[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

Fri, 16 Jan 2004 05:45:21 -0800 

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   16-Jan-2004 13:43:45
  Branch: HEAD                             Handle: 2004011612434400

  Added files:
    openpkg-web/security    OpenPKG-SA-2004.002-tcpdump.txt
  Modified files:
    openpkg-web             security.txt security.wml

  Log:
    SA-2004.002-tcpdump; CAN-2002-0380, CAN-2002-1350, CAN-2003-0108,
    CAN-2003-0989, CAN-2003-1029, CAN-2004-0055, CAN-2004-0057

  Summary:
    Revision    Changes     Path
    1.61        +1  -0      openpkg-web/security.txt
    1.78        +1  -0      openpkg-web/security.wml
    1.1         +97 -0      openpkg-web/security/OpenPKG-SA-2004.002-tcpdump.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  ============================================================================
  $ cvs diff -u -r1.60 -r1.61 security.txt
  --- openpkg-web/security.txt  8 Jan 2004 08:03:57 -0000       1.60
  +++ openpkg-web/security.txt  16 Jan 2004 12:43:44 -0000      1.61
  @@ -1,3 +1,4 @@
  +16-Jan-2004: Security Advisory: S<OpenPKG-SA-2004.002-tcpdump>
   08-Jan-2004: Security Advisory: S<OpenPKG-SA-2004.001-inn>
   17-Dec-2003: Security Advisory: S<OpenPKG-SA-2003.053-lftp>
   17-Dec-2003: Security Advisory: S<OpenPKG-SA-2003.052-cvs>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  ============================================================================
  $ cvs diff -u -r1.77 -r1.78 security.wml
  --- openpkg-web/security.wml  8 Jan 2004 08:03:57 -0000       1.77
  +++ openpkg-web/security.wml  16 Jan 2004 12:43:44 -0000      1.78
  @@ -76,6 +76,7 @@
   </define-tag>
   <box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
   <table cellspacing=0 cellpadding=0 border=0>
  +  <sa 2004.002 tcpdump>
     <sa 2004.001 inn>
     <sa 2003.053 lftp>
     <sa 2003.052 cvs>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.002-tcpdump.txt
  ============================================================================
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.002-tcpdump.txt
  --- /dev/null 2004-01-16 13:43:45.000000000 +0100
  +++ OpenPKG-SA-2004.002-tcpdump.txt   2004-01-16 13:43:45.000000000 +0100
  @@ -0,0 +1,97 @@
  +________________________________________________________________________
  +
  +OpenPKG Security Advisory                            The OpenPKG Project
  +http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  +OpenPKG-SA-2004.002                                          16-Jan-2004
  +________________________________________________________________________
  +
  +Package:             tcpdump
  +Vulnerability:       denial of service
  +OpenPKG Specific:    no
  +
  +Affected Releases:   Affected Packages:          Corrected Packages:
  +OpenPKG CURRENT      <= tcpdump-3.8.1-20040108   >= tcpdump-3.8.1-20040116
  +OpenPKG 1.3          <= tcpdump-3.7.2-1.3.0      >= tcpdump-3.7.2-1.3.1
  +OpenPKG 1.2          <= tcpdump-3.7.1-1.2.1      >= tcpdump-3.7.1-1.2.2
  +
  +Dependent Packages:  none
  +
  +Description:
  +  A bunch of vulnerabilities in tcpdump [0] were found and addressed
  +  in the past. All of them are in the area of packet decoding. Faulty
  +  decoder functions can result in denial of service attacks through
  +  infinite loops, memory starvation and application crashes. In the
  +  worst case arbitrary code execution is possible.
  +
  +  This OpenPKG update resolves all issues currently known, as shown in
  +  the following table:
  +
  +                  tcpdump   371 371 372 381
  +                  OpenPKG   120 121 130 20020822
  +                            --- --- --- ---
  +  CAN-2002-0380 [2] nfs      y   n   n   n   see past OpenPKG-SA [1]
  +  CAN-2002-1350 [3] bgp      y   n   n   n   see past OpenPKG-SA [1]
  +  CAN-2003-0108 [4] isakmp   y   n   n   n   see past OpenPKG-SA [1]
  +                    depth    y   y   y   n   (*)
  +  CAN-2003-0989 [5] isakmp   y   y   y   n   updates CAN-2003-0108-isakmp
  +  CAN-2003-1029 [6] l2tp     y   y   n   n
  +  CAN-2004-0055 [7] radius   y   y   y   y
  +  CAN-2004-0057 [8] isakmp   y   y   y   y
  +
  +  (*) the vendor code fix for CAN-2003-0108 had two other unrelated code
  +      changes piggybacked. We removed the cosmetics (constify) and
  +      extracted an enhancement (depth).
  +
  +  Please check whether you are affected by running "<prefix>/bin/rpm -q
  +  tcpdump". If you have the "tcpdump" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution) and it's dependent packages (see above), if any, too.
  +  [9][10]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror
  +  location, verify its integrity [15], build a corresponding binary RPM
  +  from it [9] and update your OpenPKG installation by applying the
  +  binary RPM [10]. For the current release OpenPKG 1.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get tcpdump-3.7.1-1.2.1.src.rpm
  +  ftp> bye
  +  $ <prefix>/bin/rpm -v --checksig tcpdump-3.7.1-1.2.1.src.rpm
  +  $ <prefix>/bin/rpm --rebuild tcpdump-3.7.1-1.2.1.src.rpm
  +  $ su -
  +  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/tcpdump-3.7.1-1.2.1.*.rpm
  +________________________________________________________________________
  +
  +References:
  +  [0] http://www.tcpdump.org/
  +  [1] http://www.openpkg.org/security/OpenPKG-SA-2003.014-tcpdump.html
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0380
  +  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1350
  +  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108
  +  [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0989
  +  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1029
  +  [7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055
  +  [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057
  +  [9] http://www.openpkg.org/tutorial.html#regular-source
  +  [10] http://www.openpkg.org/tutorial.html#regular-binary
  +  [11] ftp://ftp.openpkg.org/release/1.2/UPD/tcpdump-3.7.1-1.2.2.src.rpm
  +  [12] ftp://ftp.openpkg.org/release/1.3/UPD/tcpdump-3.7.2-1.3.1.src.rpm
  +  [13] ftp://ftp.openpkg.org/release/1.2/UPD/
  +  [14] ftp://ftp.openpkg.org/release/1.3/UPD/
  +  [15] http://www.openpkg.org/security.html#signature
  +________________________________________________________________________
  +
  +For security reasons, this advisory was digitally signed with the
  +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
  +OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  +for details on how to verify the integrity of this advisory.
  +________________________________________________________________________
  +
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]

Reply via email to