Your message dated Sat, 27 Jan 2007 10:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#406628: fixed in geoip 1.3.17-1.1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libgeoip1
Severity: important
A vulnerability has been identified in GeoIP, which could be exploited
to conduct directory traversal attacks. This issue is due to an input
validation error in the "GeoIP_update_database_general()"
[GeoIPUpdate.c] function when handling the database filename, which
could be exploited by malicious update servers to overwrite arbitrary
files by sending specially crafted HTTP requests to the
"app/update_getfilename" script.
Affected Products
GeoIP version 1.4.0 and prior
Solution
Apply patch :
http://arctic.org/~dean/patches/GeoIP-1.4.0-update-vulnerability.patch
References
http://www.frsirt.com/english/advisories/2007/0117
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
regards,
--
.''`.
: :' : Alex de Oliveira Silva | enerv
`. `' www.enerv.net
`-
--- End Message ---
--- Begin Message ---
Source: geoip
Source-Version: 1.3.17-1.1
We believe that the bug you reported is fixed in the latest version of
geoip, which is due to be installed in the Debian FTP archive:
geoip-bin_1.3.17-1.1_i386.deb
to pool/main/g/geoip/geoip-bin_1.3.17-1.1_i386.deb
geoip_1.3.17-1.1.diff.gz
to pool/main/g/geoip/geoip_1.3.17-1.1.diff.gz
geoip_1.3.17-1.1.dsc
to pool/main/g/geoip/geoip_1.3.17-1.1.dsc
libgeoip-dev_1.3.17-1.1_i386.deb
to pool/main/g/geoip/libgeoip-dev_1.3.17-1.1_i386.deb
libgeoip1_1.3.17-1.1_i386.deb
to pool/main/g/geoip/libgeoip1_1.3.17-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Neil McGovern <[EMAIL PROTECTED]> (supplier of updated geoip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 27 Jan 2007 10:23:23 +0000
Source: geoip
Binary: libgeoip-dev geoip-bin libgeoip1
Architecture: source i386
Version: 1.3.17-1.1
Distribution: unstable
Urgency: high
Maintainer: Marek Habersack <[EMAIL PROTECTED]>
Changed-By: Neil McGovern <[EMAIL PROTECTED]>
Description:
geoip-bin - IP lookup command line tools that use the GeoIP library
libgeoip-dev - Development files for the GeoIP library
libgeoip1 - A non-DNS IP-to-country resolver library
Closes: 406628
Changes:
geoip (1.3.17-1.1) unstable; urgency=high
.
* Non-maintainer upload by security team.
* Added patch for CVE-2007-0159: libgeoip1:
"GeoIP_update_database_general()" Remote Directory Traversal Vulnerability
(Closes: #406628)
* Removed automatically copying of config.status and config.sub - this
creates a bloated diff for security updates.
Files:
98626d21b823c30061e6a897cbb8a255 607 - optional geoip_1.3.17-1.1.dsc
5ff5a8bbe16dd4dac3980c7c8bdbbe99 32099 - optional geoip_1.3.17-1.1.diff.gz
3b821f49d190bb10888d68dfee3b7c2a 475652 libs optional
libgeoip1_1.3.17-1.1_i386.deb
1d7d2175355b56333f7745fa7c928174 46930 devel optional
libgeoip-dev_1.3.17-1.1_i386.deb
4658fa082b80e88232966f61ee2f4932 17106 net optional
geoip-bin_1.3.17-1.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFuyiX97LBwbNFvdMRAvY9AJwMTJx074bNIRfUI7UyeiZrAU36BgCfUGlr
DrQdqt4Eu36Fmo6mBtvJcG4=
=m7rK
-----END PGP SIGNATURE-----
--- End Message ---