----- Forwarded message from Joe Little <[EMAIL PROTECTED]> -----

> From: Joe Little <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 1 Aug 2000 11:08:12 -0700
> To: [EMAIL PROTECTED]
> Subject: [TL-Security-Announce] cvsweb TLSA2000016-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ___________________________________________________________________________
>
>                     TurboLinux Security Announcement
>
> Package: cvsweb-1.90 and earlier
> Date: Tuesday August 1 11:00 PDT 2000
>
> Affected TurboLinux versions: 6.0.5 and earlier
> Vulnerability Type: remote shell exploit
> TurboLinux Advisory ID#: TLSA2000016-1
> Credits:
>
> ___________________________________________________________________________
>
> A security hole was discovered in the package mentioned above. Please
> update the package in your installation as soon as possible or disable the
> service.
> ___________________________________________________________________________
>
> 1. Problem Summary
>
> Current and previous versions of cvsweb allow remote users to access/write
> files as the default web user via the cvsweb.cgi script.
>
> 2. Impact
>
> Remote read/write access to arbitrary files owned by the default web user
> is possible via this exploit.
>
> 3. Solution
>
> Please upgrade both the cvsweb package to match the new revision
>
> Update the packages from our ftp server by running the following command:
>
> rpm -Fv ftp_path_to_filename
>
> Where ftp_path_to_filename is the following:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/cvsweb-1.91-3.noarch.rpm
>
> The source RPM can be downloaded here:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/cvsweb-1.91-3.src.rpm
>
> **Note: You must rebuild and install the RPM if you choose to download
> and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
> THE SECURITY HOLE.
>
> Please verify the MD5 checksum of the update before you install:
>
> MD5 sum                           Package Name
> - - ---------------------------------------------------------------------------
> a9983e6d1fa2fae00f136a0b9c1708a2  cvsweb-1.91-3.noarch.rpm
> e1a178d0280d56334922b533b6413db7  cvsweb-1.91-3.src.rpm
> ___________________________________________________________________________
>
> These packages are GPG signed by Turbolinux for security. Our key
> is available here:
>
> http://www.turbolinux.com/security/tlgpgkey.asc
>
> To verify a package, use the following command:
>
> rpm --checksig name_of_rpm
>
> To examine only the md5sum, use the following command:
>
> rpm --checksig --nogpg name_of_rpm
>
> **Note: Checking GPG keys requires RPM 3.0 or higher.
>
> ___________________________________________________________________________
> You can find more updates on our ftp server:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation
> and Server security updates
> ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation
> and Server security updates
>
> Our webpage for security announcements:
>
> http://www.turbolinux.com/security
>
> If you want to report vulnerabilities, please contact:
>
> [EMAIL PROTECTED]
> ___________________________________________________________________________
>
> Subscribe to the TurboLinux Security Mailing lists:
>
> TL-security - A moderated list for discussing security issues in TurboLinux
> products.
> Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
>
> TL-security-announce - An announce-only mailing list for security updates
> and alerts.
> Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security-announce
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE5hxGF7eR7bnHQKeQRAuMiAJ9l/8WU9Leu3Ccm7YOJGhEmQG9BJgCeJCP0
> TybkFkNFjF4/ntaSlr2RcAU=
> =Vx6a
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> TL-Security-Announce mailing list
> [EMAIL PROTECTED]
> http://www.turbolinux.com/mailman/listinfo/tl-security-announce

----- End forwarded message -----

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be contacted at [EMAIL PROTECTED]
