[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-12-17 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   17-Dec-2003 12:59:24
  Branch: HEAD Handle: 2003121711592301

  Modified files:
openpkg-web security.txt security.wml

  Log:
link in SA lftp and SA cvs

  Summary:
Revision  Changes  Path
1.59      +2 -0    openpkg-web/security.txt
1.76      +2 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.58 -r1.59 security.txt
  --- openpkg-web/security.txt  4 Dec 2003 15:21:12 -   1.58
  +++ openpkg-web/security.txt  17 Dec 2003 11:59:23 -  1.59
  @@ -1,3 +1,5 @@
  +17-Dec-2003: Security Advisory: S
  +17-Dec-2003: Security Advisory: S
   04-Dec-2003: Security Advisory: S
   28-Nov-2003: Security Advisory: S
   25-Nov-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.75 -r1.76 security.wml
  --- openpkg-web/security.wml  4 Dec 2003 15:21:12 -   1.75
  +++ openpkg-web/security.wml  17 Dec 2003 11:59:24 -  1.76
  @@ -76,6 +76,8 @@
   
   
   
  +  
  +  
 
 
 
  @@ .
__
The OpenPKG Project            www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2004-03-05 Thread Michael Schloh
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Michael Schloh
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   05-Mar-2004 17:07:15
  Branch: HEAD Handle: 2004030516071400

  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.003-libxml (CAN-2004-0110)

  Summary:
Revision  Changes  Path
1.62      +1 -0    openpkg-web/security.txt
1.81      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.61 -r1.62 security.txt
  --- openpkg-web/security.txt  16 Jan 2004 12:43:44 -  1.61
  +++ openpkg-web/security.txt  5 Mar 2004 16:07:14 -   1.62
  @@ -1,3 +1,4 @@
  +05-Mar-2004: Security Advisory: S
   16-Jan-2004: Security Advisory: S
   08-Jan-2004: Security Advisory: S
   17-Dec-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.80 -r1.81 security.wml
  --- openpkg-web/security.wml  27 Feb 2004 14:59:15 -  1.80
  +++ openpkg-web/security.wml  5 Mar 2004 16:07:14 -   1.81
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2004-04-01 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   01-Apr-2004 23:01:13
  Branch: HEAD Handle: 2004040122011300

  Modified files:
openpkg-web security.txt security.wml

  Log:
make SA-2004.008-squid visible

  Summary:
Revision  Changes  Path
1.67      +1 -0    openpkg-web/security.txt
1.86      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.66 -r1.67 security.txt
  --- openpkg-web/security.txt  18 Mar 2004 10:02:38 -  1.66
  +++ openpkg-web/security.txt  1 Apr 2004 21:01:13 -   1.67
  @@ -1,3 +1,4 @@
  +01-Apr-2004: Security Advisory: S
   18-Mar-2004: Security Advisory: S
   12-Mar-2004: Security Advisory: S
   09-Mar-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.85 -r1.86 security.wml
  --- openpkg-web/security.wml  18 Mar 2004 10:02:38 -  1.85
  +++ openpkg-web/security.wml  1 Apr 2004 21:01:13 -   1.86
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2004-04-07 Thread Michael Schloh
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Michael Schloh
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   07-Apr-2004 18:24:59
  Branch: HEAD Handle: 2004040717245900

  Modified files:
openpkg-web security.txt security.wml

  Log:
publish OpenPKG-SA-2004.010-tcpdump

  Summary:
Revision  Changes  Path
1.70      +1 -0    openpkg-web/security.txt
1.90      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.69 -r1.70 security.txt
  --- openpkg-web/security.txt  7 Apr 2004 12:45:53 -   1.69
  +++ openpkg-web/security.txt  7 Apr 2004 16:24:59 -   1.70
  @@ -1,4 +1,5 @@
   07-Apr-2004: Security Advisory: S
  +07-Apr-2004: Security Advisory: S
   05-Apr-2004: Security Advisory: S
   01-Apr-2004: Security Advisory: S
   18-Mar-2004: Security Advisory: S
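Review bot: the new 07-Apr-2004 entry is inserted below the existing 07-Apr-2004 line instead of at the top of the file, which is where every other commit in this series places a newly published advisory; since the list is kept newest-first, put the newer same-day advisory above the older one (or settle on one rule for same-day entries) so the ordering stays predictable for readers and for the wml side of the page.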
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.89 -r1.90 security.wml
  --- openpkg-web/security.wml  7 Apr 2004 12:45:54 -   1.89
  +++ openpkg-web/security.wml  7 Apr 2004 16:24:59 -   1.90
  @@ -77,6 +77,7 @@
   
   
 
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2004-04-15 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   15-Apr-2004 20:09:54
  Branch: HEAD Handle: 2004041519095300

  Modified files:
openpkg-web security.txt security.wml

  Log:
add missing SAs

  Summary:
Revision  Changes  Path
1.71      +3 -0    openpkg-web/security.txt
1.91      +3 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.70 -r1.71 security.txt
  --- openpkg-web/security.txt  7 Apr 2004 16:24:59 -   1.70
  +++ openpkg-web/security.txt  15 Apr 2004 18:09:53 -  1.71
  @@ -1,3 +1,6 @@
  +14-Apr-2004: Security Advisory: S
  +14-Apr-2004: Security Advisory: S
  +08-Apr-2004: Security Advisory: S
   07-Apr-2004: Security Advisory: S
   07-Apr-2004: Security Advisory: S
   05-Apr-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.90 -r1.91 security.wml
  --- openpkg-web/security.wml  7 Apr 2004 16:24:59 -   1.90
  +++ openpkg-web/security.wml  15 Apr 2004 18:09:53 -  1.91
  @@ -76,6 +76,9 @@
   
   
   
  +  
  +  
  +  
 
 
 
  @@ .
__
The OpenPKG Projectwww.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2004-04-19 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   19-Apr-2004 10:06:35
  Branch: HEAD Handle: 2004041909063500

  Modified files:
openpkg-web security.txt security.wml

  Log:
link in OpenPKG-SA-2004.015-ethereal and OpenPKG-SA-2004.016-neon

  Summary:
Revision  Changes  Path
1.72      +2 -0    openpkg-web/security.txt
1.92      +2 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.71 -r1.72 security.txt
  --- openpkg-web/security.txt  15 Apr 2004 18:09:53 -  1.71
  +++ openpkg-web/security.txt  19 Apr 2004 08:06:35 -  1.72
  @@ -1,3 +1,5 @@
  +16-Apr-2004: Security Advisory: S
  +16-Apr-2004: Security Advisory: S
   14-Apr-2004: Security Advisory: S
   14-Apr-2004: Security Advisory: S
   08-Apr-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.91 -r1.92 security.wml
  --- openpkg-web/security.wml  15 Apr 2004 18:09:53 -  1.91
  +++ openpkg-web/security.wml  19 Apr 2004 08:06:35 -  1.92
  @@ -76,6 +76,8 @@
   
   
   
  +  
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web security.txt security.wml

2002-10-04 Thread Ralf S. Engelschall

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   04-Oct-2002 21:47:18
  Branch: HEAD Handle: 2002100420471800

  Modified files:
openpkg-web security.txt security.wml

  Log:
add security advisory

  Summary:
Revision  Changes  Path
1.5       +3 -0    openpkg-web/security.txt
1.21      +10 -8   openpkg-web/security.wml
  

  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.4 -r1.5 security.txt
  --- openpkg-web/security.txt  4 Jul 2002 13:48:22 -   1.4
  +++ openpkg-web/security.txt  4 Oct 2002 19:47:18 -   1.5
  @@ -1,3 +1,6 @@
  +04-Oct-2002: Security Advisory: S
  +30-Jul-2002: Security Advisory: S
  +30-Jul-2002: Security Advisory: S
   04-Jul-2002: Security Advisory: S
   26-Jun-2002: Security Advisory: S
   19-Jun-2002: Security Advisory: S
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.20 -r1.21 security.wml
  --- openpkg-web/security.wml  27 Aug 2002 13:02:32 -  1.20
  +++ openpkg-web/security.wml  4 Oct 2002 19:47:18 -   1.21
  @@ -44,6 +44,7 @@
   At this time, security advisories are being released for:
   
   
  +   OpenPKG 1.1 (CORE and BASE class packages only)
  OpenPKG 1.0
   
   
  @@ -69,14 +70,15 @@
  TXT)
   
   
  -  
  -  
  -  
  -  
  -  
  -  
  -  
  +  
 
  +  
  +  
  +  
  +  
  +  
  +  
  +  
   
   
   
  @@ -97,7 +99,7 @@
   
   This is the preferred tool for working with OpenPGP. We recommend you to
   install it by using the OpenPKG ftp://ftp.openpkg.org/release/1.0/SRC/gnupg-1.0.6-1.0.0.src.rpm";>
  +href="ftp://ftp.openpkg.org/release/1.1/SRC/gnupg-1.0.7-1.1.0.src.rpm";>
   gnupg package.
   Alternatively you can fetch it from its official homepage http://www.gnupg.org/";>http://www.gnupg.org/ and build/install
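Review bot: the gnupg download link in this hunk now points only at the release/1.1 package (gnupg-1.0.7-1.1.0.src.rpm), while the earlier hunk in this file still lists OpenPKG 1.0 among the releases receiving advisories; readers on 1.0 who follow the recommended verification path therefore lose the link to a gnupg package built for their release. Keep the release/1.0 link next to the 1.1 one, or say explicitly which release the link is for. The log line "add security advisory" also does not mention the new 1.1 release entry or the link change, both of which deserve a word in the commit message.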



[CVS] OpenPKG: openpkg-web security.txt security.wml

2002-12-17 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   17-Dec-2002 17:24:45
  Branch: HEAD Handle: 2002121716244400

  Modified files:
openpkg-web security.txt security.wml

  Log:
add SAs

  Summary:
Revision  Changes  Path
1.8       +4 -0    openpkg-web/security.txt
1.24      +4 -0    openpkg-web/security.wml
  

  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.7 -r1.8 security.txt
  --- openpkg-web/security.txt  29 Nov 2002 10:12:50 -  1.7
  +++ openpkg-web/security.txt  17 Dec 2002 16:24:44 -  1.8
  @@ -1,3 +1,7 @@
  +17-Dec-2002: Security Advisory: S
  +16-Dec-2002: Security Advisory: S
  +16-Dec-2002: Security Advisory: S
  +16-Dec-2002: Security Advisory: S
   29-Nov-2002: Security Advisory: S
   15-Nov-2002: Security Advisory: S
   23-Oct-2002: Security Advisory: S
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.23 -r1.24 security.wml
  --- openpkg-web/security.wml  29 Nov 2002 10:12:50 -  1.23
  +++ openpkg-web/security.wml  17 Dec 2002 16:24:44 -  1.24
  @@ -70,6 +70,10 @@
  TXT)
   
   
  +  
  +  
  +  
  +  
 
 
 



[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-02-18 Thread Michael Schloh
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Michael Schloh
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   18-Feb-2003 16:03:25
  Branch: HEAD Handle: 2003021815032400

  Modified files:
openpkg-web security.txt security.wml

  Log:
Put new PHP advisory online.

  Summary:
Revision  Changes  Path
1.19      +1 -0    openpkg-web/security.txt
1.35      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.18 -r1.19 security.txt
  --- openpkg-web/security.txt  18 Feb 2003 11:43:13 -  1.18
  +++ openpkg-web/security.txt  18 Feb 2003 15:03:24 -  1.19
  @@ -1,3 +1,4 @@
  +18-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
   29-Jan-2003: Security Advisory: S
   23-Jan-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.34 -r1.35 security.wml
  --- openpkg-web/security.wml  18 Feb 2003 11:43:05 -  1.34
  +++ openpkg-web/security.wml  18 Feb 2003 15:03:24 -  1.35
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .



[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-02-19 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   19-Feb-2003 16:29:15
  Branch: HEAD Handle: 2003021915291500

  Modified files:
openpkg-web security.txt security.wml

  Log:
activate already the OpenSSL SA for easier testing

  Summary:
Revision  Changes  Path
1.22      +1 -0    openpkg-web/security.txt
1.38      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.21 -r1.22 security.txt
  --- openpkg-web/security.txt  19 Feb 2003 13:48:07 -  1.21
  +++ openpkg-web/security.txt  19 Feb 2003 15:29:15 -  1.22
  @@ -1,3 +1,4 @@
  +19-Feb-2003: Security Advisory: S
   19-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
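Review bot: the log says the OpenSSL advisory is activated "already ... for easier testing", but security.txt and security.wml are the sources the public website is generated from, so this entry is live as soon as the site is next rebuilt. If the advisory text is still being tested, test it on a copy that is not published and commit the link only once the advisory is final; otherwise an unfinished advisory, or one published ahead of the coordinated release date, becomes visible to everyone.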
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.37 -r1.38 security.wml
  --- openpkg-web/security.wml  19 Feb 2003 13:48:07 -  1.37
  +++ openpkg-web/security.wml  19 Feb 2003 15:29:15 -  1.38
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .



[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-04 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   04-Mar-2003 11:26:05
  Branch: HEAD Handle: 2003030410260400

  Modified files:
openpkg-web security.txt security.wml

  Log:
link tcpdump SA into website

  Summary:
Revision  Changes  Path
1.23      +1 -0    openpkg-web/security.txt
1.39      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.22 -r1.23 security.txt
  --- openpkg-web/security.txt  19 Feb 2003 15:29:15 -  1.22
  +++ openpkg-web/security.txt  4 Mar 2003 10:26:04 -   1.23
  @@ -1,3 +1,4 @@
  +04-Mar-2003: Security Advisory: S
   19-Feb-2003: Security Advisory: S
   19-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.38 -r1.39 security.wml
  --- openpkg-web/security.wml  19 Feb 2003 15:29:15 -  1.38
  +++ openpkg-web/security.wml  4 Mar 2003 10:26:04 -   1.39
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-14 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   14-Mar-2003 22:17:47
  Branch: HEAD Handle: 2003031421174500

  Modified files:
openpkg-web security.txt security.wml

  Log:
link in QPopper SA

  Summary:
Revision  Changes  Path
1.26      +1 -0    openpkg-web/security.txt
1.42      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.25 -r1.26 security.txt
  --- openpkg-web/security.txt  4 Mar 2003 15:37:38 -   1.25
  +++ openpkg-web/security.txt  14 Mar 2003 21:17:45 -  1.26
  @@ -1,3 +1,4 @@
  +14-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.41 -r1.42 security.wml
  --- openpkg-web/security.wml  4 Mar 2003 15:37:39 -   1.41
  +++ openpkg-web/security.wml  14 Mar 2003 21:17:45 -  1.42
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-18 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   18-Mar-2003 11:12:57
  Branch: HEAD Handle: 2003031810125700

  Modified files:
openpkg-web security.txt security.wml

  Log:
activate OpenSSL SA

  Summary:
Revision  Changes  Path
1.27      +1 -0    openpkg-web/security.txt
1.43      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.26 -r1.27 security.txt
  --- openpkg-web/security.txt  14 Mar 2003 21:17:45 -  1.26
  +++ openpkg-web/security.txt  18 Mar 2003 10:12:57 -  1.27
  @@ -1,3 +1,4 @@
  +18-Mar-2003: Security Advisory: S
   14-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.42 -r1.43 security.wml
  --- openpkg-web/security.wml  14 Mar 2003 21:17:45 -  1.42
  +++ openpkg-web/security.wml  18 Mar 2003 10:12:57 -  1.43
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-18 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   18-Mar-2003 16:26:43
  Branch: HEAD Handle: 2003031815264200

  Modified files:
openpkg-web security.txt security.wml

  Log:
add mod_ssl SA

  Summary:
Revision  Changes  Path
1.28      +1 -0    openpkg-web/security.txt
1.44      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.27 -r1.28 security.txt
  --- openpkg-web/security.txt  18 Mar 2003 10:12:57 -  1.27
  +++ openpkg-web/security.txt  18 Mar 2003 15:26:42 -  1.28
  @@ -1,3 +1,4 @@
  +18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
   14-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.43 -r1.44 security.wml
  --- openpkg-web/security.wml  18 Mar 2003 10:12:57 -  1.43
  +++ openpkg-web/security.wml  18 Mar 2003 15:26:42 -  1.44
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-18 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   18-Mar-2003 16:38:30
  Branch: HEAD Handle: 2003031815383000

  Modified files:
openpkg-web security.txt security.wml

  Log:
link in Samba SA

  Summary:
Revision  Changes  Path
1.29      +1 -0    openpkg-web/security.txt
1.45      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.28 -r1.29 security.txt
  --- openpkg-web/security.txt  18 Mar 2003 15:26:42 -  1.28
  +++ openpkg-web/security.txt  18 Mar 2003 15:38:30 -  1.29
  @@ -1,3 +1,4 @@
  +18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
   14-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.44 -r1.45 security.wml
  --- openpkg-web/security.wml  18 Mar 2003 15:26:42 -  1.44
  +++ openpkg-web/security.wml  18 Mar 2003 15:38:30 -  1.45
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-18 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   18-Mar-2003 16:55:43
  Branch: HEAD Handle: 2003031815554200

  Modified files:
openpkg-web security.txt security.wml

  Log:
activate MySQL SA

  Summary:
Revision  Changes  Path
1.30      +1 -0    openpkg-web/security.txt
1.46      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.29 -r1.30 security.txt
  --- openpkg-web/security.txt  18 Mar 2003 15:38:30 -  1.29
  +++ openpkg-web/security.txt  18 Mar 2003 15:55:42 -  1.30
  @@ -1,3 +1,4 @@
  +18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.45 -r1.46 security.wml
  --- openpkg-web/security.wml  18 Mar 2003 15:38:30 -  1.45
  +++ openpkg-web/security.wml  18 Mar 2003 15:55:42 -  1.46
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-20 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   20-Mar-2003 17:21:59
  Branch: HEAD Handle: 2003032016215900

  Modified files:
openpkg-web security.txt security.wml

  Log:
link in mutt SA

  Summary:
Revision  Changes  Path
1.31      +3 -0    openpkg-web/security.txt
1.47      +3 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.30 -r1.31 security.txt
  --- openpkg-web/security.txt  18 Mar 2003 15:55:42 -  1.30
  +++ openpkg-web/security.txt  20 Mar 2003 16:21:59 -  1.31
  @@ -1,3 +1,6 @@
  +20-Mar-2003: Security Advisory: S
  +19-Mar-2003: Security Advisory: S
  +19-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
   18-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.46 -r1.47 security.wml
  --- openpkg-web/security.wml  18 Mar 2003 15:55:42 -  1.46
  +++ openpkg-web/security.wml  20 Mar 2003 16:21:59 -  1.47
  @@ -78,6 +78,9 @@
   
   
   
  +  
  +  
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-20 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   20-Mar-2003 21:17:31
  Branch: HEAD Handle: 2003032020173100

  Modified files:
openpkg-web security.txt security.wml

  Log:
link OpenSSL SA into website

  Summary:
Revision  Changes  Path
1.32      +1 -0    openpkg-web/security.txt
1.48      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.31 -r1.32 security.txt
  --- openpkg-web/security.txt  20 Mar 2003 16:21:59 -  1.31
  +++ openpkg-web/security.txt  20 Mar 2003 20:17:31 -  1.32
  @@ -1,3 +1,4 @@
  +20-Mar-2003: Security Advisory: S
   20-Mar-2003: Security Advisory: S
   19-Mar-2003: Security Advisory: S
   19-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.47 -r1.48 security.wml
  --- openpkg-web/security.wml  20 Mar 2003 16:21:59 -  1.47
  +++ openpkg-web/security.wml  20 Mar 2003 20:17:31 -  1.48
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-03-30 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   30-Mar-2003 14:09:22
  Branch: HEAD Handle: 2003033013092200

  Modified files:
openpkg-web security.txt security.wml

  Log:
activate Sendmail SA

  Summary:
Revision  Changes  Path
1.33      +1 -0    openpkg-web/security.txt
1.49      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.32 -r1.33 security.txt
  --- openpkg-web/security.txt  20 Mar 2003 20:17:31 -  1.32
  +++ openpkg-web/security.txt  30 Mar 2003 12:09:22 -  1.33
  @@ -1,3 +1,4 @@
  +30-Mar-2003: Security Advisory: S
   20-Mar-2003: Security Advisory: S
   20-Mar-2003: Security Advisory: S
   19-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.48 -r1.49 security.wml
  --- openpkg-web/security.wml  20 Mar 2003 20:17:31 -  1.48
  +++ openpkg-web/security.wml  30 Mar 2003 12:09:22 -  1.49
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-06-11 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   11-Jun-2003 13:04:37
  Branch: HEAD Handle: 2003061112043600

  Modified files:
openpkg-web security.txt security.wml

  Log:
link in gzip SA

  Summary:
Revision  Changes  Path
1.37      +1 -0    openpkg-web/security.txt
1.53      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.36 -r1.37 security.txt
  --- openpkg-web/security.txt  3 Jun 2003 12:11:24 -   1.36
  +++ openpkg-web/security.txt  11 Jun 2003 11:04:36 -  1.37
  @@ -1,3 +1,4 @@
  +11-Jun-2003: Security Advisory: S
   03-Jun-2003: Security Advisory: S
   16-May-2003: Security Advisory: S
   07-Apr-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.52 -r1.53 security.wml
  --- openpkg-web/security.wml  3 Jun 2003 12:11:24 -   1.52
  +++ openpkg-web/security.wml  11 Jun 2003 11:04:36 -  1.53
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-08-28 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   28-Aug-2003 10:37:00
  Branch: HEAD Handle: 200308280937

  Modified files:
openpkg-web security.txt security.wml

  Log:
link Sendmail SA into website

  Summary:
Revision  Changes  Path
1.43      +1 -0    openpkg-web/security.txt
1.61      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.42 -r1.43 security.txt
  --- openpkg-web/security.txt  6 Aug 2003 15:26:42 -   1.42
  +++ openpkg-web/security.txt  28 Aug 2003 08:37:00 -  1.43
  @@ -1,3 +1,4 @@
  +28-Aug-2003: Security Advisory: S
   06-Aug-2003: Security Advisory: S
   06-Aug-2003: Security Advisory: S
   10-Jul-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.60 -r1.61 security.wml
  --- openpkg-web/security.wml  6 Aug 2003 15:26:42 -   1.60
  +++ openpkg-web/security.wml  28 Aug 2003 08:37:00 -  1.61
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .


[CVS] OpenPKG: openpkg-web/ security.txt security.wml

2003-09-19 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   19-Sep-2003 10:14:36
  Branch: HEAD Handle: 2003091909143600

  Modified files:
openpkg-web security.txt security.wml

  Log:
link Sendmail SA into website

  Summary:
Revision  Changes  Path
1.48      +1 -0    openpkg-web/security.txt
1.66      +1 -0    openpkg-web/security.wml
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.47 -r1.48 security.txt
  --- openpkg-web/security.txt  17 Sep 2003 08:29:00 -  1.47
  +++ openpkg-web/security.txt  19 Sep 2003 08:14:36 -  1.48
  @@ -1,3 +1,4 @@
  +19-Sep-2003: Security Advisory: S
   17-Sep-2003: Security Advisory: S
   15-Sep-2003: Security Advisory: S
   15-Sep-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.65 -r1.66 security.wml
  --- openpkg-web/security.wml  17 Sep 2003 06:59:37 -  1.65
  +++ openpkg-web/security.wml  19 Sep 2003 08:14:36 -  1.66
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .


Re: [CVS] OpenPKG: openpkg-web/ security.txt security.wml

2004-04-01 Thread Ralf S. Engelschall
On Thu, Apr 01, 2004, Thomas Lotterer wrote:

> make SA-2004.008-squid visible

Oops, thanks. I've overlooked this.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

__
The OpenPKG Project            www.openpkg.org
Developer Communication List   [EMAIL PROTECTED]


Re: [CVS] OpenPKG: openpkg-web/ security.txt security.wml

2005-06-11 Thread Ralf S. Engelschall
On Sat, Jun 11, 2005, Michael Schloh wrote:

> link new cvs, bzip2, gzip, and openpkg SAs into website

Oops, good catch. Although Thomas reminded me I've forgotten it.
Thanks.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: [CVS] OpenPKG: openpkg-web/ security.txt security.wml

2005-06-11 Thread Michael Schloh von Bennewitz
On Sat, Jun 11, 2005 at 06:47:15PM +0200, Ralf S. Engelschall wrote:
> On Sat, Jun 11, 2005, Michael Schloh wrote:
>
>> link new cvs, bzip2, gzip, and openpkg SAs into website
>>
> Oops, good catch. Although Thomas reminded me I've forgotten it.
> Thanks.
>
Yes, but unfortunately I have no shell access to the web pages on
master.openpkg.org. You'll have to type 'make' yourself there, or
we just wait for cron to do the job, assuming there is a cronjob
for that.

Regards,
Michael

-- 
Michael Schloh von Bennewitz <[EMAIL PROTECTED]>
Software Engineer Development, Spacenet AG
Joseph-Dollinger-Bogen 14, D-80807 Muenchen




Re: [CVS] OpenPKG: openpkg-web/ security.txt security.wml

2005-06-11 Thread Ralf S. Engelschall
On Sat, Jun 11, 2005, Michael Schloh von Bennewitz wrote:

> On Sat, Jun 11, 2005 at 06:47:15PM +0200, Ralf S. Engelschall wrote:
> > On Sat, Jun 11, 2005, Michael Schloh wrote:
> >
> >> link new cvs, bzip2, gzip, and openpkg SAs into website
> >>
> > Oops, good catch. Although Thomas reminded me I've forgotten it.
> > Thanks.
> >
> Yes, but unfortunately I have no shell access to the web pages on
> master.openpkg.org. You'll have to type 'make' yourself there, or
> we just wait for cron to do the job, assuming there is a cronjob
> for that.

No, there is a cron job which updates the website every 15 minutes.
Just committing is fully enough. There was just a bug in the auto-update
procedure which is now fixed, too.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-10-19 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   19-Oct-2003 09:16:29
  Branch: HEAD Handle: 2003101908162900

  Added files:
openpkg-web/securityOpenPKG-SA-2003.045-ircd.txt
  Modified files:
openpkg-web security.txt security.wml
openpkg-web/securitypage.pl

  Log:
SA-2003.045-ircd; CAN-2003-0864

  Summary:
RevisionChanges Path
1.52+1  -0  openpkg-web/security.txt
1.70+1  -0  openpkg-web/security.wml
1.1 +72 -0  openpkg-web/security/OpenPKG-SA-2003.045-ircd.txt
1.29+1  -1  openpkg-web/security/page.pl
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.51 -r1.52 security.txt
  --- openpkg-web/security.txt  30 Sep 2003 12:47:11 -  1.51
  +++ openpkg-web/security.txt  19 Oct 2003 07:16:29 -  1.52
  @@ -1,3 +1,4 @@
  +19-Oct-2003: Security Advisory: S
   30-Sep-2003: Security Advisory: S
   24-Sep-2003: Security Advisory: S
   24-Sep-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.69 -r1.70 security.wml
  --- openpkg-web/security.wml  30 Sep 2003 12:47:11 -  1.69
  +++ openpkg-web/security.wml  19 Oct 2003 07:16:29 -  1.70
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.045-ircd.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.045-ircd.txt
  --- /dev/null 2003-10-19 09:16:29.0 +0200
  +++ OpenPKG-SA-2003.045-ircd.txt  2003-10-19 09:16:29.0 +0200
  @@ -0,0 +1,72 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.045  19-Oct-2003
  +
  +
  +Package: ircd
  +Vulnerability:   remote denial of service vulnerability
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= ircd-2.10.3p3-20030725   >= ircd-2.10.3p4-20031012
  +OpenPKG 1.3  <= ircd-2.10.3p3-1.3.0  >= ircd-2.10.3p3-1.3.1
  +OpenPKG 1.2  <= ircd-2.10.3p3-1.2.0  >= ircd-2.10.3p3-1.2.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a report from Piotr Kucharski [0] a buffer overflow
  +  vulnerability exists in ircd [1] that allows a remote attacker to
  +  crash the ircd server, thus causing a denial of service condition.
  +
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0864 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  ircd". If you have the "ircd" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.3, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get ircd-2.10.3p3-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig ircd-2.10.3p3-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild ircd-2.10.3p3-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/ircd-2.10.3p3-1.3.1.*.rpm
  +
  +
  +References:
  +  [0] http://www.securityfocus.com/archive/1/341099
  +  [1] http://www.irc.org/servers.html
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0864
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.2/UPD/ircd-2.10.3p3-1.2.1.src.rpm
  +  [6] ftp://ftp.op
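Review bot: the header line `+Vulnerability:   remote denial of service vulnerability` classifies CAN-2003-0864 as a crash only, while the Description calls it a buffer overflow; unless the referenced report [0] establishes that the overflowed data is not under the attacker's control, say so, or widen the impact wording to "denial of service, possibly code execution", since readers use that field to triage. The same line repeats "vulnerability" under the "Vulnerability:" label; "remote denial of service" is enough. Separately, the archived hunk is cut off at `[6] ftp://ftp.op`, so references [6] to [9] cited in the Solution cannot be checked here; in particular the reader is told to verify integrity [9] but not what output of `/bin/rpm -v --checksig` counts as success, nor that the check only proves anything if rpm already knows the OpenPKG public key.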

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-10-28 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   28-Oct-2003 15:46:56
  Branch: HEAD Handle: 2003102814465600

  Added files:
openpkg-web/securityOpenPKG-SA-2003.046-apache.txt
  Modified files:
openpkg-web security.txt security.wml
openpkg-web/securitypage.pl

  Log:
SA-2003.046-apache; CAN-2003-0542

  Summary:
RevisionChanges Path
1.53+1  -0  openpkg-web/security.txt
1.71+1  -0  openpkg-web/security.wml
1.1 +71 -0  openpkg-web/security/OpenPKG-SA-2003.046-apache.txt
1.30+1  -1  openpkg-web/security/page.pl
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.52 -r1.53 security.txt
  --- openpkg-web/security.txt  19 Oct 2003 07:16:29 -  1.52
  +++ openpkg-web/security.txt  28 Oct 2003 14:46:56 -  1.53
  @@ -1,3 +1,4 @@
  +28-Oct-2003: Security Advisory: S
   19-Oct-2003: Security Advisory: S
   30-Sep-2003: Security Advisory: S
   24-Sep-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.70 -r1.71 security.wml
  --- openpkg-web/security.wml  19 Oct 2003 07:16:29 -  1.70
  +++ openpkg-web/security.wml  28 Oct 2003 14:46:56 -  1.71
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.046-apache.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.046-apache.txt
  --- /dev/null 2003-10-28 15:46:56.0 +0100
  +++ OpenPKG-SA-2003.046-apache.txt2003-10-28 15:46:56.0 +0100
  @@ -0,0 +1,71 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.046  29-Oct-2003
  +
  +
  +Package: apache
  +Vulnerability:   local regex backreference overflow
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= apache-1.3.28-20031009   >= apache-1.3.29-20031028
  +OpenPKG 1.3  <= apache-1.3.28-1.3.0  >= apache-1.3.28-1.3.1
  +OpenPKG 1.2  <= apache-1.3.27-1.2.2  >= apache-1.3.27-1.2.3
  +
  +Dependent Packages:  none
  +
  +Description:
  +  Andre Malo fixed problems [0] in the mod_alias and mod_rewrite
  +  modules of the Apache [1] webserver. Buffer overflows occurred if a
  +  regular expression with more than 9 captures were configured. The
  +  Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0542 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  apache". If you have the "apache" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get apache-1.3.28-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig apache-1.3.28-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild apache-1.3.28-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/apache-1.3.28-1.3.1.*.rpm
  +
  +
  +References:
  +  [0] http://marc.theaimsgroup.com/?l=apache-cvs&m=106701190026083
  +  [1] http://httpd.apache.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.3.src.rpm
  +  [6] f
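Review bot: the advisory date in the header, `+OpenPKG-SA-2003.046  29-Oct-2003`, disagrees with the `28-Oct-2003` entry added to security.txt in this same commit and with the commit timestamp; correct one of the two so the index and the advisory agree. In the Description, "if a regular expression with more than 9 captures were configured" should read "was configured", and the precondition behind the "local" classification in the header should be spelled out (the pattern has to be placed in the server's configuration by someone with that access), otherwise readers may take this for a remotely triggerable mod_rewrite bug.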

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-10-30 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   30-Oct-2003 11:48:40
  Branch: HEAD Handle: 2003103010483901

  Added files:
openpkg-web/securityOpenPKG-SA-2003.047-postgresql.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
link in PostgreSQL security advisory

  Summary:
RevisionChanges Path
1.54+1  -0  openpkg-web/security.txt
1.72+1  -0  openpkg-web/security.wml
1.1 +88 -0  openpkg-web/security/OpenPKG-SA-2003.047-postgresql.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.53 -r1.54 security.txt
  --- openpkg-web/security.txt  28 Oct 2003 14:46:56 -  1.53
  +++ openpkg-web/security.txt  30 Oct 2003 10:48:39 -  1.54
  @@ -1,3 +1,4 @@
  +30-Oct-2003: Security Advisory: S
   28-Oct-2003: Security Advisory: S
   19-Oct-2003: Security Advisory: S
   30-Sep-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.71 -r1.72 security.wml
  --- openpkg-web/security.wml  28 Oct 2003 14:46:56 -  1.71
  +++ openpkg-web/security.wml  30 Oct 2003 10:48:39 -  1.72
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.047-postgresql.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.047-postgresql.txt
  --- /dev/null 2003-10-30 11:48:40.0 +0100
  +++ OpenPKG-SA-2003.047-postgresql.txt2003-10-30 11:48:40.0 +0100
  @@ -0,0 +1,88 @@
  +-BEGIN PGP SIGNED MESSAGE-
  +Hash: SHA1
  +
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.047  30-Oct-2003
  +
  +
  +Package: postgresql
  +Vulnerability:   remote code execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:   Corrected Packages:
  +OpenPKG CURRENT  <= postgresql-7.3.3-20030723 >= postgresql-7.3.4-20030725
  +OpenPKG 1.3  N.A. none
  +OpenPKG 1.2  <= postgresql-7.3.1-1.2.2>= postgresql-7.3.1-1.2.3
  +
  +Dependent Packages:  none
  +
  +Description:
  +  Two bugs leading to a buffer overflow in the PostgreSQL [0] RDBMS,
  +  versions 7.2.x and 7.3.x prior to 7.3.4, were discovered. The
  +  vulnerability exists in the PostgreSQL abstract data type (ADT) to
  +  ASCII conversion functions.
  +  
  +  It has been conjectured that excessive data passed to the involved
  +  to_ascii_xxx() functions may overrun the bounds of an insufficient
  +  buffer reserved in heap memory, resulting in the corruption of heap
  +  based memory management structures that are adjacent to it. It is
  +  currently believed that under the correct circumstances an attacker
  +  may use this to execute arbitrary instructions in the context of the
  +  PostgreSQL server.
  +  
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0901 [1] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  postgresql". If you have the "postgresql" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution). [2][3]
  +
  +Solution:
  +  Select the updated source RPM appropriate for the OpenPKG release
  +  [4], fetch it from the OpenPKG FTP service [5] or a mirror location,
  +  verify its integrity [6], build a corresponding binary RPM from it
  +  [2] and update your OpenPKG installation by applying the binary RPM
  +  [3]. For the release OpenPKG 1.2, perform the following operations
  +  to permanently fix the security problem (for other releases adjust
  +  accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get postgresql-7.3.1-1.2.3.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig postgresql-7.3.1-1.2.3.src.rpm
  +  $ /bin/rpm --rebuild postgresql-7.3.1-1.2.3.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/postgresql-7.3.
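Review bot: the release table row `+OpenPKG 1.3  N.A. none` puts "N.A." in the Affected column and "none" in the Corrected column, the reverse of the convention used elsewhere in this series (affected: none, corrected: N.A.), and as written it reads as if 1.3 is affected but has no fixed package; swap the two cells. Also, this file opens with a PGP clearsign header (`-BEGIN PGP SIGNED MESSAGE-` / `Hash: SHA1`) while the other advisories in this directory are committed unsigned; the hunk is cut off before the end of the file, so whether the matching signature block is included cannot be checked here, but a clearsigned text only verifies when kept byte-for-byte, so either strip the armour like the sibling files or make sure the page generator does not re-wrap it.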

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-11-25 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   25-Nov-2003 14:38:00
  Branch: HEAD Handle: 2003112513375901

  Added files:
openpkg-web/securityOpenPKG-SA-2003.049-zebra.txt
  Modified files:
openpkg-web security.txt security.wml
openpkg-web/securitypage.pl

  Log:
SA-2003.049-zebra; CAN-2003-0795, CAN-2003-0858

  Summary:
RevisionChanges Path
1.56+1  -0  openpkg-web/security.txt
1.73+2  -0  openpkg-web/security.wml
1.1 +76 -0  openpkg-web/security/OpenPKG-SA-2003.049-zebra.txt
1.32+1  -1  openpkg-web/security/page.pl
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.55 -r1.56 security.txt
  --- openpkg-web/security.txt  11 Nov 2003 20:08:05 -  1.55
  +++ openpkg-web/security.txt  25 Nov 2003 13:37:59 -  1.56
  @@ -1,3 +1,4 @@
  +25-Nov-2003: Security Advisory: S
   11-Nov-2003: Security Advisory: S
   30-Oct-2003: Security Advisory: S
   28-Oct-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.72 -r1.73 security.wml
  --- openpkg-web/security.wml  30 Oct 2003 10:48:39 -  1.72
  +++ openpkg-web/security.wml  25 Nov 2003 13:37:59 -  1.73
  @@ -76,6 +76,8 @@
   
   
   
  +  
  +  
 
 
 
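Review bot: two lines are added to security.wml here for one advisory (Summary: `1.73 +2 -0`), while the security.txt hunk above adds a single entry and the other single-advisory commits in this series add one line per file; check whether SA-2003.049 ends up linked twice on the page, or whether the second entry belongs to an advisory that is missing from this commit.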
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.049-zebra.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.049-zebra.txt
  --- /dev/null 2003-11-25 14:38:00.0 +0100
  +++ OpenPKG-SA-2003.049-zebra.txt 2003-11-25 14:38:00.0 +0100
  @@ -0,0 +1,76 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.049  25-Nov-2003
  +
  +
  +Package: zebra
  +Vulnerability:   denial of service
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= zebra-0.93b-20031001 >= zebra-0.93b-20031113 
  +OpenPKG 1.3  <= zebra-0.93b-1.3.0>= zebra-0.93b-1.3.1
  +OpenPKG 1.2  <= zebra-0.93b-1.2.0>= zebra-0.93b-1.2.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  Jonny Robertson reported that Zebra can be remotely crashed if a
  +  remote attacker can connect to the Zebra telnet management port [0].
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0795 [1] to the problem.
  +
  +  Herbert Xu reported that Zebra can accept spoofed messages sent on the
  +  kernel netlink interface by other users on the local machine [2]. The
  +  Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0858 [3] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  zebra". If you have the "zebra" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [4][5]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  +  location, verify its integrity [10], build a corresponding binary
  +  RPM from it [4] and update your OpenPKG installation by applying the
  +  binary RPM [5]. For the current release OpenPKG 1.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get zebra-0.93b-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig zebra-0.93b-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild zebra-0.93b-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/zebra-0.93b-1.3.1.*.rpm
  +
  +
  +References:
  +  [0] http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140
  +  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0795  
  +  [2] http://bugzilla.redhat.com/bugzilla/sh
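Review bot: `+Vulnerability:   denial of service` covers only the first issue; the Description lists two problems with different attacker positions, CAN-2003-0795 (remote, anyone who can reach the telnet management port) and CAN-2003-0858 (local users spoofing messages on the kernel netlink interface), and the header should name both so that readers who already firewall the management port do not conclude they are unaffected. The Description also gives no interim mitigation for the first issue even though one follows from its own wording (restrict who can connect to the management port). The file is cut off at `[2] http://bugzilla.redhat.com/bugzilla/sh`, so references [2] to [10] cited above cannot be verified here.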

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-11-28 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   28-Nov-2003 12:21:07
  Branch: HEAD Handle: 2003112811210600

  Added files:
openpkg-web/securityOpenPKG-SA-2003.050-screen.txt
  Modified files:
openpkg-web security.txt security.wml
openpkg-web/securitypage.pl

  Log:
SA-2003.050-screen

  Summary:
RevisionChanges Path
1.57+1  -0  openpkg-web/security.txt
1.74+1  -0  openpkg-web/security.wml
1.1 +71 -0  openpkg-web/security/OpenPKG-SA-2003.050-screen.txt
1.33+1  -1  openpkg-web/security/page.pl
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.56 -r1.57 security.txt
  --- openpkg-web/security.txt  25 Nov 2003 13:37:59 -  1.56
  +++ openpkg-web/security.txt  28 Nov 2003 11:21:06 -  1.57
  @@ -1,3 +1,4 @@
  +28-Nov-2003: Security Advisory: S
   25-Nov-2003: Security Advisory: S
   11-Nov-2003: Security Advisory: S
   30-Oct-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.73 -r1.74 security.wml
  --- openpkg-web/security.wml  25 Nov 2003 13:37:59 -  1.73
  +++ openpkg-web/security.wml  28 Nov 2003 11:21:06 -  1.74
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.050-screen.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.050-screen.txt
  --- /dev/null 2003-11-28 12:21:07.0 +0100
  +++ OpenPKG-SA-2003.050-screen.txt2003-11-28 12:21:07.0 +0100
  @@ -0,0 +1,71 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.050  28-Nov-2003
  +
  +
  +Package: screen
  +Vulnerability:   privilege escalation
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= screen-4.0.1-20031009>= screen-4.0.1-20031127
  +OpenPKG 1.3  <= screen-3.9.15-1.3.0  >= screen-3.9.15-1.3.1
  +OpenPKG 1.2  <= screen-3.9.13-1.2.0  >= screen-3.9.13-1.2.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a posting on Bugtraq [1], Timo Sirainen fixed a buffer
  +  overflow bug which allows privilege escalation in the Virtual Screen
  +  Manager "screen" [2], whose executable is installed setuid-root. It
  +  also has some potential for attackers getting control of another
  +  user's screen. Transfer of approximately two gigabytes of data is
  +  required to exploit this vulnerability.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  screen". If you have the "screen" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get screen-3.9.15-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig screen-3.9.15-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild screen-3.9.15-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/screen-3.9.15-1.3.1.*.rpm
  +
  +
  +References:
  +  [1] http://www.securityfocus.com/archive/1/345844/2003-11-24/2003-11-30/0
  +  [2] http://www.gnu.org/software/screen/
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.2/UPD/screen-3.9.13-1.2.1.src.rpm
  +  [
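Review bot: no CVE identifier appears anywhere in this advisory, unlike the neighbouring ones, and the commit log `SA-2003.050-screen` carries none either; if no id had been assigned at the time, say so in the text rather than leaving readers to wonder whether it was omitted. Two smaller points: the reference list starts at [1] whereas the other advisories number from [0], and since the Description already states that the binary is installed setuid-root, "privilege escalation" in the header should say explicitly that the gain is root.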

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-12-04 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   04-Dec-2003 16:21:13
  Branch: HEAD Handle: 2003120415211201

  Added files:
openpkg-web/securityOpenPKG-SA-2003.051-rsync.txt
  Modified files:
openpkg-web security.txt security.wml
openpkg-web/securitypage.pl

  Log:
SA-2003.051-rsync; CAN-2003-0962

  Summary:
RevisionChanges Path
1.58+1  -0  openpkg-web/security.txt
1.75+1  -0  openpkg-web/security.wml
1.1 +80 -0  openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt
1.34+1  -1  openpkg-web/security/page.pl
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.57 -r1.58 security.txt
  --- openpkg-web/security.txt  28 Nov 2003 11:21:06 -  1.57
  +++ openpkg-web/security.txt  4 Dec 2003 15:21:12 -   1.58
  @@ -1,3 +1,4 @@
  +04-Dec-2003: Security Advisory: S
   28-Nov-2003: Security Advisory: S
   25-Nov-2003: Security Advisory: S
   11-Nov-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.74 -r1.75 security.wml
  --- openpkg-web/security.wml  28 Nov 2003 11:21:06 -  1.74
  +++ openpkg-web/security.wml  4 Dec 2003 15:21:12 -   1.75
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.051-rsync.txt
  --- /dev/null 2003-12-04 16:21:13.0 +0100
  +++ OpenPKG-SA-2003.051-rsync.txt 2003-12-04 16:21:13.0 +0100
  @@ -0,0 +1,80 @@
  + 
  +
  +
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.051  04-Dec-2003
  +
  +
  +Package: rsync
  +Vulnerability:   arbitrary code execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= rsync-2.5.6-20030807 >= rsync-2.5.7-20031204
  +OpenPKG 1.3  <= rsync-2.5.6-1.3.0>= rsync-2.5.6-1.3.1
  +OpenPKG 1.2  <= rsync-2.5.5-1.2.0>= rsync-2.5.5-1.2.1
  +
  +Dependent Packages:  none FIXME check meta-core and rdiff-backup
  +
  +Description:
  +  According to a rsync security advisory [0], a heap overflow
  +  vulnerability exists in rsync [1] version 2.5.6 and earlier when used
  +  as a rsync server which typically listens on TCP port 873. An exploit
  +  is known to be in the wild and the security of a public rsync was
  +  compromised. A successful attack does not directly lead to root access
  +  but can be combined with other local exploits. The do_brk vulnerbility
  +  in Linux kernels prior 2.4.23 is worthwhile to mention these days. The
  +  attack is known to be considerably easier when the "use chroot = no"
  +  option is set in rsync.conf which is not the default in OpenPKG. The
  +  Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0962 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  rsync". If you have the "rsync" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.3, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get rsync-2.5.6-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig rsync-2.5.6-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild rsync-2.5.6-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/rsync-2.5.6-1.3.1.*.rpm
  +__
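Review bot: `+Dependent Packages:  none FIXME check meta-core and rdiff-backup` ships an unresolved FIXME in the published advisory; settle before committing whether meta-core and rdiff-backup depend on rsync and either list them or leave "none", because the Solution wording "dependent packages (see above), if any" relies on this field. In the Description the configuration file is named `rsync.conf`; the rsync daemon reads `rsyncd.conf`, so the "use chroot = no" remark points readers at the wrong file. Also "the security of a public rsync was compromised" is missing "server", "vulnerbility" is misspelled, and "prior 2.4.23" should be "prior to 2.4.23". The hunk header announces 80 lines but the archived copy ends at `+__`, so the References section that [0] to [9] point to is not visible here.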

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-01-08 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   08-Jan-2004 09:03:58
  Branch: HEAD Handle: 2004010808035701

  Added files:
openpkg-web/securityOpenPKG-SA-2004.001-inn.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.001-inn

  Summary:
RevisionChanges Path
1.60+1  -0  openpkg-web/security.txt
1.77+1  -0  openpkg-web/security.wml
1.1 +69 -0  openpkg-web/security/OpenPKG-SA-2004.001-inn.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.59 -r1.60 security.txt
  --- openpkg-web/security.txt  17 Dec 2003 11:59:23 -  1.59
  +++ openpkg-web/security.txt  8 Jan 2004 08:03:57 -   1.60
  @@ -1,3 +1,4 @@
  +08-Jan-2004: Security Advisory: S
   17-Dec-2003: Security Advisory: S
   17-Dec-2003: Security Advisory: S
   04-Dec-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.76 -r1.77 security.wml
  --- openpkg-web/security.wml  17 Dec 2003 11:59:24 -  1.76
  +++ openpkg-web/security.wml  8 Jan 2004 08:03:57 -   1.77
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.001-inn.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.001-inn.txt
  --- /dev/null 2004-01-08 09:03:58.0 +0100
  +++ OpenPKG-SA-2004.001-inn.txt   2004-01-08 09:03:58.0 +0100
  @@ -0,0 +1,69 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.001  08-Jan-2004
  +
  +
  +Package: inn
  +Vulnerability:   remotely exploitable access to inn user
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= inn-2.4.0-2003   >= inn-2.4.0-20040108
  +OpenPKG 1.3  <= inn-2.4.0-1.3.0  >= inn-2.4.0-1.3.1
  +OpenPKG 1.2  noneN.A.
  +
  +Description:
  +  According to a posting from Russ Allbery on the inn announce mailing
  +  list, Dan Riley discovered a buffer overflow in a portion of the
  +  control message handling code introduced in INN 2.4.0. It is fairly
  +  likely that this overflow could be remotely exploited to gain access
  +  to the user innd runs as. INN 2.3.x and earlier are not affected.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q inn". If you have the "inn" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][5], fetch it from the OpenPKG FTP service [7][6] or a mirror
  +  location, verify its integrity [7], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.3, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get inn-2.4.0-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig inn-2.4.0-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild inn-2.4.0-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/inn-2.4.0-1.3.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too. [3][4]
  +
  +
  +References:
  +  [1] http://www.isc.org/products/INN/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-...
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.3/UPD/inn-2.4.0-1.3.1.src.rpm
  +  [6] ftp://ftp.openpkg.org/release/1.3/UPD/
  +  [7] http://www.openpkg.org/security.html#signature
  +__
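Review bot: the Solution cites its references inconsistently: `[5][5]` for the source RPM should be `[5]`, `[7][6]` for the FTP service should be `[6]`, and list entry `[2]` is still the placeholder `CAN-...` and is never cited from the Description, which also names Russ Allbery's announcement without giving a reference for it. The header lacks the `Dependent Packages:` line the other advisories carry, yet the Solution says "rebuild and reinstall all dependent packages (see above)", so there is nothing above to consult. Finally, the CURRENT row reads `<= inn-2.4.0-2003`, which is not a complete package version; the other rows and the corrected column use a full YYYYMMDD stamp.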

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-01-16 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   16-Jan-2004 13:43:45
  Branch: HEAD Handle: 2004011612434400

  Added files:
openpkg-web/securityOpenPKG-SA-2004.002-tcpdump.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.002-tcpdump; CAN-2002-0380, CAN-2002-1350, CAN-2003-0108,
CAN-2003-0989, CAN-2003-1029, CAN-2004-0055, CAN-2004-0057

  Summary:
RevisionChanges Path
1.61+1  -0  openpkg-web/security.txt
1.78+1  -0  openpkg-web/security.wml
1.1 +97 -0  openpkg-web/security/OpenPKG-SA-2004.002-tcpdump.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.60 -r1.61 security.txt
  --- openpkg-web/security.txt  8 Jan 2004 08:03:57 -   1.60
  +++ openpkg-web/security.txt  16 Jan 2004 12:43:44 -  1.61
  @@ -1,3 +1,4 @@
  +16-Jan-2004: Security Advisory: S
   08-Jan-2004: Security Advisory: S
   17-Dec-2003: Security Advisory: S
   17-Dec-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.77 -r1.78 security.wml
  --- openpkg-web/security.wml  8 Jan 2004 08:03:57 -   1.77
  +++ openpkg-web/security.wml  16 Jan 2004 12:43:44 -  1.78
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.002-tcpdump.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.002-tcpdump.txt
  --- /dev/null 2004-01-16 13:43:45.0 +0100
  +++ OpenPKG-SA-2004.002-tcpdump.txt   2004-01-16 13:43:45.0 +0100
  @@ -0,0 +1,97 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.002  16-Jan-2004
  +
  +
  +Package: tcpdump
  +Vulnerability:   denial of service
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= tcpdump-3.8.1-20040108   >= tcpdump-3.8.1-20040116
  +OpenPKG 1.3  <= tcpdump-3.7.2-1.3.0  >= tcpdump-3.7.2-1.3.1
  +OpenPKG 1.2  <= tcpdump-3.7.1-1.2.1  >= tcpdump-3.7.1-1.2.2
  +
  +Dependent Packages:  none
  +
  +Description:
  +  A bunch of vulnerabilities in tcpdump [0] were found and addressed
  +  in the past. All of them are in the area of packet decoding. Faulty
  +  decoder functions can result in denial of service attacks through
  +  infinite loops, memory starvation and application crashes. In the
  +  worst case arbitrary code execution is possible.
  +
  +  This OpenPKG update resolves all issues currently known, as shown in
  +  the following table:
  +
  +  tcpdump   371 371 372 381
  +  OpenPKG   120 121 130 20020822
  +--- --- --- ---
  +  CAN-2002-0380 [2] nfs  y   n   n   n   see past OpenPKG-SA [1]
  +  CAN-2002-1350 [3] bgp  y   n   n   n   see past OpenPKG-SA [1]
  +  CAN-2003-0108 [4] isakmp   y   n   n   n   see past OpenPKG-SA [1]
  +depthy   y   y   n   (*)
  +  CAN-2003-0989 [5] isakmp   y   y   y   n   updates CAN-2003-0108-isakmp
  +  CAN-2003-1029 [6] l2tp y   y   n   n
  +  CAN-2004-0055 [7] radius   y   y   y   y
  +  CAN-2004-0057 [8] isakmp   y   y   y   y
  +
  +  (*) the vendor code fix for CAN-2003-0108 had two other unrelated code
  +  changes piggybacked. We removed the cosmetics (constify) and
  +  extracted an enhancement (depth).
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  tcpdump". If you have the "tcpdump" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution) and it's dependent packages (see above), if any, too.
  +  [9][10]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror
  +  location, verify its integrity [15], build a corresponding binary RPM
  +  from it [9] and update your 
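Review bot: the issue table (the `tcpdump 371 371 372 381` / `OpenPKG 120 121 130 20020822` block) has one row, `depth y y y n (*)`, that carries no CAN identifier or reference number in its first column unlike every other row, so a reader cannot tell whether it is a separate issue or the piggybacked enhancement the (*) footnote describes; label it (for instance with the CAN-2003-0108 reference it was extracted from) or indent it under the isakmp row. In the last paragraph of the description, `it's dependent packages` should read `its dependent packages`, and since the header already states `Dependent Packages: none`, the `(see above), if any, too` clause can be dropped for this advisory.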

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-03-08 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   08-Mar-2004 15:09:52
  Branch: HEAD Handle: 2004030814095100

  Added files:
openpkg-web/securityOpenPKG-SA-2004.004-libtool.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
OpenPKG-SA-2004.004-libtool

  Summary:
RevisionChanges Path
1.63+1  -0  openpkg-web/security.txt
1.82+1  -0  openpkg-web/security.wml
1.1 +82 -0  openpkg-web/security/OpenPKG-SA-2004.004-libtool.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.62 -r1.63 security.txt
  --- openpkg-web/security.txt  5 Mar 2004 16:07:14 -   1.62
  +++ openpkg-web/security.txt  8 Mar 2004 14:09:51 -   1.63
  @@ -1,3 +1,4 @@
  +08-Mar-2004: Security Advisory: S
   05-Mar-2004: Security Advisory: S
   16-Jan-2004: Security Advisory: S
   08-Jan-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.81 -r1.82 security.wml
  --- openpkg-web/security.wml  5 Mar 2004 16:07:14 -   1.81
  +++ openpkg-web/security.wml  8 Mar 2004 14:09:51 -   1.82
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.004-libtool.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.004-libtool.txt
  --- /dev/null 2004-03-08 15:09:52.0 +0100
  +++ OpenPKG-SA-2004.004-libtool.txt   2004-03-08 15:09:52.0 +0100
  @@ -0,0 +1,82 @@
  +
  +
  +
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.004  08-Mar-2004
  +
  +
  +Package: libtool
  +Vulnerability:   insecure creation of temporary directory
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= libtool-1.5.2-20040207   >= libtool-1.5.2-20040308   
  +OpenPKG 2.0  <= libtool-1.5.2-2.0.0  >= libtool-1.5.2-2.0.1  
  +OpenPKG 1.3  <= libtool-1.5-1.3.0>= libtool-1.5-1.3.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a posting on Bugtraq [0], a issue regarding the insecure
  +  creation of a temporary directory issue exists in libtool [1] versions
  +  before 1.5.2. Use of mkdir(1) along with -p option makes libtool
  +  vulnerable to symlink attacks. Stefan Nordhausen commited a fix that
  +  removes use of the -p option in 1.5.2. Discussion on Bugtraq further
  +  indicates that a additional race condition issue exists in the same
  +  context using chmod(1) which was reported by Joseph S. Myers back in
  +  March 2000 [2]. The updated OpenPKG versions of libtool contain fixes
  +  for both issues.
  +  
  +  Please check whether you are affected by running "/bin/rpm
  +  -q libtool". If you have the "libtool" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution) and it's dependent packages (see above), if any,
  +  too. [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 2.0, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.0/UPD
  +  ftp> get libtool-1.5.2-2.0.1.src.rpm
  +  ftp> bye
  +  $ /bin/openpkg rpm -v --checksig libtool-1.5.2-2.0.1.src.rpm
  +  $ /bin/openpkg rpm --rebuild libtool-1.5.2-2.0.1.src.rpm
  +  $ su -
  +  # /bin/openpkg rpm -Fvh /RPM/PKG/libtool-1.5.2-2.0.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too. [3][4]
  +_
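Review bot: the check command and the fix commands disagree on the rpm path: the description tells the reader to run `/bin/rpm -q libtool`, but the solution block written for OpenPKG 2.0 uses `/bin/openpkg rpm -v --checksig ...` and `/bin/openpkg rpm -Fvh ...`; make the check `/bin/openpkg rpm -q libtool` for 2.0, or state which release each path applies to. In the description, `a issue regarding the insecure creation of a temporary directory issue exists` repeats `issue` (drop the second), `a additional` should be `an additional`, `commited` should be `committed`, and `it's dependent packages` should be `its dependent packages`. The advisory also names no CVE identifier for either the `mkdir -p` symlink issue or the `chmod(1)` race; if none had been assigned at publication time, saying so avoids the appearance of an omission next to the sibling advisories that do list one.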

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-03-09 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   09-Mar-2004 15:43:36
  Branch: HEAD Handle: 2004030914433501

  Added files:
openpkg-web/securityOpenPKG-SA-2004.005-mutt.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.005-mutt; CAN-2004-0078

  Summary:
RevisionChanges Path
1.64+1  -0  openpkg-web/security.txt
1.83+1  -0  openpkg-web/security.wml
1.1 +73 -0  openpkg-web/security/OpenPKG-SA-2004.005-mutt.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.63 -r1.64 security.txt
  --- openpkg-web/security.txt  8 Mar 2004 14:09:51 -   1.63
  +++ openpkg-web/security.txt  9 Mar 2004 14:43:35 -   1.64
  @@ -1,3 +1,4 @@
  +09-Mar-2004: Security Advisory: S
   08-Mar-2004: Security Advisory: S
   05-Mar-2004: Security Advisory: S
   16-Jan-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.82 -r1.83 security.wml
  --- openpkg-web/security.wml  8 Mar 2004 14:09:51 -   1.82
  +++ openpkg-web/security.wml  9 Mar 2004 14:43:35 -   1.83
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.005-mutt.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.005-mutt.txt
  --- /dev/null 2004-03-09 15:43:36.0 +0100
  +++ OpenPKG-SA-2004.005-mutt.txt  2004-03-09 15:43:36.0 +0100
  @@ -0,0 +1,73 @@
  +
  +
  +
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.005  09-Mar-2004
  +
  +
  +Package: mutt
  +Vulnerability:   buffer overflow in the index menu code
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= mutt-1.4.1i-20040207 >= mutt-1.4.2.1i-20040214
  +OpenPKG 2.0  noneN.A.
  +OpenPKG 1.3  <= mutt-1.4.1i-1.3.1>= mutt-1.4.1i-1.3.2
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a posting on Bugtraq [0], a buffer overflow exists in the
  +  mail user agent Mutt [1]. It be triggered by incoming messages and
  +  there are reports about spam that has actually triggered this problem
  +  and crashed mutt. The bug was reported to Red Hat by Niels Heinen. The
  +  Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2004-0078 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  mutt". If you have the "mutt" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  +  verify its integrity [7], build a corresponding binary RPM from it [3]
  +  and update your OpenPKG installation by applying the binary RPM [4].
  +  For the affected release OpenPKG 1.3, perform the following operations
  +  to permanently fix the security problem (for other releases adjust
  +  accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get mutt-1.4.1i-1.3.2.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig mutt-1.4.1i-1.3.2.src.rpm
  +  $ /bin/rpm --rebuild mutt-1.4.1i-1.3.2.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/mutt-1.4.1i-1.3.2.*.rpm
  +
  +
  +References:
  +  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=107651677817933
  +  [1] http://www.mutt.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.3/UPD/foo-1.2.3-1.3.1.src.rpm
  +  [6] ftp://ftp.openpkg.org/release/1.3/UPD/
  +  [7] htt
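Review bot: in the description, `It be triggered by incoming messages` is missing its verb and should read `It can be triggered by incoming messages`. The affected-packages table lists `OpenPKG 2.0 none N.A.` while the CURRENT row was corrected by `mutt-1.4.2.1i-20040214`; a short clause stating why 2.0 is unaffected (for example that it already ships the corrected version, if that is the case) would make the `none` entry self-explanatory instead of looking like a gap.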

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-03-12 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   12-Mar-2004 15:45:11
  Branch: HEAD Handle: 2004031214451000

  Added files:
openpkg-web/securityOpenPKG-SA-2004.006-uudeview.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.006-uudeview

  Summary:
RevisionChanges Path
1.65+2  -1  openpkg-web/security.txt
1.84+1  -0  openpkg-web/security.wml
1.1 +75 -0  openpkg-web/security/OpenPKG-SA-2004.006-uudeview.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.64 -r1.65 security.txt
  --- openpkg-web/security.txt  9 Mar 2004 14:43:35 -   1.64
  +++ openpkg-web/security.txt  12 Mar 2004 14:45:10 -  1.65
  @@ -1,4 +1,5 @@
  -09-Mar-2004: Security Advisory: S
  +12-Mar-2004: Security Advisory: S
  +09-Mar-2004: Security Advisory: S
   08-Mar-2004: Security Advisory: S
   05-Mar-2004: Security Advisory: S
   16-Jan-2004: Security Advisory: S
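Review bot: this hunk removes the existing `09-Mar-2004: Security Advisory: S` entry and adds a line that reads identically in this listing in addition to the new 12-Mar-2004 entry (the summary shows `+2 -1` for security.txt), so the mutt entry was edited alongside the uudeview addition; the log message `SA-2004.006-uudeview` does not mention that correction. Either describe it in the log or commit it separately so the history of the 09-Mar-2004 entry stays traceable.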
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.83 -r1.84 security.wml
  --- openpkg-web/security.wml  9 Mar 2004 14:43:35 -   1.83
  +++ openpkg-web/security.wml  12 Mar 2004 14:45:10 -  1.84
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.006-uudeview.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.006-uudeview.txt
  --- /dev/null 2004-03-12 15:45:11.0 +0100
  +++ OpenPKG-SA-2004.006-uudeview.txt  2004-03-12 15:45:11.0 +0100
  @@ -0,0 +1,75 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.006  12-Mar-2004
  +
  +
  +Package: uudeview
  +Vulnerability:   insecure temp file handling, buffer overflow
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= uudeview-0.5.20-20040302 >= uudeview-0.5.20-20040312
  +OpenPKG 2.0  <= uudeview-0.5.19-2.0.0>= uudeview-0.5.19-2.0.1
  +OpenPKG 1.3  <= uudeview-0.5.18-1.3.0>= uudeview-0.5.18-1.3.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  Alerted by a posting on Bugtraq [1] the uudeview [2] package was
  +  reviewed. It was found that 0.5.19 and later contain a bug which
  +  leads to failure retrieving the filename during decode. All versions
  +  suffered from insecure temp file handling. Version 0.5.20 contains bug
  +  fixes for the parsing of header lines, exact handling of maximum line
  +  length and fixes for two buffer overflows which needed backporting.
  +  The corected packages listed above remedy all of these problems.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q uudeview". If you have the "uudeview" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.0/UPD
  +  ftp> get uudeview-0.5.19-2.0.1.src.rpm
  +  ftp> bye
  +  $ /bin/openpkg rpm -v --checksig uudeview-0.5.19-2.0.1.src.rpm
  +  $ /bin/openpkg rpm --rebuild uudeview-0.5.19-2.0.1.src.rpm
  +  $ su -
  +  # /bin/openpkg rpm -Fvh /RPM/PKG/uudeview-0.5.19-2.0.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too. [3][4]
  +
  +
  +References:
  +  [1] http://marc.theaimsgroup
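Review bot: `corected` in `The corected packages listed above` should be `corrected`. The description mixes a functional defect (`failure retrieving the filename during decode` in 0.5.19 and later) with the security fixes (insecure temp file handling, two buffer overflows); split the paragraph so the vulnerabilities being fixed are stated first and the incidental bug fixes carried along are clearly marked as such, otherwise a reader scanning for impact has to untangle them. `two buffer overflows which needed backporting` also says nothing about the input that reaches them; a phrase on the affected decoding path, as the tcpdump advisory gives per decoder, would let operators judge their exposure. The references here start at `[1]` while the sibling advisories start at `[0]`; pick one convention.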

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-03-18 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   18-Mar-2004 11:02:39
  Branch: HEAD Handle: 2004031810023800

  Added files:
openpkg-web/securityOpenPKG-SA-2004.007-openssl.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.007-openssl; CAN-2004-0079, CAN-2004-0112

  Summary:
RevisionChanges Path
1.66+1  -0  openpkg-web/security.txt
1.85+1  -0  openpkg-web/security.wml
1.1 +111 -0 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.65 -r1.66 security.txt
  --- openpkg-web/security.txt  12 Mar 2004 14:45:10 -  1.65
  +++ openpkg-web/security.txt  18 Mar 2004 10:02:38 -  1.66
  @@ -1,3 +1,4 @@
  +18-Mar-2004: Security Advisory: S
   12-Mar-2004: Security Advisory: S
   09-Mar-2004: Security Advisory: S
   08-Mar-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.84 -r1.85 security.wml
  --- openpkg-web/security.wml  12 Mar 2004 14:45:10 -  1.84
  +++ openpkg-web/security.wml  18 Mar 2004 10:02:38 -  1.85
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.007-openssl.txt
  --- /dev/null 2004-03-18 11:02:39.0 +0100
  +++ OpenPKG-SA-2004.007-openssl.txt   2004-03-18 11:02:39.0 +0100
  @@ -0,0 +1,111 @@
  +-BEGIN PGP SIGNED MESSAGE-#FIXME, this is a template
  +Hash: SHA1#FIXME, this is a template
  +  #FIXME, this is a template
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.007  18-Mar-2004
  +
  +
  +Package: openssl
  +Vulnerability:   denial of service
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= openssl-0.9.7c-20040207  >= openssl-0.9.7d-20040318
  +OpenPKG 2.0  <= openssl-0.9.7c-2.0.0 >= openssl-0.9.7c-2.0.1
  +OpenPKG 1.3  <= openssl-0.9.7b-1.3.2 >= openssl-0.9.7b-1.3.3
  +
  +Affected Releases:   Dependent Packages:
  +
  +OpenPKG CURRENT  same as OpenPKG 2.0 FIXME this list needs review
  +
  +OpenPKG 2.0  apache* bind blender cadaver cfengine cpu cups curl
  + distcache dsniff easysoap ethereal* exim fetchmail
  + imap imapd imaputils inn jabberd kde-base kde-libs
  + linc links lynx mailsync meta-core mico* mixmaster
  + monit* mozilla mutt mutt15 nail neon nessus-libs
  + nmap openldap openssh openvpn perl-ssl pgadmin php*
  + pine* postfix* postgresql pound proftpd* qpopper
  + rdesktop samba samba3 sasl scanssh sendmail* siege
  + sio* sitecopy snmp socat squid* stunnel subversion
  + suck sysmon tcpdump tinyca w3m wget xmlsec
  +
  +OpenPKG 1.3  apache* bind cfengine cpu curl ethereal* fetchmail
  + imap imapd inn links lynx mico* mutt nail neon
  + openldap openssh perl-ssl php* postfix* postgresql
  + proftpd* qpopper rdesktop samba sasl scanssh
  + sendmail* siege sio* sitecopy snmp socat squid*
  + stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
  +
  + (*) marked packages are only affected if certain build
  + options ("with_xxx") were used at build time. See
  + Appendix below for details.
  +
  +Description:
  +  According to an OpenSSL [0] security advisory [1], denial of service
  +  vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive
  +  and versions 0.9.7a to 0.9.7c inclusive.
  +
  +  Testing perf
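Review bot: the first three lines of the new file are template placeholders (`-BEGIN PGP SIGNED MESSAGE-#FIXME, this is a template`, `Hash: SHA1#FIXME, this is a template`, and a bare `#FIXME` line) and the dependent-packages table carries `FIXME this list needs review` on the CURRENT row; a file with FIXME markers in its signature header should not land in the published `openpkg-web/security/` tree, so finish the signing step and the review before committing, or keep the draft outside the web module. The CURRENT row also only says `same as OpenPKG 2.0`, which silently goes stale as packages are added to CURRENT; list the packages explicitly or date the statement.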

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-04-05 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   05-Apr-2004 14:48:30
  Branch: HEAD Handle: 2004040513482901

  Added files:
openpkg-web/securityOpenPKG-SA-2004.009-mc
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.009-mc; CAN-2003-1023

  Summary:
RevisionChanges Path
1.68+1  -0  openpkg-web/security.txt
1.87+1  -0  openpkg-web/security.wml
1.1 +78 -0  openpkg-web/security/OpenPKG-SA-2004.009-mc
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.67 -r1.68 security.txt
  --- openpkg-web/security.txt  1 Apr 2004 21:01:13 -   1.67
  +++ openpkg-web/security.txt  5 Apr 2004 12:48:29 -   1.68
  @@ -1,3 +1,4 @@
  +05-Apr-2004: Security Advisory: S
   01-Apr-2004: Security Advisory: S
   18-Mar-2004: Security Advisory: S
   12-Mar-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.86 -r1.87 security.wml
  --- openpkg-web/security.wml  1 Apr 2004 21:01:13 -   1.86
  +++ openpkg-web/security.wml  5 Apr 2004 12:48:29 -   1.87
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.009-mc
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.009-mc
  --- /dev/null 2004-04-05 14:48:30.0 +0200
  +++ OpenPKG-SA-2004.009-mc2004-04-05 14:48:30.0 +0200
  @@ -0,0 +1,78 @@
  +-BEGIN PGP SIGNED MESSAGE-#FIXME, this is a template
  +Hash: SHA1#FIXME, this is a template
  +  #FIXME, this is a template
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.009  05-Apr-2004
  +
  +
  +Package: mc
  +Vulnerability:   buffer overflow
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= mc-4.6.0-20040207>= mc-4.6.0-20040405
  +OpenPKG 2.0  <= mc-4.6.0-2.0.0   >= mc-4.6.0-2.0.1
  +OpenPKG 1.3  <= mc-4.6.0-1.3.0   >= mc-4.6.0-1.3.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a message from Ilya Teterin posted on Bugtraq [0] the
  +  Midnight Commander application [1] is using uninitialized buffer for
  +  handling symlinks in VFS. This allows attackers to execute arbitrary
  +  code during symlink conversion. The Common Vulnerabilities and
  +  Exposures (CVE) project assigned the id CAN-2003-1023 [2] to the
  +  problem.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q mc". If you have the "mc" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.0/UPD
  +  ftp> get mc-4.6.0-2.0.1.src.rpm
  +  ftp> bye
  +  $ /bin/openpkg rpm -v --checksig mc-4.6.0-2.0.1.src.rpm
  +  $ /bin/openpkg rpm --rebuild mc-4.6.0-2.0.1.src.rpm
  +  $ su -
  +  # /bin/openpkg rpm -Fvh /RPM/PKG/mc-4.6.0-2.0.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too. [3][4]
  +
  +
  +References:
  +  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=106399528518704
  +  [1] http://www.ibiblio.org/mc/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.c
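Review bot: the same `#FIXME, this is a template` placeholders sit in the PGP header lines of this advisory as in OpenPKG-SA-2004.007 and should be resolved before the file is committed. The file is also added as `OpenPKG-SA-2004.009-mc`, without the `.txt` suffix that every other advisory in `openpkg-web/security/` carries (`OpenPKG-SA-2004.005-mutt.txt`, `OpenPKG-SA-2004.006-uudeview.txt`), which will break any link or listing that assumes the suffix; rename before publishing. In the description, `is using uninitialized buffer` should read `uses an uninitialized buffer`.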

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2004-04-07 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   07-Apr-2004 14:45:54
  Branch: HEAD Handle: 2004040713455301

  Added files:
openpkg-web/securityOpenPKG-SA-2004.011-sharutils
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2004.011-sharutils

  Summary:
RevisionChanges Path
1.69+1  -0  openpkg-web/security.txt
1.89+1  -0  openpkg-web/security.wml
1.1 +75 -0  openpkg-web/security/OpenPKG-SA-2004.011-sharutils
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.68 -r1.69 security.txt
  --- openpkg-web/security.txt  5 Apr 2004 12:48:29 -   1.68
  +++ openpkg-web/security.txt  7 Apr 2004 12:45:53 -   1.69
  @@ -1,3 +1,4 @@
  +07-Apr-2004: Security Advisory: S
   05-Apr-2004: Security Advisory: S
   01-Apr-2004: Security Advisory: S
   18-Mar-2004: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.88 -r1.89 security.wml
  --- openpkg-web/security.wml  5 Apr 2004 12:56:08 -   1.88
  +++ openpkg-web/security.wml  7 Apr 2004 12:45:54 -   1.89
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.011-sharutils
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.011-sharutils
  --- /dev/null 2004-04-07 14:45:54.0 +0200
  +++ OpenPKG-SA-2004.011-sharutils 2004-04-07 14:45:54.0 +0200
  @@ -0,0 +1,75 @@
  +#FIXME, this is a template
  +#FIXME, the first three lines are just dummies
  +#FIXME, to help comparing this against sibling signed documents
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2004.011  07-Apr-2004
  +
  +
  +Package: sharutils
  +Vulnerability:   arbitrary code execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= sharutils-4.2.1-20011201 >= sharutils-4.2.1-20040407
  +OpenPKG 2.0  <= sharutils-4.2.1-2.0.0>= sharutils-4.2.1-2.0.1
  +OpenPKG 1.3  <= sharutils-4.2.1-1.3.0>= sharutils-4.2.1-1.3.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a posting on Bugtraq [1], Shaun Colley discovered and
  +  researched a stack-based buffer overflow vulnerability which exists in
  +  the GNU Sharutils [2] due to lack of bounds checking when handling the
  +  '-o' command-line option.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q sharutils". If you have the "sharutils" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.0/UPD
  +  ftp> get sharutils-4.2.1-2.0.1.src.rpm
  +  ftp> bye
  +  $ /bin/openpkg rpm -v --checksig sharutils-4.2.1-2.0.1.src.rpm
  +  $ /bin/openpkg rpm --rebuild sharutils-4.2.1-2.0.1.src.rpm
  +  $ su -
  +  # /bin/openpkg rpm -Fvh /RPM/PKG/sharutils-4.2.1-2.0.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too. [3][4]
  +
  +
  +References:
  +  [1] http://www.securityfocus.com/archive/1/359639
  +  [2] http://www.gnu.org/software/sharutils/
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://f
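Review bot: the three leading `#FIXME` lines say themselves that they are dummies `to help comparing this against sibling signed documents`, i.e. diff scaffolding, and should be removed from the committed advisory; like OpenPKG-SA-2004.009-mc the file also lacks the `.txt` suffix its siblings use. The description names the vulnerable code path (the `'-o' command-line option`) but not which program of the GNU Sharutils collection takes that option, so readers cannot tell from the advisory alone whether the tool they actually use is exposed; name the program. As with the libtool advisory, no CVE identifier is given; state that none was assigned if that is the case.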

[CVS] OpenPKG: openpkg-web security.txt security.wml openpkg-web/secur...

2002-10-23 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   23-Oct-2002 14:24:15
  Branch: HEAD Handle: 2002102313241400

  Added files:
openpkg-web/securityOpenPKG-SA-2002.010-apache.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
add SA for Apache/mod_ssl

  Summary:
RevisionChanges Path
1.6 +1  -0  openpkg-web/security.txt
1.22+1  -0  openpkg-web/security.wml
1.1 +73 -0  openpkg-web/security/OpenPKG-SA-2002.010-apache.txt
  

  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.5 -r1.6 security.txt
  --- openpkg-web/security.txt  4 Oct 2002 19:47:18 -   1.5
  +++ openpkg-web/security.txt  23 Oct 2002 12:24:14 -  1.6
  @@ -1,3 +1,4 @@
  +23-Oct-2002: Security Advisory: S
   04-Oct-2002: Security Advisory: S
   30-Jul-2002: Security Advisory: S
   30-Jul-2002: Security Advisory: S
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.21 -r1.22 security.wml
  --- openpkg-web/security.wml  4 Oct 2002 19:47:18 -   1.21
  +++ openpkg-web/security.wml  23 Oct 2002 12:24:14 -  1.22
  @@ -70,6 +70,7 @@
  TXT)
   
   
  +  
 
 
 
  Index: openpkg-web/security/OpenPKG-SA-2002.010-apache.txt
  
  $ cvs update -p -r1.1 OpenPKG-SA-2002.010-apache.txt
  
  
  OpenPKG Security AdvisoryThe OpenPKG Project
  http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  OpenPKG-SA-2002.010  23-Oct-2002
  
  
  Package: apache
  Vulnerability:   cross site scripting
  OpenPKG Specific:no
  
  Affected Releases:   Affected Packages:Corrected Packages:
  OpenPKG 1.0  <= apache-1.3.22-1.0.5>= apache-1.3.22-1.0.6
  OpenPKG 1.1  <= apache-1.3.26-1.1.1>= apache-1.3.26-1.1.2
  OpenPKG CURRENT  <= apache-1.3.27-20021009 >= apache-1.3.27-20021023
  
  Description:
Joe Orton <[EMAIL PROTECTED]> discovered a cross site scripting (XSS)
bug [3] in mod_ssl [1], the SSL/TLS component for the Apache webserver
[2]. Like the other recent Apache XSS bugs, this only affects servers
using a combination of "UseCanonicalName off" (_not_ the default in
OpenPKG package of Apache) and a wildcard A record of the server in
the DNS. Although this combination for HTTPS servers is even less
common than with plain HTTP servers, this nevertheless could allow
remote attackers to execute client-side script code as other web page
visitors via the HTTP "Host" header.
  
Please check whether you are affected by running "/bin/rpm -q
apache". If you have an affected version of the "apache" package (see
above), upgrade it according to the solution below. Remember to also
rebuild and reinstall any dependent OpenPKG packages. [4]
  
  Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6][7], fetch it from the OpenPKG FTP service or a mirror location,
verify its integrity [8], build a corresponding binary RPM from it
and update your OpenPKG installation by finally installing the binary
RPM [4]. For the latest OpenPKG 1.1 release, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).
  
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get apache-1.3.26-1.1.2.src.rpm
ftp> bye
$ /bin/rpm --checksig apache-1.3.26-1.1.2.src.rpm
$ /bin/rpm --rebuild apache-1.3.26-1.1.2.src.rpm
$ su -
# /bin/rpm -Fvh /RPM/PKG/apache-1.3.26-1.1.2.*.rpm
# /etc/rc apache stop start
  
  
  References:
[1]  http://www.modssl.org/
[2]  http://httpd.apache.org/
[3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
[4]  http://www.openpkg.org/tutorial.html#regular-source
[5]  ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.6.src.rpm
[6]  ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.2.src.rpm
[7]  ftp://ftp.openpkg.org/current/SRC/apache-1.3.27-20021023.src.rpm
[8]  http://www.openpkg.org/security.html#signature
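The OpenPKG-SA-2002.010 advisory above ties the mod_ssl cross-site scripting bug to a configuration precondition: `UseCanonicalName off` makes the server build self-referential URLs from the client-supplied Host header, and a wildcard DNS record means any such value resolves to the server. The following Python is an added example, not code from the commit or from the OpenPKG project: it audits an httpd.conf text for that directive scope by scope (a virtual host inherits the global setting, and Apache's compiled-in default is On), and shows the defensive counterpart, using the Host header only when it names a configured ServerName or ServerAlias and falling back to the configured ServerName otherwise. The sample configuration is constructed, the function names are mine, and ServerAlias entries are matched exactly (wildcard aliases are not modelled).

```python
import re
from typing import Dict, List, Optional

# Constructed sample httpd.conf fragment for the demonstration; it is not the
# configuration shipped in the OpenPKG apache package.
SAMPLE_CONF = """\
ServerName www.example.test
UseCanonicalName On

<VirtualHost 192.0.2.10:443>
    ServerName secure.example.test
    ServerAlias shop.example.test
    # self-referential URLs are built from the client's Host header here
    UseCanonicalName Off
</VirtualHost>

<VirtualHost 192.0.2.11:80>
    ServerName intranet.example.test
</VirtualHost>
"""

Scopes = Dict[str, Dict[str, List[str]]]

_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
_DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$")
_HOSTNAME = re.compile(r"^[a-z0-9.-]+$")


def parse_scopes(conf: str) -> Scopes:
    """Split httpd.conf text into the global scope ("_global") and one scope per
    <VirtualHost> block, recording each directive's arguments (keys lower-cased).
    Containers other than VirtualHost are not modelled (hypothetical helper)."""
    scopes: Scopes = {"_global": {}}
    current = "_global"
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        opened = _OPEN.match(line)
        if opened:
            current = "VirtualHost " + opened.group(1).strip()
            scopes[current] = {}
            continue
        if _CLOSE.match(line):
            current = "_global"
            continue
        directive = _DIRECTIVE.match(line)
        if directive:
            key, args = directive.group(1).lower(), directive.group(2).split()
            scopes[current].setdefault(key, []).extend(args)
    return scopes


def effective_use_canonical_name(scopes: Scopes, scope: str) -> str:
    """A vhost inherits UseCanonicalName from the global scope when it does not
    set the directive itself; Apache's compiled-in default is On."""
    for name in (scope, "_global"):
        values = scopes[name].get("usecanonicalname")
        if values:
            return values[0].lower()
    return "on"


def audit_use_canonical_name(conf: str) -> List[str]:
    """Return the scopes where UseCanonicalName is effectively Off, i.e. where the
    server trusts the client-supplied Host header when building its own URLs
    (the precondition named in OpenPKG-SA-2002.010)."""
    scopes = parse_scopes(conf)
    return [s for s in scopes if effective_use_canonical_name(scopes, s) == "off"]


def canonical_host(scopes: Scopes, scope: str, host_header: Optional[str]) -> str:
    """Defensive counterpart: accept the Host header only if it names this scope's
    ServerName or one of its ServerAlias entries (exact match, case-insensitive,
    optional :port); otherwise fall back to the configured ServerName so that
    untrusted input never reaches a self-referential URL."""
    server_name = (scopes[scope].get("servername")
                   or scopes["_global"].get("servername")
                   or ["localhost"])[0]
    allowed = {server_name.lower()}
    allowed.update(a.lower() for a in scopes[scope].get("serveralias", []))
    if host_header:
        host = host_header.split(":", 1)[0].strip().lower()
        if _HOSTNAME.match(host) and host in allowed:
            return host
    return server_name


if __name__ == "__main__":
    parsed = parse_scopes(SAMPLE_CONF)
    for flagged in audit_use_canonical_name(SAMPLE_CONF):
        print("UseCanonicalName Off in", flagged)
    print(canonical_host(parsed, "VirtualHost 192.0.2.10:443", "shop.example.test:443"))
    print(canonical_host(parsed, "VirtualHost 192.0.2.10:443", "unknown.example.test"))
```

Run against a real httpd.conf, the audit lists every virtual host that inherits or sets `UseCanonicalName Off`; those are the scopes where the advisory's precondition holds and where a wildcard A record in DNS completes the exposure. The `canonical_host` check is the application-side mitigation the fixed packages make unnecessary for mod_ssl itself, but it remains the right pattern for any CGI or module that still echoes the Host header into generated links.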

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-01-20 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   20-Jan-2003 21:11:49
  Branch: HEAD Handle: 2003012020114701

  Added files:
openpkg-web/securityOpenPKG-SA-2003.003-vim.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.003-vim; CAN-2002-1377

  Summary:
RevisionChanges Path
1.11+1  -0  openpkg-web/security.txt
1.27+1  -0  openpkg-web/security.wml
1.1 +76 -0  openpkg-web/security/OpenPKG-SA-2003.003-vim.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.10 -r1.11 security.txt
  --- openpkg-web/security.txt  16 Jan 2003 13:35:12 -  1.10
  +++ openpkg-web/security.txt  20 Jan 2003 20:11:47 -  1.11
  @@ -1,3 +1,4 @@
  +21-Jan-2003: Security Advisory: S
   16-Jan-2003: Security Advisory: S
   15-Jan-2003: Security Advisory: S
   17-Dec-2002: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.26 -r1.27 security.wml
  --- openpkg-web/security.wml  16 Jan 2003 14:25:53 -  1.26
  +++ openpkg-web/security.wml  20 Jan 2003 20:11:47 -  1.27
  @@ -70,6 +70,7 @@
  TXT)
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.003-vim.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.003-vim.txt
  --- /dev/null 2003-01-20 21:11:48.0 +0100
  +++ OpenPKG-SA-2003.003-vim.txt   2003-01-20 21:11:49.0 +0100
  @@ -0,0 +1,76 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.003  21-Jan-2003
  +
  +
  +Package: vim
  +Vulnerability:   arbitrary command execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= vim-6.1.264-20021223 >= vim-6.1.266-20021224
  +OpenPKG 1.1  <= vim-6.1.165-1.1.0>= vim-6.1.165-1.1.1
  +OpenPKG 1.0  <= vim-6.0.92-1.0.1 >= vim-6.0.92-1.0.2
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  According to a security advisory from Georgi Guninski [0] a
  +  vulnerability exists in the Vim (Vi Improved) text editor [1] which
  +  allows arbitrary command execution using the libcall feature in
  +  modelines.  The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2002-1377 [2] to the problem. Both versions 6.0
  +  and 6.1 are affected.  The necessary patch was incorporated into the
  +  6.1 source tree beginning with patchlevel 265. We have backported the
  +  patch to the 6.0.92 and 6.1.165 releases.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q vim". If you have the "vim" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.1, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.1/UPD
  +  ftp> get vim-6.1.165-1.1.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig vim-6.1.165-1.1.1.src.rpm
  +  $ /bin/rpm --rebuild vim-6.1.165-1.1.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/1.1.*.rpm
  +
  +
  +References:
  +  [0] http://www.guninski.com/vim1.html
  +  [1] http://www.vim.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp
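Review bot: the final install command in the Solution block, `# /bin/rpm -Fvh /RPM/PKG/1.1.*.rpm`, has lost the package name, so the glob does not match the binary RPM the preceding `--rebuild` produces (named `vim-6.1.165-1.1.1.*.rpm`) and the upgrade step fails or freshens the wrong files. It should name the package the way the other advisories do: `# /bin/rpm -Fvh /RPM/PKG/vim-6.1.165-1.1.1.*.rpm`.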

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-01-21 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   21-Jan-2003 14:49:02
  Branch: HEAD Handle: 2003012113490101

  Added files:
openpkg-web/securityOpenPKG-SA-2003.004-cvs.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.004-cvs; CAN-2003-0015

  Summary:
RevisionChanges Path
1.12+1  -0  openpkg-web/security.txt
1.28+1  -0  openpkg-web/security.wml
1.1 +76 -0  openpkg-web/security/OpenPKG-SA-2003.004-cvs.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.11 -r1.12 security.txt
  --- openpkg-web/security.txt  20 Jan 2003 20:11:47 -  1.11
  +++ openpkg-web/security.txt  21 Jan 2003 13:49:01 -  1.12
  @@ -1,3 +1,4 @@
  +21-Jan-2003: Security Advisory: S
   21-Jan-2003: Security Advisory: S
   16-Jan-2003: Security Advisory: S
   15-Jan-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.27 -r1.28 security.wml
  --- openpkg-web/security.wml  20 Jan 2003 20:11:47 -  1.27
  +++ openpkg-web/security.wml  21 Jan 2003 13:49:01 -  1.28
  @@ -70,6 +70,7 @@
  TXT)
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.004-cvs.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.004-cvs.txt
  --- /dev/null 2003-01-21 14:49:02.0 +0100
  +++ OpenPKG-SA-2003.004-cvs.txt   2003-01-21 14:49:02.0 +0100
  @@ -0,0 +1,76 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.004  21-Jan-2003
  +
  +
  +Package: cvs
  +Vulnerability:   remote root compromise
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= cvs-1.11.4-20030114  >= cvs-1.11.5-20030121
  +OpenPKG 1.1  <= cvs-1.11.2-1.1.0 >= cvs-1.11.2-1.1.1
  +OpenPKG 1.0  <= cvs-1.11.1p1-1.0.1   >= cvs-1.11.1p1-1.0.2
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  According to an e-matters Security Advisory [0] from Stefan Esser
  +  <[EMAIL PROTECTED]>, a vulnerability exists in the Concurrent
  +  Versions System (CVS) [1] which allows remote compromise of CVS
  +  servers.  The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2003-0015 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  cvs". If you have the "cvs" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade
  +  it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.1, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.1/UPD
  +  ftp> get cvs-1.11.2-1.1.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig cvs-1.11.2-1.1.1.src.rpm
  +  $ /bin/rpm --rebuild cvs-1.11.2-1.1.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/cvs-1.11.2-1.1.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too. [3][4]
  +
  +
  +References:
  +  [0] http://security.e-matters.de/advisories/012003.html
  +  [1] http://www.cvshome.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.0/UPD/foo-1.2.0-1.0.1.src.rpm
  +  [6]
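Review bot: reference [5], `ftp://ftp.openpkg.org/release/1.0/UPD/foo-1.2.0-1.0.1.src.rpm`, is a leftover template placeholder rather than a real package. The Solution text sends OpenPKG 1.0 users to "[5][6]" for the updated source RPM and the Corrected Packages table promises cvs-1.11.1p1-1.0.2, so [5] should point at the cvs-1.11.1p1-1.0.2 source RPM under release/1.0/UPD before this is published.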

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-01-22 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   22-Jan-2003 14:01:33
  Branch: HEAD Handle: 2003012213013101

  Added files:
openpkg-web/securityOpenPKG-SA-2003.005-php.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.005-php; CAN-2002-1396

  Summary:
RevisionChanges Path
1.13+1  -0  openpkg-web/security.txt
1.29+1  -0  openpkg-web/security.wml
1.1 +86 -0  openpkg-web/security/OpenPKG-SA-2003.005-php.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.12 -r1.13 security.txt
  --- openpkg-web/security.txt  21 Jan 2003 13:49:01 -  1.12
  +++ openpkg-web/security.txt  22 Jan 2003 13:01:31 -  1.13
  @@ -1,3 +1,4 @@
  +22-Jan-2003: Security Advisory: S
   21-Jan-2003: Security Advisory: S
   21-Jan-2003: Security Advisory: S
   16-Jan-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.28 -r1.29 security.wml
  --- openpkg-web/security.wml  21 Jan 2003 13:49:01 -  1.28
  +++ openpkg-web/security.wml  22 Jan 2003 13:01:31 -  1.29
  @@ -70,6 +70,7 @@
  TXT)
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.005-php.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.005-php.txt
  --- /dev/null 2003-01-22 14:01:33.0 +0100
  +++ OpenPKG-SA-2003.005-php.txt   2003-01-22 14:01:33.0 +0100
  @@ -0,0 +1,86 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.005  22-Jan-2003
  +
  +
  +Package: php
  +Vulnerability:   buffer overflow in "wordwrap" function
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= php-4.2.3-20020907   >= php-4.3.0-20021228
  +OpenPKG 1.2  none>= php-4.3.0-1.2.0
  +OpenPKG 1.1  <= php-4.2.2-1.1.0  >= php-4.2.2-1.1.1
  +OpenPKG 1.0  none>= php-4.0.6-1.0.1
  +
  +Affected Releases:   Dependent Packages:
  +OpenPKG CURRENT  <= apache-1.3.27-20021129   >= apache-1.3.27-20021228
  +OpenPKG 1.2  none>= apache-1.3.27-1.2.0
  +OpenPKG 1.1  <= apache-1.3.26-1.1.2  >= apache-1.3.26-1.1.3
  +OpenPKG 1.0  none>= apache-1.3.22-1.0.6
  +
  +Description:
  +  According to a bug report [0] from David F. Skoll
  +  <[EMAIL PROTECTED]> a buffer overflow problem exists in the
  +  "wordwrap" function of Personal HomePage (PHP) [1], a an HTML-embedded
  +  scripting language. Thanks to David's input and help the source of the
  +  problem was tracked down and corrected. The Common Vulnerabilities and
  +  Exposures (CVE) project assigned the id CAN-2002-1396 [2] to the
  +  problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  php". If you have the "php" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +  
  +  Also run "/bin/rpm -qi apache". If you have the "apache"
  +  package installed having the "with_mod_php" option set to "yes" and
  +  its version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror
  +  location, verify its integrity [7], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the release OpenPKG 1.1, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.1/UPD
  +  ftp> get php-4.2.2-1.1.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig php-4.2
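Review bot: the Description line `"wordwrap" function of Personal HomePage (PHP) [1], a an HTML-embedded` has a doubled article and an obsolete expansion; it should read `of PHP [1], an HTML-embedded scripting language` (PHP 4 does not expand to "Personal HomePage"). Separately, the tables list OpenPKG 1.2 and 1.0 as "none" affected but still give Corrected versions (php-4.3.0-1.2.0, php-4.0.6-1.0.1 and the matching apache rows); if those releases are simply not affected, the Corrected column should say N.A., as the python and sendmail advisories in this series do, otherwise readers will assume an update is required. The second table header also lacks the "Corrected Packages:" column label that the first one has.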

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-01-22 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   22-Jan-2003 17:04:54
  Branch: HEAD Handle: 2003012216045301

  Added files:
openpkg-web/securityOpenPKG-SA-2003.006-python.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.006-python; CAN-2002-1119

  Summary:
RevisionChanges Path
1.14+1  -0  openpkg-web/security.txt
1.31+1  -0  openpkg-web/security.wml
1.1 +72 -0  openpkg-web/security/OpenPKG-SA-2003.006-python.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.13 -r1.14 security.txt
  --- openpkg-web/security.txt  22 Jan 2003 13:01:31 -  1.13
  +++ openpkg-web/security.txt  22 Jan 2003 16:04:53 -  1.14
  @@ -1,3 +1,4 @@
  +22-Jan-2003: Security Advisory: S
   22-Jan-2003: Security Advisory: S
   21-Jan-2003: Security Advisory: S
   21-Jan-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.30 -r1.31 security.wml
  --- openpkg-web/security.wml  22 Jan 2003 13:12:54 -  1.30
  +++ openpkg-web/security.wml  22 Jan 2003 16:04:53 -  1.31
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.006-python.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.006-python.txt
  --- /dev/null 2003-01-22 17:04:54.0 +0100
  +++ OpenPKG-SA-2003.006-python.txt2003-01-22 17:04:54.0 +0100
  @@ -0,0 +1,72 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.006  23-Jan-2003
  +
  +
  +Package: python
  +Vulnerability:   predictable filename allows arbitrary code execution 
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= python-2.2.1-20020820>= python-2.2.2-20021015
  +OpenPKG 1.2  noneN.A.
  +OpenPKG 1.1  <= python-2.2.1-1.1.0   >= python-2.2.1-1.1.1
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  Zack Weinberg discovered an insecure use of a hardcoded file name [0]
  +  in Python, a interpreted, interactive, object-oriented programming
  +  language [1]. Python uses a predictable filename which could lead to
  +  execution of arbitrary code.  The Common Vulnerabilities and Exposures
  +  (CVE) project assigned the id CAN-2002-1119 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  python". If you have the "python" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution) and it's dependent packages (see above), if any, too.
  +  [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  +  verify its integrity [7], build a corresponding binary RPM from it [3]
  +  and update your OpenPKG installation by applying the binary RPM [4].
  +  For the release OpenPKG 1.1, perform the following operations to
  +  permanently fix the security problem (for other releases adjust
  +  accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.1/UPD
  +  ftp> get python-2.2.1-1.1.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig python-2.2.1-1.1.1.src.rpm
  +  $ /bin/rpm --rebuild python-2.2.1-1.1.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/python-2.2.1-1.1.1.*.rpm
  +
  +
  +References:
  +  [0] http://mail.python.org/pipermail/python-dev/2002-August/027223.html
  +  [1] http://www.python.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.1/UPD/python-2.2.1-1.1.1.src.r
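Review bot: the advisory header `OpenPKG-SA-2003.006  23-Jan-2003` disagrees with the commit date (22-Jan-2003) and with the security.txt entry added by this same commit (`+22-Jan-2003: Security Advisory:`); one of the two should be corrected so the index and the advisory agree. Two grammar fixes in the Description: `a interpreted, interactive, object-oriented programming language` should be `an interpreted ...`, and `and it's dependent packages` should be `and its dependent packages`.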

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-01-23 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   23-Jan-2003 14:36:59
  Branch: HEAD Handle: 2003012313365801

  Added files:
openpkg-web/securityOpenPKG-SA-2003.007-wget.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.007-wget; CAN-2002-1344

  Summary:
RevisionChanges Path
1.16+1  -0  openpkg-web/security.txt
1.32+1  -0  openpkg-web/security.wml
1.1 +72 -0  openpkg-web/security/OpenPKG-SA-2003.007-wget.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.15 -r1.16 security.txt
  --- openpkg-web/security.txt  23 Jan 2003 10:37:13 -  1.15
  +++ openpkg-web/security.txt  23 Jan 2003 13:36:58 -  1.16
  @@ -1,3 +1,4 @@
  +23-Jan-2003: Security Advisory: S
   23-Jan-2003: Security Advisory: S
   22-Jan-2003: Security Advisory: S
   21-Jan-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.31 -r1.32 security.wml
  --- openpkg-web/security.wml  22 Jan 2003 16:04:53 -  1.31
  +++ openpkg-web/security.wml  23 Jan 2003 13:36:58 -  1.32
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.007-wget.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.007-wget.txt
  --- /dev/null 2003-01-23 14:36:59.0 +0100
  +++ OpenPKG-SA-2003.007-wget.txt  2003-01-23 14:36:59.0 +0100
  @@ -0,0 +1,72 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.007  23-Jan-2003
  +
  +
  +Package: wget
  +Vulnerability:   directory traversal vulnerability
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= wget-1.8.2-20021206  >= wget-1.8.2-20021216
  +OpenPKG 1.2  <= none N.A.
  +OpenPKG 1.1  <= wget-1.8.2-1.1.0 >= wget-1.8.2-1.1.1
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  According to research done by Steve Christey [0], directory traversal
  +  vulnerabilities exist in many FTP clients including wget [1].
  +  Resolution of this issue was handled primarily through Mark Cox of Red
  +  Hat whose patches were incorporated into the wget 1.8.2 HEAD
  +  development branch.  The Common Vulnerabilities and Exposures (CVE)
  +  project assigned the id CAN-2002-1344 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  wget". If you have the "wget" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  +  verify its integrity [7], build a corresponding binary RPM from it [3]
  +  and update your OpenPKG installation by applying the binary RPM [4].
  +  For the release OpenPKG 1.1, perform the following operations to
  +  permanently fix the security problem (for other releases adjust
  +  accordingly).
  +
  +  $ rpm --rebuild ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get wget-1.8.2-1.1.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig wget-1.8.2-1.1.1.src.rpm
  +  $ /bin/rpm --rebuild wget-1.8.2-1.1.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/wget-1.8.2-1.1.1.*.rpm
  +
  +
  +References:
  +  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2
  +  [1] http://sunsite.dk/wget/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.1/UPD/wget-1.8.2-1.1.1.src.rpm
  +  [6] ftp://ftp.openpkg.org/release/1.1
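Review bot: the first command of the Solution block is mangled: `$ rpm --rebuild ftp ftp.openpkg.org` should be `$ ftp ftp.openpkg.org` (the `--rebuild` step already appears on its own line further down). In the same block `ftp> cd release/1.2/UPD` points at the 1.2 tree although the text says "For the release OpenPKG 1.1", the file fetched is wget-1.8.2-1.1.1.src.rpm, and reference [5] places that file under release/1.1/UPD; the command should be `ftp> cd release/1.1/UPD`. Finally, the table row `OpenPKG 1.2  <= none N.A.` should drop the `<=`, matching the plain "none / N.A." form used in the python advisory.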

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-01-29 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   29-Jan-2003 13:01:19
  Branch: HEAD Handle: 2003012912011701

  Added files:
openpkg-web/securityOpenPKG-SA-2003.008-mysql.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
OpenPKG-SA-2003.008 fix mysql double free bug

  Summary:
RevisionChanges Path
1.17+1  -0  openpkg-web/security.txt
1.33+1  -0  openpkg-web/security.wml
1.1 +72 -0  openpkg-web/security/OpenPKG-SA-2003.008-mysql.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.16 -r1.17 security.txt
  --- openpkg-web/security.txt  23 Jan 2003 13:36:58 -  1.16
  +++ openpkg-web/security.txt  29 Jan 2003 12:01:17 -  1.17
  @@ -1,3 +1,4 @@
  +29-Jan-2003: Security Advisory: S
   23-Jan-2003: Security Advisory: S
   23-Jan-2003: Security Advisory: S
   22-Jan-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.32 -r1.33 security.wml
  --- openpkg-web/security.wml  23 Jan 2003 13:36:58 -  1.32
  +++ openpkg-web/security.wml  29 Jan 2003 12:01:17 -  1.33
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.008-mysql.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.008-mysql.txt
  --- /dev/null 2003-01-29 13:01:18.0 +0100
  +++ OpenPKG-SA-2003.008-mysql.txt 2003-01-29 13:01:18.0 +0100
  @@ -0,0 +1,72 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.008  29-Jan-2003
  +
  +
  +Package: mysql
  +Vulnerability:   double free can cause denial of service
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= mysql-3.23.54a-20030116  >= mysql-3.23.55-20030124
  +OpenPKG 1.2  <= mysql-3.23.54a-1.2.0 >= mysql-3.23.54a-1.2.1
  +OpenPKG 1.1  <= mysql-3.23.52-1.1.1  >= mysql-3.23.52-1.1.2
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  Vincent Danen of MandrakeSoft noticed that according to the change log
  +  [0] for MySQL release 3.23.55 [1] a vulnerbility has been fixed where
  +  a double free pointer bug in mysql_change_user() handling enabled a
  +  specially hacked version of MySQL client to crash mysqld.  He
  +  extracted the fix for use in previous releases.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  mysql". If you have the "mysql" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [2][3]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  +  location, verify its integrity [8], build a corresponding binary RPM
  +  from it [2] and update your OpenPKG installation by applying the binary
  +  RPM [3]. For the current release OpenPKG 1.2, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get mysql-3.23.54a-1.2.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig mysql-3.23.54a-1.2.1.src.rpm
  +  $ /bin/rpm --rebuild mysql-3.23.54a-1.2.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/mysql-3.23.54a-1.2.1.*.rpm
  +
  +
  +References:
  +  [0] http://www.mysql.com/doc/en/News-3.23.55.html
  +  [1] http://www.mysql.com/
  +  [2] http://www.openpkg.org/tutorial.html#regular-source
  +  [3] http://www.openpkg.org/tutorial.html#regular-binary
  +  [4] ftp://ftp.openpkg.org/release/1.1/UPD/mysql-3.23.52-1.1.2.src.rpm
  +  [5] ftp://ftp.openpkg.org/release/1.2/UPD/mysql-3.23.54a-1.2.1.src.rpm
  +  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  +  [7] f
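Review bot: unlike every other advisory in this series, this one cites no CVE identifier for the mysql_change_user() double free; if one has been assigned it should be named in the Description and listed in the References next to the change-log link so the advisory can be cross-referenced. Also fix the typo `vulnerbility` in the Description, and `a specially hacked version of MySQL client` reads better as `a specially crafted MySQL client`.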

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-02-18 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   18-Feb-2003 16:13:07
  Branch: HEAD Handle: 2003021815130501

  Added files:
openpkg-web/securityOpenPKG-SA-2003.011-lynx.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.011-lynx; CAN-2002-1405

  Summary:
RevisionChanges Path
1.20+1  -0  openpkg-web/security.txt
1.36+1  -0  openpkg-web/security.wml
1.1 +75 -0  openpkg-web/security/OpenPKG-SA-2003.011-lynx.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.19 -r1.20 security.txt
  --- openpkg-web/security.txt  18 Feb 2003 15:03:24 -  1.19
  +++ openpkg-web/security.txt  18 Feb 2003 15:13:05 -  1.20
  @@ -1,3 +1,4 @@
  +18-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
   29-Jan-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.35 -r1.36 security.wml
  --- openpkg-web/security.wml  18 Feb 2003 15:03:24 -  1.35
  +++ openpkg-web/security.wml  18 Feb 2003 15:13:05 -  1.36
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.011-lynx.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.011-lynx.txt
  --- /dev/null 2003-02-18 16:13:07.0 +0100
  +++ OpenPKG-SA-2003.011-lynx.txt  2003-02-18 16:13:07.0 +0100
  @@ -0,0 +1,75 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.011  18-Feb-2003
  +
  +
  +Package: lynx
  +Vulnerability:   CRLF injection vulnerability
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= lynx-2.8.4-20020206  >= lynx-2.8.4-20021216
  +OpenPKG 1.2  <= N.A. >= lynx-2.8.4-1.2.0
  +OpenPKG 1.1  <= lynx-2.8.4-1.1.0 >= lynx-2.8.4-1.1.1
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  Ulf Harnhammar posted information [0] reporting a "CRLF Injection"
  +  problem with Lynx [1] 2.8.4 and earlier.  It is possible to inject
  +  false HTTP headers into an HTTP request that is provided on the
  +  command line, via a URL containing encoded carriage return, line feed,
  +  and other whitespace characters.  This way, scripts that use Lynx for
  +  downloading files access the wrong site on a web server with multiple
  +  virtual hosts.  The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2002-1405 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  lynx". If you have the "lynx" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  +  verify its integrity [7], build a corresponding binary RPM from it [3]
  +  and update your OpenPKG installation by applying the binary RPM [4].
  +  For the release OpenPKG 1.1, perform the following operations to
  +  permanently fix the security problem (for other releases adjust
  +  accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.1/UPD
  +  ftp> get lynx-2.8.4-1.1.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig lynx-2.8.4-1.1.1.src.rpm
  +  $ /bin/rpm --rebuild lynx-2.8.4-1.1.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/lynx-2.8.4-1.1.1.*.rpm
  +
  +
  +References:
  +  [0] http://www.mail-archive.com/bugtraq@securityfocus.com/msg08897.html
  +  [1] http://lynx.isc.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1405
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpk
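Review bot: the table row `OpenPKG 1.2  <= N.A. >= lynx-2.8.4-1.2.0` is malformed, since "<= N.A." is not a version bound. If OpenPKG 1.2 shipped with lynx-2.8.4-1.2.0 already fixed, the Affected column should read `none` (the convention used by the python and sendmail advisories) and the Corrected column can keep lynx-2.8.4-1.2.0. The header line `Vulnerability:   CRLF injection vulnerability` can also lose the redundant second "vulnerability".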

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-02-19 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   19-Feb-2003 14:48:12
  Branch: HEAD Handle: 2003021913480704

  Added files:
openpkg-web/securityOpenPKG-SA-2003.012-dhcpd.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.012-dhcpd; CAN-2003-0039

  Summary:
RevisionChanges Path
1.21+1  -0  openpkg-web/security.txt
1.37+1  -0  openpkg-web/security.wml
1.1 +87 -0  openpkg-web/security/OpenPKG-SA-2003.012-dhcpd.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.20 -r1.21 security.txt
  --- openpkg-web/security.txt  18 Feb 2003 15:13:05 -  1.20
  +++ openpkg-web/security.txt  19 Feb 2003 13:48:07 -  1.21
  @@ -1,3 +1,4 @@
  +19-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
   18-Feb-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.36 -r1.37 security.wml
  --- openpkg-web/security.wml  18 Feb 2003 15:13:05 -  1.36
  +++ openpkg-web/security.wml  19 Feb 2003 13:48:07 -  1.37
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.012-dhcpd.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.012-dhcpd.txt
  --- /dev/null 2003-02-19 14:48:11.0 +0100
  +++ OpenPKG-SA-2003.012-dhcpd.txt 2003-02-19 14:48:11.0 +0100
  @@ -0,0 +1,87 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.012  19-Feb-2003
  +
  +
  +Package: dhcpd
  +Vulnerability:   denial of service (packet storm)
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= dhcpd-3.0.1rc11-20030116 >= dhcpd-3.0.1rc11-20030219
  +OpenPKG 1.2  <= dhcpd-3.0.1rc11-1.2.0>= dhcpd-3.0.1rc11-1.2.1
  +OpenPKG 1.1  <= dhcpd-3.0.1rc9-1.1.1 >= dhcpd-3.0.1rc9-1.1.2
  +
  +Affected Releases:   Dependent Packages: none
  +
  +Description:
  +  Florian Lohoff discovered a bug [0] in dhcrelay which is part of the
  +  ISC DHCPD [1]. The bug is causing the relay agent to send a continuing
  +  packet storm towards the configured dhcp server(s) in case of a
  +  malicious BOOTP packet.  The Common Vulnerabilities and Exposures
  +  (CVE) project assigned the id CAN-2003-0039 [2] to the problem.
  +
  +  The update does not ultimately fix the root cause of the problem.
  +  However, it improves dhcrelay's compliance to RFC1542 [10] by
  +  rigorously supporting the requirements listed in section 4.1.1
  +  BOOTREQUEST Messages and thus limiting havoc wreaked to the network:
  +
  +  > The relay agent MUST silently discard BOOTREQUEST messages whose
  +  > 'hops' field exceeds the value 16.  A configuration option SHOULD be
  +  > provided to set this threshold to a smaller value if desired by the
  +  > network manager.  The default setting for a configurable threshold
  +  > SHOULD be 4.
  +
  +  The new configuration option is '-c', it defaults to 4, the range of
  +  parameter is between 0 and 16.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q dhcpd". If you have the "dhcpd" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.1, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get dhcpd-3.0.1rc11-1.2.
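Review bot: the Solution text says "For the current release OpenPKG 1.1" but the commands that follow use `ftp> cd release/1.2/UPD` and fetch the dhcpd-3.0.1rc11-1.2.x source RPM, and the mysql advisory from two weeks earlier already calls 1.2 the current release; the sentence should say OpenPKG 1.2. The sentence describing the new option is a run-on: `The new configuration option is '-c', it defaults to 4, the range of parameter is between 0 and 16.` should read `The new option -c sets the hop-count threshold; it defaults to 4 and accepts values from 0 to 16.` The Description also cites RFC1542 as [10], so the References list must end with an entry [10] pointing at that RFC.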

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-03-04 Thread Michael van Elst
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Michael van Elst
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   04-Mar-2003 14:06:12
  Branch: HEAD Handle: 2003030413061001

  Added files:
openpkg-web/securityOpenPKG-SA-2003.016-sendmail.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.016; CAN-2002-133

  Summary:
RevisionChanges Path
1.24+2  -0  openpkg-web/security.txt
1.40+2  -0  openpkg-web/security.wml
1.1 +73 -0  openpkg-web/security/OpenPKG-SA-2003.016-sendmail.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.23 -r1.24 security.txt
  --- openpkg-web/security.txt  4 Mar 2003 10:26:04 -   1.23
  +++ openpkg-web/security.txt  4 Mar 2003 13:06:10 -   1.24
  @@ -1,3 +1,5 @@
  +04-Mar-2003: Security Advisory: S
  +04-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
   19-Feb-2003: Security Advisory: S
   19-Feb-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.39 -r1.40 security.wml
  --- openpkg-web/security.wml  4 Mar 2003 10:26:04 -   1.39
  +++ openpkg-web/security.wml  4 Mar 2003 13:06:10 -   1.40
  @@ -78,6 +78,8 @@
   
   
   
  +  
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.016-sendmail.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.016-sendmail.txt
  --- /dev/null 2003-03-04 14:06:12.0 +0100
  +++ OpenPKG-SA-2003.016-sendmail.txt  2003-03-04 14:06:12.0 +0100
  @@ -0,0 +1,73 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.016  04-Mar-2003
  +
  +
  +Package: sendmail
  +Vulnerability:   buffer overflow
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= sendmail-8.12.7-20030205 >= sendmail-8.12.8-20030304
  +OpenPKG 1.2  <= sendmail-8.12.7-1.2.0>= sendmail-8.12.4-1.2.1
  +OpenPKG 1.1  noneN.A.
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a ISS X-Force [0], a buffer overflow vulnerability
  +  exists in all sendmail versions from 5.79 to 8.12.7 [1]. Attackers
  +  may remotely exploit this vulnerability to gain "root" or superuser
  +  control of any vulnerable Sendmail server. The Common Vulnerabilities
  +  and Exposures (CVE) project assigned the id CAN-2002-1337 [2] to the
  +  problem.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q sendmail". If you have the "sendmail" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  +  verify its integrity [7], build a corresponding binary RPM from it [3]
  +  and update your OpenPKG installation by applying the binary RPM [4].
  +  For the current release OpenPKG 1.2, perform the following operations
  +  to permanently fix the security problem (for other releases adjust
  +  accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get sendmail-8.12.7-1.2.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig sendmail-8.12.7-1.2.1.src.rpm
  +  $ /bin/rpm --rebuild sendmail-8.12.7-1.2.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/sendmail-8.12.7-1.2.1.*.rpm
  +
  +
  +
  +References:
  +  [0] http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
  +  [1] http://www.sendmail.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.1.src.rpm
  +  [6] ftp://ftp
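Review bot: the Corrected Packages entry for OpenPKG 1.2 (">= sendmail-8.12.4-1.2.1") is lower than the affected ">= ... <= sendmail-8.12.7-1.2.0" and does not match the sendmail-8.12.7-1.2.1.src.rpm fetched and rebuilt in the Solution; it should read ">= sendmail-8.12.7-1.2.1". Minor: "According to a ISS X-Force" should be "an ISS X-Force", and the commit log cites "CAN-2002-133" while the advisory body gives CAN-2002-1337.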

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-03-04 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   04-Mar-2003 16:37:41
  Branch: HEAD Handle: 2003030415373802

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.017-file.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.017-file

  Summary:
    Revision  Changes  Path
    1.25      +1  -0   openpkg-web/security.txt
    1.41      +1  -0   openpkg-web/security.wml
    1.1       +75 -0   openpkg-web/security/OpenPKG-SA-2003.017-file.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.24 -r1.25 security.txt
  --- openpkg-web/security.txt  4 Mar 2003 13:06:10 -   1.24
  +++ openpkg-web/security.txt  4 Mar 2003 15:37:38 -   1.25
  @@ -1,3 +1,4 @@
  +04-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
   04-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.40 -r1.41 security.wml
  --- openpkg-web/security.wml  4 Mar 2003 13:06:10 -   1.40
  +++ openpkg-web/security.wml  4 Mar 2003 15:37:39 -   1.41
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.017-file.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.017-file.txt
  --- /dev/null 2003-03-04 16:37:40.0 +0100
  +++ OpenPKG-SA-2003.017-file.txt  2003-03-04 16:37:40.0 +0100
  @@ -0,0 +1,75 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.017  04-Mar-2003
  +
  +
  +Package: file
  +Vulnerability:   memory allocation problem, stack overflow
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= file-3.40-20030209   >= file-3.41-20030228
  +OpenPKG 1.2  <= file-3.39-1.2.0  >= file-3.39-1.2.1
  +OpenPKG 1.1  <= file-3.39-1.1.1  >= file-3.39-1.1.2
  +
  +Dependent Packages:  noneN.A.
  +
  +Description:
  +  Jeff Johnson found a memory allocation problem and David Endler found
  +  a stack overflow corruption problem in the file [0] "Automatic File
  +  Content Type Recognition Tool" version 3.41.  Nalin Dahyabhai improved
  +  ELF section and program header handling in file [0] version 3.40. We
  +  believe that file versions without those modifications are vulnerable
  +  to memory allocation and stack overflow problems which put security at
  +  risk.  We have backported the security relevant pieces of the 3.41 and
  +  3.40 vendor changes into OpenPKG releases using vendor version 3.39.
  +  
  +  Please check whether you are affected by running "/bin/rpm
  +  -q file". If you have the "file" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution). [2][3]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  +  location, verify its integrity [8], build a corresponding binary RPM
  +  from it [2] and update your OpenPKG installation by applying the binary
  +  RPM [3]. For the current release OpenPKG 1.2, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get file-3.39-1.2.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig file-3.39-1.2.1.src.rpm
  +  $ /bin/rpm --rebuild file-3.39-1.2.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/file-3.39-1.2.1.*.rpm
  +
  +
  +
  +References:
  +  [1] ftp://ftp.astron.com/pub/file/
  +  [2] http://www.openpkg.org/tutorial.html#regular-source
  +  [3] http://www.openpkg.org/tutorial.html#regular-binary
  +  [4] ftp://ftp.openpkg.org/release/1.1/UPD/file-3
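Review bot: the Description cites "file [0]" twice, but the References list starts at [1] (ftp://ftp.astron.com/pub/file/), which the text never cites; either renumber the in-text citations to [1] or add a [0] entry so the vendor link resolves. The "Dependent Packages: none" line also carries a stray "N.A." column that belongs only in the per-release table above it.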

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-06-03 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   03-Jun-2003 14:11:25
  Branch: HEAD Handle: 2003060313112401

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.030-ghostscript.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.030-ghostscript; CAN-2003-0354; execute arbitrary commands

  Summary:
    Revision  Changes  Path
    1.36      +1  -0   openpkg-web/security.txt
    1.52      +1  -0   openpkg-web/security.wml
    1.1       +99 -0   openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.35 -r1.36 security.txt
  --- openpkg-web/security.txt  16 May 2003 09:39:04 -  1.35
  +++ openpkg-web/security.txt  3 Jun 2003 12:11:24 -   1.36
  @@ -1,3 +1,4 @@
  +03-Jun-2003: Security Advisory: S
   16-May-2003: Security Advisory: S
   07-Apr-2003: Security Advisory: S
   30-Mar-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.51 -r1.52 security.wml
  --- openpkg-web/security.wml  16 May 2003 09:39:04 -  1.51
  +++ openpkg-web/security.wml  3 Jun 2003 12:11:24 -   1.52
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.030-ghostscript.txt
  --- /dev/null 2003-06-03 14:11:25.0 +0200
  +++ OpenPKG-SA-2003.030-ghostscript.txt   2003-06-03 14:11:25.0 +0200
  @@ -0,0 +1,99 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.030  03-Jun-2003
  +
  +
  +Package: ghostscript
  +Vulnerability:   execute arbitrary commands
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  noneN.A.
  +OpenPKG 1.2  noneN.A.
  +OpenPKG 1.1  <= ghostscript-7.04-1.1.0   >= ghostscript-7.04-1.1.1 
  +
  +Dependent Packages:  none FIXME
  +
  +Affected Releases:   Dependent Packages: FIXME
  +OpenPKG CURRENT  bar quux
  +OpenPKG 1.2  bar quux
  +OpenPKG 1.1  bar 
  +
  +FIXME
  +gv.spec BuildPreReq: X11, xaw3d, ghostscript
  +gv.spec PreReq:  X11, xaw3d, ghostscript
  +latex2html.spec BuildPreReq: perl, ghostscript, tetex, png, netpbm
  +latex2html.spec PreReq:  perl, ghostscript, tetex, png, netpbm
  +libwmf.spec BuildPreReq: X11, libxml, freetype, zlib, png, jpeg, gd, 
ghostscript = %{V_ghostscript}
  +libwmf.spec PreReq:  X11, libxml, freetype, zlib, png, jpeg, gd, 
ghostscript = %{V_ghostscript}
  +lyx.specPreReq:  gv, ghostscript, ghostscript::with_x11 = yes
  +mgv.specPreReq:  X11, ghostscript
  +pstoedit.spec   BuildPreReq: ghostscript, gcc, png, zlib
  +pstoedit.spec   PreReq:  ghostscript
  +sam2p.spec  BuildPreReq: ghostscript, jpeg, gzip, infozip, make, gcc, perl, 
bash
  +sam2p.spec  PreReq:  ghostscript, jpeg, gzip, infozip
  +scribus.specBuildPreReq: qt, freetype, ghostscript, png, jpeg, tiff, zlib
  +scribus.specPreReq:  qt, freetype, ghostscript, png, jpeg, tiff, zlib
  +tex4ht.spec PreReq:  tetex, ghostscript, imagemagick
  +
  +Description:
  +  According to a RedHat security advisory [1] a flaw in unpatched
  +  versions of Ghostscript before 7.07 allows malicious postscript files
  +  to execute arbitrary commands even with -dSAFER enabled.  The Common
  +  Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0354 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  ghostscript". If you have the "ghostscript" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution) and it's dependent packages (see 
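Review bot: draft scaffolding is being committed into a published advisory: "Dependent Packages: none FIXME", a second "Affected Releases: Dependent Packages: FIXME" table filled with "bar quux", and a "FIXME" block of raw .spec PreReq/BuildPreReq lines. That block itself shows gv, latex2html, libwmf, lyx, mgv, pstoedit, sam2p, scribus and tex4ht all depending on ghostscript, so "none" is wrong; replace the placeholders with the real dependent packages per release (the Description tells users to upgrade them "see above"). Minor: "it's dependent packages" should read "its".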

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-07-07 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   07-Jul-2003 15:48:09
  Branch: HEAD Handle: 2003070714480800

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.032-php.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.032-php; CAN-2002-0985, CAN-2002-0986, CAN-2003-0442

  Summary:
    Revision  Changes  Path
    1.38      +1  -0   openpkg-web/security.txt
    1.54      +1  -0   openpkg-web/security.wml
    1.1       +93 -0   openpkg-web/security/OpenPKG-SA-2003.032-php.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.37 -r1.38 security.txt
  --- openpkg-web/security.txt  11 Jun 2003 11:04:36 -  1.37
  +++ openpkg-web/security.txt  7 Jul 2003 13:48:08 -   1.38
  @@ -1,3 +1,4 @@
  +07-Jul-2003: Security Advisory: S
   11-Jun-2003: Security Advisory: S
   03-Jun-2003: Security Advisory: S
   16-May-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.53 -r1.54 security.wml
  --- openpkg-web/security.wml  11 Jun 2003 11:04:36 -  1.53
  +++ openpkg-web/security.wml  7 Jul 2003 13:48:08 -   1.54
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.032-php.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.032-php.txt
  --- /dev/null 2003-07-07 15:48:08.0 +0200
  +++ OpenPKG-SA-2003.032-php.txt   2003-07-07 15:48:09.0 +0200
  @@ -0,0 +1,93 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.032  07-Jul-2003
  +
  +
  +Package: php, apache
  +Vulnerability:   XSS; bypass safe mode
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= php-4.3.1-20030516   >= php-4.3.2-20030529
  + <= apache-1.3.27-20030516   >= apache-1.3.27-20030529
  +OpenPKG 1.2  noneN.A.
  +OpenPKG 1.1  <= php-4.2.2-1.1.1  >= php-4.2.2-1.1.2
  + <= apache-1.3.26-1.1.4  >= apache-1.3.26-1.1.5
  +
  +Dependent Packages:  none
  +
  +Description:
  +  Wojciech Purczynski found [2] out that it is possible to allow remote
  +  attackers to bypass safe mode restrictions in PHP [1] 4.x to 4.2.2 and
  +  modify command line arguments to the MTA (e.g. sendmail) in the 5th
  +  argument to mail(), altering MTA behavior and possibly executing
  +  commands.  The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2002-0985 [4] to the problem.
  +  
  +  Wojciech Purczynski also reported [2] that the mail function in PHP
  +  [1] 4.x to 4.2.2 does not filter ASCII control characters from its
  +  arguments, which could allow remote attackers to modify mail message
  +  content, including mail headers, and possibly use PHP as a "spam
  +  proxy." Depending on how The Common Vulnerabilities and Exposures
  +  (CVE) project assigned the id CAN-2002-0986 [5] to the problem.
  +
  +  A security advisory [3] states that in PHP [1] version 4.3.1 (but we
  +  at OpenPKG believe 4.2.x) and earlier, when transparent session ID
  +  support is enabled using the "session.use_trans_sid" option, the
  +  session ID is not escaped before use, which allows remote attackers to
  +  insert arbitrary script via the PHPSESSID parameter, The Common
  +  Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0442 [6] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q php". If you have the "php" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution).
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [9], fetch it from the OpenPKG FTP service [10] or a mirror
  +  location, verify its integrity [11], build a corresponding binary RPM
  +  from it
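Review bot: the CAN-2002-0986 paragraph contains a dangling fragment, "Depending on how The Common Vulnerabilities and Exposures (CVE) project assigned the id ..."; drop "Depending on how" so the sentence parses. The header lists "Package: php, apache" and the table gives corrected apache packages for CURRENT and 1.1, yet the check paragraph only says to run "/bin/rpm -q php"; it should tell users to check and upgrade the apache package as well. Minor: "insert arbitrary script via the PHPSESSID parameter, The Common" needs a full stop instead of the comma.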

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-07-10 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   10-Jul-2003 11:54:17
  Branch: HEAD Handle: 2003071010541601

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.033-infozip.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.033-infozip; CAN-2003-0282

  Summary:
    Revision  Changes  Path
    1.39      +1  -0   openpkg-web/security.txt
    1.55      +1  -0   openpkg-web/security.wml
    1.1       +94 -0   openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.38 -r1.39 security.txt
  --- openpkg-web/security.txt  7 Jul 2003 13:48:08 -   1.38
  +++ openpkg-web/security.txt  10 Jul 2003 09:54:16 -  1.39
  @@ -1,3 +1,4 @@
  +10-Jul-2003: Security Advisory: S
   07-Jul-2003: Security Advisory: S
   11-Jun-2003: Security Advisory: S
   03-Jun-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.54 -r1.55 security.wml
  --- openpkg-web/security.wml  7 Jul 2003 13:48:08 -   1.54
  +++ openpkg-web/security.wml  10 Jul 2003 09:54:16 -  1.55
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.033-infozip.txt
  --- /dev/null 2003-07-10 11:54:17.0 +0200
  +++ OpenPKG-SA-2003.033-infozip.txt   2003-07-10 11:54:17.0 +0200
  @@ -0,0 +1,94 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.033  10-Jul-2003
  +
  +
  +Package: infozip
  +Vulnerability:   overwrite arbitrary files
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= infozip-20030306-20030708 >= infozip-20030710-20030710
  +OpenPKG 1.2  <= infozip-1.2.0-1.2.0   >= infozip-1.2.0-1.2.1
  +OpenPKG 1.1  <= infozip-1.1.0-1.1.0   >= infozip-1.1.0-1.1.1
  +
  +Dependent Packages:  none
  +
  +Affected Releases:   Dependent Packages:
  +OpenPKG CURRENT  bar quux
  +OpenPKG 1.2  bar quux
  +OpenPKG 1.1  bar 
  +
  +FIXME candidates
  +cvsweb  PreReq:   
  +docbook BuildPreReq:  
  +heise   PreReq: BuildPreReq:  
  +mozilla PreReq: BuildPreReq:  
  +pccts   BuildPreReq:  
  +sam2p   PreReq: BuildPreReq:  
  +sav BuildPreReq:  
  +saxon   BuildPreReq:  
  +tetex   BuildPreReq:  
  +tex4ht  BuildPreReq:  
  +
  +Description:
  +  A directory traversal vulnerability in UnZip 5.50 allows attackers to
  +  overwrite arbitrary files via invalid characters between two . (dot)
  +  characters, which are filtered and result in a ".." sequence. The
  +  corrected packages include a patch taken from RedHat [1] ensuring that
  +  non-printable characters do not make it possible for a malicious .zip
  +  file to write to parent directories unless the "-:" command line
  +  parameter is specified.  The Common Vulnerabilities and Exposures
  +  (CVE) project assigned the id CAN-2003-0282 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  infozip". If you have the "infozip" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution) and it's dependent packages (see above), if any, too.
  +  [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp
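Review bot: "Dependent Packages: none" is contradicted by the draft material right below it: a second table filled with "bar quux" and a "FIXME candidates" list (cvsweb, docbook, heise, mozilla, pccts, sam2p, sav, saxon, tetex, tex4ht) with empty PreReq/BuildPreReq columns. Resolve which of these actually depend on infozip and list them per release, or remove the block; the "if any" in the upgrade paragraph suggests the question was left open. Minor: "it's dependent packages" should read "its".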

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-07-10 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   10-Jul-2003 16:22:49
  Branch: HEAD Handle: 2003071015224801

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.034-imagemagick.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.034-imagemagick; CAN-2003-0455

  Summary:
    Revision  Changes  Path
    1.40      +1  -0   openpkg-web/security.txt
    1.56      +1  -0   openpkg-web/security.wml
    1.1       +86 -0   openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.39 -r1.40 security.txt
  --- openpkg-web/security.txt  10 Jul 2003 09:54:16 -  1.39
  +++ openpkg-web/security.txt  10 Jul 2003 14:22:48 -  1.40
  @@ -1,3 +1,4 @@
  +10-Jul-2003: Security Advisory: S
   10-Jul-2003: Security Advisory: S
   07-Jul-2003: Security Advisory: S
   11-Jun-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.55 -r1.56 security.wml
  --- openpkg-web/security.wml  10 Jul 2003 09:54:16 -  1.55
  +++ openpkg-web/security.wml  10 Jul 2003 14:22:48 -  1.56
  @@ -78,6 +78,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.034-imagemagick.txt
  --- /dev/null 2003-07-10 16:22:49.0 +0200
  +++ OpenPKG-SA-2003.034-imagemagick.txt   2003-07-10 16:22:49.0 +0200
  @@ -0,0 +1,86 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.034  10-Jul-2003
  +
  +
  +Package: imagemagick
  +Vulnerability:   create or overwrite files
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= imagemagick-5.5.6.0-20030409 >= imagemagick-5.5.7.0-20030512
  +OpenPKG 1.2  <= imagemagick-5.5.3.2-1.2.0>= imagemagick-5.5.3.2-1.2.1
  +OpenPKG 1.1  <= imagemagick-5.4.8.2-1.1.0>= imagemagick-5.4.8.2-1.1.1
  +
  +Affected Releases:   Dependent Packages:
  +OpenPKG CURRENT  bar quux
  +OpenPKG 1.2  bar quux
  +OpenPKG 1.1  bar 
  +
  +FIXME candidates
  +autotrace-0.31.1-20030707
  +tex4ht-20030119-20030707
  +wv-0.7.6-20030707
  +
  +Description:
  +  According to a Debian security advisory [0] imagemagick's libmagick
  +  [1] library, under certain circumstances, creates temporary files
  +  without taking appropriate security precautions. This vulnerability
  +  could be exploited by a local user to create or overwrite files with
  +  the privileges of another user who is invoking a program using this
  +  library. Research has shown that all versions of imagemagick before
  +  5.5.7.0 are affected. The Common Vulnerabilities and Exposures (CVE)
  +  project assigned the id CAN-2003-0455 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  imagemagick". If you have the "imagemagick" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution) and it's dependent packages (see above), if
  +  any, too. [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.2, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get imagemagick-5.5.3.2-1.2.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig imagemagick-5.5.3.2-1.2.1.src.rpm
  +  $ /bin/rpm --rebuild imagemagick-5.5.3.2-1.2.1.src.rpm
  +  $ su -
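Review bot: the "Dependent Packages:" summary line used in the other advisories is missing entirely, and what stands in its place is draft scaffolding ("bar quux" rows and a "FIXME candidates" list of autotrace, tex4ht and wv). Since the Description tells users to upgrade dependent packages "see above", the table must name the real dependents per release or state none. Minor: "it's dependent packages" should read "its".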

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-08-14 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   06-Aug-2003 15:07:51
  Branch: HEAD Handle: 2003080614075000

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.035-openssh.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
OpenPKG-SA-2003.035-openssh; CAN-2003-0190

  Summary:
    Revision  Changes  Path
    1.41      +1  -0   openpkg-web/security.txt
    1.59      +1  -0   openpkg-web/security.wml
    1.1       +80 -0   openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.40 -r1.41 security.txt
  --- openpkg-web/security.txt  10 Jul 2003 14:22:48 -  1.40
  +++ openpkg-web/security.txt  6 Aug 2003 13:07:50 -   1.41
  @@ -1,3 +1,4 @@
  +06-Aug-2003: Security Advisory: S
   10-Jul-2003: Security Advisory: S
   10-Jul-2003: Security Advisory: S
   07-Jul-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.58 -r1.59 security.wml
  --- openpkg-web/security.wml  5 Aug 2003 08:47:06 -   1.58
  +++ openpkg-web/security.wml  6 Aug 2003 13:07:50 -   1.59
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.035-openssh.txt
  --- /dev/null 2003-08-06 15:07:51.0 +0200
  +++ OpenPKG-SA-2003.035-openssh.txt   2003-08-06 15:07:51.0 +0200
  @@ -0,0 +1,80 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.035  06-Aug-2003
  +
  +
  +Package: openssh
  +Vulnerability:   information leakage
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= openssh-3.6.1p1-20030423 >= openssh-3.6.1p2-20030429
  +OpenPKG 1.3  N/A
  +OpenPKG 1.2  <= openssh-3.5p1-1.2.1  >= openssh-3.5p1-1.2.2
  +
  +Description:
  +  According to a Mediaservice.net security advisory [0], a information
  +  leakage exists in OpenSSH [1] 3.6.1p1 and earlier with PAM support
  +  enabled. When a user does not exist, an error message is send
  +  immediately which allows remote attackers to determine valid usernames
  +  via a timing attack. OpenPKG installations are only affected when the
  +  package was build '--with_pam yes', which is not the default. We could
  +  only reproduce the problem on Linux. It seems FreeBSD and Solaris are
  +  not vulnerable, the patch does not affect their behaviour. However,
  +  the problem is related to the PAM configuration, not the operating
  +  system. Using a non-default configuration might leak information on
  +  other operating systems, too. On Linux systems, a valid workaround is
  +  to add a "nodelay" option to the pam_unix.so auth.
  +
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0190 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  openssh". If you have the "openssh" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution).
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  +  verify its integrity [7], build a corresponding binary RPM from it [3]
  +  and update your OpenPKG installation by applying the binary RPM [4].
  +  For the current release OpenPKG 1.2, perform the following operations
  +  to permanently fix the security problem (for other releases adjust
  +  accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.2/UPD
  +  ftp> get openssh-3.5p1-1.2.2.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig openssh-3.5p1-1.2.2.src.rpm
  +  $ /bin/rpm --rebuild openssh-3.5p1-1.2.2.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/openssh-3.5p1-1.2.2.*.rp
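Review bot: the release table has an "OpenPKG 1.3  N/A" row with no Affected/Corrected columns; use "none" and "N.A." as the other advisories do, and add the usual "Dependent Packages:" line. Grammar in the Description: "a information leakage" should be "an information leakage", "an error message is send" should be "is sent", "the package was build" should be "was built", and "are not vulnerable, the patch does not affect their behaviour" needs a semicolon or "and" rather than a comma.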

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-08-14 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   06-Aug-2003 17:26:43
  Branch: HEAD Handle: 2003080616264201

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.036-perl-www.txt
  Modified files:
openpkg-web security.txt security.wml
    openpkg-web/security    page.pl

  Log:
OpenPKG-SA-2003.036-perl-www; CAN-2003-0615

  Summary:
RevisionChanges Path
1.42+1  -0  openpkg-web/security.txt
1.60+1  -0  openpkg-web/security.wml
1.1 +75 -0  openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt
1.21+1  -1  openpkg-web/security/page.pl
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.41 -r1.42 security.txt
  --- openpkg-web/security.txt  6 Aug 2003 13:07:50 -   1.41
  +++ openpkg-web/security.txt  6 Aug 2003 15:26:42 -   1.42
  @@ -1,3 +1,4 @@
  +06-Aug-2003: Security Advisory: S
   06-Aug-2003: Security Advisory: S
   10-Jul-2003: Security Advisory: S
   10-Jul-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.59 -r1.60 security.wml
  --- openpkg-web/security.wml  6 Aug 2003 13:07:50 -   1.59
  +++ openpkg-web/security.wml  6 Aug 2003 15:26:42 -   1.60
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.036-perl-www.txt
  --- /dev/null 2003-08-06 17:26:43.0 +0200
  +++ OpenPKG-SA-2003.036-perl-www.txt  2003-08-06 17:26:43.0 +0200
  @@ -0,0 +1,75 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.perl-www 06-Aug-2003
  +
  +
  +Package: perl-www
  +Vulnerability:   CGI.pm cross site scripting
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:Corrected Packages:
  +OpenPKG CURRENT  <= perl-www-20030726-20030726 >= perl-www-20030802-20030802
  +OpenPKG 1.3  <= perl-www-1.3.0-1.3.0   >= perl-www-1.3.1-1.3.1
  +OpenPKG 1.2  <= perl-www-1.2.0-1.2.0   >= perl-www-1.2.1-1.2.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a security advisory [0] from [EMAIL PROTECTED] a
  +  cross site scripting vulnerability exists in the start_form() function
  +  in CGI.pm [1]. The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2003-0615 [2] to the problem.
  +
  +  Note that beginning with perl-www-20030609-20030609 and
  +  perl-www-1.3.0-1.3.0 a preliminary patch was already included which
  +  fixes the specific issue discussed in the original SA. The corrected
  +  packages include a more generalized patch.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q perl-www". If you have the "perl-www" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution).
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get perl-www-1.3.1-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig perl-www-1.3.1-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild perl-www-1.3.1-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/perl-www-1.3.1-1.3.1.*.rpm
  +
  +
  +References:
  +  [0] http://eyeonsecurity.org/advisories/CGI.pm/adv.html
  +  [1] http://stein.cshl.org/WWW/software/CGI/
  +  [2] http://cve.mitre.org/cg
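Review bot: the advisory header reads "OpenPKG-SA-2003.perl-www", but the file is OpenPKG-SA-2003.036-perl-www.txt and the commit log says OpenPKG-SA-2003.036; the identifier must be "OpenPKG-SA-2003.036". The Solution says "For the current release OpenPKG 1.2" while the commands fetch from release/1.3/UPD and rebuild perl-www-1.3.1-1.3.1.src.rpm; make the sentence say OpenPKG 1.3 (the newest release in the table) or switch the commands to the 1.2 package.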

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-09-15 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   15-Sep-2003 13:33:39
  Branch: HEAD Handle: 2003091512333900

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.038-mysql.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.038-mysql; CAN-2003-0780

  Summary:
    Revision  Changes  Path
    1.44      +1  -0   openpkg-web/security.txt
    1.62      +1  -0   openpkg-web/security.wml
    1.1       +77 -0   openpkg-web/security/OpenPKG-SA-2003.038-mysql.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.43 -r1.44 security.txt
  --- openpkg-web/security.txt  28 Aug 2003 08:37:00 -  1.43
  +++ openpkg-web/security.txt  15 Sep 2003 11:33:39 -  1.44
  @@ -1,3 +1,4 @@
  +15-Sep-2003: Security Advisory: S
   28-Aug-2003: Security Advisory: S
   06-Aug-2003: Security Advisory: S
   06-Aug-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.61 -r1.62 security.wml
  --- openpkg-web/security.wml  28 Aug 2003 08:37:00 -  1.61
  +++ openpkg-web/security.wml  15 Sep 2003 11:33:39 -  1.62
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.038-mysql.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.038-mysql.txt
  --- /dev/null 2003-09-15 13:33:39.0 +0200
  +++ OpenPKG-SA-2003.038-mysql.txt 2003-09-15 13:33:39.0 +0200
  @@ -0,0 +1,77 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.mysql15-Sep-2003
  +
  +
  +Package: mysql
  +Vulnerability:   arbitrary code execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= mysql-4.0.14-20030904>= mysql-4.0.15-20030910
  +OpenPKG 1.3  <= mysql-4.0.14-1.3.1   >= mysql-4.0.14-1.3.2
  +OpenPKG 1.2  <= mysql-3.23.54a-1.2.3 >= mysql-3.23.54a-1.2.4
  +
  +Dependent Packages:  none
  +
  +Description:
  +  Frank Denis <[EMAIL PROTECTED]> reported a vulnerability [0] in MySQL
  +  [1] affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions
  +  4.0.14 and earlier. Passwords of MySQL users are stored in the "User"
  +  table, part of the "mysql" database, specifically in the "Password"
  +  field. The passwords are hashed and stored as a 16 characters
  +  long hexadecimal value, specifically in the "Password" field.
  +  Unfortunately, a function involved in password checking misses correct
  +  bounds checking. By filling a "Password" field a value wider than 16
  +  characters, a buffer overflow will occur. The Common Vulnerabilities
  +  and Exposures (CVE) project assigned the id CAN-2003-0780 [2] to the
  +  problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  mysql". If you have the "mysql" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.3, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get mysql-4.0.14-1.3.2.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig mysql-4.0.14-1.3.2.src.rpm
  +  $ /bin/rpm --rebuild mysql-4.0.14-1.3.2.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/mysql-4.0.14-1.3.2.*.rpm
  +
  +
  +References:
  +  [0] http://www.securityfocus.com/archive/1/337012/2003-09-05/2003-09-11
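Review bot: the identifier line reads "OpenPKG-SA-2003.mysql" and drops the sequence number; per the filename OpenPKG-SA-2003.038-mysql.txt and the Log entry it should be "OpenPKG-SA-2003.038". In the Description, "MySQL3 versions 3.0.57 and earlier" does not match the 3.23.x series listed in the affected-packages table and should be checked against the referenced report; "specifically in the "Password" field" appears in two consecutive sentences, and "By filling a "Password" field a value wider than 16 characters" is missing "with".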

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-09-15 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   15-Sep-2003 15:27:24
  Branch: HEAD Handle: 2003091514272300

  Added files:
openpkg-web/securityOpenPKG-SA-2003.039-perl.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.039-perl; CAN-2003-0615

  Summary:
RevisionChanges Path
1.45+1  -0  openpkg-web/security.txt
1.63+1  -0  openpkg-web/security.wml
1.1 +90 -0  openpkg-web/security/OpenPKG-SA-2003.039-perl.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.44 -r1.45 security.txt
  --- openpkg-web/security.txt  15 Sep 2003 11:33:39 -  1.44
  +++ openpkg-web/security.txt  15 Sep 2003 13:27:23 -  1.45
  @@ -1,3 +1,4 @@
  +15-Sep-2003: Security Advisory: S
   15-Sep-2003: Security Advisory: S
   28-Aug-2003: Security Advisory: S
   06-Aug-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.62 -r1.63 security.wml
  --- openpkg-web/security.wml  15 Sep 2003 11:33:39 -  1.62
  +++ openpkg-web/security.wml  15 Sep 2003 13:27:23 -  1.63
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.039-perl.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.039-perl.txt
  --- /dev/null 2003-09-15 15:27:24.0 +0200
  +++ OpenPKG-SA-2003.039-perl.txt  2003-09-15 15:27:24.0 +0200
  @@ -0,0 +1,90 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.039  15-Sep-2003
  +
  +
  +Package: perl (CGI.pm)
  +Vulnerability:   cross site scripting
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:Corrected Packages:
  +OpenPKG CURRENT  <= perl-5.8.0-20030903>= perl-5.8.0-20030915
  +OpenPKG 1.3  <= perl-5.8.0-1.3.0   >= perl-5.8.0-1.3.1
  +OpenPKG 1.2  <= perl-5.8.0-1.2.0   >= perl-5.8.0-1.2.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  This message is a continuation of OpenPKG-SA-2003.036-perl-www [0].
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the
  +  id CAN-2003-0615 [1] to the problem described. This document also
  +  outlines a important problematic regarding the native load order of
  +  perl modules.
  +  
  +  The CGI.pm module not only comes with the "perl-www" package but a
  +  ancient version 2.81 is also embedded into "perl". The corrected
  +  packages mentioned above have the official fix backported to the
  +  embedded version.
  +
  +  Be aware that all releases of OpenPKG up to and including 1.3 use
  +  Perl's native load order of modules. Embedded modules are preferred
  +  over additional modules. This means that CGI.pm embedded into the
  +  "perl" package is loaded before the sibling from the additional
  +  "perl-www" package is found. This inhibits the use and correction of
  +  additional modules with same name as embedded ones.
  +
  +  It should be noted that beginning with perl-5.8.0-20030903 the load
  +  order is patched to prefer additional modules [2]. There are no plans
  +  modifiying the module load order of the "perl" package in existing
  +  releases. Although more intuitive it would change existing behaviour
  +  and is likely to break existing installations. During the support
  +  lifecycle security advisories and corrected packages will be issued
  +  for both, embedded and additional packages.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  perl". If you have the "perl" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update
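Review bot: the Description has several wording slips worth fixing before publication: "outlines a important problematic regarding" should be "outlines an important problem regarding", "a ancient version 2.81" should be "an ancient version 2.81", "There are no plans modifiying" should be "There are no plans to modify", and "for both, embedded and additional packages" needs no comma. The line after "perl modules." also carries trailing whitespace.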

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-09-16 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   17-Sep-2003 08:59:38
  Branch: HEAD Handle: 2003091707593701

  Added files:
openpkg-web/securityOpenPKG-SA-2003.040-openssh.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.040-openssh; CAN-2003-0693

  Summary:
RevisionChanges Path
1.46+1  -0  openpkg-web/security.txt
1.65+1  -0  openpkg-web/security.wml
1.1 +73 -0  openpkg-web/security/OpenPKG-SA-2003.040-openssh.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.45 -r1.46 security.txt
  --- openpkg-web/security.txt  15 Sep 2003 13:27:23 -  1.45
  +++ openpkg-web/security.txt  17 Sep 2003 06:59:37 -  1.46
  @@ -1,3 +1,4 @@
  +16-Sep-2003: Security Advisory: S
   15-Sep-2003: Security Advisory: S
   15-Sep-2003: Security Advisory: S
   28-Aug-2003: Security Advisory: S
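Review bot: the new index entry is dated 16-Sep-2003, but the advisory added in the same commit carries the date 17-Sep-2003 (and the commit itself is from 17-Sep-2003); the two dates should agree so the published list sorts and cross-references correctly.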
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.64 -r1.65 security.wml
  --- openpkg-web/security.wml  16 Sep 2003 10:21:12 -  1.64
  +++ openpkg-web/security.wml  17 Sep 2003 06:59:37 -  1.65
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.040-openssh.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.040-openssh.txt
  --- /dev/null 2003-09-17 08:59:38.0 +0200
  +++ OpenPKG-SA-2003.040-openssh.txt   2003-09-17 08:59:38.0 +0200
  @@ -0,0 +1,73 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.040  17-Sep-2003
  +
  +
  +Package: openssh
  +Vulnerability:   arbitrary code execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= openssh-3.6.1p2-20030729 >= openssh-3.7p1-20030916
  +OpenPKG 1.3  <= openssh-3.6.1p2-1.3.0>= openssh-3.6.1p2-1.3.1
  +OpenPKG 1.2  <= openssh-3.5p1-1.2.2  >= openssh-3.5p1-1.2.3
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a OpenSSH Security Advisory [0] all versions of OpenSSH's
  +  sshd prior to 3.7.1 contain buffer management errors [1]. Those
  +  may allow remote attackers to execute arbitrary code by causing an
  +  incorrect amount of memory to be freed and corrupting the heap
  +
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0693 [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  openssh". If you have the "openssh" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get openssh-3.6.1p2-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig openssh-3.6.1p2-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild openssh-3.6.1p2-1.3.1.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/openssh-3.6.1p2-1.3.1.*.rpm
  +
  +
  +References:
  +  [0] http://www.openssh.com/txt/buffer.adv
  +  [1] http://www.openssh.com/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.6.1p2-1.3.1.src.rpm
  +  [6] ftp://ftp.openpkg.org/relea
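Review bot: reference [5] points at ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.6.1p2-1.3.1.src.rpm, a 1.3 package under the 1.2 directory; the Solution section fetches it from release/1.3/UPD, so the path should be corrected. The Description states that all sshd versions prior to 3.7.1 contain the errors, yet the corrected CURRENT package is openssh-3.7p1-20030916, which falls inside that range; a sentence reconciling the two is needed. Also "According to a OpenSSH Security Advisory" should be "an OpenSSH", and the sentence ending "corrupting the heap" lacks its full stop.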

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-09-24 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   24-Sep-2003 10:08:11
  Branch: HEAD Handle: 2003092409081001

  Added files:
openpkg-web/securityOpenPKG-SA-2003.042-openssh.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.042-openssh; CAN-2003-0786, CAN-2003-0787

  Summary:
RevisionChanges Path
1.49+1  -0  openpkg-web/security.txt
1.67+1  -0  openpkg-web/security.wml
1.1 +78 -0  openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.48 -r1.49 security.txt
  --- openpkg-web/security.txt  19 Sep 2003 08:14:36 -  1.48
  +++ openpkg-web/security.txt  24 Sep 2003 08:08:10 -  1.49
  @@ -1,3 +1,4 @@
  +24-Sep-2003: Security Advisory: S
   19-Sep-2003: Security Advisory: S
   17-Sep-2003: Security Advisory: S
   15-Sep-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.66 -r1.67 security.wml
  --- openpkg-web/security.wml  19 Sep 2003 08:14:36 -  1.66
  +++ openpkg-web/security.wml  24 Sep 2003 08:08:10 -  1.67
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.042-openssh.txt
  --- /dev/null 2003-09-24 10:08:11.0 +0200
  +++ OpenPKG-SA-2003.042-openssh.txt   2003-09-24 10:08:11.0 +0200
  @@ -0,0 +1,78 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.042  24-Sep-2003
  +
  +
  +Package: openssh
  +Vulnerability:   remote root exploit
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:  Corrected Packages:
  +OpenPKG CURRENT  <= openssh-3.7.1p1-20030917 >= openssh-3.7.1p2-20030923
  +OpenPKG 1.3  N.A.
  +OpenPKG 1.2  N.A.
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a Portable OpenSSH Security Advisory [0] versions 3.7p1
  +  and 3.7.1p1 of portable OpenSSH [1] contain multiple vulnerabilities
  +  in the new PAM code. At least one of these bugs is remotely
  +  exploitable with privsep disabled. Older versions of portable OpenSSH
  +  are not vulnerable. OpenPKG installations are only affected if the
  +  package was build with option "with_pam" set to "yes" -- which is not
  +  the default.
  +
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the
  +  id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge response
  +  auth ignored the result of the authentication with privsep off.
  +
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0787 [3] to the problem where the PAM conversation function
  +  trashed the stack.
  +
  +  Please check whether you are affected by running "/bin/rpm -q
  +  openssh". If you have the "openssh" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [4][5]
  +
  +Solution:
  +  Select the updated source RPM appropriate for OpenPKG CURRENT [6]
  +  fetch it from the OpenPKG FTP service [7] or a mirror location,
  +  build a corresponding binary RPM from it [4] and update your OpenPKG
  +  installation by applying the binary RPM [5]. Perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd current/SRC
  +  ftp> get openssh-3.7.1p2-20030923.src.rpm
  +  ftp> bye
  +  $ /bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm
  +  $ su -
  +  # /bin/rpm -Fvh /RPM/PKG/openssh-3.7.1p2-20030923.*.rpm
  +
  +
  +References:
  +  [0] http://www.openssh.com/txt/sshpam.adv
  +  [1] http://www.openssh.com/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
  + 
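Review bot: the Solution section drops the integrity check present in every other advisory of this series: there is no "verify its integrity" sentence, no reference [9], and no "/bin/rpm -v --checksig" step before "--rebuild"; since the fix is fetched over FTP from a mirror, the signature check should be restored. The closing "(for other releases adjust accordingly)" does not apply here because OpenPKG 1.3 and 1.2 are listed as N.A. and should be removed. Minor: "the package was build with option" should be "built", and a comma is missing after "OpenPKG CURRENT [6]".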

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-09-24 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   24-Sep-2003 10:09:35
  Branch: HEAD Handle: 2003092409093401

  Added files:
openpkg-web/securityOpenPKG-SA-2003.043-proftpd.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.043-proftpd; CAN unknown

  Summary:
RevisionChanges Path
1.50+1  -0  openpkg-web/security.txt
1.68+1  -0  openpkg-web/security.wml
1.1 +86 -0  openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.49 -r1.50 security.txt
  --- openpkg-web/security.txt  24 Sep 2003 08:08:10 -  1.49
  +++ openpkg-web/security.txt  24 Sep 2003 08:09:34 -  1.50
  @@ -1,3 +1,4 @@
  +24-Sep-2003: Security Advisory: S
   24-Sep-2003: Security Advisory: S
   19-Sep-2003: Security Advisory: S
   17-Sep-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.67 -r1.68 security.wml
  --- openpkg-web/security.wml  24 Sep 2003 08:08:10 -  1.67
  +++ openpkg-web/security.wml  24 Sep 2003 08:09:34 -  1.68
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.043-proftpd.txt
  --- /dev/null 2003-09-24 10:09:35.0 +0200
  +++ OpenPKG-SA-2003.043-proftpd.txt   2003-09-24 10:09:35.0 +0200
  @@ -0,0 +1,86 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.043  24-Sep-2003
  +
  +
  +Package: proftpd
  +Vulnerability:   arbitrary code execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:   Corrected Packages:
  +OpenPKG CURRENT  <= proftpd-1.2.9rc2-20030911 >= proftpd-1.2.9rc2-20030923
  +OpenPKG 1.3  <= proftpd-1.2.8-1.3.0   >= proftpd-1.2.8-1.3.1
  +OpenPKG 1.2  <= proftpd-1.2.7-1.2.0   >= proftpd-1.2.7-1.2.1
  +
  +Dependent Packages:  none
  +
  +Description:
  +  According to a ISS X-Force security advisory [0] a vulnerability
  +  exists in the ProFTPD server [1]. It can be triggered by remote
  +  attackers when transferring files from the FTP server in ASCII mode.
  +  The attacker must have the ability to upload a file to the server, and
  +  then attempt to download the same file to trigger the vulnerability.
  +  During ASCII transfer, file data is examined in 1024 byte chunks
  +  to check for newline characters. The translation of these newline
  +  characters is not handled correctly, and a buffer overflow can
  +  manifest if ProFTPD parses a specially crafted file.
  +
  +  Note that the OpenPKG 20030923 version of the proftpd package contains
  +  the vendor version 1.2.9rc2p, also the trailing 'p' was omitted from
  +  the package filename.
  +
  +  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-FIXME [2] to the problem.
  +
  +  Please check whether you are affected by running "/bin/rpm
  +  -q proftpd". If you have the "proftpd" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution) and it's dependent packages (see above), if any,
  +  too. [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  +  location, verify its integrity [9], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the current release OpenPKG 1.3, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.3/UPD
  +  ftp> get proftpd-1.2.8-1.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/rpm -v --checksig proftpd-1.2.8-1.3.1.src.rpm
  +  $ /bin/rpm --rebuild 
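Review bot: the Description still contains the placeholder "CAN-FIXME [2]"; since the Log entry says no CAN identifier is known, the sentence should state that no CVE candidate has been assigned yet rather than ship a FIXME, and reference [2] should be dropped or marked pending. Wording: "According to a ISS X-Force" should be "an ISS X-Force", "also the trailing 'p' was omitted" reads as "although the trailing 'p' was omitted", and "it's dependent packages" should be "its".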

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

2003-09-30 Thread Thomas Lotterer
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   30-Sep-2003 14:47:11
  Branch: HEAD Handle: 2003093013471100

  Added files:
openpkg-web/securityOpenPKG-SA-2003.044-openssl.txt
  Modified files:
openpkg-web security.txt security.wml

  Log:
SA-2003.044-openssl; CAN-2003-0543, CAN-2003-0544, CAN-2003-0545

  Summary:
RevisionChanges Path
1.51+1  -0  openpkg-web/security.txt
1.69+1  -0  openpkg-web/security.wml
1.1 +158 -0 openpkg-web/security/OpenPKG-SA-2003.044-openssl.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  
  $ cvs diff -u -r1.50 -r1.51 security.txt
  --- openpkg-web/security.txt  24 Sep 2003 08:09:34 -  1.50
  +++ openpkg-web/security.txt  30 Sep 2003 12:47:11 -  1.51
  @@ -1,3 +1,4 @@
  +30-Sep-2003: Security Advisory: S
   24-Sep-2003: Security Advisory: S
   24-Sep-2003: Security Advisory: S
   19-Sep-2003: Security Advisory: S
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  
  $ cvs diff -u -r1.68 -r1.69 security.wml
  --- openpkg-web/security.wml  24 Sep 2003 08:09:34 -  1.68
  +++ openpkg-web/security.wml  30 Sep 2003 12:47:11 -  1.69
  @@ -76,6 +76,7 @@
   
   
   
  +  
 
 
 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.044-openssl.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.044-openssl.txt
  --- /dev/null 2003-09-30 14:47:11.0 +0200
  +++ OpenPKG-SA-2003.044-openssl.txt   2003-09-30 14:47:11.0 +0200
  @@ -0,0 +1,158 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2003.044  30-Sep-2003
  +
  +
  +Package: openssl
  +Vulnerability:   denial of service, possibly arbitrary code execution
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages: Corrected Packages:
  +OpenPKG CURRENT  <= openssl-0.9.7b-20030806 >= openssl-0.9.7b-20030930
  +OpenPKG 1.3  <= openssl-0.9.7b-1.3.1>= openssl-0.9.7b-1.3.2
  +OpenPKG 1.2  <= openssl-0.9.7-1.2.3 >= openssl-0.9.7-1.2.4
  +
  +Affected Releases:   Dependent Packages:
  +
  +OpenPKG CURRENT  apache* bind blender cadaver cfengine cpu cups curl
  + distcache dsniff easysoap ethereal* exim fetchmail
  + imap imapd imaputils inn jabberd kde-base kde-libs
  + linc links lynx mailsync meta-core mico* mixmaster
  + monit* mozilla mutt mutt15 nail neon nessus-libs
  + nmap openldap openssh openvpn perl-ssl pgadmin php*
  + pine* postfix* postgresql pound proftpd* qpopper
  + rdesktop samba samba3 sasl scanssh sendmail* siege
  + sio* sitecopy snmp socat squid* stunnel subversion
  + suck sysmon tcpdump tinyca w3m wget xmlsec
  +
  +OpenPKG 1.3  apache* bind cfengine cpu curl ethereal* fetchmail
  + imap imapd inn links lynx mico* mutt nail neon
  + openldap openssh perl-ssl php* postfix* postgresql
  + proftpd* qpopper rdesktop samba sasl scanssh
  + sendmail* siege sio* sitecopy snmp socat squid*
  + stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
  +
  +OpenPKG 1.2  apache* bind cpu curl ethereal* fetchmail imap inn
  + links lynx mico* mutt nail neon openldap openssh
  + perl-ssl postfix* postgresql qpopper rdesktop samba
  + sasl scanssh sendmail* siege sitecopy snmp socat
  + stunnel sysmon tcpdump tinyca w3m wget
  +
  + (*) marked packages are only affected if certain build
  + options ("with_xxx") were used at build time. See
  + Appendix below for details.
  +
  +Description:
  +  According to an OpenSSL [0] security advisory [1], multiple
  +  vulnerabilities exist in OpenSSL versions