OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 05-Sep-2005 18:10:34
Branch: HEAD Handle: 2005090517103300
Added files:
openpkg-web/security OpenPKG-SA-2005.018-pcre.txt
Log:
release OpenPKG Security Advisory 2005.018 (pcre)
Summary:
Revision Changes Path
1.1 +121 -0 openpkg-web/security/OpenPKG-SA-2005.018-pcre.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.018-pcre.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.018-pcre.txt
--- /dev/null 2005-09-05 18:10:32 +0200
+++ OpenPKG-SA-2005.018-pcre.txt 2005-09-05 18:10:34 +0200
@@ -0,0 +1,121 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+________________________________________________________________________
+
+OpenPKG Security Advisory The OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2005.018 05-Sep-2005
+________________________________________________________________________
+
+Package: pcre
+Vulnerability: arbitrary code execution
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= pcre-6.1-20050622 >= pcre-6.2-20050802
+ <= exim-4.52-20050701 >= exim-4.52-20050905
+ <= fsl-1.6.0-20050808 >= fsl-1.6.0-20050905
+ <= hypermail-2.1.8-20050324 >= hypermail-2.1.8-20050905
+ <= l2-0.9.10-20050615 >= l2-0.9.10-20050905
+ <= str-0.9.10-20050615 >= str-0.9.10-20050905
+ <= lmtp2nntp-1.3.0-20050615 >= lmtp2nntp-1.3.0-20050905
+ <= tin-1.6.2-20040207 >= tin-1.6.2-20050905
+ <= wml-2.0.9-20050617 >= wml-2.0.9-20050905
+OpenPKG 2.4 <= pcre-6.0-2.4.0 >= pcre-6.0-2.4.1
+ <= exim-4.51-2.4.0 >= exim-4.51-2.4.1
+ <= fsl-1.6.0-2.4.0 >= fsl-1.6.0-2.4.1
+ <= hypermail-2.1.8-2.4.0 >= hypermail-2.1.8-2.4.1
+ <= l2-0.9.10-2.4.0 >= l2-0.9.10-2.4.1
+ <= str-0.9.10-2.4.0 >= str-0.9.10-2.4.1
+ <= lmtp2nntp-1.3.0-2.4.0 >= lmtp2nntp-1.3.0-2.4.1
+ <= tin-1.6.2-2.4.0 >= tin-1.6.2-2.4.1
+ <= wml-2.0.9-2.4.0 >= wml-2.0.9-2.4.1
+OpenPKG 2.3 <= pcre-5.0-2.3.0 >= pcre-5.0-2.3.1
+ <= exim-4.50-2.3.0 >= exim-4.50-2.3.1
+ <= fsl-1.6.0-2.3.2 >= fsl-1.6.0-2.3.3
+ <= hypermail-2.1.8-2.3.0 >= hypermail-2.1.8-2.3.1
+ <= l2-0.9.10-2.3.1 >= l2-0.9.10-2.3.2
+ <= str-0.9.10-2.3.1 >= str-0.9.10-2.3.2
+ <= lmtp2nntp-1.3.0-2.3.1 >= lmtp2nntp-1.3.0-2.3.2
+ <= tin-1.6.2-2.3.0 >= tin-1.6.2-2.3.1
+ <= wml-2.0.9-2.3.1 >= wml-2.0.9-2.3.2
+
+Dependent Packages: aide analog apache apachetop arpd cfengine cvs
+ cvsd dbtool dhcp-agent dhcpd diogene87 dnrd
+ drac ethereal ettercap flowd flowtools gated
+ grep honeyd imapd inetutils inn ircd kde-libs
+ kerberos kermit lighttpd mixmaster monit msntp
+ nagios nessus-tool ngircd nntpcache nsd ntp
+ openldap openssh openvpn petidomo php php5 pks
+ portfwd portsentry postfix pound powerdns privoxy
+ prngd procmail pureftpd qpopper r rbldnsd rdist
+ samhain sasl scponly sendmail smtpfeed snmp snort
+ softflowd sophie spamassassin squid ssmtp stunnel
+ sudo sysmon tacacs teapop tftp thttpd tinyproxy
+ tripwire ucarp whoson
+
+Description:
+ An integer overflow problem was discovered in the Perl Compatible
+ Regular Expressions (PCRE) [1] library, version 6.2 and earlier.
+ The problem allows a remote or local attacker to execute arbitrary
+ code by causing a heap-based buffer overflow via quantifier values
+ in regular expressions. As PCRE is a popular library, this problem
+ affects many applications. The Common Vulnerabilities and Exposures
+ (CVE) project assigned the id CAN-2005-2491 [2] to the problem.
+
+ Please check whether you are affected by running "<prefix>/bin/openpkg
+ rpm -q pcre". If you have the "pcre" package installed and its version
+ is affected (see above), we recommend that you immediately upgrade it
+ (see Solution) and its dependent packages (see above), too [3][4].
+
+Solution:
+ Select the updated source RPM appropriate for your OpenPKG release
+ [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
+ location, verify its integrity [9], build a corresponding binary RPM
+ from it [3] and update your OpenPKG installation by applying the
+ binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
+ following operations to permanently fix the security problem (for
+ other releases adjust accordingly).
+
+ $ ftp ftp.openpkg.org
+ ftp> bin
+ ftp> cd release/2.4/UPD
+ ftp> get pcre-6.0-2.4.1.src.rpm
+ ftp> bye
+ $ <prefix>/bin/openpkg rpm -v --checksig pcre-6.0-2.4.1.src.rpm
+ $ <prefix>/bin/openpkg rpm --rebuild pcre-6.0-2.4.1.src.rpm
+ $ su -
+ # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/pcre-6.0-2.4.1.*.rpm
+
+ Additionally, we recommend that you rebuild and reinstall
+ all dependent packages (see above), too [3][4].
+________________________________________________________________________
+
+References:
+ [1] http://www.pcre.org/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
+ [5] ftp://ftp.openpkg.org/release/2.4/UPD/pcre-6.0-2.4.1.src.rpm
+ [6] ftp://ftp.openpkg.org/release/2.3/UPD/pcre-5.0-2.3.1.src.rpm
+ [7] ftp://ftp.openpkg.org/release/2.4/UPD/
+ [8] ftp://ftp.openpkg.org/release/2.3/UPD/
+ [9] http://www.openpkg.org/security.html#signature
+________________________________________________________________________
+
+For security reasons, this advisory was digitally signed with the
+OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
+OpenPKG project which you can retrieve from http://pgp.openpkg.org and
+hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
+for details on how to verify the integrity of this advisory.
+________________________________________________________________________
+
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQFDHG3jgHWT4GPEy58RAlJ6AKCRpeXSjDgtyjThecNIWmFY+kLWqwCg5tR0
+TboY1Zy6BjvYZzjPLE4dH6Q=
+=mj3k
+-----END PGP SIGNATURE-----
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]
