unsubscribe
Re: [SECURITY] [DSA 819-1] New python2.1 packages fix arbitrary code execution
I wrote: > I just noticed that python2.1 on my woody system no longer knows about the > symbol False: I investigated further, and get the impression that the symbol False was not introduced until python2.2. In other words, it was a problem specific to my system and y'all didn't do anything wrong. Apologies for the wasted bandwidth... Mark -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 819-1] New python2.1 packages fix arbitrary code execution
I just noticed that python2.1 on my woody system no longer knows about the symbol False: [EMAIL PROTECTED]:~$ python2.1 Python 2.1.3 (#1, Sep 15 2005, 09:09:06) [GCC 2.95.4 20011002 (Debian prerelease)] on linux2 Type "copyright", "credits" or "license" for more information. >>> False Traceback (most recent call last): File "", line 1, in ? NameError: name 'False' is not defined >>> [EMAIL PROTECTED]:~$ dpkg -l python2.1 Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name VersionDescription +++-==-==- ii python2.1 2.1.3-3.4 An interactive object-oriented scripting lan [EMAIL PROTECTED]:~$ I discovered this because a rarely-used python cgi-bin script on my woody system stopped working. Based on my logs, this script worked properly on 19 Sept 2005 (4 days before this security advisory). The next time it was used (today) it failed because "False" is not defined. I have not modified the script since May 2005. I've worked around the problem for now by switching to python2.2, which still works properly. Could you please verify that you didn't break python2.1 on woody with this security upgrade? Thanks, Mark On Fri, Sep 23, 2005 at 11:29:05AM +0200, Martin Schulze wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > - -- > Debian Security Advisory DSA 819-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Martin Schulze > September 23rd, 2005http://www.debian.org/security/faq > - -- > > Package: python2.1 > Vulnerability : integer overflow > Problem type : remote > Debian-specific: no > CVE ID : CAN-2005-2491 > BugTraq ID : 14620 > Debian Bug : 324531 > > An integer overflow with a subsequent buffer overflow has been detected > in PCRE, the Perl Compatible Regular Expressions library, which allows > an attacker to execute arbitrary code, and is also present in Python. > Exploiting this vulnerability requires an attacker to specify the used > regular expression. > > For the old stable distribution (woody) this problem has been fixed in > version 2.1.3-3.4. > > For the stable distribution (sarge) this problem has been fixed in > version 2.1.3dfsg-1sarge1. > > For the unstable distribution (sid) this problem has been fixed in > version 2.1.3dfsg-3. > > We recommend that you upgrade your python2.1 packages. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 846-1] New cpio packages fix several vulnerabilities
FIXED Martin Schulze schrieb am 07.10.2005 17:51: > -- > Debian Security Advisory DSA 846-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Martin Schulze > October 7th, 2005 http://www.debian.org/security/faq > -- > > Package: cpio > Vulnerability : several > Problem type : local (remote) > Debian-specific: no > CVE ID : CAN-2005- CAN-2005-1229 > Debian Bug : 306693 305372 > > Two vulnerabilities have been discovered in cpio, a program to manage > archives of files. The Common Vulnerabilities and Exposures project > identifies the following problems: > > CAN-2005- > > Imran Ghory discovered a race condition in setting the file > permissions of files extracted from cpio archives. A local > attacker with write access to the target directory could exploit > this to alter the permissions of arbitrary files the extracting > user has write permissions for. > > CAN-2005-1229 > > Imran Ghory discovered that cpio does not sanitise the path of > extracted files even if the --no-absolute-filenames option was > specified. This can be exploited to install files in arbitrary > locations where the extracting user has write permissions to. > > For the old stable distribution (woody) these problems have been fixed in > version 2.4.2-39woody2. > > For the stable distribution (sarge) these problems have been fixed in > version 2.5-1.3. > > For the unstable distribution (sid) these problems have been fixed in > version 2.6-6. > > We recommend that you upgrade your cpio package. > > > Upgrade Instructions > > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given below: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. > > > Debian GNU/Linux 3.0 alias woody > > > Source archives: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2.dsc > Size/MD5 checksum: 549 15ede7cbecf63993116b4e6a6565a52a > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2.diff.gz > Size/MD5 checksum:23977 58175edde016c3ddb92804479697288f > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2.orig.tar.gz > Size/MD5 checksum: 181728 3e976db71229d52a8a135540698052df > > Alpha architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_alpha.deb > Size/MD5 checksum:72916 8a3c436670b93fe9d6c0d7b9c6620826 > > ARM architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_arm.deb > Size/MD5 checksum:64050 96781e9c208d4629c9bad9fd489a6752 > > Intel IA-32 architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_i386.deb > Size/MD5 checksum:61704 c4fd8a026047cd14a9516224d8319e13 > > Intel IA-64 architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_ia64.deb > Size/MD5 checksum:84576 5d9d925c312a5a9f141949c134fd23d3 > > HP Precision architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_hppa.deb > Size/MD5 checksum:69922 219bd8e8d9de88975eca8c8df4e9ddd9 > > Motorola 680x0 architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_m68k.deb > Size/MD5 checksum:59998 b4ef64480db82238635e1c7f5b851eee > > Big endian MIPS architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_mips.deb > Size/MD5 checksum:69160 a3f333c7b10c4f06a37de29de89844c1 > > Little endian MIPS architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_mipsel.deb > Size/MD5 checksum:68852 d704acf1b5d5c82ab024f6d45eab5686 > > PowerPC architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_powerpc.deb > Size/MD5 checksum:64284 4227c627aa48dc40cacdde9cb866322a > > IBM S/390 architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_s390.deb > Size/MD5 checksum:64190 975304691e816ea35e5b1a1edbaca8fc > > Sun Sparc architecture: > > > http://security.debian.org/pool/updates/main/c/cpio/cpio_2.4.2-39woody2_sparc.deb > Size/MD5 checksum:65916 e9fcc403a99fa3c930c9a7ede7daeef4 > > > D
Re: [SECURITY] [DSA 847-1] New dia packages fix arbitrary code execution
Out of office until 17 Oct. Please contact [EMAIL PROTECTED] instead. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Unsubscribe
signature.asc Description: Digital signature
