OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 19-Mar-2003 15:53:07 Branch: HEAD Handle: 2003031914530700 Modified files: openpkg-web/security OpenPKG-SA-2003.023-delegate.txt page.pl Log: polish and sign DeleGate SA Summary: Revision Changes Path 1.3 +21 -12 openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt 1.8 +1 -1 openpkg-web/security/page.pl ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt ============================================================================ $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2003.023-delegate.txt --- openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt 19 Mar 2003 14:31:13 -0000 1.2 +++ openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt 19 Mar 2003 14:53:07 -0000 1.3 @@ -1,3 +1,6 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project @@ -7,7 +10,7 @@ ________________________________________________________________________ Package: delegate -Vulnerability: Remote Code Execution +Vulnerability: remote code execution OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: 
@@ -21,21 +24,21 @@ According to a SNS security advisory [0], a remote code execution vulnerability exists in the application level gateway DeleGate [1] version 8.4.0 and earlier. Fetching a large robots.txt file through - DeleGate could result in a buffer overflow. + DeleGate HTTP proxy could result in a buffer overflow. Please check whether you are affected by running "<prefix>/bin/rpm - -q delegate". If you have the "delegate" package installed and its version - is affected (see above), we recommend that you immediately upgrade - it (see Solution). [2][3] + -q delegate". If you have the "delegate" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution). [2][3] Solution: Select the updated source RPM appropriate for your OpenPKG release [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror location, verify its integrity [8], build a corresponding binary RPM - from it [2] and update your OpenPKG installation by applying the binary - RPM [3]. For the current release OpenPKG 1.2, perform the following - operations to permanently fix the security problem (for other releases - adjust accordingly). + from it [2] and update your OpenPKG installation by applying the + binary RPM [3]. For the current release OpenPKG 1.2, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin @@ -46,7 +49,6 @@ $ <prefix>/bin/rpm --rebuild delegate-8.3.3-1.2.1.src.rpm $ su - # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/delegate-8.3.3-1.2.1.*.rpm - ________________________________________________________________________ References: 
@@ -54,8 +56,8 @@ [1] http://www.delegate.org/ [2] http://www.openpkg.org/tutorial.html#regular-source [3] http://www.openpkg.org/tutorial.html#regular-binary - [4] ftp://ftp.openpkg.org/release/1.1/UPD/delegate-7.9.11-1.1.0.src.rpm - [5] ftp://ftp.openpkg.org/release/1.2/UPD/delegate-8.3.3-1.2.0.src.rpm + [4] ftp://ftp.openpkg.org/release/1.1/UPD/delegate-7.9.11-1.1.1.src.rpm + [5] ftp://ftp.openpkg.org/release/1.2/UPD/delegate-8.3.3-1.2.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.1/UPD/ [7] ftp://ftp.openpkg.org/release/1.2/UPD/ [8] http://www.openpkg.org/security.html#signature @@ -70,3 +72,10 @@ the command "gpg --verify --keyserver keyserver.pgp.com". ________________________________________________________________________ +-----BEGIN PGP SIGNATURE----- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQE+eIPogHWT4GPEy58RAjk9AKCpX55H/+HUu2cpdmtM/SNdDNeA+ACgvMTE +Dh1C6hKWEKzhXj+k89E8CpI= +=6xux +-----END PGP SIGNATURE----- @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/page.pl ============================================================================ $ cvs diff -u -r1.7 -r1.8 page.pl --- openpkg-web/security/page.pl 18 Mar 2003 15:54:31 -0000 1.7 +++ openpkg-web/security/page.pl 19 Mar 2003 14:53:07 -0000 1.8 @@ -12,7 +12,7 @@ foreach my $sa (reverse sort @SA) { my ($base, $name) = ($sa =~ m|^(OpenPKG-SA-(.+))\.txt$|); next if ($name =~ m|^0000|); - next if ($name =~ m|^2003\.02[3-9]|); + next if ($name =~ m|^2003\.02[5-9]|); $sidebar .= "<a href=\"$base.html\">$name</a><br>"; } @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
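Review bot: In the description hunk of OpenPKG-SA-2003.023-delegate.txt (@@ -21,21 +24,21 @@), the new line "DeleGate HTTP proxy could result in a buffer overflow." is missing an article. "through the DeleGate HTTP proxy" reads correctly, and the unchanged context line "a SNS security advisory" should be "an SNS security advisory". The rest of the hunk is re-wrapping only. Because this revision also adds the clearsign wrapper, the wording fixes mean signing the file again.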
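Review bot: In the references hunk (@@ -54,8 +56,8 @@), [4] and [5] move from delegate-7.9.11-1.1.0 and delegate-8.3.3-1.2.0 to -1.1.1 and -1.2.1, but the rows under "Affected Packages: Corrected Packages:" are not part of this diff, so it cannot be seen whether they name the same versions. The Solution commands already rebuild delegate-8.3.3-1.2.1.src.rpm, which means revision 1.2 pointed readers at a different package than the one it told them to build. Please confirm the table, the references and the commands all agree before the page is published.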
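Review bot: In the last advisory hunk (@@ -70,3 +72,10 @@), the signature block is committed in the same revision as the re-wrapped paragraphs and the changed URLs, so the diff alone does not show that the signature was made over exactly this final body. Run the "gpg --verify" check that the advisory itself describes against revision 1.3 as checked out before publishing. From here on, any edit to the signed body, including whitespace or line wrapping, invalidates the signature and needs a re-sign in the same commit.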
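Review bot: In page.pl, the new filter "next if ($name =~ m|^2003\.02[5-9]|);" un-hides both 2003.023 and 2003.024 in the sidebar, while the log message and the modified-files list cover only the DeleGate advisory (023). If 024 is not yet polished and signed, the class should be [4-9]. The hard-coded range also ends at 029, so an unfinished advisory numbered 2003.030 or later would be listed automatically. Consider keying visibility on whether the file carries a signature rather than on a number range that has to be edited for every release.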