[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 13:38:22 Branch: HEAD Handle: 2005120312382200 Added files: openpkg-web/securityOpenPKG-SA-2005.024-mysql.txt Modified files: openpkg-web security.txt security.wml Log: add MySQL SA into website Summary: RevisionChanges Path 1.115 +2 -0 openpkg-web/security.txt 1.144 +2 -0 openpkg-web/security.wml 1.1 +40 -0 openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.114 -r1.115 security.txt --- openpkg-web/security.txt 17 Oct 2005 16:11:22 - 1.114 +++ openpkg-web/security.txt 3 Dec 2005 12:38:22 - 1.115 @@ -1,3 +1,5 @@ +03-Dec-2005: Security Advisory: S +02-Nov-2005: Security Advisory: S 17-Oct-2005: Security Advisory: S 10-Sep-2005: Security Advisory: S 06-Sep-2005: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.143 -r1.144 security.wml --- openpkg-web/security.wml 19 Oct 2005 09:20:04 - 1.143 +++ openpkg-web/security.wml 3 Dec 2005 12:38:22 - 1.144 @@ -90,6 +90,8 @@ + + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.024-mysql.txt --- /dev/null 2005-12-03 13:38:13 +0100 +++ OpenPKG-SA-2005.024-mysql.txt 2005-12-03 13:38:22 +0100 
@@ -0,0 +1,40 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.024 03-Dec-2005 + + +Package: mysql +Vulnerability: buffer overflow, arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages:Corrected Packages: +OpenPKG CURRENT <= mysql-4.1.12-20050617 >= mysql-4.1.13-20050721 +OpenPKG 2.5 N.A. N.A. +OpenPKG 2.4 <= mysql-4.1.12-2.4.0 >= mysql-4.1.12-2.4.1 + +Description: + According to a security advisory from Reid Borsuk of Application + Security Inc [0], a stack-based buffer overflow exists in the MySQL + RDBMS [1]. The buffer overflow allows remote authenticated users + who can create user-defined database functions to execute arbitrary + code via a long "function_name" field. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CVE-2005-2558 [2] to the + problem. + + +References: + [0] http://www.appsecinc.com/resources/alerts/mysql/2005-002.html + [1] http://www.mysql.com/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2558 + + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg.org and +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ +for details on how to verify the integrity of this advisory. + + @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
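Review bot: the log message "add MySQL SA into website" accounts for only one of the two index entries this security.txt hunk adds (03-Dec-2005 and 02-Nov-2005), and the only file added in the commit is OpenPKG-SA-2005.024-mysql.txt, dated 03-Dec-2005; state in the log which advisory the 02-Nov-2005 entry indexes, or move that entry into its own commit so the history stays traceable.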
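Review bot: the new advisory OpenPKG-SA-2005.024-mysql.txt has no "Dependent Packages:" line, no "Please check whether you are affected by running ..." paragraph and no "Solution:" section, all of which the sibling advisories in this module carry (compare OpenPKG-SA-2005.016-fetchmail.txt). Corrected packages are named (mysql-4.1.13-20050721, mysql-4.1.12-2.4.1), so add the usual fetch / "rpm -v --checksig" / "rpm --rebuild" / "rpm -Fvh" steps and the tutorial and FTP references, otherwise readers have no documented way to verify and apply the fix. The "OpenPKG 2.5 N.A. N.A." row should also say whether 2.5 is unaffected or simply ships no mysql package.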
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 28-Jul-2005 14:09:47 Branch: HEAD Handle: 2005072813094600 Added files: openpkg-web/securityOpenPKG-SA-2005.016-fetchmail.txt Modified files: openpkg-web security.txt security.wml Log: SA-2005.016-fetchmail; CAN-2005-2335 Summary: RevisionChanges Path 1.109 +1 -0 openpkg-web/security.txt 1.137 +1 -0 openpkg-web/security.wml 1.1 +72 -0 openpkg-web/security/OpenPKG-SA-2005.016-fetchmail.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.108 -r1.109 security.txt --- openpkg-web/security.txt 28 Jul 2005 11:11:43 - 1.108 +++ openpkg-web/security.txt 28 Jul 2005 12:09:46 - 1.109 @@ -1,3 +1,4 @@ +28-Jul-2005: Security Advisory: S 28-Jul-2005: Security Advisory: S 28-Jul-2005: Security Advisory: S 07-Jul-2005: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.136 -r1.137 security.wml --- openpkg-web/security.wml 28 Jul 2005 11:11:43 - 1.136 +++ openpkg-web/security.wml 28 Jul 2005 12:09:46 - 1.137 @@ -90,6 +90,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.016-fetchmail.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.016-fetchmail.txt --- /dev/null 2005-07-28 14:09:46 +0200 +++ OpenPKG-SA-2005.016-fetchmail.txt 2005-07-28 14:09:47 +0200 
@@ -0,0 +1,72 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.016 28-Jul-2005 + + +Package: fetchmail +Vulnerability: denial of service +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= fetchmail-6.2.5-20050311 >= fetchmail-6.2.5-20050728 +OpenPKG 2.4 <= fetchmail-6.2.5-2.4.0>= fetchmail-6.2.5-2.4.1 +OpenPKG 2.3 <= fetchmail-6.2.5-2.3.0>= fetchmail-6.2.5-2.3.1 + +Dependent Packages: none + +Description: + Ross Boylan reported a bug [0] in fetchmail [1] which turned out + being a remote buffer overflow vulnerability. A malicious POP3 server + could send a carefully crafted message and cause a denial of service + and possibly execute arbitrary code via long UIDL responses. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2005-2335 [2] to the problem. + + Please check whether you are affected by running "/bin/openpkg + rpm -q fetchmail". If you have the "fetchmail" package installed and + its version is affected (see above), we recommend that you immediately + upgrade it (see Solution) [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.4, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.4/UPD + ftp> get fetchmail-6.2.5-2.4.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig fetchmail-6.2.5-2.4.1.src.rpm + $ /bin/openpkg rpm --rebuild fetchmail-6.2.5-2.4.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/fetchmail-6.2.5-2.4.1.*.rpm + + +References: + [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762 + [1] http://www.catb.org/~esr/fetchmail/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2335 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/2.4/UPD/f
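Review bot: the "Vulnerability:" header of OpenPKG-SA-2005.016-fetchmail.txt says only "denial of service", but the Description states the bug is "a remote buffer overflow vulnerability" that could "possibly execute arbitrary code via long UIDL responses"; list arbitrary code execution in the header too, as the samba and mysql advisories in this module do, so the summary line does not understate the impact. Minor wording in the same paragraph: "which turned out being a remote buffer overflow" should read "which turned out to be a remote buffer overflow".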
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 11-Jan-2005 15:58:05 Branch: HEAD Handle: 200504580400 Added files: openpkg-web/securityOpenPKG-SA-2005.001-perl.txt Modified files: openpkg-web security.txt security.wml Log: SA-2005.001-perl; CAN-2004-0452, CAN-2004-0976 Summary: RevisionChanges Path 1.100 +1 -0 openpkg-web/security.txt 1.123 +1 -0 openpkg-web/security.wml 1.1 +77 -0 openpkg-web/security/OpenPKG-SA-2005.001-perl.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.99 -r1.100 security.txt --- openpkg-web/security.txt 17 Dec 2004 16:01:47 - 1.99 +++ openpkg-web/security.txt 11 Jan 2005 14:58:04 - 1.100 @@ -1,3 +1,4 @@ +11-Jan-2005: Security Advisory: S 17-Dec-2004: Security Advisory: S 16-Dec-2004: Security Advisory: S 15-Dec-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.122 -r1.123 security.wml --- openpkg-web/security.wml 17 Dec 2004 16:01:47 - 1.122 +++ openpkg-web/security.wml 11 Jan 2005 14:58:04 - 1.123 @@ -75,6 +75,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.001-perl.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.001-perl.txt --- /dev/null 2005-01-11 15:58:05 +0100 +++ OpenPKG-SA-2005.001-perl.txt 2005-01-11 15:58:05 +0100 
@@ -0,0 +1,77 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.001 11-Jan-2005 + + +Package: perl +Vulnerability: information disclosure, insecure permissions +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= perl-5.8.6-20041129 >= perl-5.8.6-20050111 +OpenPKG 2.2 <= perl-5.8.5-2.2.0 >= perl-5.8.5-2.2.1 +OpenPKG 2.1 <= perl-5.8.4-2.1.0 >= perl-5.8.4-2.1.1 + +Dependent Packages: none + +Description: + Jeroen van Wolffelaar discovered that the rmtree() function in the + Perl [0] File::Path module removes directory trees in an insecure + manner which could lead to the removal of arbitrary files and + directories through a symlink attack. The Common Vulnerabilities and + Exposures (CVE) project assigned the id CAN-2004-0452 [1] to the + problem. + + Trustix developers discovered several insecure uses of temporary files + in many modules which allow a local attacker to overwrite files via a + symlink attack. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2004-0976 [2] to the problem. + + Please check whether you are affected by running "/bin/openpkg + rpm -q perl". If you have the "perl" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution) [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.2, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.2/UPD + ftp> get perl-5.8.5-2.2.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig perl-5.8.5-2.2.1.src.rpm + $ /bin/openpkg rpm --rebuild perl-5.8.5-2.2.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/perl-5.8.5-2.2.1.*.rpm + + +References: + [0] http://www.perl.com/ + [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452 + [2] http://cve.mitre.org/cgi
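Review bot: the "Vulnerability:" header of OpenPKG-SA-2005.001-perl.txt ("information disclosure, insecure permissions") does not match the Description, which describes removal of arbitrary files and directories through a symlink attack on rmtree() (CAN-2004-0452) and overwriting of files via insecure temporary files (CAN-2004-0976); neither is an information disclosure. Something like "symlink attacks; arbitrary file removal and overwrite" would summarize the two issues accurately.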
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 17-Dec-2004 17:01:49 Branch: HEAD Handle: 2004121716014701 Added files: openpkg-web/securityOpenPKG-SA-2004.054-samba.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.054-samba; CAN-2004-0882, CAN-2004-0930, CAN-2004-1154 Summary: RevisionChanges Path 1.99+1 -0 openpkg-web/security.txt 1.122 +1 -0 openpkg-web/security.wml 1.1 +91 -0 openpkg-web/security/OpenPKG-SA-2004.054-samba.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.98 -r1.99 security.txt --- openpkg-web/security.txt 16 Dec 2004 21:00:58 - 1.98 +++ openpkg-web/security.txt 17 Dec 2004 16:01:47 - 1.99 @@ -1,3 +1,4 @@ +17-Dec-2004: Security Advisory: S 16-Dec-2004: Security Advisory: S 15-Dec-2004: Security Advisory: S 29-Nov-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.121 -r1.122 security.wml --- openpkg-web/security.wml 16 Dec 2004 21:00:58 - 1.121 +++ openpkg-web/security.wml 17 Dec 2004 16:01:47 - 1.122 @@ -75,6 +75,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.054-samba.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.054-samba.txt --- /dev/null 2004-12-17 17:01:49 +0100 +++ OpenPKG-SA-2004.054-samba.txt 2004-12-17 17:01:49 +0100 
@@ -0,0 +1,91 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.054 17-Dec-2004 + + +Package: samba +Vulnerability: denial of service, arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= samba-3.0.9-20041119 >= samba-3.0.10-20041216 +OpenPKG 2.2 <= samba-3.0.7-2.2.0>= samba-3.0.7-2.2.1 +OpenPKG 2.1 <= samba-3.0.4-2.1.2>= samba-3.0.4-2.1.3 + +Dependent Packages: none + +Description: + Several vulnerabilities exist in the Samba SMB/CIFS server [1]. The + OpenPKG team applied official patches where available and backported + others to address all known issues. + + According to a security advisory [2] from Stefan Esser a + unicode filename buffer overflow within the handling of + TRANSACT2_QFILEPATHINFO replies was discovered that allows remote + execution of arbitrary code. The Common Vulnerabilities and Exposures + (CVE) project assigned the id CAN-2004-0882 [4] to the problem. + + A problem in the ms_fnmatch function allows remote authenticated users + to consume excessive CPU horsepower and cause a denial of service + via a SMB request that contains multiple asterisks characters. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0930 [5] to the problem. + + According to a security advisory [3] from the Samba team an integer + overflow vulnerability in the smbd daemon could allow an attacker + to cause controllable heap corruption, leading to execution of + arbitrary commands with root privileges. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CAN-2004-1154 [6] to the + problem. + + Please check whether you are affected by running "/bin/openpkg + rpm -q samba". If you have the "samba" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution) [7][8]. 
+ +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [9][10], fetch it from the OpenPKG FTP service [11][12] or a mirror + location, verify its integrity [13], build a corresponding binary RPM + from it [7] and update your OpenPKG installation by applying the + binary RPM [8]. For the most recent release OpenPKG 2.2, perform the + following operations to permanently fix t
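Review bot: the reference numbering in the Description of OpenPKG-SA-2004.054-samba.txt is out of order and skips the [0] slot the sibling advisories use: the text cites [1], [2], [4], [5], [3], [6] in that sequence, so [3] (the Samba team advisory) is first mentioned after [4] and [5]; renumber so references are cited in ascending order of first mention. Minor wording in the CAN-2004-0930 paragraph: "consume excessive CPU horsepower" reads informally for a signed advisory; "consume excessive CPU time" would do.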
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 16-Dec-2004 22:00:59 Branch: HEAD Handle: 2004121621005801 Added files: openpkg-web/securityOpenPKG-SA-2004.053-php.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065 Summary: RevisionChanges Path 1.98+1 -0 openpkg-web/security.txt 1.121 +1 -0 openpkg-web/security.wml 1.1 +108 -0 openpkg-web/security/OpenPKG-SA-2004.053-php.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.97 -r1.98 security.txt --- openpkg-web/security.txt 15 Dec 2004 16:53:28 - 1.97 +++ openpkg-web/security.txt 16 Dec 2004 21:00:58 - 1.98 @@ -1,3 +1,4 @@ +16-Dec-2004: Security Advisory: S 15-Dec-2004: Security Advisory: S 29-Nov-2004: Security Advisory: S 31-Oct-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.120 -r1.121 security.wml --- openpkg-web/security.wml 15 Dec 2004 16:53:28 - 1.120 +++ openpkg-web/security.wml 16 Dec 2004 21:00:58 - 1.121 @@ -75,6 +75,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.053-php.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.053-php.txt --- /dev/null 2004-12-16 22:00:59 +0100 +++ OpenPKG-SA-2004.053-php.txt 2004-12-16 22:00:59 +0100 
@@ -0,0 +1,108 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.053 16-Dec-2004 + + +Package: php +Vulnerability: local and remote execution of arbitrary code +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= php-4.3.9-20041130 >= php-4.3.10-20041215 + <= apache-1.3.33-20041215 >= apache-1.3.33-20041215 +OpenPKG 2.2 <= php-4.3.9-2.2.0 >= php-4.3.9-2.2.2 + <= apache-1.3.31-2.2.1 >= apache-1.3.31-2.2.3 +OpenPKG 2.1 <= php-4.3.8-2.1.2 >= php-4.3.8-2.1.4 + <= apache-1.3.31-2.1.6 >= apache-1.3.31-2.1.8 + +Dependent Packages: none + +Description: + According to a PHP [0] PHP Release Announcement [1] and a security + advisory [2] from Stefan Esser of the Hardened-PHP Project several + very serious security issues were fixed in the 4.3.10 maintenance + release. The OpenPKG project extracted and backported the fixes. + + Shortly after releasing the initial php-4.3.9-2.2.1 and + php-4.3.8-2.1.3 fixes an early adopter reported a bug related to + the with_pear option and optimization. At the same time one more + security issue was discovered. Also rumors were afloat the Common + Vulnerabilities and Exposures (CVE) project is going to withdraw some + CANs. The most recent OpenPKG packages have all known issues addressed + and use the CVE CAN ids in alignment with the original PHP advisory. + + Out of bounds memory write access in shmop_write() and integer + overflow/underflow in pack() and unpack() functions. CAN-2004-1018 + [3]. + + Possible information disclosure, double free and negative reference + index array underflow in deserialization code. CAN-2004-1019 [4]. + + The addslashes() function does not escape \0 correctly. CAN-2004-1020 + [5]. + + Directory bypass in safe_mode execution. CAN-2004-1063 [6]. + + Arbitrary file access through path truncation CAN-2004-1064 [7]. 
+ + Function exif_read_data() suffers from overflow on long sectionname. + CAN-2004-1065 [2]. + + The magic_quotes_gpc functionality could lead to one level directory + traversal with file uploads. No CVE. + + Newly discovered TSRM issue. No CVE. + + Please check whether you are affected by r
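Review bot: the log message "SA-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, ..." lists CAN-2004-1018 twice; the advisory indexed by this security.txt entry names the ids CAN-2004-1018, -1019, -1020, -1063, -1064 and -1065 once each, so drop the duplicate from the log.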
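Review bot: in the Affected/Corrected table of OpenPKG-SA-2004.053-php.txt the OpenPKG CURRENT apache row lists the same version on both sides ("<= apache-1.3.33-20041215 >= apache-1.3.33-20041215"), so a package at exactly that version is simultaneously affected and corrected; one side should be the earlier build, as in the php row of the same block (php-4.3.9-20041130 to php-4.3.10-20041215). Also, "Dependent Packages: none" sits under a table that lists apache as an affected package without saying why; state that apache is listed because of its with_mod_php option, the way OpenPKG-SA-2004.034-php.txt does in its "Package:" line.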
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 15-Dec-2004 17:53:29 Branch: HEAD Handle: 2004121516532801 Added files: openpkg-web/securityOpenPKG-SA-2004.052-vim.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.052-vim; CAN-2004-1138 Summary: RevisionChanges Path 1.97+1 -0 openpkg-web/security.txt 1.120 +1 -0 openpkg-web/security.wml 1.1 +78 -0 openpkg-web/security/OpenPKG-SA-2004.052-vim.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.96 -r1.97 security.txt --- openpkg-web/security.txt 29 Nov 2004 15:35:08 - 1.96 +++ openpkg-web/security.txt 15 Dec 2004 16:53:28 - 1.97 @@ -1,3 +1,4 @@ +15-Dec-2004: Security Advisory: S 29-Nov-2004: Security Advisory: S 31-Oct-2004: Security Advisory: S 30-Oct-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.119 -r1.120 security.wml --- openpkg-web/security.wml 29 Nov 2004 15:35:08 - 1.119 +++ openpkg-web/security.wml 15 Dec 2004 16:53:28 - 1.120 @@ -75,6 +75,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.052-vim.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.052-vim.txt --- /dev/null 2004-12-15 17:53:29 +0100 +++ OpenPKG-SA-2004.052-vim.txt 2004-12-15 17:53:29 +0100 
@@ -0,0 +1,78 @@ + + + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.052 15-Dec-2004 + + +Package: vim +Vulnerability: source arbitrary scripts +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= vim-6.3.44-20041209 >= vim-6.3.45-20041210 +OpenPKG 2.2 <= vim-6.3.30-2.2.0 >= vim-6.3.30-2.2.1 +OpenPKG 2.1 <= vim-6.3.11-2.1.0 >= vim-6.3.11-2.1.1 + +Affected Releases: Dependent Packages: none + +Description: + The Gentoo vim maintainer Ciaran McCreesh found several + modeline-related vulnerabilities in vim [1] and reported them to the + vendor. Bram Moolenaar created patch 6.3.045 that fixes the reported + vulnerabilities and adds more conservative modeline rights. + + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-1138 [2] to the problem. + + Please check whether you are affected by running "/bin/openpkg + rpm -q vim". If you have the "vim" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution) [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.2, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.2/UPD + ftp> get vim-6.3.30-2.2.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig vim-6.3.30-2.2.1.src.rpm + $ /bin/openpkg rpm --rebuild vim-6.3.30-2.2.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/vim-6.3.30-2.2.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too [3][4]. + + +References: + [1] http://www.vim.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1138 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/2.2/UPD/vi
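Review bot: the "Vulnerability:" header of OpenPKG-SA-2004.052-vim.txt reads "source arbitrary scripts", but the Description only says that "several modeline-related vulnerabilities" were found and that patch 6.3.045 "adds more conservative modeline rights"; say what the modeline flaws allow, since that is what the header is trying to summarize and what a reader needs to judge exposure. The reference list also starts at [1] rather than [0] as in the sibling advisories.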
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 29-Nov-2004 16:35:09 Branch: HEAD Handle: 2004112915350801 Added files: openpkg-web/securityOpenPKG-SA-2004.051-imapd.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.051-imapd; CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015 and more Summary: RevisionChanges Path 1.96+1 -0 openpkg-web/security.txt 1.119 +1 -0 openpkg-web/security.wml 1.1 +103 -0 openpkg-web/security/OpenPKG-SA-2004.051-imapd.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.95 -r1.96 security.txt --- openpkg-web/security.txt 29 Nov 2004 14:51:12 - 1.95 +++ openpkg-web/security.txt 29 Nov 2004 15:35:08 - 1.96 @@ -1,3 +1,4 @@ +29-Nov-2004: Security Advisory: S 31-Oct-2004: Security Advisory: S 30-Oct-2004: Security Advisory: S 29-Oct-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.118 -r1.119 security.wml --- openpkg-web/security.wml 29 Nov 2004 14:51:12 - 1.118 +++ openpkg-web/security.wml 29 Nov 2004 15:35:08 - 1.119 @@ -75,6 +75,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.051-imapd.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.051-imapd.txt --- /dev/null 2004-11-29 16:35:09 +0100 +++ OpenPKG-SA-2004.051-imapd.txt 2004-11-29 16:35:09 +0100 
@@ -0,0 +1,103 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.051 29-Nov-2004 + + +Package: imapd +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= imapd-2.2.9-20041123 >= imapd-2.2.10-20041124 +OpenPKG 2.2 <= imapd-2.2.8-2.2.0>= imapd-2.2.8-2.2.1 +OpenPKG 2.1 <= imapd-2.2.6-2.1.0>= imapd-2.2.6-2.1.1 + +Affected Releases: Dependent Packages: none + +Description: + According to a security advisory from Stefan Esser [0] several + vulnerabilities in imapd. The updated OpenPKG packages fix all these + problems. + + When the option IMAPMAGICPLUS is activated on a server the PROXY and + LOGIN commands suffer a standard stack overflow, because the username + is not checked against a maximum length. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CAN-2004-1011 [2] to the + problem. + + Due to a bug within the argument parser of the PARTIAL command + bufferpositions outside the allocated memory buffer may be accessed. + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-1012 [3] to the problem. + + The argument parser of the FETCH command suffers a similar bug. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-1013 [4] to the problem. + + Under memory allocation failure conditions the cmd_append handler + supporting MULTIAPPENDS may enter code pathes doing post increments + whose behavior is undefined in ANSI C. The same function also suffers + from a integer wrap. No CVE. + + Another IMAPMAGICPLUS overflow was later discovered by Thomas Klaeger + in proxyd.c proxyd_canon_user function. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CAN-2004-1015 [5] to the + problem. 
+ + Sebastian Krahmer mentioned a missing 0-termination in global.c and + provided a patch. No CVE. + + Please check whether you are affected by running "/bin/openpkg + rpm -q imapd". If you have the "imapd" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it [6][7]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [8][9], fetch it from the Ope
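Review bot: the opening sentence of the Description in OpenPKG-SA-2004.051-imapd.txt has no verb ("According to a security advisory from Stefan Esser [0] several vulnerabilities in imapd.") and should read "... several vulnerabilities exist in imapd"; reference [1] is never cited (the text jumps from [0] to [2]); and there are spelling slips a signed advisory should not carry: "bufferpositions" (buffer positions), "code pathes" (code paths), "a integer wrap" (an integer wrap).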
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 14-Oct-2004 17:25:05 Branch: HEAD Handle: 2004101416250401 Added files: openpkg-web/securityOpenPKG-SA-2004.043-tiff.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.043-tiff; CAN-2004-0803, CAN-2004-0886 Summary: RevisionChanges Path 1.93+2 -0 openpkg-web/security.txt 1.115 +2 -0 openpkg-web/security.wml 1.1 +88 -0 openpkg-web/security/OpenPKG-SA-2004.043-tiff.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.92 -r1.93 security.txt --- openpkg-web/security.txt 15 Sep 2004 12:55:56 - 1.92 +++ openpkg-web/security.txt 14 Oct 2004 15:25:04 - 1.93 @@ -1,3 +1,5 @@ +13-Oct-2004: Security Advisory: S +15-Sep-2004: Security Advisory: S 15-Sep-2004: Security Advisory: S 15-Sep-2004: Security Advisory: S 13-Sep-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.114 -r1.115 security.wml --- openpkg-web/security.wml 13 Oct 2004 06:58:31 - 1.114 +++ openpkg-web/security.wml 14 Oct 2004 15:25:04 - 1.115 @@ -75,6 +75,8 @@ + + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.043-tiff.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.043-tiff.txt --- /dev/null 2004-10-14 17:25:05 +0200 +++ OpenPKG-SA-2004.043-tiff.txt 2004-10-14 17:25:05 +0200 
@@ -0,0 +1,88 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.043 14-Oct-2004 + + +Package: tiff +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= tiff-3.6.1-20040714 >= tiff-3.6.1-20041013 +OpenPKG 2.1 <= tiff-3.6.1-2.1.0 >= tiff-3.6.1-2.1.1 +OpenPKG 2.0 <= tiff-3.6.1-2.0.0 >= tiff-3.6.1-2.0.1 + +Affected Releases: Dependent Packages: +OpenPKG CURRENT cups emacs gdk-pixbuf gimp gtk2 imagemagick imlib + lcms lyx netpbm perl-tk povray scribus wx xemacs + xplanet xv + +OpenPKG 2.1 emacs gdk-pixbuf gimp gtk2 imagemagick imlib lcms + netpbm perl-tk xv + +OpenPKG 2.0 emacs gdk-pixbuf gimp gtk2 imagemagick imlib netpbm + perl-tk xv + +Description: + + According to security advisory CESA-2004-006 from Chris Evans the + libtiff [0] image en-/decoder suffers from several heap based buffer + overflows. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2004-0803 [1] to the problem. + + Other code reviewers found integer overflows which affect memory + allocation. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2004-0886 [2] to the problem. + + Please check whether you are affected by running "/bin/openpkg + rpm -q tiff". If you have the "tiff" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution) and its dependent packages (see above), if any, too + [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. 
For the most recent release OpenPKG 2.1, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.1/UPD + ftp> get tiff-3.6.1-2.1.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig tiff-3.6.1-2.1.1.src.rpm + $ /bin/openpkg rpm -
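Review bot: the new security.txt index entry is dated 13-Oct-2004, but the advisory file added in this commit is dated 14-Oct-2004 (header line "OpenPKG-SA-2004.043 14-Oct-2004", matching the commit date); align the two. The hunk also adds a second entry (15-Sep-2004) that the log message "SA-2004.043-tiff; CAN-2004-0803, CAN-2004-0886" does not mention; say which advisory it indexes or commit it separately.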
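Review bot: the Description of OpenPKG-SA-2004.043-tiff.txt credits "security advisory CESA-2004-006 from Chris Evans" but gives it no reference number, whereas every other source in these advisories is numbered and listed under References; add it, since the list currently goes from [0] (libtiff) straight to the CVE entries [1] and [2]. The blank line between "Description:" and its first paragraph also deviates from the sibling advisories.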
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 04-Aug-2004 16:00:20 Branch: HEAD Handle: 2004080415001603 Added files: openpkg-web/securityOpenPKG-SA-2004.035-png.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 Summary: RevisionChanges Path 1.89+1 -0 openpkg-web/security.txt 1.110 +1 -0 openpkg-web/security.wml 1.1 +130 -0 openpkg-web/security/OpenPKG-SA-2004.035-png.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.88 -r1.89 security.txt --- openpkg-web/security.txt 22 Jul 2004 14:34:44 - 1.88 +++ openpkg-web/security.txt 4 Aug 2004 14:00:16 - 1.89 @@ -1,3 +1,4 @@ +04-Aug-2004: Security Advisory: S 22-Jul-2004: Security Advisory: S 22-Jul-2004: Security Advisory: S 16-Jul-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.109 -r1.110 security.wml --- openpkg-web/security.wml 22 Jul 2004 14:34:44 - 1.109 +++ openpkg-web/security.wml 4 Aug 2004 14:00:16 - 1.110 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.035-png.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.035-png.txt --- /dev/null 2004-08-04 16:00:20 +0200 +++ OpenPKG-SA-2004.035-png.txt 2004-08-04 16:00:20 +0200 
@@ -0,0 +1,130 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.035 04-Aug-2004 + + +Package: png +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: # PNG embedded +OpenPKG CURRENT <= png-1.2.5-20040629>= png-1.2.5-20040804 #1.2.5 + <= doxygen-1.3.8-20040725>= doxygen-1.3.8-20040804 #1.2.1 + <= ghostscript-8.14-20040630 >= ghostscript-8.14-20040804 #1.2.5 + <= kde-qt-3.2.3-20040702 >= kde-qt-3.2.3-20040804 #1.2.5 + <= pdflib-6.0.0p1-20040713 >= pdflib-6.0.0p1-20040804 #1.2.5 -pngpread.c + <= perl-tk-5.8.5-20040720>= perl-tk-5.8.5-20040804 #1.0.5, 1.2.5 + <= qt-3.3.2-20040702 >= qt-3.3.2-20040804 #1.2.5 +png doxygen ghostscript kde-qt pdflib perl-tk qt + +OpenPKG 2.1 <= png-1.2.5-2.1.0 >= png-1.2.5-2.1.1 #1.2.5 + <= doxygen-1.3.7-2.1.0 >= doxygen-1.3.7-2.1.1 #1.2.1 + <= ghostscript-8.14-2.1.0>= ghostscript-8.14-2.1.1 #1.2.5 + <= pdflib-6.0.0-2.1.0>= pdflib-6.0.0-2.1.1 #1.2.5 -pngpread.c + <= perl-tk-5.8.4-2.1.0 >= perl-tk-5.8.4-2.1.1 #1.0.5, 1.2.5 + <= qt-3.3.2-2.1.0>= qt-3.3.2-2.1.1 #1.2.5 +png doxygen ghostscript pdflib perl-tk qt + +OpenPKG 2.0 <= png-1.2.5-2.0.2 >= png-1.2.5-2.0.3 #1.2.5 + <= doxygen-1.3.6-2.0.2 >= doxygen-1.3.6-2.0.3 #1.2.1 + <= ghostscript-8.13-2.0.2>= ghostscript-8.13-2.0.3 #1.2.5 + <= pdflib-5.0.3-2.0.2>= pdflib-5.0.3-2.0.3 #1.2.5 + <= perl-tk-5.8.3-2.0.2 >= perl-tk-5.8.3-2.0.3 #1.0.5, 1.2.5 + <= qt-3.2.3-2.0.2>= qt-3.2.3-2.0.3 #1.2.5 + <= rrdtool-1.0.46-2.0.2 >= rrdtool-1.0.46-2.0.3 #1.0.9 + <= tetex-2.0.2-2.0.2 >= tetex-2.0.2-2.0.3 #1.2.5 +png doxygen ghostscript pdflib perl-tk qt rrdtool tetex + +Affected Releases: Dependent Packages: +OpenPKG CURRENT abiword analog apache autotrac
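Review bot: the Affected/Corrected table of OpenPKG-SA-2004.035-png.txt carries an extra "# PNG embedded" column with annotations such as "#1.2.5", "#1.0.5, 1.2.5" and "#1.2.5 -pngpread.c" that are explained nowhere in the text, and each release block ends in an unlabelled line repeating the package names ("png doxygen ghostscript kde-qt pdflib perl-tk qt"); add a one-line legend (embedded libpng version; what "-pngpread.c" denotes) and either label the summary line or drop it, so the table reads without guesswork.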
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 22-Jul-2004 16:34:46 Branch: HEAD Handle: 2004072215344401 Added files: openpkg-web/securityOpenPKG-SA-2004.034-php.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.034-php; CAN-2004-0594, CAN-2004-0595 Summary: RevisionChanges Path 1.88+2 -0 openpkg-web/security.txt 1.109 +2 -0 openpkg-web/security.wml 1.1 +85 -0 openpkg-web/security/OpenPKG-SA-2004.034-php.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.87 -r1.88 security.txt --- openpkg-web/security.txt 20 Jul 2004 07:59:49 - 1.87 +++ openpkg-web/security.txt 22 Jul 2004 14:34:44 - 1.88 @@ -1,3 +1,5 @@ +22-Jul-2004: Security Advisory: S +22-Jul-2004: Security Advisory: S 16-Jul-2004: Security Advisory: S 08-Jul-2004: Security Advisory: S 06-Jul-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.108 -r1.109 security.wml --- openpkg-web/security.wml 20 Jul 2004 07:59:49 - 1.108 +++ openpkg-web/security.wml 22 Jul 2004 14:34:44 - 1.109 @@ -76,6 +76,8 @@ + + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.034-php.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.034-php.txt --- /dev/null 2004-07-22 16:34:45 +0200 +++ OpenPKG-SA-2004.034-php.txt 2004-07-22 16:34:45 +0200 
@@ -0,0 +1,85 @@ +#FIXME, this is a template +#FIXME, the first three lines are just dummies +#FIXME, to help comparing this against sibling signed documents + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.034 22-Jul-2004 + + +Package: php, apache (option "with_mod_php" only) +Vulnerability: XSS; remote code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= php-4.3.7-20040611 >= php-4.3.8-20040714 + <= apache-1.3.31-20040713 >= apache-1.3.31-20040714 +OpenPKG 2.1 noneN.A. +OpenPKG 2.0 <= php-4.3.4-2.0.0 >= php-4.3.4-2.0.1 + <= apache-1.3.29-2.0.4 >= apache-1.3.29-2.0.5 + +Dependent Packages: none + +Description: + According to a PHP [0] security advisory [1] from Stefan Esser the + commonly used memory_limit functionality in PHP 4.x up to 4.3.7 under + certain conditions allows remote attackers to execute arbitrary + code by triggering a memory_limit abort during execution of the + zend_hash_init function. The Common Vulnerabilities and Exposures + (CVE) project assigned the id CAN-2004-0594 [2] to the problem. + + According to another security advisory [3] from Stefan Esser the + strip_tags function in PHP 4.x up to 4.3.7 does not filter NUL + characters within tag names, allowing dangerous tags to be processed + by certain web browsers and facilitate the exploitation of cross-site + scripting (XSS) vulnerabilities. The Common Vulnerabilities and + Exposures (CVE) project assigned the id CAN-2004-0595 [4] to the + problem. + + Please check whether you are affected by running "/bin/rpm + -q php". If you have the "php" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution) [5][6]. 
+ +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [7], fetch it from the OpenPKG FTP service [8] or a mirror location, + verify its integrity [9], build a corresponding binary RPM from it [5] + and update your OpenPKG installation by applying the binary RPM [6]. + For the affected release OpenPKG 2.0, perform the following operations + to permanently fix the security problem (for other releases adjust + accordingly). + + $ ftp f
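Review bot: the three "#FIXME, this is a template" lines at the top of the OpenPKG-SA-2004.034-php.txt hunk are template placeholders and should not be committed into the published advisory; strip them (or replace them with the signature header the other advisories carry) before this goes to the website. The "Please check whether you are affected" paragraph only tells readers to run "/bin/rpm -q php", while the Package line also names apache with the "with_mod_php" option and the Affected Packages table lists apache-1.3.31-20040713 and apache-1.3.29-2.0.4; add "/bin/rpm -q apache" to the check and say that an apache package built with mod_php has to be rebuilt as well, so sites that run only the bundled module do not conclude they are unaffected. Minor: "Vulnerability: XSS; remote code execution" uses a semicolon where the sibling advisories separate classes with a comma.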
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 08-Jul-2004 15:14:45 Branch: HEAD Handle: 2004070814144401 Added files: openpkg-web/securityOpenPKG-SA-2004.031-dhcpd.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.031-dhcpd; CAN-2004-0460, CAN-2004-0461 Summary: RevisionChanges Path 1.86+1 -0 openpkg-web/security.txt 1.106 +1 -0 openpkg-web/security.wml 1.1 +84 -0 openpkg-web/security/OpenPKG-SA-2004.031-dhcpd.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.85 -r1.86 security.txt --- openpkg-web/security.txt 6 Jul 2004 14:04:55 - 1.85 +++ openpkg-web/security.txt 8 Jul 2004 13:14:44 - 1.86 @@ -1,3 +1,4 @@ +08-Jul-2004: Security Advisory: S 06-Jul-2004: Security Advisory: S 11-Jun-2004: Security Advisory: S 11-Jun-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.105 -r1.106 security.wml --- openpkg-web/security.wml 6 Jul 2004 14:04:55 - 1.105 +++ openpkg-web/security.wml 8 Jul 2004 13:14:44 - 1.106 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.031-dhcpd.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.031-dhcpd.txt --- /dev/null 2004-07-08 15:14:45.0 +0200 +++ OpenPKG-SA-2004.031-dhcpd.txt 2004-07-08 15:14:45.0 +0200 
@@ -0,0 +1,84 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.031 08-Jul-2004 + + +Package: dhcpd +Vulnerability: denial of service, arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= dhcpd-3.0.1rc13-20040524 >= dhcpd-3.0.1rc14-20040623 +OpenPKG 2.0 <= dhcpd-3.0.1rc13-2.0.0>= dhcpd-3.0.1rc13-2.0.1 +OpenPKG 1.3 <= dhcpd-3.0.1rc11-1.3.0>= dhcpd-3.0.1rc11-1.3.1 + +Affected Releases: Dependent Packages: none + +Description: + As reported by US-CERT [0] Gregory Duchemin discovered several + vulnerabilities in ISC DHCP Distribution [1] and helped fixing them. + + Several buffer overflows were closed in logging messages with + excessively long hostnames provided by the clients. The Common + Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0460 [2] to the problem. + + Another issue was evident on some specific platforms where the dhcpd + build mechanism ignored the existence of [v]snprintf(3) functions and + used the weaker [v]sprintf(3) which lack bounds checking. The RELEASE + updates enforces use of the favorable functions as it was verified + they exist on all platforms supported by OpenPKG. The CURRENT update + contains a vendor fix explicitly providing a suitable function. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0461 [3] to the problem. + + Please check whether you are affected by running "/bin/rpm + -q dhcpd". If you have the "dhcpd" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution) and its dependent packages (see above), if any, + too [4][5]. 
+ +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror + location, verify its integrity [10], build a corresponding binary RPM + from it [4] and update your OpenPKG installation by applying the + binary RPM [5]. For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get dhcpd-3.0.1rc13-2.0.1.src.rpm + ftp> bye + $ /bin/openpk
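Review bot: the CAN-2004-0461 paragraph of the OpenPKG-SA-2004.031-dhcpd.txt hunk says the RELEASE updates "enforces use of the favorable functions" while CURRENT "contains a vendor fix", but it does not say how the RELEASE packages force [v]snprintf(3) (a build flag or a patch), which a reader needs in order to verify that the rebuilt dhcpd no longer calls [v]sprintf(3); name the mechanism, and fix the agreement ("The RELEASE updates enforce"). The table line "Affected Releases: Dependent Packages: none" repeats the "Affected Releases:" label; the sibling advisories write just "Dependent Packages: none". Also "helped fixing them" should read "helped fix them".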
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 11-Jun-2004 16:43:18 Branch: HEAD Handle: -NONE- Added files: openpkg-web/securityOpenPKG-SA-2004.029-apache.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.029-apache; CAN-2004-0492 Summary: RevisionChanges Path 1.84+0 -0 openpkg-web/security.txt 1.104 +0 -0 openpkg-web/security.wml 1.1 +73 -0 openpkg-web/security/OpenPKG-SA-2004.029-apache.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.83 -r1.84 security.txt --- openpkg-web/security.txt 11 Jun 2004 12:08:07 - 1.83 +++ openpkg-web/security.txt 11 Jun 2004 14:43:17 - 1.84 @@ -1,3 +1,4 @@ +11-Jun-2004: Security Advisory: S 11-Jun-2004: Security Advisory: S 11-Jun-2004: Security Advisory: S 27-May-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.103 -r1.104 security.wml --- openpkg-web/security.wml 11 Jun 2004 12:08:07 - 1.103 +++ openpkg-web/security.wml 11 Jun 2004 14:43:17 - 1.104 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.029-apache.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.029-apache.txt --- /dev/null 2004-06-11 16:43:18.0 +0200 +++ OpenPKG-SA-2004.029-apache.txt2004-06-11 16:43:18.0 +0200 
@@ -0,0 +1,73 @@ +#FIXME, this is a template +#FIXME, the first three lines are just dummies +#FIXME, to help comparing this against sibling signed documents + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.029 11-Jun-2004 + + +Package: apache +Vulnerability: denial of service +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= apache-1.3.31-20040608 >= apache-1.3.31-20040611 +OpenPKG 2.0 <= apache-1.3.29-2.0.2 >= apache-1.3.29-2.0.3 +OpenPKG 1.3 <= apache-1.3.28-1.3.4 >= apache-1.3.28-1.3.5 + +Dependent Packages: none + +Description: + According to a security advisory from Georgi Guninski [0] there + is a buffer overflow in Apache's modproxy module. The Common + Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0492 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + apache". If you have the "apache" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution) [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get apache-1.3.29-2.0.3.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig apache-1.3.29-2.0.3.src.rpm + $ /bin/openpkg rpm --rebuild apache-1.3.29-2.0.3.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/apache-1.3.29-2.0.3.*.rpm + + +References: + [0] http://www.guninski.com/modproxy1.html + [1] http://httpd.apache.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.5.src.rpm + [6] ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3
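Review bot: reference [1] (http://httpd.apache.org/) in the OpenPKG-SA-2004.029-apache.txt hunk is never cited; the Description jumps from [0] to [2], so either cite it ("Apache [1]") or drop it. The Vulnerability line says only "denial of service" while the Description says "there is a buffer overflow in Apache's modproxy module"; if the overflow is assessed as not usable for code execution, say so explicitly, since the sibling advisories list "arbitrary code execution" for overflows, and write the module name as mod_proxy. The three "#FIXME, this is a template" lines at the top of the file are placeholders and should be removed before the file is published. Minor: the Summary counts "1.84 +0 -0" for security.txt and "1.104 +0 -0" for security.wml do not match the one-line hunks that follow.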
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 11-Jun-2004 14:08:09 Branch: HEAD Handle: -NONE- Added files: openpkg-web/securityOpenPKG-SA-2004.028-subversion.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.028-subversion; CAN-2004-0413 Summary: RevisionChanges Path 1.83+0 -0 openpkg-web/security.txt 1.103 +0 -0 openpkg-web/security.wml 1.1 +72 -0 openpkg-web/security/OpenPKG-SA-2004.028-subversion.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.82 -r1.83 security.txt --- openpkg-web/security.txt 11 Jun 2004 08:12:38 - 1.82 +++ openpkg-web/security.txt 11 Jun 2004 12:08:07 - 1.83 @@ -1,4 +1,5 @@ -10-Jun-2004: Security Advisory: S +11-Jun-2004: Security Advisory: S +11-Jun-2004: Security Advisory: S 27-May-2004: Security Advisory: S 21-May-2004: Security Advisory: S 19-May-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.102 -r1.103 security.wml --- openpkg-web/security.wml 11 Jun 2004 08:12:38 - 1.102 +++ openpkg-web/security.wml 11 Jun 2004 12:08:07 - 1.103 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.028-subversion.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.028-subversion.txt --- /dev/null 2004-06-11 14:08:09.0 +0200 +++ OpenPKG-SA-2004.028-subversion.txt2004-06-11 14:08:09.0 +0200 
@@ -0,0 +1,72 @@ +#FIXME, this is a template +#FIXME, the first three lines are just dummies +#FIXME, to help comparing this against sibling signed documents + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.028 11-Jun-2004 + + +Package: subversion +Vulnerability: denial of service, arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= subversion-1.0.4-20040522 >= subversion-1.0.5-20040611 +OpenPKG 2.0 <= subversion-1.0.0-2.0.2>= subversion-1.0.0-2.0.3 +OpenPKG 1.3 N.A. N.A. + +Dependent Packages: none + +Description: + Subversion [1] versions up to and including 1.0.4 have a potential + Denial of Service and Heap Overflow issue related to the parsing of + strings in the 'svn://' family of access protocols. This affects only + sites running svnserve. It does not affect 'http://' access. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0413 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + subversion". If you have the "subversion" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution) [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror location, + verify its integrity [7], build a corresponding binary RPM from it + [3] and update your OpenPKG installation by applying the binary RPM + [4]. For the most recent release OpenPKG 2.0, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get subversion-1.0.0-2.0.3.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig subversion-1.0.0-2.0.3.src.rpm + $ /bin/openpkg rpm --rebuild subversion-1.0.0-2.0.3.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/subversion-1.0.0-2.0.3.*.rpm + + +References: + [1] http://subversion.tigris.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-04
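Review bot: the Description of the OpenPKG-SA-2004.028-subversion.txt hunk names no source for the issue: it cites Subversion [1] and the CVE id [2] only, and the References list starts at [1] with no [0], whereas the sibling advisories open with the upstream or reporting advisory as [0]; add the Subversion project's advisory for CAN-2004-0413 as [0] and cite it in the first sentence. The scoping sentence "This affects only sites running svnserve. It does not affect 'http://' access" is the most useful line for readers; repeat it in the "Please check" paragraph so that sites not running svnserve can see they are not exposed over the network while still upgrading. The three "#FIXME, this is a template" lines at the top of the file are placeholders and should be stripped before publishing.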
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 11-Jun-2004 10:12:39 Branch: HEAD Handle: -NONE- Added files: openpkg-web/securityOpenPKG-SA-2004.027-cvs.txt Modified files: openpkg-web security.txt security.wml Log: OpenPKG-SA-2004.027-cvs, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 Summary: RevisionChanges Path 1.82+0 -0 openpkg-web/security.txt 1.102 +0 -0 openpkg-web/security.wml 1.1 +79 -0 openpkg-web/security/OpenPKG-SA-2004.027-cvs.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.81 -r1.82 security.txt --- openpkg-web/security.txt 5 Jun 2004 11:33:51 - 1.81 +++ openpkg-web/security.txt 11 Jun 2004 08:12:38 - 1.82 @@ -1,3 +1,4 @@ +10-Jun-2004: Security Advisory: S 27-May-2004: Security Advisory: S 21-May-2004: Security Advisory: S 19-May-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.101 -r1.102 security.wml --- openpkg-web/security.wml 5 Jun 2004 11:33:51 - 1.101 +++ openpkg-web/security.wml 11 Jun 2004 08:12:38 - 1.102 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.027-cvs.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.027-cvs.txt --- /dev/null 2004-06-11 10:12:39.0 +0200 +++ OpenPKG-SA-2004.027-cvs.txt 2004-06-11 10:12:39.0 +0200 
@@ -0,0 +1,79 @@ +#FIXME, this is a template +#FIXME, the first three lines are just dummies +#FIXME, to help comparing this against sibling signed documents + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.027 11-Jun-2004 + + +Package: cvs +Vulnerability: multiple remote compromises +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= cvs-1.12.8-20040607 >= cvs-1.12.9-20040609 +OpenPKG 2.0 <= cvs-1.12.5-2.0.2 >= cvs-1.12.5-2.0.3 +OpenPKG 1.3 <= cvs-1.12.1-1.3.5 >= cvs-1.12.1-1.3.6 + +Affected Releases: Dependent Packages: none + +Description: + According to an e-matters Security Advisory [0] multiple remote + vulnerabilities exists in the Concurrent Versions System (CVS) [1] + which allow remote compromise of CVS servers. Derek Price, Stefan + Esser and Sebastian Krahmer discovered and fixed several security + issues. The Common Vulnerabilities and Exposures (CVE) project + assigned the ids CAN-2004-0414 [2], CAN-2004-0416 [3], CAN-2004-0417 + [4] and CAN-2004-0418 [5] to the problems. + + Please check whether you are affected by running "/bin/rpm -q + cvs". If you have the "cvs" package installed and its version is + affected (see above), we recommend that you immediately upgrade + it (see Solution). [6][7] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [8][9], fetch it from the OpenPKG FTP service [10][11] or a mirror + location, verify its integrity [12], build a corresponding binary RPM + from it [6] and update your OpenPKG installation by applying the + binary RPM [7]. For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get cvs-1.12.5-2.0.3.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig cvs-1.12.5-2.0.3.src.rpm + $ /bin/openpkg rpm --rebuild cvs-1.12.5-2.0.3.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/cvs-1.12.5-2.0.3.*.rpm + + +References: + [0] http://security.e-matters.de/advisories/092004.html + [1] http://www.cvshome.org/ + [2] http://cve.mitre.org/cg
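Review bot: the security.txt hunk adds "+10-Jun-2004: Security Advisory: S", but the advisory in the OpenPKG-SA-2004.027-cvs.txt hunk is dated 11-Jun-2004 ("OpenPKG-SA-2004.027 11-Jun-2004"); the index entry should carry the same date (the later security.txt r1.83 commit on this page has to change it to 11-Jun-2004). In the advisory hunk, "Vulnerability: multiple remote compromises" does not state the bug classes, unlike the sibling advisories ("denial of service, arbitrary code execution"); list the classes behind the four CAN ids as given in the e-matters advisory [0]. "multiple remote vulnerabilities exists" should be "exist", the table line "Affected Releases: Dependent Packages: none" repeats the "Affected Releases:" label, and the three "#FIXME, this is a template" lines at the top of the file are placeholders to strip before publishing.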
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 21-May-2004 18:06:28 Branch: HEAD Handle: 2004052117062601 Added files: openpkg-web/securityOpenPKG-SA-2004.025-rsync.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.025-rsync; CAN-2004-0426 Summary: RevisionChanges Path 1.80+1 -0 openpkg-web/security.txt 1.100 +1 -0 openpkg-web/security.wml 1.1 +73 -0 openpkg-web/security/OpenPKG-SA-2004.025-rsync.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.79 -r1.80 security.txt --- openpkg-web/security.txt 19 May 2004 21:03:24 - 1.79 +++ openpkg-web/security.txt 21 May 2004 16:06:26 - 1.80 @@ -1,3 +1,4 @@ +21-May-2004: Security Advisory: S 19-May-2004: Security Advisory: S 19-May-2004: Security Advisory: S 19-May-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.99 -r1.100 security.wml --- openpkg-web/security.wml 19 May 2004 21:03:24 - 1.99 +++ openpkg-web/security.wml 21 May 2004 16:06:26 - 1.100 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.025-rsync.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.025-rsync.txt --- /dev/null 2004-05-21 18:06:28.0 +0200 +++ OpenPKG-SA-2004.025-rsync.txt 2004-05-21 18:06:28.0 +0200 
@@ -0,0 +1,73 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.025 21-May-2004 + + +Package: rsync +Vulnerability: filesystem intrusion +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= rsync-2.6.0-20040324 >= rsync-2.6.1-20040428 +OpenPKG 2.0 <= rsync-2.6.0-2.0.0>= rsync-2.6.0-2.0.1 +OpenPKG 1.3 <= rsync-2.5.6-1.3.1>= rsync-2.5.6-1.3.2 + +Dependent Packages: none + +Description: + According to a rsync [0] security advisory [1] versions before + 2.6.1 do not properly sanitize paths when running as a read/write + daemon without using chroot. This allows remote attackers to write + files outside of the module's path. The OpenPKG default is to run + a read-only daemon using chroot. The Common Vulnerabilities and + Exposures (CVE) project assigned the id CAN-2004-0426 [2] to the + problem. + + Please check whether you are affected by running "/bin/rpm -q + rsync". If you have the "rsync" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution) [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get rsync-2.6.0-2.0.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig rsync-2.6.0-2.0.1.src.rpm + $ /bin/openpkg rpm --rebuild rsync-2.6.0-2.0.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/rsync-2.6.0-2.0.1.*.rpm + + +References: + [0] http://rsync.samba.org/ + [1] http://rsync.samba.org/index.html#security_apr04 + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.3/UPD/rsync-2.5.6-1.3.2.src.rpm + [6] ftp
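Review bot: the Description of the OpenPKG-SA-2004.025-rsync.txt hunk says the hole only applies to a daemon running read/write without chroot and that "The OpenPKG default is to run a read-only daemon using chroot", but the "Please check" paragraph gives no way to tell whether the local daemon deviates from that default; name the rsyncd.conf settings to inspect ("use chroot" and "read only") so administrators can judge their exposure, while keeping the upgrade recommendation. "Vulnerability: filesystem intrusion" is non-standard wording; "path traversal, unauthorized file write" matches what the Description actually describes (unsanitized paths letting remote users write outside the module path). Also "According to a rsync [0] security advisory [1] versions before 2.6.1" needs a comma after "[1]".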
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 05-May-2004 15:18:56 Branch: HEAD Handle: 2004050514185501 Added files: openpkg-web/securityOpenPKG-SA-2004.019-kolab.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.019-kolab Summary: RevisionChanges Path 1.75+1 -0 openpkg-web/security.txt 1.95+1 -0 openpkg-web/security.wml 1.1 +79 -0 openpkg-web/security/OpenPKG-SA-2004.019-kolab.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.74 -r1.75 security.txt --- openpkg-web/security.txt 3 May 2004 08:42:55 - 1.74 +++ openpkg-web/security.txt 5 May 2004 13:18:55 - 1.75 @@ -1,3 +1,4 @@ +05-May-2004: Security Advisory: S 30-Apr-2004: Security Advisory: S 29-Apr-2004: Security Advisory: S 16-Apr-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.94 -r1.95 security.wml --- openpkg-web/security.wml 3 May 2004 08:42:55 - 1.94 +++ openpkg-web/security.wml 5 May 2004 13:18:55 - 1.95 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.019-kolab.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.019-kolab.txt --- /dev/null 2004-05-05 15:18:56.0 +0200 +++ OpenPKG-SA-2004.019-kolab.txt 2004-05-05 15:18:56.0 +0200 
@@ -0,0 +1,79 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.019 05-May-2004 + + +Package: kolab +Vulnerability: information leakage, privilege escalation +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= kolab-20040426-20040426 >= kolab-20040503-20040503 + <= perl-kolab-5.8.4-20040503 >= perl-kolab-5.8.4-20040505 +OpenPKG 2.0 <= kolab-20040217-2.0.1 >= kolab-20040217-2.0.2 + <= perl-kolab-5.8.3-2.0.1>= perl-kolab-5.8.3-2.0.2 +OpenPKG 1.3 none N.A. + +Dependent Packages: none + +Description: + Luca Villani reported [1] disclosure of critical configuration + information within Kolab [2], the KDE Groupware server. The affected + versions store OpenLDAP passwords in plain text. The heart of Kolab + is an engine written in Perl that rewrites configuration for certain + applications based on templates. OpenPKG packages come with both + the genuine and a modular replacement engine, both creating wrong + permissions. The genuine engine is part of the kolab package and the + replacement engine is a module in the perl-kolab package. The build() + function in both engines left slapd.conf world-readable exhibiting + the rootpw. + + Please check whether you are affected by running "/bin/rpm -q + kolab". If you have the "kolab" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution) and its dependent packages (see above), if any, too + [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][5], fetch it from the OpenPKG FTP service [7][6] or a mirror + location, verify its integrity [7], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. 
For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get kolab-20040217-2.0.2.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig kolab-20040217-2.0.2.src.rpm + $ /bin/openpkg rpm --rebuild kolab-20040217-2.0.2.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/kolab-20040217-2.0.2.*.rpm
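Review bot: the reference indices in the Solution paragraph of the OpenPKG-SA-2004.019-kolab.txt hunk are broken: "[5][5]" for the source RPMs, "[7][6]" for the FTP service and then "[7]" again for integrity verification, so one index is duplicated and [7] points at two different things; renumber them to match the References list. The command sequence fetches, verifies, rebuilds and installs only kolab-20040217-2.0.2, yet the Affected Packages table also lists perl-kolab-5.8.3-2.0.1 (corrected in 2.0.2) and the Description says both the genuine engine in kolab and the replacement engine in perl-kolab create the wrong permissions; add the perl-kolab source RPM to the example steps, otherwise a reader who follows them literally leaves the perl-kolab engine unfixed. "OpenPKG Specific: no" also sits oddly beside a description that attributes part of the problem to OpenPKG's own replacement engine in perl-kolab; state which part is upstream and which is OpenPKG-specific. Last, the fix only restores the permissions of slapd.conf; a rootpw that was world-readable should be treated as disclosed, so the advisory should recommend changing it after the upgrade.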
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 29-Apr-2004 22:04:08 Branch: HEAD Handle: 2004042921040701 Added files: openpkg-web/securityOpenPKG-SA-2004.017-png.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.017-png Summary: RevisionChanges Path 1.73+1 -0 openpkg-web/security.txt 1.93+1 -0 openpkg-web/security.wml 1.1 +125 -0 openpkg-web/security/OpenPKG-SA-2004.017-png.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.72 -r1.73 security.txt --- openpkg-web/security.txt 19 Apr 2004 08:06:35 - 1.72 +++ openpkg-web/security.txt 29 Apr 2004 20:04:07 - 1.73 @@ -1,3 +1,4 @@ +29-Apr-2004: Security Advisory: S 16-Apr-2004: Security Advisory: S 16-Apr-2004: Security Advisory: S 14-Apr-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.92 -r1.93 security.wml --- openpkg-web/security.wml 19 Apr 2004 08:06:35 - 1.92 +++ openpkg-web/security.wml 29 Apr 2004 20:04:07 - 1.93 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.017-png.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.017-png.txt --- /dev/null 2004-04-29 22:04:08.0 +0200 +++ OpenPKG-SA-2004.017-png.txt 2004-04-29 22:04:08.0 +0200 
@@ -0,0 +1,125 @@ +#FIXME, this is a template +#FIXME, the first three lines are just dummies +#FIXME, to help comparing this against sibling signed documents + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.017 29-Apr-2004 + + +Package: png +Vulnerability: denial of service, program crash +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= abiword- >= abiword-2.1.2-20040429 + <= analog- >= analog-5.32-20040429 + <= doxygen- >= doxygen-1.3.6-20040429 + <= firefox- >= firefox-0.8-20040429 + <= ghostscript- >= ghostscript-8.14-20040429 + <= kde- >= kde-qt-3.2.3-20040429 + <= mozilla- >= mozilla-1.7rc1-20040429 + <= pdflib- >= pdflib-5.0.3-20040429 + <= perl->= perl-tk-5.8.4-20040429 + <= png- >= png-1.2.5-20040429 + <= qt- >= qt-3.3.2-20040429 + <= rrdtool- >= rrdtool-1.0.48-20040429 + <= tetex- >= tetex-2.0.2-20040429 + <= wx- >= wx-2.4.2-20040429 + +OpenPKG 2.0 <= analog-5.32-2.0.0>= analog-5.32-2.0.1 + <= doxygen-1.3.6-2.0.0 >= doxygen-1.3.6-2.0.1 + <= ghostscript-8.13-2.0.0 >= ghostscript-8.13-2.0.1 + <= mozilla-1.6-2.0.0>= mozilla-1.6-2.0.1 + <= pdflib-5.0.3-2.0.0 >= pdflib-5.0.3-2.0.1 + <= perl-tk-5.8.3-2.0.0 >= perl-tk-5.8.3-2.0.1 + <= png-1.2.5-2.0.0 >= png-1.2.5-2.0.1 + <= qt-3.2.3-2.0.0 >= qt-3.2.3-2.0.1 + <= rrdtool-1.0.46-2.0.0 >= rrdtool-1.0.46-2.0.1 + <= tetex-2.0.2-2.0.0>= tetex-2.0.2-2.0.1 + +OpenPKG 1.3 <= analog-5.32-1.3.0>= analog-5.32-1.3.1 + <= doxygen-1.3.3-1.3.0 >= doxygen-1.3.3-1.3.1 + <= ghostscript-8.10-1.3.0 >= ghostscript-8.10-1.3.1 + <= pdflib-5.0.1-1.3.0 >=
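Review bot: the OpenPKG CURRENT rows of the Affected Packages table in the OpenPKG-SA-2004.017-png.txt hunk carry no version on the affected side ("<= abiword-", "<= analog-", through "<= wx-"), so a reader cannot tell whether an installed CURRENT package is affected; fill in the last affected snapshot of each, as the 2.0 and 1.3 rows do. Two of those names also do not match the corrected column: "<= kde-" against ">= kde-qt-3.2.3-20040429" and "<= perl-" against ">= perl-tk-5.8.4-20040429". The table mixes the png package itself with packages that embed their own libpng (analog, doxygen, ghostscript, pdflib, perl-tk, qt, rrdtool, tetex) without saying so; the later SA-2004.035 advisory on this page annotates each with the embedded libpng version under "# PNG embedded", and that legend belongs here too. "Vulnerability: denial of service, program crash" says the same thing twice. The three "#FIXME, this is a template" lines at the top of the file are placeholders and should be removed before publishing.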