While I was trying to check my installation for updates needed with openpkg, I got:

[EMAIL PROTECTED] root]# openpkg build -Ua > /tmp/bua.sh
no element found at line 1, column 0, byte 0 at /opkg/lib/perl/vendor_perl/5.8.5/i686-linux/XML/Parser.pm line 187

Recently my openpkg was upgraded after issuing the same command above.
Could it be that the openpkg-2.2.2-2.2.2 introduced some error?
What else could be wrong causing that problem?

Thanks,
Alex

Quoting OpenPKG <[EMAIL PROTECTED]>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ________________________________________________________________________
>
> OpenPKG Security Advisory                            The OpenPKG Project
> http://www.openpkg.org/security.html              http://www.openpkg.org
> [EMAIL PROTECTED]                                    [EMAIL PROTECTED]
> OpenPKG-SA-2004.055                                          23-Dec-2004
> ________________________________________________________________________
>
> Package:             gettext
> Vulnerability:       insecure temporary file generation
> OpenPKG Specific:    no
>
> Affected Releases:   Affected Packages:          Corrected Packages:
> OpenPKG CURRENT      <= gettext-0.14.1-20041006  >= gettext-0.14.1-20041217
> OpenPKG 2.2          <= gettext-0.14.1-2.2.0     >= gettext-0.14.1-2.2.1
> OpenPKG 2.1          <= gettext-0.14.1-2.1.0     >= gettext-0.14.1-2.1.1
>
> Affected Releases:   Dependent Packages:
> OpenPKG CURRENT      aegis, apache, doodle, giftoxic, gimp, glib2, gpa,
>                      gqview, gtk2, heartbeat, indent, kcd, kde-base,
>                      kde-libs, kolab, libextractor, lyx, openjade,
>                      orbit, papyrus, perl-locale, php, php5, popt,
>                      smbc, subversion, xine-lib, xine-ui, yodl
> OpenPKG 2.2          aegis, apache, giftoxic, gimp, glib2, gqview,
>                      gtk2, indent, kolab, openjade, orbit, perl-locale,
>                      php, popt, yodl
> OpenPKG 2.1          aegis, apache, gimp, glib2, gqview, gtk2, indent,
>                      kolab, openjade, orbit, perl-locale, php, popt, yodl
>
> Description:
>   Trustix security engineers discovered vulnerabilities [0] in the
>   "autopoint" and "gettextize" scripts of GNU gettext [1]. The scripts
>   in question insecurely generate temporary files which could allow
>   a malicious user to overwrite another user's files via a "symlink
>   attack".
>   Software only using GNU gettext's headers and libraries is
>   not affected by this problem, however. The Common Vulnerabilities and
>   Exposures (CVE) project assigned the identifier CAN-2004-0966 [2] to
>   the problem.
>
>   Please check whether you are affected by running "<prefix>/bin/openpkg
>   rpm -q gettext". If you have the "gettext" package installed and its
>   version is affected (see above), we recommend that you immediately
>   upgrade it (see Solution) and its dependent packages (see above) [3][4].
>
> Solution:
>   Select the updated source RPM appropriate for your OpenPKG release
>   [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
>   location, verify its integrity [9], build a corresponding binary RPM
>   from it [3] and update your OpenPKG installation by applying the
>   binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
>   following operations to permanently fix the security problem (for
>   other releases adjust accordingly).
>
>   $ ftp ftp.openpkg.org
>   ftp> bin
>   ftp> cd release/2.2/UPD
>   ftp> get gettext-0.14.1-2.2.1.src.rpm
>   ftp> bye
>   $ <prefix>/bin/openpkg rpm -v --checksig gettext-0.14.1-2.2.1.src.rpm
>   $ <prefix>/bin/openpkg rpm --rebuild gettext-0.14.1-2.2.1.src.rpm
>   $ su -
>   # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/gettext-0.14.1-2.2.1.*.rpm
>
>   Additionally, we recommend rebuilding and reinstalling all dependent
>   packages (see above) as well [3][4].
> ________________________________________________________________________
>
> References:
>   [0] http://www.trustix.org/errata/2004/0050
>   [1] http://www.gnu.org/software/gettext/
>   [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0966
>   [3] http://www.openpkg.org/tutorial.html#regular-source
>   [4] http://www.openpkg.org/tutorial.html#regular-binary
>   [5] ftp://ftp.openpkg.org/release/2.2/UPD/gettext-0.14.1-2.2.1.src.rpm
>   [6] ftp://ftp.openpkg.org/release/2.1/UPD/gettext-0.14.1-2.1.1.src.rpm
>   [7] ftp://ftp.openpkg.org/release/2.2/UPD/
>   [8] ftp://ftp.openpkg.org/release/2.1/UPD/
>   [9] http://www.openpkg.org/security.html#signature
> ________________________________________________________________________
>
> For security reasons, this advisory was digitally signed with the
> OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
> OpenPKG project which you can retrieve from http://pgp.openpkg.org and
> hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
> for details on how to verify the integrity of this advisory.
> ________________________________________________________________________
>
> -----BEGIN PGP SIGNATURE-----
> Comment: OpenPKG <[EMAIL PROTECTED]>
>
> iD8DBQFBytgqgHWT4GPEy58RAhuGAKDpeqcGekb2uYC6ng+MxUK2KMemgACeJSin
> dAYcOAONTykpMwG4C7routM=
> =EWyA
> -----END PGP SIGNATURE-----
> ______________________________________________________________________
> The OpenPKG Project                                    www.openpkg.org
> Project Announcement List                 openpkg-announce@openpkg.org

______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
User Communication List                      openpkg-users@openpkg.org
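
The class of bug the quoted advisory names (insecure temporary file generation leading to a "symlink attack"), as an added shell illustration that is not part of the original message and is not code from gettext, autopoint, gettextize or OpenPKG. The function names, the `work.$$` file name and the sandbox directory are hypothetical; the check runs entirely inside a private directory it creates.

```shell
#!/bin/sh
# Added illustration; names and paths are constructed, not taken from gettext.

# Weak pattern: predictable name in a shared directory. The ">" redirection
# follows a symlink that another user created there beforehand.
unsafe_write() {   # $1 = shared directory, $2 = data
    tmp="$1/work.$$"                     # the PID is guessable
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp -d atomically creates a private directory with an
# unpredictable name (mode 0700); noclobber (set -C) refuses to reuse a path.
safe_write() {     # $1 = shared directory, $2 = data
    dir=$(mktemp -d "$1/work.XXXXXXXXXX") || return 1
    tmp="$dir/data"
    ( set -C; printf '%s\n' "$2" > "$tmp" ) || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$tmp"
}

# Regression check: pre-create a symlink at the predictable name that points
# at a "victim" file, then see which writer leaves the victim untouched.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/work.$$"

    unsafe_write "$sandbox" "clobbered" > /dev/null
    after_unsafe=$(cat "$sandbox/victim")

    printf 'original\n' > "$sandbox/victim"
    safe_write "$sandbox" "scratch" > /dev/null
    after_safe=$(cat "$sandbox/victim")

    rm -rf "$sandbox"
    printf '%s %s\n' "$after_unsafe" "$after_safe"
}

demo
```

The first word printed shows the victim file's content after the weak writer ran, the second after the hardened one ran.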