OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 15-Jan-2003 16:31:42
Branch: HEAD Handle: 2003011515314200
Modified files:
openpkg-web/security OpenPKG-SA-0000.000-template.txt
Log:
backporting from latest SA
Summary:
Revision Changes Path
1.7 +41 -35 openpkg-web/security/OpenPKG-SA-0000.000-template.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-0000.000-template.txt
============================================================================
$ cvs diff -u -r1.6 -r1.7 OpenPKG-SA-0000.000-template.txt
--- openpkg-web/security/OpenPKG-SA-0000.000-template.txt 15 Jan 2003 12:52:01
-0000 1.6
+++ openpkg-web/security/OpenPKG-SA-0000.000-template.txt 15 Jan 2003 15:31:42
-0000 1.7
@@ -3,64 +3,70 @@
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2003.xxx xx-xxx-2003
+OpenPKG-SA-2003.### DD-Mmm-2003
________________________________________________________________________
Package: foo
-Vulnerability: local root exploit
+Vulnerability: crazy vulnerability
OpenPKG Specific: no
-Affected Releases: OpenPKG 1.0 OpenPKG 1.1
-Affected Packages: foo-1.2.0-1.0.0 foo-1.4.0-1.1.0
-Corrected Packages: foo-1.2.0-1.0.1 foo-1.4.0-1.1.1
-Dependent Packages: bar-1.0.0-1.0.0 bar-1.0.0-1.1.0
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= foo-1.2.5-20021003 >= foo-1.2.5-20030115
+OpenPKG 1.1 <= foo-1.2.4-1.1.0 >= foo-1.2.4-1.1.1
+OpenPKG 1.0 <= foo-1.2.0-1.0.0 >= foo-1.2.0-1.0.1
+
+Affected Releases: Dependent Packages:
+OpenPKG CURRENT bar quux
+OpenPKG 1.1 bar quux
+OpenPKG 1.0 bar
Description:
- According to ... [7] ...
+ According to a ... security advisory based on hints from ...
+ [0], a crazy vulnerability exists in the
+ ... [1] ....
+ The Common Vulnerabilities and Exposures (CVE) project
+ assigned the id CAN-... [2] to the problem.
- Please check whether you are affected by running "<prefix>/bin/rpm -qa
- foo". If you have the "foo" package installed and its version
+ Please check whether you are affected by running "<prefix>/bin/rpm
+ -qa foo". If you have the "foo" package installed and its version
is affected (see above), we recommend that you immediately upgrade
- it (see Solution). Additionally, we recommend that you rebuild and
- reinstall all dependent OpenPKG packages, too. [2]
-
-Workaround:
- Perform the following operations to temporarily workaround the
- security problem (be careful, it deactivates the whole service):
-
- $ su -
- # <prefix>/etc/rc foo stop
- # <prefix>/bin/rpm -e foo
+ it (see Solution) and it's dependent packages (see above), if any,
+ too. [3][4]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [5][6], fetch it from the OpenPKG FTP service [3][4] or a mirror
- location, verify its integrity [1], build a corresponding binary RPM
- from it and update your OpenPKG installation by applying the binary
- RPM [2]. For the latest OpenPKG 1.1 release, perform the following
+ [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
+ location, verify its integrity [9], build a corresponding binary RPM
+ from it [3] and update your OpenPKG installation by applying the binary
+ RPM [4]. For the current release OpenPKG 1.1, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
- ftp> cd release/1.0/UPD
- ftp> get foo-1.2.0-1.0.1.src.rpm
+ ftp> cd release/1.1/UPD
+ ftp> get foo-1.2.4-1.1.1.src.rpm
ftp> bye
- $ <prefix>/bin/rpm -v --checksig foo-1.2.1-1.0.1.src.rpm
- $ <prefix>/bin/rpm --rebuild foo-1.2.1-1.0.1.src.rpm
+ $ <prefix>/bin/rpm -v --checksig foo-1.2.4-1.1.1.src.rpm
+ $ <prefix>/bin/rpm --rebuild foo-1.2.4-1.1.1.src.rpm
$ su -
- # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/foo-1.2.1-1.0.1.*.rpm
- # <prefix>/etc/rc foo stop start
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/foo-1.2.4-1.1.1.*.rpm
+
+ Additionally, we recommend that you rebuild and reinstall
+ all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________
References:
- [1] http://www.openpkg.org/security.html#signature
- [2] http://www.openpkg.org/tutorial.html#regular-source
- [3] ftp://ftp.openpkg.org/release/1.0/UPD/
- [4] ftp://ftp.openpkg.org/release/1.1/UPD/
+ [0] http://www.example.com/bugfinder.html
+ [1] http://www.foo.org/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-...
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.0/UPD/foo-1.2.0-1.0.1.src.rpm
- [6] ftp://ftp.openpkg.org/release/1.1/UPD/foo-1.4.0-1.1.1.src.rpm
- [7] ... BugTraq ...
+ [6] ftp://ftp.openpkg.org/release/1.1/UPD/foo-1.2.4-1.1.1.src.rpm
+ [7] ftp://ftp.openpkg.org/release/1.0/UPD/
+ [8] ftp://ftp.openpkg.org/release/1.1/UPD/
+ [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with
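Review bot: The Solution block no longer restarts the service after the upgrade: the old line `# <prefix>/etc/rc foo stop start` following `rpm -Fvh` is removed, and the whole Workaround section (which also carried the `rc foo stop` step) is dropped, so the template now leaves a running daemon on the old binary after the package has been replaced. Keep a restart step after the `rpm -Fvh` line, e.g. `# <prefix>/etc/rc foo restart` or the original `stop start` pair, so every advisory generated from the template tells administrators to bounce the patched service. Minor: in the new line `it (see Solution) and it's dependent packages (see above), if any,` the possessive should be `its`.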
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]