OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 15:28:42 Branch: HEAD Handle: 2005061014284200 Modified files: openpkg-web/security OpenPKG-SA-2005.008-bzip2.txt Log: replace text regarding the affected bootstrap package with a reference to OpenPKG-SA-2005.010-openpkg, where it is treated separately Summary: Revision Changes Path 1.3 +19 -18 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt ============================================================================ $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2005.008-bzip2.txt --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt 8 Jun 2005 12:40:47 -0000 1.2 +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt 10 Jun 2005 13:28:42 -0000 1.3 @@ -3,22 +3,19 @@ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] -OpenPKG-SA-2005.008 08-June-2005 +OpenPKG-SA-2005.008 10-June-2005 ________________________________________________________________________ -Package: bzip2, openpkg, analog +Package: bzip2 Vulnerability: arbitrary file mode modification, denial of service OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= bzip2-1.0.2-20050324 >= bzip2-1.0.3-20050506 - <= openpkg-20050527-20050527 >= openpkg-20050606-20050606 <= analog-6.0-20041220 >= analog-6.0-20050608 OpenPKG 2.3 <= bzip2-1.0.2-2.3.0 >= bzip2-1.0.2-2.3.1 - <= openpkg-2.2.2-2.2.2 >= openpkg-2.2.3-2.2.3 <= analog-6.0-2.3.0 >= analog-6.0-2.3.1 OpenPKG 2.2 <= bzip2-1.0.2-2.2.0 >= bzip2-1.0.2-2.2.1 - <= openpkg-2.3.1-2.3.1 >= openpkg-2.3.2-2.3.2 Affected Releases: Dependent Packages: OpenPKG CURRENT apache::with_mod_php_bzip2 bsdtar clamav gnupg 
@@ -47,17 +44,20 @@ Vulnerabilities and Exposures (CVE) project assigned the identifier CAN-2005-1260 [3] to this problem. + Because the openpkg bootstrap package embeds bzip2, it may be affected + as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4]. + Please check whether you are affected by running "<prefix>/bin/openpkg rpm -q bzip2". If you have the "bzip2" package installed and its version is affected (see above), we recommend that you immediately - upgrade it (see Solution) and any dependent packages as well [4][5]. + upgrade it (see Solution) and any dependent packages as well [5][6]. Solution: Select the updated source RPM appropriate for your OpenPKG release - [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror - location, verify its integrity [10], build a corresponding binary - RPM from it [4] and update your OpenPKG installation by applying the - binary RPM [5]. For the most recent release OpenPKG 2.3, perform the + [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror + location, verify its integrity [11], build a corresponding binary + RPM from it [5] and update your OpenPKG installation by applying the + binary RPM [6]. For the most recent release OpenPKG 2.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). @@ -72,7 +72,7 @@ # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm We recommend that you rebuild and reinstall any dependent packages - (see above) as well [4][5]. The openpkg build tool can be instrumental + (see above) as well [5][6]. The openpkg build tool can be instrumental in consistently updating and securing the entire OpenPKG instance. ________________________________________________________________________ 
@@ -81,13 +81,14 @@ [1] http://sources.redhat.com/bzip2/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260 - [4] http://www.openpkg.org/tutorial.html#regular-source - [5] http://www.openpkg.org/tutorial.html#regular-binary - [6] ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3.1.src.rpm - [7] ftp://ftp.openpkg.org/release/2.2/UPD/bzip2-1.0.2-2.2.1.src.rpm - [8] ftp://ftp.openpkg.org/release/2.3/UPD/ - [9] ftp://ftp.openpkg.org/release/2.2/UPD/ - [10] http://www.openpkg.org/security.html#signature + [4] http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html + [5] http://www.openpkg.org/tutorial.html#regular-source + [6] http://www.openpkg.org/tutorial.html#regular-binary + [7] ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3.1.src.rpm + [8] ftp://ftp.openpkg.org/release/2.2/UPD/bzip2-1.0.2-2.2.1.src.rpm + [9] ftp://ftp.openpkg.org/release/2.3/UPD/ + [10] ftp://ftp.openpkg.org/release/2.2/UPD/ + [11] http://www.openpkg.org/security.html#signature ________________________________________________________________________ For security reasons, this advisory was digitally signed with the @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
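Review bot: In the first hunk (@@ -3,22 +3,19 @@) the "Package:" line is reduced from "bzip2, openpkg, analog" to "bzip2", yet the "<= analog-6.0-20041220 >= analog-6.0-20050608", "<= analog-6.0-2.3.0 >= analog-6.0-2.3.1" rows stay in the Affected/Corrected table as unchanged context, so the header and the table now disagree on whether analog is covered by this advisory. The log message only speaks of moving the openpkg bootstrap package to OpenPKG-SA-2005.010; either keep "analog" in the "Package:" line or remove the analog rows as well, in the same commit, so readers cannot get a different answer depending on which part of the advisory they consult.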
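Review bot: Inserting the new advisory link as [4] in the second hunk (@@ -47,17 +44,20 @@) forces every later reference in an already published advisory to be renumbered ([4][5] becomes [5][6], [6][7] becomes [7][8], and so on), which silently changes the meaning of any citation of revision 1.2 that quotes a number. Appending the OpenPKG-SA-2005.010 link as the last entry ([11]) would keep the existing numbers stable and shrink the change to the two lines that actually add information.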
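Review bot: The renumbered reference list in the last hunk (@@ -81,13 +81,14 @@) is consistent with the citations touched in the two hunks above it, but the diff only shows the citations that were edited; any remaining "[4]" to "[10]" in parts of the advisory outside these hunks would now point at the wrong entry. Before committing, grep the full file for bracketed numbers and confirm that every one of them was updated.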