rpm -v --checksig samba-5.6.1-1.1.1.src.rpm
- $ <prefix>/bin/rpm --rebuild samba-5.6.1-1.1.1.src.rpm
+ $ <prefix>/bin/rpm -v --checksig perl-5.6.1-1.1.1.src.rpm
+ $ <prefix>/bin/rpm --rebuild perl-5.6.1-1.1.1.src.rpm
$ su -
- # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-5.6.1-1.1.1.*.rpm
- # <prefix>/etc/rc samba stop start
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/perl-5.6.1-1.1.1.*.rpm
________________________________________________________________________
References:
@@ -74,7 +73,7 @@
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>
-iEYEARECAAYFAj39xOAACgkQgHWT4GPEy5/N3gCgt8DdAlRJtndmSosumhN6WsMC
-nBAAoICrfgNzPpGKnuEZhXT/Ed7OnJyq
-=MeEU
+iEYEARECAAYFAj3+AJgACgkQgHWT4GPEy58V+gCg7izWdygkK12AbXPpY2izzuWb
+wA4AoMG3rg9EUfy1fkimlOl5zxoAsLho
+=ZxAt
-----END PGP SIGNATURE-----
Index: openpkg-web/security/OpenPKG-SA-2002.015-tetex.txt
============================================================
$ cvs update -p -r1.1 OpenPKG-SA-2002.015-tetex.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
OpenPKG-SA-2002.015 16-Dec-2002
________________________________________________________________________
Package: tetex
Vulnerability: remote command execution
OpenPKG Specific: no
Dependent Packages: none
Affected Releases: Affected Packages: Corrected Packages:
OpenPKG 1.0 <= tetex-1.0.7-1.0.0 >= tetex-1.0.7-1.0.1
OpenPKG 1.1 <= tetex-1.0.7-1.1.0 >= tetex-1.0.7-1.1.1
OpenPKG CURRENT <= tetex-1.0.7-20021204 >= tetex-1.0.7-20021216
Description:
A vulnerability [1] in the kpathsea(3) library of teTeX was
discovered. This library is used by xdvi(1) and dvips(1). Both
programs call the system(3) function insecurely, which allows a remote
attacker to execute arbitrary commands via cleverly crafted DVI files.
If dvips(1) is used in a print filter, this allows a local or remote
attacker with print permission execute arbitrary code as the printing
system user.
Check whether you are affected by running "<prefix>/bin/rpm -q tetex".
If you have an affected version of the samba package (see above),
please upgrade it according to the solution below.
Solution:
Update existing packages to newly patched versions of teTeX. Select the
updated source RPM appropriate for your OpenPKG release [2][3][4], and
fetch it from the OpenPKG FTP service or a mirror location. Verify its
integrity [5], build a corresponding binary RPM from it and update your
OpenPKG installation by applying the binary RPM [6]. For the latest
OpenPKG 1.1 release, perform the following operations to permanently fix
the security problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get tetex-1.0.7-1.1.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig tetex-1.0.7-1.1.1.src.rpm
$ <prefix>/bin/rpm --rebuild tetex-1.0.7-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/tetex-1.0.7-1.1.1.*.rpm
________________________________________________________________________
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0836
[2] ftp://ftp.openpkg.org/release/1.0/UPD/
[3] ftp://ftp.openpkg.org/release/1.1/UPD/
[4] ftp://ftp.openpkg.org/current/SRC/
[5] http://www.openpkg.org/security.html#signature
[6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>
iEYEARECAAYFAj3+AOwACgkQgHWT4GPEy59EaQCg3nIl3ru+vU27i/Wcqm+cUH5N
/tAAn0QY3lN4bmUtNXIwMGsGitW2LMsz
=6F8t
-----END PGP SIGNATURE-----
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
