OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 19-Mar-2003 15:53:07
Branch: HEAD Handle: 2003031914530700
Modified files:
openpkg-web/security OpenPKG-SA-2003.023-delegate.txt page.pl
Log:
polish and sign DeleGate SA
Summary:
Revision Changes Path
1.3 +21 -12 openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt
1.8 +1 -1 openpkg-web/security/page.pl
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt
============================================================================
$ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2003.023-delegate.txt
--- openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt 19 Mar 2003 14:31:13
-0000 1.2
+++ openpkg-web/security/OpenPKG-SA-2003.023-delegate.txt 19 Mar 2003 14:53:07
-0000 1.3
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
@@ -7,7 +10,7 @@
________________________________________________________________________
Package: delegate
-Vulnerability: Remote Code Execution
+Vulnerability: remote code execution
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
@@ -21,21 +24,21 @@
According to a SNS security advisory [0], a remote code execution
vulnerability exists in the application level gateway DeleGate [1]
version 8.4.0 and earlier. Fetching a large robots.txt file through
- DeleGate could result in a buffer overflow.
+ DeleGate HTTP proxy could result in a buffer overflow.
Please check whether you are affected by running "<prefix>/bin/rpm
- -q delegate". If you have the "delegate" package installed and its version
- is affected (see above), we recommend that you immediately upgrade
- it (see Solution). [2][3]
+ -q delegate". If you have the "delegate" package installed and its
+ version is affected (see above), we recommend that you immediately
+ upgrade it (see Solution). [2][3]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
location, verify its integrity [8], build a corresponding binary RPM
- from it [2] and update your OpenPKG installation by applying the binary
- RPM [3]. For the current release OpenPKG 1.2, perform the following
- operations to permanently fix the security problem (for other releases
- adjust accordingly).
+ from it [2] and update your OpenPKG installation by applying the
+ binary RPM [3]. For the current release OpenPKG 1.2, perform the
+ following operations to permanently fix the security problem (for
+ other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
@@ -46,7 +49,6 @@
$ <prefix>/bin/rpm --rebuild delegate-8.3.3-1.2.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/delegate-8.3.3-1.2.1.*.rpm
-
________________________________________________________________________
References:
@@ -54,8 +56,8 @@
[1] http://www.delegate.org/
[2] http://www.openpkg.org/tutorial.html#regular-source
[3] http://www.openpkg.org/tutorial.html#regular-binary
- [4] ftp://ftp.openpkg.org/release/1.1/UPD/delegate-7.9.11-1.1.0.src.rpm
- [5] ftp://ftp.openpkg.org/release/1.2/UPD/delegate-8.3.3-1.2.0.src.rpm
+ [4] ftp://ftp.openpkg.org/release/1.1/UPD/delegate-7.9.11-1.1.1.src.rpm
+ [5] ftp://ftp.openpkg.org/release/1.2/UPD/delegate-8.3.3-1.2.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.1/UPD/
[7] ftp://ftp.openpkg.org/release/1.2/UPD/
[8] http://www.openpkg.org/security.html#signature
@@ -70,3 +72,10 @@
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE+eIPogHWT4GPEy58RAjk9AKCpX55H/+HUu2cpdmtM/SNdDNeA+ACgvMTE
+Dh1C6hKWEKzhXj+k89E8CpI=
+=6xux
+-----END PGP SIGNATURE-----
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/page.pl
============================================================================
$ cvs diff -u -r1.7 -r1.8 page.pl
--- openpkg-web/security/page.pl 18 Mar 2003 15:54:31 -0000 1.7
+++ openpkg-web/security/page.pl 19 Mar 2003 14:53:07 -0000 1.8
@@ -12,7 +12,7 @@
foreach my $sa (reverse sort @SA) {
my ($base, $name) = ($sa =~ m|^(OpenPKG-SA-(.+))\.txt$|);
next if ($name =~ m|^0000|);
- next if ($name =~ m|^2003\.02[3-9]|);
+ next if ($name =~ m|^2003\.02[5-9]|);
$sidebar .= "<a href=\"$base.html\">$name</a><br>";
}
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
