OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   14-Mar-2003 22:28:25
  Branch: HEAD                             Handle: 2003031421282400

  Modified files:
    openpkg-web/security    OpenPKG-SA-2003.018-qpopper.txt

  Log:
    final polishing and signing

  Summary:
    Revision    Changes     Path
    1.2         +23 -14     openpkg-web/security/OpenPKG-SA-2003.018-qpopper.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.018-qpopper.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.018-qpopper.txt
  --- openpkg-web/security/OpenPKG-SA-2003.018-qpopper.txt      14 Mar 2003 10:23:29 
-0000      1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.018-qpopper.txt      14 Mar 2003 21:28:24 
-0000      1.2
  @@ -1,3 +1,6 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
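Review bot: "Hash: SHA1" in the clearsign header added at the top of the file means the signature is computed over a SHA-1 digest. If the signing key and the gpg setup allow a stronger digest, select it the next time the advisory is re-signed.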
  @@ -19,23 +22,23 @@
   
   Description:
     According to Florian Heinz [0] a remote code execution vulnerability
  -  exists in version 4.0.4 of the qpopper POP3 server [1]. Attackers may
  -  remotely exploit this vulnerability to execute arbitrary code under
  -  the user id of a mailbox owner and the 'mail' group id.
  -
  -  Please check whether you are affected by running "<prefix>/bin/rpm
  -  -q qpopper". If you have the "qpopper" package installed and its version
  -  is affected (see above), we recommend that you immediately upgrade
  -  it (see Solution). [2][4]
  +  exists in the QPopper POP3 server [1]. Attackers may remotely exploit
  +  this vulnerability to execute arbitrary code under the user id of a
  +  mailbox owner and the "mail" group id.
  +
  +  Please check whether you are affected by running "<prefix>/bin/rpm -q
  +  qpopper". If you have the "qpopper" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [2][3]
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
  -  [4][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
     location, verify its integrity [8], build a corresponding binary RPM
  -  from it [2] and update your OpenPKG installation by applying the binary
  -  RPM [3]. For the current release OpenPKG 1.2, perform the following
  -  operations to permanently fix the security problem (for other releases
  -  adjust accordingly).
  +  from it [2] and update your OpenPKG installation by applying the
  +  binary RPM [3]. For the current release OpenPKG 1.2, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
   
     $ ftp ftp.openpkg.org
     ftp> bin
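Review bot: the Description no longer names version 4.0.4, yet the next paragraph still reads "its version is affected (see above)", so the affected versions must be stated in the part of the advisory above this hunk; confirm they are, or keep the version in the sentence. The citation numbers also change here ("[2][4]" to "[2][3]", "[4][6]" to "[4][5]", "[7][8]" to "[6][7]") while no hunk in this diff touches the entries under "References:", so check each number against that list. Note that [2] and [3] are now cited both for the rpm -q check and for the build and install steps.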
  @@ -46,7 +49,6 @@
     $ <prefix>/bin/rpm --rebuild qpopper-4.0.4-1.2.1.src.rpm
     $ su -
     # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/qpopper-4.0.4-1.2.1.*.rpm
  -
   ________________________________________________________________________
   
   References:
  @@ -70,3 +72,10 @@
   the command "gpg --verify --keyserver keyserver.pgp.com".
   ________________________________________________________________________
   
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQE+ckkwgHWT4GPEy58RAosEAJ9ROxlBdCptZ096uBg1KF9eaFw6oQCgy7gT
  +uzDTkM+4oxfNfMVrF0U+kcA=
  +=NNhb
  +-----END PGP SIGNATURE-----
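Review bot: the "Comment:" line in the added signature block is an armor header and is not covered by the signature, so it should not be what readers rely on to identify the signer; the verification instructions should point them at the signing key itself. Since the clearsigned text is now what is stored in CVS, any later edit between the BEGIN header and this block, including a whitespace-only change like the blank line removed in the previous hunk, invalidates the signature, so every further revision has to be re-signed before commit.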
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
