OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 17-Dec-2003 12:58:49
Branch: HEAD Handle: 2003121711584800
Added files:
openpkg-web/security OpenPKG-SA-2003.053-lftp.txt
Modified files:
openpkg-web/security OpenPKG-SA-2003.052-cvs.txt page.pl
Log:
final polishing and signing of SA lftp and SA cvs
Summary:
Revision Changes Path
1.4 +30 -20 openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt
1.1 +84 -0 openpkg-web/security/OpenPKG-SA-2003.053-lftp.txt
1.35 +1 -1 openpkg-web/security/page.pl
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt
============================================================================
$ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2003.052-cvs.txt
--- openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt 17 Dec 2003 11:19:47 -0000
1.3
+++ openpkg-web/security/OpenPKG-SA-2003.052-cvs.txt 17 Dec 2003 11:58:48 -0000
1.4
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
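Review bot: the new `-----BEGIN PGP SIGNED MESSAGE-----` / `Hash: SHA1` header at the top of this hunk turns the advisory into an OpenPGP cleartext-signed document, so from this revision on the text between the header and the signature block is frozen: any later edit, even a whitespace reflow, has to be followed by re-signing, or `gpg --verify` on the published .txt will fail. Worth stating in the commit workflow that signing is the last step and the signed file is never touched afterwards.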
@@ -7,39 +10,39 @@
________________________________________________________________________
Package: cvs
-Vulnerability: filesystem violation
+Vulnerability: filesystem intrusion
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
-OpenPKG CURRENT <= cvs-1.11.6-20030527 >= cvs-1.12.3-20031205
+OpenPKG CURRENT <= cvs-1.12.2-20031027 >= cvs-1.12.3-20031205
OpenPKG 1.3 <= cvs-1.12.1-1.3.0 >= cvs-1.12.1-1.3.1
OpenPKG 1.2 <= cvs-1.11.5-1.2.2 >= cvs-1.11.5-1.2.3
Dependent Packages: none
Description:
- According to a cvs security update [0], a malformed module request can
- cause the CVS server [1] to attempt to create directories and possibly
- files at the root of the filesystem holding the CVS repository. Even
- though filesystem permissions usually prevent the creation of these
- misplaced directories, the corrected OpenPKG packages include a CVS
- server which rejects such malformed requests. The Common Vulnerabilities
- and Exposures (CVE) project assigned the id CAN-2003-0977 [2] to the
- problem.
-
- Please check whether you are affected by running "<prefix>/bin/rpm -q
- cvs". If the "cvs" package is indeed installed and its version is
- affected (see above), please upgrade it immediately according to
+ According to a CVS [0] security update [1], a malformed module
+ request can cause the CVS server to attempt to create directories
+ and possibly files at the root of the filesystem holding the CVS
+ repository. Even though filesystem permissions usually prevent the
+ creation of these misplaced directories, the corrected OpenPKG
+ packages include a CVS server which rejects such malformed requests.
+ The Common Vulnerabilities and Exposures (CVE) project assigned the id
+ CAN-2003-0977 [2] to the problem.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm
+ -q cvs". If the "cvs" package is indeed installed and its version
+ is affected (see above), please upgrade it immediately according to
OpenPKG recommendations (see Solution). [3][4]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
location, verify its integrity [9], build a corresponding binary RPM
- from it [3] and update your OpenPKG installation by applying the binary
- RPM [4]. For the current release OpenPKG 1.3, perform the following
- operations to permanently fix the security problem (for other releases
- adjust accordingly).
+ from it [3] and update your OpenPKG installation by applying the
+ binary RPM [4]. For the current release OpenPKG 1.3, perform the
+ following operations to permanently fix the security problem (for
+ other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
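Review bot: the OpenPKG CURRENT bound in the Affected Packages column moves from `<= cvs-1.11.6-20030527` to `<= cvs-1.12.2-20031027`, which makes the affected range contiguous with the corrected `>= cvs-1.12.3-20031205`; the previous line left the 1.12.x snapshots between May and October unlisted, so a reader comparing `rpm -q cvs` output against the table could have read a vulnerable build as safe. Please confirm that 1.12.2-20031027 is the last affected CURRENT snapshot, since that exact string is what readers will match against. The renumbered citations in the Description ([0] now the CVS project page, [1] the security update) agree with the swap in the References section of this same file.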
@@ -53,8 +56,8 @@
________________________________________________________________________
References:
- [0] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=85
- [1] http://www.cvshome.org/
+ [0] http://www.cvshome.org/
+ [1] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=85
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
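Review bot: swapping `[0]` and `[1]` changes the target of every existing `[0]`/`[1]` citation in the advisory; the only citations are in the Description paragraph, and the hunk above updates them, so the numbering is consistent again. Because the reference list is now inside the signed region, a suggestion for future advisories is to keep reference numbers stable and append new ones rather than renumber, so a correction does not force a re-sign.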
@@ -72,3 +75,10 @@
for details on how to verify the integrity of this advisory.
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE/4ESigHWT4GPEy58RAqlHAKDWNcptxAw/fBrCZlCt9EB3oOZYHQCg4/yJ
+2L2AHtnVJFxsDz7DosQUeeI=
+=NJuM
+-----END PGP SIGNATURE-----
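Review bot: the signature block committed here is only useful if the advisory reaches readers byte-for-byte. The signed text contains `<prefix>` in angle brackets and a cleartext header, so whatever serves it (page.pl in this commit) must emit the .txt verbatim rather than HTML-escaped or reflowed. Suggest checking the deployed copy, not just the working copy, with `gpg --verify` against the `OpenPKG <...>` key named in the footer at line "for details on how to verify the integrity of this advisory."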
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.053-lftp.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.053-lftp.txt
--- /dev/null 2003-12-17 12:58:48.000000000 +0100
+++ OpenPKG-SA-2003.053-lftp.txt 2003-12-17 12:58:49.000000000 +0100
@@ -0,0 +1,84 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+________________________________________________________________________
+
+OpenPKG Security Advisory The OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2003.053 17-Dec-2003
+________________________________________________________________________
+
+Package: lftp
+Vulnerability: arbitrary code execution
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= lftp-2.6.9-20031120 >= lftp-2.6.10-20031211
+OpenPKG 1.3 <= lftp-2.6.6-1.3.0 >= lftp-2.6.6-1.3.1
+OpenPKG 1.2 <= lftp-2.6.4-1.2.0 >= lftp-2.6.4-1.2.1
+
+Dependent Packages: none
+
+Description:
+ According to a security advisory from Ulf H�rnhammar [0], a buffer
+ overflow bug exists in the FTP/HTTP/HTTPS client LFTP [1] bug in
+ versions up to and including 2.6.9. An attacker could create a
+ carefully crafted directory on a website such that, if a user connects
+ to that directory using the LFTP client and subsequently issues a "ls"
+ or "rels" command, the attacker could execute arbitrary code on the
+ users machine. The Common Vulnerabilities and Exposures (CVE) project
+ assigned the id CAN-2003-0963 [2] to the problem.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm -q
+ lftp". If you have the "lftp" package installed and its version is
+ affected (see above), we recommend that you immediately upgrade it
+ (see Solution) [3][4].
+
+Solution:
+ Select the updated source RPM appropriate for your OpenPKG release
+ [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
+ location, verify its integrity [9], build a corresponding binary RPM
+ from it [3] and update your OpenPKG installation by applying the binary
+ RPM [4]. For the current release OpenPKG 1.3, perform the following
+ operations to permanently fix the security problem (for other releases
+ adjust accordingly).
+
+ $ ftp ftp.openpkg.org
+ ftp> bin
+ ftp> cd release/1.3/UPD
+ ftp> get lftp-2.6.6-1.3.1.src.rpm
+ ftp> bye
+ $ <prefix>/bin/rpm -v --checksig lftp-2.6.6-1.3.1.src.rpm
+ $ <prefix>/bin/rpm --rebuild lftp-2.6.6-1.3.1.src.rpm
+ $ su -
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/lftp-2.6.6-1.3.1.*.rpm
+________________________________________________________________________
+
+References:
+ [0] http://www.securityfocus.com/archive/1/347587/2003-12-13/2003-12-19/0
+ [1] http://lftp.yar.ru/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0963
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
+ [5] ftp://ftp.openpkg.org/release/1.2/UPD/lftp-2.6.4-1.2.1.src.rpm
+ [6] ftp://ftp.openpkg.org/release/1.3/UPD/lftp-2.6.6-1.3.1.src.rpm
+ [7] ftp://ftp.openpkg.org/release/1.2/UPD/
+ [8] ftp://ftp.openpkg.org/release/1.3/UPD/
+ [9] http://www.openpkg.org/security.html#signature
+________________________________________________________________________
+
+For security reasons, this advisory was digitally signed with the
+OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
+OpenPKG project which you can retrieve from http://pgp.openpkg.org and
+hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
+for details on how to verify the integrity of this advisory.
+________________________________________________________________________
+
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE/4ES3gHWT4GPEy58RAhWvAJ0XtJea7vqBrAx9OfsWiUNlLBVn0QCgub7I
+eKC4m/yFGSRs+3syLFg26U0=
+=5dTH
+-----END PGP SIGNATURE-----
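Review bot: the header line `[EMAIL PROTECTED] [EMAIL PROTECTED]` inside this hunk has no leading `+`, so the hunk as shown carries 83 added lines against `@@ -0,0 +1,84 @@` and will not apply with the `patch -p0` wrapper; this looks like mail-side address masking rather than the committed file, but it also means the signed text cannot be verified from this mail alone. Two wording defects in the Description are now frozen under the signature: "client LFTP [1] bug in versions" repeats "bug", and "users machine" is missing the apostrophe; if the file is touched again before release, fix both and re-sign. Also, the author name `Ulf H�rnhammar` places a non-ASCII byte inside the signed region; the signature covers the raw bytes, so any Latin-1/UTF-8 transcoding by the web server or a mail gateway will break `gpg --verify`, and the file's encoding should be pinned in the serving path.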
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/page.pl
============================================================================
$ cvs diff -u -r1.34 -r1.35 page.pl
--- openpkg-web/security/page.pl 4 Dec 2003 15:21:13 -0000 1.34
+++ openpkg-web/security/page.pl 17 Dec 2003 11:58:48 -0000 1.35
@@ -13,7 +13,7 @@
foreach my $sa (reverse sort @SA) {
my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
next if ($name =~ m|^0000|);
- next if ($name =~ m|^2003\.05[2-9]|);
+ next if ($name =~ m|^2003\.05[4-9]|);
if ($this_year ne $year) {
$sidebar .= "<br>\n";
$this_year = $year;
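Review bot: the sidebar filter `next if ($name =~ m|^2003\.05[4-9]|);` is a hand-maintained hide list that must be edited in lockstep with every advisory release (here it is bumped from `[2-9]` to `[4-9]` in the same commit that signs SA-2003.052 and 053). Two failure modes follow: forgetting the bump hides a published advisory, and bumping early exposes an unsigned draft. A more robust rule would derive visibility from the file itself, for example skipping any advisory whose text lacks a `-----BEGIN PGP SIGNATURE-----` block, or keeping drafts outside the directory page.pl reads; the pattern, which is also year-specific and will need a `2004` variant for the next advisory, could then go away entirely.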
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]