OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 10-Jun-2005 15:28:42
Branch: HEAD Handle: 2005061014284200
Modified files:
openpkg-web/security OpenPKG-SA-2005.008-bzip2.txt
Log:
replace text regarding the affected bootstrap package with a reference to
OpenPKG-SA-2005.010-openpkg, where it is treated separately
Summary:
Revision Changes Path
1.3 +19 -18 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
============================================================================
$ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2005.008-bzip2.txt
--- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt 8 Jun 2005
12:40:47 -0000 1.2
+++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt 10 Jun 2005
13:28:42 -0000 1.3
@@ -3,22 +3,19 @@
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2005.008 08-June-2005
+OpenPKG-SA-2005.008 10-June-2005
________________________________________________________________________
-Package: bzip2, openpkg, analog
+Package: bzip2
Vulnerability: arbitrary file mode modification, denial of service
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= bzip2-1.0.2-20050324 >= bzip2-1.0.3-20050506
- <= openpkg-20050527-20050527 >=
openpkg-20050606-20050606
<= analog-6.0-20041220 >= analog-6.0-20050608
OpenPKG 2.3 <= bzip2-1.0.2-2.3.0 >= bzip2-1.0.2-2.3.1
- <= openpkg-2.2.2-2.2.2 >= openpkg-2.2.3-2.2.3
<= analog-6.0-2.3.0 >= analog-6.0-2.3.1
OpenPKG 2.2 <= bzip2-1.0.2-2.2.0 >= bzip2-1.0.2-2.2.1
- <= openpkg-2.3.1-2.3.1 >= openpkg-2.3.2-2.3.2
Affected Releases: Dependent Packages:
OpenPKG CURRENT apache::with_mod_php_bzip2 bsdtar clamav gnupg
@@ -47,17 +44,20 @@
Vulnerabilities and Exposures (CVE) project assigned the identifier
CAN-2005-1260 [3] to this problem.
+ Because the openpkg bootstrap package embeds bzip2, it may be affected
+ as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].
+
Please check whether you are affected by running "<prefix>/bin/openpkg
rpm -q bzip2". If you have the "bzip2" package installed and its
version is affected (see above), we recommend that you immediately
- upgrade it (see Solution) and any dependent packages as well [4][5].
+ upgrade it (see Solution) and any dependent packages as well [5][6].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
- location, verify its integrity [10], build a corresponding binary
- RPM from it [4] and update your OpenPKG installation by applying the
- binary RPM [5]. For the most recent release OpenPKG 2.3, perform the
+ [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
+ location, verify its integrity [11], build a corresponding binary
+ RPM from it [5] and update your OpenPKG installation by applying the
+ binary RPM [6]. For the most recent release OpenPKG 2.3, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).
@@ -72,7 +72,7 @@
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm
We recommend that you rebuild and reinstall any dependent packages
- (see above) as well [4][5]. The openpkg build tool can be instrumental
+ (see above) as well [5][6]. The openpkg build tool can be instrumental
in consistently updating and securing the entire OpenPKG instance.
________________________________________________________________________
@@ -81,13 +81,14 @@
[1] http://sources.redhat.com/bzip2/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
- [4] http://www.openpkg.org/tutorial.html#regular-source
- [5] http://www.openpkg.org/tutorial.html#regular-binary
- [6] ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3.1.src.rpm
- [7] ftp://ftp.openpkg.org/release/2.2/UPD/bzip2-1.0.2-2.2.1.src.rpm
- [8] ftp://ftp.openpkg.org/release/2.3/UPD/
- [9] ftp://ftp.openpkg.org/release/2.2/UPD/
- [10] http://www.openpkg.org/security.html#signature
+ [4] http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
+ [5] http://www.openpkg.org/tutorial.html#regular-source
+ [6] http://www.openpkg.org/tutorial.html#regular-binary
+ [7] ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3.1.src.rpm
+ [8] ftp://ftp.openpkg.org/release/2.2/UPD/bzip2-1.0.2-2.2.1.src.rpm
+ [9] ftp://ftp.openpkg.org/release/2.3/UPD/
+ [10] ftp://ftp.openpkg.org/release/2.2/UPD/
+ [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org
