[SECURITY] [DSA 247-1] New courier packages fix SQL injection
Debian Security Advisory DSA 247-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
January 30th, 2003                     http://www.debian.org/security/faq

Package        : courier
Vulnerability  : missing input sanitizing
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2003-0040

The developers of courier, an integrated user-side mail server, discovered a problem in the PostgreSQL auth module. Not all potentially malicious characters were sanitized before the username was passed to the PostgreSQL engine. By exploiting this vulnerability, an attacker could inject arbitrary SQL commands and queries. The MySQL auth module is not affected.

For the stable distribution (woody) this problem has been fixed in version 0.37.3-3.3.

The old stable distribution (potato) does not contain courier packages.

For the unstable distribution (sid) this problem has been fixed in version 0.40.2-3.

We recommend that you upgrade your courier-authpostgresql package.

Upgrade Instructions

  wget url
      will fetch the file for you
  dpkg -i file.deb
      will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

  apt-get update
      will update the internal database
  apt-get upgrade
      will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives:
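The advisory describes the defect only in prose. What follows is an added example, not courier's own code: a constructed auth lookup in Python, with sqlite3 standing in for PostgreSQL so it runs offline, that shows the pre-fix pattern of splicing the username into the query text beside the parameterized form that keeps the username out of the SQL text entirely. The table name, its columns and the sample user are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the table an auth module would query; sqlite3 is used
# here only so the example runs offline (PostgreSQL drivers use %s placeholders).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE passwd (id TEXT PRIMARY KEY, clear TEXT)")
    db.execute("INSERT INTO passwd VALUES ('alice', 'correct horse')")
    return db

def lookup_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """Pre-fix pattern: the username is spliced into the SQL text. A quote in the
    username ends the string literal and everything after it is parsed as SQL."""
    sql = f"SELECT id, clear FROM passwd WHERE id = '{username}'"
    return db.execute(sql).fetchall()

def lookup_fixed(db: sqlite3.Connection, username: str) -> list:
    """Fixed pattern: the username travels as a bound parameter, so the SQL text
    is constant and no character in the name can change its meaning."""
    return db.execute("SELECT id, clear FROM passwd WHERE id = ?", (username,)).fetchall()

def authenticate(db: sqlite3.Connection, username: str, password: str,
                 lookup=lookup_fixed) -> bool:
    """Accept only when exactly one row matches and its password is the one supplied."""
    rows = lookup(db, username)
    return len(rows) == 1 and rows[0] == (username, password)

def vulnerable_query_breaks(db: sqlite3.Connection, username: str) -> bool:
    """True when the unsanitized name alters the query's syntax (the symptom the
    advisory describes); the fixed lookup treats the same name as plain data."""
    try:
        lookup_vulnerable(db, username)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(authenticate(db, "alice", "correct horse"))  # True
    print(vulnerable_query_breaks(db, "o'brien"))       # True
    print(lookup_fixed(db, "o'brien"))                  # []
```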
Question about snort binaries..
Hi all,

This may be a stupid question, but I'm going to ask anyway :)

Debian 3.0 uses Snort 1.8.4beta1, and unstable uses 1.9.0. Is there a way to define that I only want to use the unstable packages just related to snort, or do I have to change my entire distribution to unstable? Testing distribution has 1.8.7.

The problem I have is the snort rules are updated for 1.9.0, but not for 1.8.4beta1 :(

Also, if you look at snort-rules-default for the different releases, there is a BIG difference in sizes:

  1.8.4 beta 1   58.1K
  1.8.7          73.7k
  1.9.0 rel 2    91.7

Any other suggestions or recommendations are also welcome.

Thanks,
-Anne

--
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
Re: Question about snort binaries..
On Thu, Jan 30, 2003 at 09:35:05AM -0800, Anne Carasik wrote:
> Is there a way to define that I only want to use the unstable packages
> just related to snort or do I have to change my entire distribution to
> unstable? Testing distribution has 1.8.7.

No. You would have to pull in all the dependencies from unstable as well, so you'd get all sorts of fun stuff like libc upgraded.

It's possible that you could try 'apt-get -b source snort' and have the right thing happen. But then again, depending on the package in unstable, this might not be buildable on something else.

> Any other suggestions or recommendations are also welcome.

Go to www.snort.org, get the tarball, and install it in /usr/local/. That's what I've been doing.

This was discussed at quite a bit of length a month or two ago. Check the archives.

noah

--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
RE: Sarge and Perl security holes
Please!!! erase my mail address from your group! I have been receiving these mails, which is against the rules of my company, and I have been made aware that I have to stop receiving this kind of mail, PLEASE!!! ERASE ME!!!

Thank you very much!

María Inés Radaelli
Labor Relations
Kraft Foods Argentina S.A.
(03327) 45-6055
[EMAIL PROTECTED]

-----Original message-----
From: Matt Zimmerman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 28 January 2003 00:51
To: List - Debian Security
Subject: Re: Sarge and Perl security holes

On Mon, Jan 27, 2003 at 07:30:22PM -0600, Hanasaki JiJi wrote:
> Seems that sarge is broken due to perl versions and a security bug in
> perl of sarge and version mismatches? That's about all I know...
> Anyone have more info and a target date for sarge to be stabilized?
> Oh.. I hear it's in a freeze?

Any rumours of a freeze are greatly exaggerated. sarge (testing) is simply stalled; bugfixes are not making their way into sarge because the new packages depend on new versions of other (buggy) packages such as glibc. This is a temporary situation.

--
 - mdz

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Question about snort binaries..
* Anne Carasik [EMAIL PROTECTED] wrote:
> This may be a stupid question, but I'm going to ask anyway :)

No problem at all. :-)

> Debian 3.0 uses Snort 1.8.4beta1, and unstable uses 1.9.0. Is there a
> way to define that I only want to use the unstable packages just
> related to snort or do I have to change my entire distribution to
> unstable? Testing distribution has 1.8.7.
>
> The problem I have is the snort rules are updated for 1.9.0, but not
> for 1.8.4beta1 :(
>
> Any other suggestions or recommendations are also welcome.

So here is mine: forget about apt-pinning and installing original Sid packages on Woody. You are better off using backported versions, and what you certainly want is this link:

,----[ Current version of snort for Woody ]
| http://debian.fluidsignal.com/dists/woody/updates/main/binary-i386/
`----

Regards,
Marcus

--
I think I've reached that point where all the things you have to say
and hopes for something more from me are just games to pass the time away.
Please stop loving me, please stop loving me, I am none of these things...
Re: Sarge and Perl security holes
Maria,

You can unsubscribe yourself at http://www.debian.org/MailingLists/unsubscribe.

~CJ Erickson

On Thu, Jan 30, 2003 at 01:32:39PM -0500, [EMAIL PROTECTED] wrote:
> Please!!! erase my mail address from your group! I have been receiving
> these mails, which is against the rules of my company, and I have been
> made aware that I have to stop receiving this kind of mail, PLEASE!!!
> ERASE ME!!!
Re: Question about snort binaries..
Noah L. Meyerhans grabbed a keyboard and typed...
> On Thu, Jan 30, 2003 at 09:35:05AM -0800, Anne Carasik wrote:
> > Is there a way to define that I only want to use the unstable packages
> > just related to snort or do I have to change my entire distribution to
> > unstable? Testing distribution has 1.8.7.
>
> No. You would have to pull in all the dependencies from unstable as
> well, so you'd get all sorts of fun stuff like libc upgraded.

Yeah, I realized that, then I figured out what to do :)

> It's possible that you could try 'apt-get -b source snort' and have the
> right thing happen. But then again, depending on the package in
> unstable, this might not be buildable on something else.

Right. So, here's what I've been doing: edit /etc/apt/apt.conf to have the following:

  APT::Default-Release testing;

(I'm using testing instead of stable). And, for the packages I want the latest release for, I've been doing this:

  apt-get -t unstable install snort
  apt-get -t unstable install ssh

etc. So far, I haven't had any problems :)

> > Any other suggestions or recommendations are also welcome.
>
> Go to www.snort.org, get the tarball, and install it in /usr/local/.
> That's what I've been doing.

That would have been my next step if the above didn't work.

> This was discussed at quite a bit of length a month or two ago. Check
> the archives.

I saw something on snort-current about keeping rules up to date, but I don't remember anything about the binaries. I'll go poke through the archives.

Thanks for your help :)
-Anne

--
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
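The two steps Anne describes (one APT::Default-Release line in apt.conf, then apt-get -t for the few packages wanted from another suite) as an added Python example, not code from the thread: it rewrites an existing APT::Default-Release line instead of appending a second one, accepts both the quoted form apt.conf documents and the unquoted form used above, and only builds the apt-get command rather than running it. The function names and the file path are assumptions for this example.

```python
import re
from pathlib import Path

# Matches the documented quoted form (APT::Default-Release "testing";) and the
# unquoted form used in the thread; group 1 is the release name.
_DEFAULT_RELEASE = re.compile(
    r'^[ \t]*APT::Default-Release[ \t]+"?([^";\s]+)"?[ \t]*;[ \t]*$', re.M)

def current_default_release(text: str):
    """Return the release named by APT::Default-Release in apt.conf text, or None."""
    m = _DEFAULT_RELEASE.search(text)
    return m.group(1) if m else None

def set_default_release(text: str, release: str) -> str:
    """Return apt.conf text with APT::Default-Release set to `release`.
    An existing line is rewritten in place so the setting is never duplicated."""
    line = f'APT::Default-Release "{release}";'
    if _DEFAULT_RELEASE.search(text):
        return _DEFAULT_RELEASE.sub(line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"

def ensure_default_release(path: Path, release: str) -> str:
    """Apply set_default_release to the file at `path` (created if missing)
    and return the new text. Assumed path: /etc/apt/apt.conf on the target."""
    text = path.read_text() if path.exists() else ""
    new_text = set_default_release(text, release)
    path.write_text(new_text)
    return new_text

def apt_install_command(release: str, packages) -> list:
    """Command that pulls only `packages` (plus what they depend on) from
    `release`; everything else stays on the default release."""
    return ["apt-get", "-t", release, "install", *packages]

if __name__ == "__main__":
    print(set_default_release("", "testing"), end="")
    print(" ".join(apt_install_command("unstable", ["snort"])))
```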