[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 07-Apr-2004 14:45:54 Branch: HEAD Handle: 2004040713455301 Added files: openpkg-web/securityOpenPKG-SA-2004.011-sharutils Modified files: openpkg-web security.txt security.wml Log: SA-2004.011-sharutils Summary: RevisionChanges Path 1.69+1 -0 openpkg-web/security.txt 1.89+1 -0 openpkg-web/security.wml 1.1 +75 -0 openpkg-web/security/OpenPKG-SA-2004.011-sharutils patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.68 -r1.69 security.txt --- openpkg-web/security.txt 5 Apr 2004 12:48:29 - 1.68 +++ openpkg-web/security.txt 7 Apr 2004 12:45:53 - 1.69 @@ -1,3 +1,4 @@ +07-Apr-2004: Security Advisory: S 05-Apr-2004: Security Advisory: S 01-Apr-2004: Security Advisory: S 18-Mar-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.88 -r1.89 security.wml --- openpkg-web/security.wml 5 Apr 2004 12:56:08 - 1.88 +++ openpkg-web/security.wml 7 Apr 2004 12:45:54 - 1.89 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.011-sharutils $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.011-sharutils --- /dev/null 2004-04-07 14:45:54.0 +0200 +++ OpenPKG-SA-2004.011-sharutils 2004-04-07 14:45:54.0 +0200 @@ -0,0 +1,75 @@ +#FIXME, this is a template +#FIXME, the first three lines are just dummies +#FIXME, to help comparing this against sibling signed documents + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.011 07-Apr-2004 + + +Package: sharutils +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= sharutils-4.2.1-20011201 >= sharutils-4.2.1-20040407 +OpenPKG 2.0 <= sharutils-4.2.1-2.0.0>= sharutils-4.2.1-2.0.1 +OpenPKG 1.3 <= sharutils-4.2.1-1.3.0>= sharutils-4.2.1-1.3.1 + +Dependent Packages: none + +Description: + According to a posting on Bugtraq [1], Shaun Colley discovered and + researched a stack-based buffer overflow vulnerability which exists in + the GNU Sharutils [2] due to lack of bounds checking when handling the + '-o' command-line option. + + Please check whether you are affected by running "/bin/rpm + -q sharutils". If you have the "sharutils" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get sharutils-4.2.1-2.0.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig sharutils-4.2.1-2.0.1.src.rpm + $ /bin/openpkg rpm --rebuild sharutils-4.2.1-2.0.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/sharutils-4.2.1-2.0.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too. [3][4] + + +References: + [1] http://www.securityfocus.com/archive/1/359639 + [2] http://www.gnu.org/software/sharutils/ + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://f
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 05-Apr-2004 14:48:30 Branch: HEAD Handle: 2004040513482901 Added files: openpkg-web/securityOpenPKG-SA-2004.009-mc Modified files: openpkg-web security.txt security.wml Log: SA-2004.009-mc; CAN-2003-1023 Summary: RevisionChanges Path 1.68+1 -0 openpkg-web/security.txt 1.87+1 -0 openpkg-web/security.wml 1.1 +78 -0 openpkg-web/security/OpenPKG-SA-2004.009-mc patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.67 -r1.68 security.txt --- openpkg-web/security.txt 1 Apr 2004 21:01:13 - 1.67 +++ openpkg-web/security.txt 5 Apr 2004 12:48:29 - 1.68 @@ -1,3 +1,4 @@ +05-Apr-2004: Security Advisory: S 01-Apr-2004: Security Advisory: S 18-Mar-2004: Security Advisory: S 12-Mar-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.86 -r1.87 security.wml --- openpkg-web/security.wml 1 Apr 2004 21:01:13 - 1.86 +++ openpkg-web/security.wml 5 Apr 2004 12:48:29 - 1.87 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.009-mc $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.009-mc --- /dev/null 2004-04-05 14:48:30.0 +0200 +++ OpenPKG-SA-2004.009-mc2004-04-05 14:48:30.0 +0200 @@ -0,0 +1,78 @@ +-BEGIN PGP SIGNED MESSAGE-#FIXME, this is a template +Hash: SHA1#FIXME, this is a template + #FIXME, this is a template + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.009 05-Apr-2004 + + +Package: mc +Vulnerability: buffer overflow +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= mc-4.6.0-20040207>= mc-4.6.0-20040405 +OpenPKG 2.0 <= mc-4.6.0-2.0.0 >= mc-4.6.0-2.0.1 +OpenPKG 1.3 <= mc-4.6.0-1.3.0 >= mc-4.6.0-1.3.1 + +Dependent Packages: none + +Description: + According to a message from Ilya Teterin posted on Bugtraq [0] the + Midnight Commander application [1] is using uninitialized buffer for + handling symlinks in VFS. This allows attackers to execute arbitrary + code during symlink conversion. The Common Vulnerabilities and + Exposures (CVE) project assigned the id CAN-2003-1023 [2] to the + problem. + + Please check whether you are affected by running "/bin/rpm + -q mc". If you have the "mc" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get mc-4.6.0-2.0.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig mc-4.6.0-2.0.1.src.rpm + $ /bin/openpkg rpm --rebuild mc-4.6.0-2.0.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/mc-4.6.0-2.0.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too. [3][4] + + +References: + [0] http://marc.theaimsgroup.com/?l=bugtraq&m=106399528518704 + [1] http://www.ibiblio.org/mc/ + [2] http://cve.mitre.org/cgi-bin/cvename.c
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository
http://cvs.openpkg.org/
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 18-Mar-2004 11:02:39
Branch: HEAD Handle: 2004031810023800
Added files:
openpkg-web/securityOpenPKG-SA-2004.007-openssl.txt
Modified files:
openpkg-web security.txt security.wml
Log:
SA-2004.007-openssl; CAN-2004-0079, CAN-2004-0112
Summary:
RevisionChanges Path
1.66+1 -0 openpkg-web/security.txt
1.85+1 -0 openpkg-web/security.wml
1.1 +111 -0 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
$ cvs diff -u -r1.65 -r1.66 security.txt
--- openpkg-web/security.txt 12 Mar 2004 14:45:10 - 1.65
+++ openpkg-web/security.txt 18 Mar 2004 10:02:38 - 1.66
@@ -1,3 +1,4 @@
+18-Mar-2004: Security Advisory: S
12-Mar-2004: Security Advisory: S
09-Mar-2004: Security Advisory: S
08-Mar-2004: Security Advisory: S
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.wml
$ cvs diff -u -r1.84 -r1.85 security.wml
--- openpkg-web/security.wml 12 Mar 2004 14:45:10 - 1.84
+++ openpkg-web/security.wml 18 Mar 2004 10:02:38 - 1.85
@@ -76,6 +76,7 @@
+
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.007-openssl.txt
--- /dev/null 2004-03-18 11:02:39.0 +0100
+++ OpenPKG-SA-2004.007-openssl.txt 2004-03-18 11:02:39.0 +0100
@@ -0,0 +1,111 @@
+-BEGIN PGP SIGNED MESSAGE-#FIXME, this is a template
+Hash: SHA1#FIXME, this is a template
+ #FIXME, this is a template
+
+
+OpenPKG Security AdvisoryThe OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2004.007 18-Mar-2004
+
+
+Package: openssl
+Vulnerability: denial of service
+OpenPKG Specific:no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= openssl-0.9.7c-20040207 >= openssl-0.9.7d-20040318
+OpenPKG 2.0 <= openssl-0.9.7c-2.0.0 >= openssl-0.9.7c-2.0.1
+OpenPKG 1.3 <= openssl-0.9.7b-1.3.2 >= openssl-0.9.7b-1.3.3
+
+Affected Releases: Dependent Packages:
+
+OpenPKG CURRENT same as OpenPKG 2.0 FIXME this list needs review
+
+OpenPKG 2.0 apache* bind blender cadaver cfengine cpu cups curl
+ distcache dsniff easysoap ethereal* exim fetchmail
+ imap imapd imaputils inn jabberd kde-base kde-libs
+ linc links lynx mailsync meta-core mico* mixmaster
+ monit* mozilla mutt mutt15 nail neon nessus-libs
+ nmap openldap openssh openvpn perl-ssl pgadmin php*
+ pine* postfix* postgresql pound proftpd* qpopper
+ rdesktop samba samba3 sasl scanssh sendmail* siege
+ sio* sitecopy snmp socat squid* stunnel subversion
+ suck sysmon tcpdump tinyca w3m wget xmlsec
+
+OpenPKG 1.3 apache* bind cfengine cpu curl ethereal* fetchmail
+ imap imapd inn links lynx mico* mutt nail neon
+ openldap openssh perl-ssl php* postfix* postgresql
+ proftpd* qpopper rdesktop samba sasl scanssh
+ sendmail* siege sio* sitecopy snmp socat squid*
+ stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
+
+ (*) marked packages are only affected if certain build
+ options ("with_xxx") were used at build time. See
+ Appendix below for details.
+
+Description:
+ According to an OpenSSL [0] security advisory [1], denial of service
+ vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive
+ and versions 0.9.7a to 0.9.7c inclusive.
+
+ Testing perf
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 12-Mar-2004 15:45:11 Branch: HEAD Handle: 2004031214451000 Added files: openpkg-web/securityOpenPKG-SA-2004.006-uudeview.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.006-uudeview Summary: RevisionChanges Path 1.65+2 -1 openpkg-web/security.txt 1.84+1 -0 openpkg-web/security.wml 1.1 +75 -0 openpkg-web/security/OpenPKG-SA-2004.006-uudeview.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.64 -r1.65 security.txt --- openpkg-web/security.txt 9 Mar 2004 14:43:35 - 1.64 +++ openpkg-web/security.txt 12 Mar 2004 14:45:10 - 1.65 @@ -1,4 +1,5 @@ -09-Mar-2004: Security Advisory: S +12-Mar-2004: Security Advisory: S +09-Mar-2004: Security Advisory: S 08-Mar-2004: Security Advisory: S 05-Mar-2004: Security Advisory: S 16-Jan-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.83 -r1.84 security.wml --- openpkg-web/security.wml 9 Mar 2004 14:43:35 - 1.83 +++ openpkg-web/security.wml 12 Mar 2004 14:45:10 - 1.84 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.006-uudeview.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.006-uudeview.txt --- /dev/null 2004-03-12 15:45:11.0 +0100 +++ OpenPKG-SA-2004.006-uudeview.txt 2004-03-12 15:45:11.0 +0100 @@ -0,0 +1,75 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.006 12-Mar-2004 + + +Package: uudeview +Vulnerability: insecure temp file handling, buffer overflow +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= uudeview-0.5.20-20040302 >= uudeview-0.5.20-20040312 +OpenPKG 2.0 <= uudeview-0.5.19-2.0.0>= uudeview-0.5.19-2.0.1 +OpenPKG 1.3 <= uudeview-0.5.18-1.3.0>= uudeview-0.5.18-1.3.1 + +Dependent Packages: none + +Description: + Alerted by a posting on Bugtraq [1] the uudeview [2] package was + reviewed. It was found that 0.5.19 and later contain a bug which + leads to failure retrieving the filename during decode. All versions + suffered from insecure temp file handling. Version 0.5.20 contains bug + fixes for the parsing of header lines, exact handling of maximum line + length and fixes for two buffer overflows which needed backporting. + The corected packages listed above remedy all of these problems. + + Please check whether you are affected by running "/bin/rpm + -q uudeview". If you have the "uudeview" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get uudeview-0.5.19-2.0.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig uudeview-0.5.19-2.0.1.src.rpm + $ /bin/openpkg rpm --rebuild uudeview-0.5.19-2.0.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/uudeview-0.5.19-2.0.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too. [3][4] + + +References: + [1] http://marc.theaimsgroup
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 09-Mar-2004 15:43:36 Branch: HEAD Handle: 2004030914433501 Added files: openpkg-web/securityOpenPKG-SA-2004.005-mutt.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.005-mutt; CAN-2004-0078 Summary: RevisionChanges Path 1.64+1 -0 openpkg-web/security.txt 1.83+1 -0 openpkg-web/security.wml 1.1 +73 -0 openpkg-web/security/OpenPKG-SA-2004.005-mutt.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.63 -r1.64 security.txt --- openpkg-web/security.txt 8 Mar 2004 14:09:51 - 1.63 +++ openpkg-web/security.txt 9 Mar 2004 14:43:35 - 1.64 @@ -1,3 +1,4 @@ +09-Mar-2004: Security Advisory: S 08-Mar-2004: Security Advisory: S 05-Mar-2004: Security Advisory: S 16-Jan-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.82 -r1.83 security.wml --- openpkg-web/security.wml 8 Mar 2004 14:09:51 - 1.82 +++ openpkg-web/security.wml 9 Mar 2004 14:43:35 - 1.83 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.005-mutt.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.005-mutt.txt --- /dev/null 2004-03-09 15:43:36.0 +0100 +++ OpenPKG-SA-2004.005-mutt.txt 2004-03-09 15:43:36.0 +0100 @@ -0,0 +1,73 @@ + + + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.005 09-Mar-2004 + + +Package: mutt +Vulnerability: buffer overflow in the index menu code +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= mutt-1.4.1i-20040207 >= mutt-1.4.2.1i-20040214 +OpenPKG 2.0 noneN.A. +OpenPKG 1.3 <= mutt-1.4.1i-1.3.1>= mutt-1.4.1i-1.3.2 + +Dependent Packages: none + +Description: + According to a posting on Bugtraq [0], a buffer overflow exists in the + mail user agent Mutt [1]. It be triggered by incoming messages and + there are reports about spam that has actually triggered this problem + and crashed mutt. The bug was reported to Red Hat by Niels Heinen. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0078 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + mutt". If you have the "mutt" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror location, + verify its integrity [7], build a corresponding binary RPM from it [3] + and update your OpenPKG installation by applying the binary RPM [4]. + For the affected release OpenPKG 1.3, perform the following operations + to permanently fix the security problem (for other releases adjust + accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get mutt-1.4.1i-1.3.2.src.rpm + ftp> bye + $ /bin/rpm -v --checksig mutt-1.4.1i-1.3.2.src.rpm + $ /bin/rpm --rebuild mutt-1.4.1i-1.3.2.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/mutt-1.4.1i-1.3.2.*.rpm + + +References: + [0] http://marc.theaimsgroup.com/?l=bugtraq&m=107651677817933 + [1] http://www.mutt.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.3/UPD/foo-1.2.3-1.3.1.src.rpm + [6] ftp://ftp.openpkg.org/release/1.3/UPD/ + [7] htt
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 08-Mar-2004 15:09:52 Branch: HEAD Handle: 2004030814095100 Added files: openpkg-web/securityOpenPKG-SA-2004.004-libtool.txt Modified files: openpkg-web security.txt security.wml Log: OpenPKG-SA-2004.004-libtool Summary: RevisionChanges Path 1.63+1 -0 openpkg-web/security.txt 1.82+1 -0 openpkg-web/security.wml 1.1 +82 -0 openpkg-web/security/OpenPKG-SA-2004.004-libtool.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.62 -r1.63 security.txt --- openpkg-web/security.txt 5 Mar 2004 16:07:14 - 1.62 +++ openpkg-web/security.txt 8 Mar 2004 14:09:51 - 1.63 @@ -1,3 +1,4 @@ +08-Mar-2004: Security Advisory: S 05-Mar-2004: Security Advisory: S 16-Jan-2004: Security Advisory: S 08-Jan-2004: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.81 -r1.82 security.wml --- openpkg-web/security.wml 5 Mar 2004 16:07:14 - 1.81 +++ openpkg-web/security.wml 8 Mar 2004 14:09:51 - 1.82 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.004-libtool.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.004-libtool.txt --- /dev/null 2004-03-08 15:09:52.0 +0100 +++ OpenPKG-SA-2004.004-libtool.txt 2004-03-08 15:09:52.0 +0100 @@ -0,0 +1,82 @@ + + + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.004 08-Mar-2004 + + +Package: libtool +Vulnerability: insecure creation of temporary directory +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= libtool-1.5.2-20040207 >= libtool-1.5.2-20040308 +OpenPKG 2.0 <= libtool-1.5.2-2.0.0 >= libtool-1.5.2-2.0.1 +OpenPKG 1.3 <= libtool-1.5-1.3.0>= libtool-1.5-1.3.1 + +Dependent Packages: none + +Description: + According to a posting on Bugtraq [0], a issue regarding the insecure + creation of a temporary directory issue exists in libtool [1] versions + before 1.5.2. Use of mkdir(1) along with -p option makes libtool + vulnerable to symlink attacks. Stefan Nordhausen commited a fix that + removes use of the -p option in 1.5.2. Discussion on Bugtraq further + indicates that a additional race condition issue exists in the same + context using chmod(1) which was reported by Joseph S. Myers back in + March 2000 [2]. The updated OpenPKG versions of libtool contain fixes + for both issues. + + Please check whether you are affected by running "/bin/rpm + -q libtool". If you have the "libtool" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution) and it's dependent packages (see above), if any, + too. [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 2.0, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get libtool-1.5.2-2.0.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig libtool-1.5.2-2.0.1.src.rpm + $ /bin/openpkg rpm --rebuild libtool-1.5.2-2.0.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/libtool-1.5.2-2.0.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too. [3][4] +_
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 16-Jan-2004 13:43:45 Branch: HEAD Handle: 2004011612434400 Added files: openpkg-web/securityOpenPKG-SA-2004.002-tcpdump.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.002-tcpdump; CAN-2002-0380, CAN-2002-1350, CAN-2003-0108, CAN-2003-0989, CAN-2003-1029, CAN-2004-0055, CAN-2004-0057 Summary: RevisionChanges Path 1.61+1 -0 openpkg-web/security.txt 1.78+1 -0 openpkg-web/security.wml 1.1 +97 -0 openpkg-web/security/OpenPKG-SA-2004.002-tcpdump.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.60 -r1.61 security.txt --- openpkg-web/security.txt 8 Jan 2004 08:03:57 - 1.60 +++ openpkg-web/security.txt 16 Jan 2004 12:43:44 - 1.61 @@ -1,3 +1,4 @@ +16-Jan-2004: Security Advisory: S 08-Jan-2004: Security Advisory: S 17-Dec-2003: Security Advisory: S 17-Dec-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.77 -r1.78 security.wml --- openpkg-web/security.wml 8 Jan 2004 08:03:57 - 1.77 +++ openpkg-web/security.wml 16 Jan 2004 12:43:44 - 1.78 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.002-tcpdump.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.002-tcpdump.txt --- /dev/null 2004-01-16 13:43:45.0 +0100 +++ OpenPKG-SA-2004.002-tcpdump.txt 2004-01-16 13:43:45.0 +0100 @@ -0,0 +1,97 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.002 16-Jan-2004 + + +Package: tcpdump +Vulnerability: denial of service +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= tcpdump-3.8.1-20040108 >= tcpdump-3.8.1-20040116 +OpenPKG 1.3 <= tcpdump-3.7.2-1.3.0 >= tcpdump-3.7.2-1.3.1 +OpenPKG 1.2 <= tcpdump-3.7.1-1.2.1 >= tcpdump-3.7.1-1.2.2 + +Dependent Packages: none + +Description: + A bunch of vulnerabilities in tcpdump [0] were found and addressed + in the past. All of them are in the area of packet decoding. Faulty + decoder functions can result in denial of service attacks through + infinite loops, memory starvation and application crashes. In the + worst case arbitrary code execution is possible. + + This OpenPKG update resolves all issues currently known, as shown in + the following table: + + tcpdump 371 371 372 381 + OpenPKG 120 121 130 20020822 +--- --- --- --- + CAN-2002-0380 [2] nfs y n n n see past OpenPKG-SA [1] + CAN-2002-1350 [3] bgp y n n n see past OpenPKG-SA [1] + CAN-2003-0108 [4] isakmp y n n n see past OpenPKG-SA [1] +depthy y y n (*) + CAN-2003-0989 [5] isakmp y y y n updates CAN-2003-0108-isakmp + CAN-2003-1029 [6] l2tp y y n n + CAN-2004-0055 [7] radius y y y y + CAN-2004-0057 [8] isakmp y y y y + + (*) the vendor code fix for CAN-2003-0108 had two other unrelated code + changes piggybacked. We removed the cosmetics (constify) and + extracted an enhancement (depth). + + Please check whether you are affected by running "/bin/rpm -q + tcpdump". If you have the "tcpdump" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution) and it's dependent packages (see above), if any, too. + [9][10] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror + location, verify its integrity [15], build a corresponding binary RPM + from it [9] and update your
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 08-Jan-2004 09:03:58 Branch: HEAD Handle: 2004010808035701 Added files: openpkg-web/securityOpenPKG-SA-2004.001-inn.txt Modified files: openpkg-web security.txt security.wml Log: SA-2004.001-inn Summary: RevisionChanges Path 1.60+1 -0 openpkg-web/security.txt 1.77+1 -0 openpkg-web/security.wml 1.1 +69 -0 openpkg-web/security/OpenPKG-SA-2004.001-inn.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.59 -r1.60 security.txt --- openpkg-web/security.txt 17 Dec 2003 11:59:23 - 1.59 +++ openpkg-web/security.txt 8 Jan 2004 08:03:57 - 1.60 @@ -1,3 +1,4 @@ +08-Jan-2004: Security Advisory: S 17-Dec-2003: Security Advisory: S 17-Dec-2003: Security Advisory: S 04-Dec-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.76 -r1.77 security.wml --- openpkg-web/security.wml 17 Dec 2003 11:59:24 - 1.76 +++ openpkg-web/security.wml 8 Jan 2004 08:03:57 - 1.77 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.001-inn.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.001-inn.txt --- /dev/null 2004-01-08 09:03:58.0 +0100 +++ OpenPKG-SA-2004.001-inn.txt 2004-01-08 09:03:58.0 +0100 @@ -0,0 +1,69 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.001 08-Jan-2004 + + +Package: inn +Vulnerability: remotely exploitable access to inn user +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= inn-2.4.0-2003 >= inn-2.4.0-20040108 +OpenPKG 1.3 <= inn-2.4.0-1.3.0 >= inn-2.4.0-1.3.1 +OpenPKG 1.2 noneN.A. + +Description: + According to a posting from Russ Allbery on the inn announce mailing + list, Dan Riley discovered a buffer overflow in a portion of the + control message handling code introduced in INN 2.4.0. It is fairly + likely that this overflow could be remotely exploited to gain access + to the user innd runs as. INN 2.3.x and earlier are not affected. + + Please check whether you are affected by running "/bin/rpm + -q inn". If you have the "inn" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][5], fetch it from the OpenPKG FTP service [7][6] or a mirror + location, verify its integrity [7], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.3, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get inn-2.4.0-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig inn-2.4.0-1.3.1.src.rpm + $ /bin/rpm --rebuild inn-2.4.0-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/inn-2.4.0-1.3.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too. [3][4] + + +References: + [1] http://www.isc.org/products/INN/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-... + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.3/UPD/inn-2.4.0-1.3.1.src.rpm + [6] ftp://ftp.openpkg.org/release/1.3/UPD/ + [7] http://www.openpkg.org/security.html#signature +__
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 04-Dec-2003 16:21:13 Branch: HEAD Handle: 2003120415211201 Added files: openpkg-web/securityOpenPKG-SA-2003.051-rsync.txt Modified files: openpkg-web security.txt security.wml openpkg-web/securitypage.pl Log: SA-2003.051-rsync; CAN-2003-0962 Summary: RevisionChanges Path 1.58+1 -0 openpkg-web/security.txt 1.75+1 -0 openpkg-web/security.wml 1.1 +80 -0 openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt 1.34+1 -1 openpkg-web/security/page.pl patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.57 -r1.58 security.txt --- openpkg-web/security.txt 28 Nov 2003 11:21:06 - 1.57 +++ openpkg-web/security.txt 4 Dec 2003 15:21:12 - 1.58 @@ -1,3 +1,4 @@ +04-Dec-2003: Security Advisory: S 28-Nov-2003: Security Advisory: S 25-Nov-2003: Security Advisory: S 11-Nov-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.74 -r1.75 security.wml --- openpkg-web/security.wml 28 Nov 2003 11:21:06 - 1.74 +++ openpkg-web/security.wml 4 Dec 2003 15:21:12 - 1.75 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.051-rsync.txt --- /dev/null 2003-12-04 16:21:13.0 +0100 +++ OpenPKG-SA-2003.051-rsync.txt 2003-12-04 16:21:13.0 +0100 @@ -0,0 +1,80 @@ + + + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.051 04-Dec-2003 + + +Package: rsync +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= rsync-2.5.6-20030807 >= rsync-2.5.7-20031204 +OpenPKG 1.3 <= rsync-2.5.6-1.3.0>= rsync-2.5.6-1.3.1 +OpenPKG 1.2 <= rsync-2.5.5-1.2.0>= rsync-2.5.5-1.2.1 + +Dependent Packages: none FIXME check meta-core and rdiff-backup + +Description: + According to a rsync security advisory [0], a heap overflow + vulnerability exists in rsync [1] version 2.5.6 and earlier when used + as a rsync server which typically listens on TCP port 873. An exploit + is known to be in the wild and the security of a public rsync was + compromised. A successful attack does not directly lead to root access + but can be combined with other local exploits. The do_brk vulnerbility + in Linux kernels prior 2.4.23 is worthwhile to mention these days. The + attack is known to be considerably easier when the "use chroot = no" + option is set in rsync.conf which is not the default in OpenPKG. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0962 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + rsync". If you have the "rsync" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.3, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get rsync-2.5.6-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig rsync-2.5.6-1.3.1.src.rpm + $ /bin/rpm --rebuild rsync-2.5.6-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/rsync-2.5.6-1.3.1.*.rpm +__
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 28-Nov-2003 12:21:07 Branch: HEAD Handle: 2003112811210600 Added files: openpkg-web/securityOpenPKG-SA-2003.050-screen.txt Modified files: openpkg-web security.txt security.wml openpkg-web/securitypage.pl Log: SA-2003.050-screen Summary: RevisionChanges Path 1.57+1 -0 openpkg-web/security.txt 1.74+1 -0 openpkg-web/security.wml 1.1 +71 -0 openpkg-web/security/OpenPKG-SA-2003.050-screen.txt 1.33+1 -1 openpkg-web/security/page.pl patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.56 -r1.57 security.txt --- openpkg-web/security.txt 25 Nov 2003 13:37:59 - 1.56 +++ openpkg-web/security.txt 28 Nov 2003 11:21:06 - 1.57 @@ -1,3 +1,4 @@ +28-Nov-2003: Security Advisory: S 25-Nov-2003: Security Advisory: S 11-Nov-2003: Security Advisory: S 30-Oct-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.73 -r1.74 security.wml --- openpkg-web/security.wml 25 Nov 2003 13:37:59 - 1.73 +++ openpkg-web/security.wml 28 Nov 2003 11:21:06 - 1.74 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.050-screen.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.050-screen.txt --- /dev/null 2003-11-28 12:21:07.0 +0100 +++ OpenPKG-SA-2003.050-screen.txt2003-11-28 12:21:07.0 +0100 @@ -0,0 +1,71 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.050 28-Nov-2003 + + +Package: screen +Vulnerability: privilege escalation +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= screen-4.0.1-20031009>= screen-4.0.1-20031127 +OpenPKG 1.3 <= screen-3.9.15-1.3.0 >= screen-3.9.15-1.3.1 +OpenPKG 1.2 <= screen-3.9.13-1.2.0 >= screen-3.9.13-1.2.1 + +Dependent Packages: none + +Description: + According to a posting on Bugtraq [1], Timo Sirainen fixed a buffer + overflow bug which allows privilege escalation in the Virtual Screen + Manager "screen" [2], whose executable is installed setuid-root. It + also has some potential for attackers getting control of another + user's screen. Transfer of approximately two gigabytes of data is + required to exploit this vulnerability. + + Please check whether you are affected by running "/bin/rpm -q + screen". If you have the "screen" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the current release OpenPKG 1.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get screen-3.9.15-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig screen-3.9.15-1.3.1.src.rpm + $ /bin/rpm --rebuild screen-3.9.15-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/screen-3.9.15-1.3.1.*.rpm + + +References: + [1] http://www.securityfocus.com/archive/1/345844/2003-11-24/2003-11-30/0 + [2] http://www.gnu.org/software/screen/ + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.2/UPD/screen-3.9.13-1.2.1.src.rpm + [
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 25-Nov-2003 14:38:00 Branch: HEAD Handle: 2003112513375901 Added files: openpkg-web/securityOpenPKG-SA-2003.049-zebra.txt Modified files: openpkg-web security.txt security.wml openpkg-web/securitypage.pl Log: SA-2003.049-zebra; CAN-2003-0795, CAN-2003-0858 Summary: RevisionChanges Path 1.56+1 -0 openpkg-web/security.txt 1.73+2 -0 openpkg-web/security.wml 1.1 +76 -0 openpkg-web/security/OpenPKG-SA-2003.049-zebra.txt 1.32+1 -1 openpkg-web/security/page.pl patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.55 -r1.56 security.txt --- openpkg-web/security.txt 11 Nov 2003 20:08:05 - 1.55 +++ openpkg-web/security.txt 25 Nov 2003 13:37:59 - 1.56 @@ -1,3 +1,4 @@ +25-Nov-2003: Security Advisory: S 11-Nov-2003: Security Advisory: S 30-Oct-2003: Security Advisory: S 28-Oct-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.72 -r1.73 security.wml --- openpkg-web/security.wml 30 Oct 2003 10:48:39 - 1.72 +++ openpkg-web/security.wml 25 Nov 2003 13:37:59 - 1.73 @@ -76,6 +76,8 @@ + + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.049-zebra.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.049-zebra.txt --- /dev/null 2003-11-25 14:38:00.0 +0100 +++ OpenPKG-SA-2003.049-zebra.txt 2003-11-25 14:38:00.0 +0100 @@ -0,0 +1,76 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.049 25-Nov-2003 + + +Package: zebra +Vulnerability: denial of service +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= zebra-0.93b-20031001 >= zebra-0.93b-20031113 +OpenPKG 1.3 <= zebra-0.93b-1.3.0>= zebra-0.93b-1.3.1 +OpenPKG 1.2 <= zebra-0.93b-1.2.0>= zebra-0.93b-1.2.1 + +Dependent Packages: none + +Description: + Jonny Robertson reported that Zebra can be remotely crashed if a + remote attacker can connect to the Zebra telnet management port [0]. + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0795 [1] to the problem. + + Herbert Xu reported that Zebra can accept spoofed messages sent on the + kernel netlink interface by other users on the local machine [2]. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0858 [3] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + zebra". If you have the "zebra" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [4][5] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror + location, verify its integrity [10], build a corresponding binary + RPM from it [4] and update your OpenPKG installation by applying the + binary RPM [5]. For the current release OpenPKG 1.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get zebra-0.93b-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig zebra-0.93b-1.3.1.src.rpm + $ /bin/rpm --rebuild zebra-0.93b-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/zebra-0.93b-1.3.1.*.rpm + + +References: + [0] http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140 + [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0795 + [2] http://bugzilla.redhat.com/bugzilla/sh
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 30-Oct-2003 11:48:40 Branch: HEAD Handle: 2003103010483901 Added files: openpkg-web/securityOpenPKG-SA-2003.047-postgresql.txt Modified files: openpkg-web security.txt security.wml Log: link in PostgreSQL security advisory Summary: RevisionChanges Path 1.54+1 -0 openpkg-web/security.txt 1.72+1 -0 openpkg-web/security.wml 1.1 +88 -0 openpkg-web/security/OpenPKG-SA-2003.047-postgresql.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.53 -r1.54 security.txt --- openpkg-web/security.txt 28 Oct 2003 14:46:56 - 1.53 +++ openpkg-web/security.txt 30 Oct 2003 10:48:39 - 1.54 @@ -1,3 +1,4 @@ +30-Oct-2003: Security Advisory: S 28-Oct-2003: Security Advisory: S 19-Oct-2003: Security Advisory: S 30-Sep-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.71 -r1.72 security.wml --- openpkg-web/security.wml 28 Oct 2003 14:46:56 - 1.71 +++ openpkg-web/security.wml 30 Oct 2003 10:48:39 - 1.72 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.047-postgresql.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.047-postgresql.txt --- /dev/null 2003-10-30 11:48:40.0 +0100 +++ OpenPKG-SA-2003.047-postgresql.txt2003-10-30 11:48:40.0 +0100 @@ -0,0 +1,88 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.047 30-Oct-2003 + + +Package: postgresql +Vulnerability: remote code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= postgresql-7.3.3-20030723 >= postgresql-7.3.4-20030725 +OpenPKG 1.3 N.A. none +OpenPKG 1.2 <= postgresql-7.3.1-1.2.2>= postgresql-7.3.1-1.2.3 + +Dependent Packages: none + +Description: + Two bugs leading to a buffer overflow in the PostgreSQL [0] RDBMS, + versions 7.2.x and 7.3.x prior to 7.3.4, were discovered. The + vulnerability exists in the PostgreSQL abstract data type (ADT) to + ASCII conversion functions. + + It has been conjectured that excessive data passed to the involved + to_ascii_xxx() functions may overrun the bounds of an insufficient + buffer reserved in heap memory, resulting in the corruption of heap + based memory management structures that are adjacent to it. It is + currently believed that under the correct circumstances an attacker + may use this to execute arbitrary instructions in the context of the + PostgreSQL server. + + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0901 [1] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + postgresql". If you have the "postgresql" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution). [2][3] + +Solution: + Select the updated source RPM appropriate for the OpenPKG release + [4], fetch it from the OpenPKG FTP service [5] or a mirror location, + verify its integrity [6], build a corresponding binary RPM from it + [2] and update your OpenPKG installation by applying the binary RPM + [3]. For the release OpenPKG 1.2, perform the following operations + to permanently fix the security problem (for other releases adjust + accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get postgresql-7.3.1-1.2.3.src.rpm + ftp> bye + $ /bin/rpm -v --checksig postgresql-7.3.1-1.2.3.src.rpm + $ /bin/rpm --rebuild postgresql-7.3.1-1.2.3.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/postgresql-7.3.
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 28-Oct-2003 15:46:56 Branch: HEAD Handle: 2003102814465600 Added files: openpkg-web/securityOpenPKG-SA-2003.046-apache.txt Modified files: openpkg-web security.txt security.wml openpkg-web/securitypage.pl Log: SA-2003.046-apache; CAN-2003-0542 Summary: RevisionChanges Path 1.53+1 -0 openpkg-web/security.txt 1.71+1 -0 openpkg-web/security.wml 1.1 +71 -0 openpkg-web/security/OpenPKG-SA-2003.046-apache.txt 1.30+1 -1 openpkg-web/security/page.pl patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.52 -r1.53 security.txt --- openpkg-web/security.txt 19 Oct 2003 07:16:29 - 1.52 +++ openpkg-web/security.txt 28 Oct 2003 14:46:56 - 1.53 @@ -1,3 +1,4 @@ +28-Oct-2003: Security Advisory: S 19-Oct-2003: Security Advisory: S 30-Sep-2003: Security Advisory: S 24-Sep-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.70 -r1.71 security.wml --- openpkg-web/security.wml 19 Oct 2003 07:16:29 - 1.70 +++ openpkg-web/security.wml 28 Oct 2003 14:46:56 - 1.71 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.046-apache.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.046-apache.txt --- /dev/null 2003-10-28 15:46:56.0 +0100 +++ OpenPKG-SA-2003.046-apache.txt2003-10-28 15:46:56.0 +0100 @@ -0,0 +1,71 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.046 29-Oct-2003 + + +Package: apache +Vulnerability: local regex backreference overflow +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= apache-1.3.28-20031009 >= apache-1.3.29-20031028 +OpenPKG 1.3 <= apache-1.3.28-1.3.0 >= apache-1.3.28-1.3.1 +OpenPKG 1.2 <= apache-1.3.27-1.2.2 >= apache-1.3.27-1.2.3 + +Dependent Packages: none + +Description: + Andre Malo fixed problems [0] in the mod_alias and mod_rewrite + modules of the Apache [1] webserver. Buffer overflows occurred if a + regular expression with more than 9 captures were configured. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0542 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + apache". If you have the "apache" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the current release OpenPKG 1.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get apache-1.3.28-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig apache-1.3.28-1.3.1.src.rpm + $ /bin/rpm --rebuild apache-1.3.28-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/apache-1.3.28-1.3.1.*.rpm + + +References: + [0] http://marc.theaimsgroup.com/?l=apache-cvs&m=106701190026083 + [1] http://httpd.apache.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.3.src.rpm + [6] f
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 19-Oct-2003 09:16:29 Branch: HEAD Handle: 2003101908162900 Added files: openpkg-web/securityOpenPKG-SA-2003.045-ircd.txt Modified files: openpkg-web security.txt security.wml openpkg-web/securitypage.pl Log: SA-2003.045-ircd; CAN-2003-0864 Summary: RevisionChanges Path 1.52+1 -0 openpkg-web/security.txt 1.70+1 -0 openpkg-web/security.wml 1.1 +72 -0 openpkg-web/security/OpenPKG-SA-2003.045-ircd.txt 1.29+1 -1 openpkg-web/security/page.pl patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.51 -r1.52 security.txt --- openpkg-web/security.txt 30 Sep 2003 12:47:11 - 1.51 +++ openpkg-web/security.txt 19 Oct 2003 07:16:29 - 1.52 @@ -1,3 +1,4 @@ +19-Oct-2003: Security Advisory: S 30-Sep-2003: Security Advisory: S 24-Sep-2003: Security Advisory: S 24-Sep-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.69 -r1.70 security.wml --- openpkg-web/security.wml 30 Sep 2003 12:47:11 - 1.69 +++ openpkg-web/security.wml 19 Oct 2003 07:16:29 - 1.70 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.045-ircd.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.045-ircd.txt --- /dev/null 2003-10-19 09:16:29.0 +0200 +++ OpenPKG-SA-2003.045-ircd.txt 2003-10-19 09:16:29.0 +0200 @@ -0,0 +1,72 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.045 19-Oct-2003 + + +Package: ircd +Vulnerability: remote denial of service vulnerability +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= ircd-2.10.3p3-20030725 >= ircd-2.10.3p4-20031012 +OpenPKG 1.3 <= ircd-2.10.3p3-1.3.0 >= ircd-2.10.3p3-1.3.1 +OpenPKG 1.2 <= ircd-2.10.3p3-1.2.0 >= ircd-2.10.3p3-1.2.1 + +Dependent Packages: none + +Description: + According to a report from Piotr Kucharski [0] a buffer overflow + vulnerability exists in ircd [1] that allows a remote attacker to + crash the ircd server, thus causing a denial of service condition. + + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0864 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + ircd". If you have the "ircd" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.3, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get ircd-2.10.3p3-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig ircd-2.10.3p3-1.3.1.src.rpm + $ /bin/rpm --rebuild ircd-2.10.3p3-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/ircd-2.10.3p3-1.3.1.*.rpm + + +References: + [0] http://www.securityfocus.com/archive/1/341099 + [1] http://www.irc.org/servers.html + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0864 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.2/UPD/ircd-2.10.3p3-1.2.1.src.rpm + [6] ftp://ftp.op
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository
http://cvs.openpkg.org/
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 30-Sep-2003 14:47:11
Branch: HEAD Handle: 2003093013471100
Added files:
openpkg-web/securityOpenPKG-SA-2003.044-openssl.txt
Modified files:
openpkg-web security.txt security.wml
Log:
SA-2003.044-openssl; CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
Summary:
RevisionChanges Path
1.51+1 -0 openpkg-web/security.txt
1.69+1 -0 openpkg-web/security.wml
1.1 +158 -0 openpkg-web/security/OpenPKG-SA-2003.044-openssl.txt
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
$ cvs diff -u -r1.50 -r1.51 security.txt
--- openpkg-web/security.txt 24 Sep 2003 08:09:34 - 1.50
+++ openpkg-web/security.txt 30 Sep 2003 12:47:11 - 1.51
@@ -1,3 +1,4 @@
+30-Sep-2003: Security Advisory: S
24-Sep-2003: Security Advisory: S
24-Sep-2003: Security Advisory: S
19-Sep-2003: Security Advisory: S
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.wml
$ cvs diff -u -r1.68 -r1.69 security.wml
--- openpkg-web/security.wml 24 Sep 2003 08:09:34 - 1.68
+++ openpkg-web/security.wml 30 Sep 2003 12:47:11 - 1.69
@@ -76,6 +76,7 @@
+
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.044-openssl.txt
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.044-openssl.txt
--- /dev/null 2003-09-30 14:47:11.0 +0200
+++ OpenPKG-SA-2003.044-openssl.txt 2003-09-30 14:47:11.0 +0200
@@ -0,0 +1,158 @@
+
+
+OpenPKG Security AdvisoryThe OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2003.044 30-Sep-2003
+
+
+Package: openssl
+Vulnerability: denial of service, possibly arbitrary code execution
+OpenPKG Specific:no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= openssl-0.9.7b-20030806 >= openssl-0.9.7b-20030930
+OpenPKG 1.3 <= openssl-0.9.7b-1.3.1>= openssl-0.9.7b-1.3.2
+OpenPKG 1.2 <= openssl-0.9.7-1.2.3 >= openssl-0.9.7-1.2.4
+
+Affected Releases: Dependent Packages:
+
+OpenPKG CURRENT apache* bind blender cadaver cfengine cpu cups curl
+ distcache dsniff easysoap ethereal* exim fetchmail
+ imap imapd imaputils inn jabberd kde-base kde-libs
+ linc links lynx mailsync meta-core mico* mixmaster
+ monit* mozilla mutt mutt15 nail neon nessus-libs
+ nmap openldap openssh openvpn perl-ssl pgadmin php*
+ pine* postfix* postgresql pound proftpd* qpopper
+ rdesktop samba samba3 sasl scanssh sendmail* siege
+ sio* sitecopy snmp socat squid* stunnel subversion
+ suck sysmon tcpdump tinyca w3m wget xmlsec
+
+OpenPKG 1.3 apache* bind cfengine cpu curl ethereal* fetchmail
+ imap imapd inn links lynx mico* mutt nail neon
+ openldap openssh perl-ssl php* postfix* postgresql
+ proftpd* qpopper rdesktop samba sasl scanssh
+ sendmail* siege sio* sitecopy snmp socat squid*
+ stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
+
+OpenPKG 1.2 apache* bind cpu curl ethereal* fetchmail imap inn
+ links lynx mico* mutt nail neon openldap openssh
+ perl-ssl postfix* postgresql qpopper rdesktop samba
+ sasl scanssh sendmail* siege sitecopy snmp socat
+ stunnel sysmon tcpdump tinyca w3m wget
+
+ (*) marked packages are only affected if certain build
+ options ("with_xxx") were used at build time. See
+ Appendix below for details.
+
+Description:
+ According to an OpenSSL [0] security advisory [1], multiple
+ vulnerabilities exist in OpenSSL versions
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 24-Sep-2003 10:09:35 Branch: HEAD Handle: 2003092409093401 Added files: openpkg-web/securityOpenPKG-SA-2003.043-proftpd.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.043-proftpd; CAN unknown Summary: RevisionChanges Path 1.50+1 -0 openpkg-web/security.txt 1.68+1 -0 openpkg-web/security.wml 1.1 +86 -0 openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.49 -r1.50 security.txt --- openpkg-web/security.txt 24 Sep 2003 08:08:10 - 1.49 +++ openpkg-web/security.txt 24 Sep 2003 08:09:34 - 1.50 @@ -1,3 +1,4 @@ +24-Sep-2003: Security Advisory: S 24-Sep-2003: Security Advisory: S 19-Sep-2003: Security Advisory: S 17-Sep-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.67 -r1.68 security.wml --- openpkg-web/security.wml 24 Sep 2003 08:08:10 - 1.67 +++ openpkg-web/security.wml 24 Sep 2003 08:09:34 - 1.68 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.043-proftpd.txt --- /dev/null 2003-09-24 10:09:35.0 +0200 +++ OpenPKG-SA-2003.043-proftpd.txt 2003-09-24 10:09:35.0 +0200 @@ -0,0 +1,86 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.043 24-Sep-2003 + + +Package: proftpd +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= proftpd-1.2.9rc2-20030911 >= proftpd-1.2.9rc2-20030923 +OpenPKG 1.3 <= proftpd-1.2.8-1.3.0 >= proftpd-1.2.8-1.3.1 +OpenPKG 1.2 <= proftpd-1.2.7-1.2.0 >= proftpd-1.2.7-1.2.1 + +Dependent Packages: none + +Description: + According to a ISS X-Force security advisory [0] a vulnerability + exists in the ProFTPD server [1]. It can be triggered by remote + attackers when transferring files from the FTP server in ASCII mode. + The attacker must have the ability to upload a file to the server, and + then attempt to download the same file to trigger the vulnerability. + During ASCII transfer, file data is examined in 1024 byte chunks + to check for newline characters. The translation of these newline + characters is not handled correctly, and a buffer overflow can + manifest if ProFTPD parses a specially crafted file. + + Note that the OpenPKG 20030923 version of the proftpd package contains + the vendor version 1.2.9rc2p, also the trailing 'p' was omitted from + the package filename. + + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-FIXME [2] to the problem. + + Please check whether you are affected by running "/bin/rpm + -q proftpd". If you have the "proftpd" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution) and it's dependent packages (see above), if any, + too. [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.3, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get proftpd-1.2.8-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig proftpd-1.2.8-1.3.1.src.rpm + $ /bin/rpm --rebuild
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 24-Sep-2003 10:08:11 Branch: HEAD Handle: 2003092409081001 Added files: openpkg-web/securityOpenPKG-SA-2003.042-openssh.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.042-openssh; CAN-2003-0786, CAN-2003-0787 Summary: RevisionChanges Path 1.49+1 -0 openpkg-web/security.txt 1.67+1 -0 openpkg-web/security.wml 1.1 +78 -0 openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.48 -r1.49 security.txt --- openpkg-web/security.txt 19 Sep 2003 08:14:36 - 1.48 +++ openpkg-web/security.txt 24 Sep 2003 08:08:10 - 1.49 @@ -1,3 +1,4 @@ +24-Sep-2003: Security Advisory: S 19-Sep-2003: Security Advisory: S 17-Sep-2003: Security Advisory: S 15-Sep-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.66 -r1.67 security.wml --- openpkg-web/security.wml 19 Sep 2003 08:14:36 - 1.66 +++ openpkg-web/security.wml 24 Sep 2003 08:08:10 - 1.67 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.042-openssh.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.042-openssh.txt --- /dev/null 2003-09-24 10:08:11.0 +0200 +++ OpenPKG-SA-2003.042-openssh.txt 2003-09-24 10:08:11.0 +0200 @@ -0,0 +1,78 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.042 24-Sep-2003 + + +Package: openssh +Vulnerability: remote root exploit +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= openssh-3.7.1p1-20030917 >= openssh-3.7.1p2-20030923 +OpenPKG 1.3 N.A. +OpenPKG 1.2 N.A. + +Dependent Packages: none + +Description: + According to a Portable OpenSSH Security Advisory [0] versions 3.7p1 + and 3.7.1p1 of portable OpenSSH [1] contain multiple vulnerabilities + in the new PAM code. At least one of these bugs is remotely + exploitable with privsep disabled. Older versions of portable OpenSSH + are not vulnerable. OpenPKG installations are only affected if the + package was build with option "with_pam" set to "yes" -- which is not + the default. + + The Common Vulnerabilities and Exposures (CVE) project assigned the + id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge response + auth ignored the result of the authentication with privsep off. + + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0787 [3] to the problem where the PAM conversation function + trashed the stack. + + Please check whether you are affected by running "/bin/rpm -q + openssh". If you have the "openssh" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution). [4][5] + +Solution: + Select the updated source RPM appropriate for OpenPKG CURRENT [6] + fetch it from the OpenPKG FTP service [7] or a mirror location, + build a corresponding binary RPM from it [4] and update your OpenPKG + installation by applying the binary RPM [5]. Perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd current/SRC + ftp> get openssh-3.7.1p2-20030923.src.rpm + ftp> bye + $ /bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/openssh-3.7.1p2-20030923.*.rpm + + +References: + [0] http://www.openssh.com/txt/sshpam.adv + [1] http://www.openssh.com/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786 +
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 17-Sep-2003 08:59:38 Branch: HEAD Handle: 2003091707593701 Added files: openpkg-web/securityOpenPKG-SA-2003.040-openssh.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.040-openssh; CAN-2003-0693 Summary: RevisionChanges Path 1.46+1 -0 openpkg-web/security.txt 1.65+1 -0 openpkg-web/security.wml 1.1 +73 -0 openpkg-web/security/OpenPKG-SA-2003.040-openssh.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.45 -r1.46 security.txt --- openpkg-web/security.txt 15 Sep 2003 13:27:23 - 1.45 +++ openpkg-web/security.txt 17 Sep 2003 06:59:37 - 1.46 @@ -1,3 +1,4 @@ +16-Sep-2003: Security Advisory: S 15-Sep-2003: Security Advisory: S 15-Sep-2003: Security Advisory: S 28-Aug-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.64 -r1.65 security.wml --- openpkg-web/security.wml 16 Sep 2003 10:21:12 - 1.64 +++ openpkg-web/security.wml 17 Sep 2003 06:59:37 - 1.65 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.040-openssh.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.040-openssh.txt --- /dev/null 2003-09-17 08:59:38.0 +0200 +++ OpenPKG-SA-2003.040-openssh.txt 2003-09-17 08:59:38.0 +0200 @@ -0,0 +1,73 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.040 17-Sep-2003 + + +Package: openssh +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= openssh-3.6.1p2-20030729 >= openssh-3.7p1-20030916 +OpenPKG 1.3 <= openssh-3.6.1p2-1.3.0>= openssh-3.6.1p2-1.3.1 +OpenPKG 1.2 <= openssh-3.5p1-1.2.2 >= openssh-3.5p1-1.2.3 + +Dependent Packages: none + +Description: + According to a OpenSSH Security Advisory [0] all versions of OpenSSH's + sshd prior to 3.7.1 contain buffer management errors [1]. Those + may allow remote attackers to execute arbitrary code by causing an + incorrect amount of memory to be freed and corrupting the heap + + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0693 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + openssh". If you have the "openssh" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the current release OpenPKG 1.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get openssh-3.6.1p2-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig openssh-3.6.1p2-1.3.1.src.rpm + $ /bin/rpm --rebuild openssh-3.6.1p2-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/openssh-3.6.1p2-1.3.1.*.rpm + + +References: + [0] http://www.openssh.com/txt/buffer.adv + [1] http://www.openssh.com/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.6.1p2-1.3.1.src.rpm + [6] ftp://ftp.openpkg.org/relea
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 15-Sep-2003 15:27:24 Branch: HEAD Handle: 2003091514272300 Added files: openpkg-web/securityOpenPKG-SA-2003.039-perl.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.039-perl; CAN-2003-0615 Summary: RevisionChanges Path 1.45+1 -0 openpkg-web/security.txt 1.63+1 -0 openpkg-web/security.wml 1.1 +90 -0 openpkg-web/security/OpenPKG-SA-2003.039-perl.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.44 -r1.45 security.txt --- openpkg-web/security.txt 15 Sep 2003 11:33:39 - 1.44 +++ openpkg-web/security.txt 15 Sep 2003 13:27:23 - 1.45 @@ -1,3 +1,4 @@ +15-Sep-2003: Security Advisory: S 15-Sep-2003: Security Advisory: S 28-Aug-2003: Security Advisory: S 06-Aug-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.62 -r1.63 security.wml --- openpkg-web/security.wml 15 Sep 2003 11:33:39 - 1.62 +++ openpkg-web/security.wml 15 Sep 2003 13:27:23 - 1.63 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.039-perl.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.039-perl.txt --- /dev/null 2003-09-15 15:27:24.0 +0200 +++ OpenPKG-SA-2003.039-perl.txt 2003-09-15 15:27:24.0 +0200 @@ -0,0 +1,90 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.039 15-Sep-2003 + + +Package: perl (CGI.pm) +Vulnerability: cross site scripting +OpenPKG Specific:no + +Affected Releases: Affected Packages:Corrected Packages: +OpenPKG CURRENT <= perl-5.8.0-20030903>= perl-5.8.0-20030915 +OpenPKG 1.3 <= perl-5.8.0-1.3.0 >= perl-5.8.0-1.3.1 +OpenPKG 1.2 <= perl-5.8.0-1.2.0 >= perl-5.8.0-1.2.1 + +Dependent Packages: none + +Description: + This message is a continuation of OpenPKG-SA-2003.036-perl-www [0]. + The Common Vulnerabilities and Exposures (CVE) project assigned the + id CAN-2003-0615 [1] to the problem described. This document also + outlines a important problematic regarding the native load order of + perl modules. + + The CGI.pm module not only comes with the "perl-www" package but a + ancient version 2.81 is also embedded into "perl". The corrected + packages mentioned above have the official fix backported to the + embedded version. + + Be aware that all releases of OpenPKG up to and including 1.3 use + Perl's native load order of modules. Embedded modules are preferred + over additional modules. This means that CGI.pm embedded into the + "perl" package is loaded before the sibling from the additional + "perl-www" package is found. This inhibits the use and correction of + additional modules with same name as embedded ones. + + It should be noted that beginning with perl-5.8.0-20030903 the load + order is patched to prefer additional modules [2]. There are no plans + modifiying the module load order of the "perl" package in existing + releases. Although more intuitive it would change existing behaviour + and is likely to break existing installations. During the support + lifecycle security advisories and corrected packages will be issued + for both, embedded and additional packages. + + Please check whether you are affected by running "/bin/rpm -q + perl". If you have the "perl" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 15-Sep-2003 13:33:39 Branch: HEAD Handle: 2003091512333900 Added files: openpkg-web/securityOpenPKG-SA-2003.038-mysql.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.038-mysql; CAN-2003-0780 Summary: RevisionChanges Path 1.44+1 -0 openpkg-web/security.txt 1.62+1 -0 openpkg-web/security.wml 1.1 +77 -0 openpkg-web/security/OpenPKG-SA-2003.038-mysql.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.43 -r1.44 security.txt --- openpkg-web/security.txt 28 Aug 2003 08:37:00 - 1.43 +++ openpkg-web/security.txt 15 Sep 2003 11:33:39 - 1.44 @@ -1,3 +1,4 @@ +15-Sep-2003: Security Advisory: S 28-Aug-2003: Security Advisory: S 06-Aug-2003: Security Advisory: S 06-Aug-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.61 -r1.62 security.wml --- openpkg-web/security.wml 28 Aug 2003 08:37:00 - 1.61 +++ openpkg-web/security.wml 15 Sep 2003 11:33:39 - 1.62 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.038-mysql.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.038-mysql.txt --- /dev/null 2003-09-15 13:33:39.0 +0200 +++ OpenPKG-SA-2003.038-mysql.txt 2003-09-15 13:33:39.0 +0200 @@ -0,0 +1,77 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.mysql15-Sep-2003 + + +Package: mysql +Vulnerability: arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= mysql-4.0.14-20030904>= mysql-4.0.15-20030910 +OpenPKG 1.3 <= mysql-4.0.14-1.3.1 >= mysql-4.0.14-1.3.2 +OpenPKG 1.2 <= mysql-3.23.54a-1.2.3 >= mysql-3.23.54a-1.2.4 + +Dependent Packages: none + +Description: + Frank Denis <[EMAIL PROTECTED]> reported a vulnerability [0] in MySQL + [1] affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions + 4.0.14 and earlier. Passwords of MySQL users are stored in the "User" + table, part of the "mysql" database, specifically in the "Password" + field. The passwords are hashed and stored as a 16 characters + long hexadecimal value, specifically in the "Password" field. + Unfortunately, a function involved in password checking misses correct + bounds checking. By filling a "Password" field a value wider than 16 + characters, a buffer overflow will occur. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CAN-2003-0780 [2] to the + problem. + + Please check whether you are affected by running "/bin/rpm -q + mysql". If you have the "mysql" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.3, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get mysql-4.0.14-1.3.2.src.rpm + ftp> bye + $ /bin/rpm -v --checksig mysql-4.0.14-1.3.2.src.rpm + $ /bin/rpm --rebuild mysql-4.0.14-1.3.2.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/mysql-4.0.14-1.3.2.*.rpm + + +References: + [0] http://www.securityfocus.com/archive/1/337012/2003-09-05/2003-09-11
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 06-Aug-2003 17:26:43 Branch: HEAD Handle: 2003080616264201 Added files: openpkg-web/securityOpenPKG-SA-2003.036-perl-www.txt Modified files: openpkg-web security.txt security.wml openpkg-web/securitypage.pl Log: OpenPKG-SA-2003.036-perl-www; CAN-2003-0615 Summary: RevisionChanges Path 1.42+1 -0 openpkg-web/security.txt 1.60+1 -0 openpkg-web/security.wml 1.1 +75 -0 openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt 1.21+1 -1 openpkg-web/security/page.pl patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.41 -r1.42 security.txt --- openpkg-web/security.txt 6 Aug 2003 13:07:50 - 1.41 +++ openpkg-web/security.txt 6 Aug 2003 15:26:42 - 1.42 @@ -1,3 +1,4 @@ +06-Aug-2003: Security Advisory: S 06-Aug-2003: Security Advisory: S 10-Jul-2003: Security Advisory: S 10-Jul-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.59 -r1.60 security.wml --- openpkg-web/security.wml 6 Aug 2003 13:07:50 - 1.59 +++ openpkg-web/security.wml 6 Aug 2003 15:26:42 - 1.60 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.036-perl-www.txt --- /dev/null 2003-08-06 17:26:43.0 +0200 +++ OpenPKG-SA-2003.036-perl-www.txt 2003-08-06 17:26:43.0 +0200 @@ -0,0 +1,75 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.perl-www 06-Aug-2003 + + +Package: perl-www +Vulnerability: CGI.pm cross site scripting +OpenPKG Specific:no + +Affected Releases: Affected Packages:Corrected Packages: +OpenPKG CURRENT <= perl-www-20030726-20030726 >= perl-www-20030802-20030802 +OpenPKG 1.3 <= perl-www-1.3.0-1.3.0 >= perl-www-1.3.1-1.3.1 +OpenPKG 1.2 <= perl-www-1.2.0-1.2.0 >= perl-www-1.2.1-1.2.1 + +Dependent Packages: none + +Description: + According to a security advisory [0] from [EMAIL PROTECTED] a + cross site scripting vulnerability exists in the start_form() function + in CGI.pm [1]. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2003-0615 [2] to the problem. + + Note that beginning with perl-www-20030609-20030609 and + perl-www-1.3.0-1.3.0 a preliminary patch was already included which + fixes the specific issue discussed in the original SA. The corrected + packages include a more generalized patch. + + Please check whether you are affected by running "/bin/rpm + -q perl-www". If you have the "perl-www" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution). + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the current release OpenPKG 1.2, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.3/UPD + ftp> get perl-www-1.3.1-1.3.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig perl-www-1.3.1-1.3.1.src.rpm + $ /bin/rpm --rebuild perl-www-1.3.1-1.3.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/perl-www-1.3.1-1.3.1.*.rpm + + +References: + [0] http://eyeonsecurity.org/advisories/CGI.pm/adv.html + [1] http://stein.cshl.org/WWW/software/CGI/ + [2] http://cve.mitre.org/cg
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 06-Aug-2003 15:07:51 Branch: HEAD Handle: 2003080614075000 Added files: openpkg-web/securityOpenPKG-SA-2003.035-openssh.txt Modified files: openpkg-web security.txt security.wml Log: OpenPKG-SA-2003.035-openssh; CAN-2003-0190 Summary: RevisionChanges Path 1.41+1 -0 openpkg-web/security.txt 1.59+1 -0 openpkg-web/security.wml 1.1 +80 -0 openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.40 -r1.41 security.txt --- openpkg-web/security.txt 10 Jul 2003 14:22:48 - 1.40 +++ openpkg-web/security.txt 6 Aug 2003 13:07:50 - 1.41 @@ -1,3 +1,4 @@ +06-Aug-2003: Security Advisory: S 10-Jul-2003: Security Advisory: S 10-Jul-2003: Security Advisory: S 07-Jul-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.58 -r1.59 security.wml --- openpkg-web/security.wml 5 Aug 2003 08:47:06 - 1.58 +++ openpkg-web/security.wml 6 Aug 2003 13:07:50 - 1.59 @@ -76,6 +76,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.035-openssh.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.035-openssh.txt --- /dev/null 2003-08-06 15:07:51.0 +0200 +++ OpenPKG-SA-2003.035-openssh.txt 2003-08-06 15:07:51.0 +0200 @@ -0,0 +1,80 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.035 06-Aug-2003 + + +Package: openssh +Vulnerability: information leakage +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= openssh-3.6.1p1-20030423 >= openssh-3.6.1p2-20030429 +OpenPKG 1.3 N/A +OpenPKG 1.2 <= openssh-3.5p1-1.2.1 >= openssh-3.5p1-1.2.2 + +Description: + According to a Mediaservice.net security advisory [0], a information + leakage exists in OpenSSH [1] 3.6.1p1 and earlier with PAM support + enabled. When a user does not exist, an error message is send + immediately which allows remote attackers to determine valid usernames + via a timing attack. OpenPKG installations are only affected when the + package was build '--with_pam yes', which is not the default. We could + only reproduce the problem on Linux. It seems FreeBSD and Solaris are + not vulnerable, the patch does not affect their behaviour. However, + the problem is related to the PAM configuration, not the operating + system. Using a non-default configuration might leak information on + other operating systems, too. On Linux systems, a valid workaround is + to add a "nodelay" option to the pam_unix.so auth. + + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0190 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + openssh". If you have the "openssh" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution). + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror location, + verify its integrity [7], build a corresponding binary RPM from it [3] + and update your OpenPKG installation by applying the binary RPM [4]. + For the current release OpenPKG 1.2, perform the following operations + to permanently fix the security problem (for other releases adjust + accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get openssh-3.5p1-1.2.2.src.rpm + ftp> bye + $ /bin/rpm -v --checksig openssh-3.5p1-1.2.2.src.rpm + $ /bin/rpm --rebuild openssh-3.5p1-1.2.2.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/openssh-3.5p1-1.2.2.*.rp
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jul-2003 16:22:49 Branch: HEAD Handle: 2003071015224801 Added files: openpkg-web/securityOpenPKG-SA-2003.034-imagemagick.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.034-imagemagick; CAN-2003-0455 Summary: RevisionChanges Path 1.40+1 -0 openpkg-web/security.txt 1.56+1 -0 openpkg-web/security.wml 1.1 +86 -0 openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.39 -r1.40 security.txt --- openpkg-web/security.txt 10 Jul 2003 09:54:16 - 1.39 +++ openpkg-web/security.txt 10 Jul 2003 14:22:48 - 1.40 @@ -1,3 +1,4 @@ +10-Jul-2003: Security Advisory: S 10-Jul-2003: Security Advisory: S 07-Jul-2003: Security Advisory: S 11-Jun-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.55 -r1.56 security.wml --- openpkg-web/security.wml 10 Jul 2003 09:54:16 - 1.55 +++ openpkg-web/security.wml 10 Jul 2003 14:22:48 - 1.56 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.034-imagemagick.txt --- /dev/null 2003-07-10 16:22:49.0 +0200 +++ OpenPKG-SA-2003.034-imagemagick.txt 2003-07-10 16:22:49.0 +0200 @@ -0,0 +1,86 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.034 10-Jul-2003 + + +Package: imagemagick +Vulnerability: create or overwrite files +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= imagemagick-5.5.6.0-20030409 >= imagemagick-5.5.7.0-20030512 +OpenPKG 1.2 <= imagemagick-5.5.3.2-1.2.0>= imagemagick-5.5.3.2-1.2.1 +OpenPKG 1.1 <= imagemagick-5.4.8.2-1.1.0>= imagemagick-5.4.8.2-1.1.1 + +Affected Releases: Dependent Packages: +OpenPKG CURRENT bar quux +OpenPKG 1.2 bar quux +OpenPKG 1.1 bar + +FIXME candidates +autotrace-0.31.1-20030707 +tex4ht-20030119-20030707 +wv-0.7.6-20030707 + +Description: + According to a Debian security advisory [0] imagemagick's libmagick + [1] library, under certain circumstances, creates temporary files + without taking appropriate security precautions. This vulnerability + could be exploited by a local user to create or overwrite files with + the privileges of another user who is invoking a program using this + library. Research has shown that all versions of imagemagick before + 5.5.7.0 are affected. The Common Vulnerabilities and Exposures (CVE) + project assigned the id CAN-2003-0455 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + imagemagick". If you have the "imagemagick" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution) and it's dependent packages (see above), if + any, too. [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.2, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get imagemagick-5.5.3.2-1.2.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig imagemagick-5.5.3.2-1.2.1.src.rpm + $ /bin/rpm --rebuild imagemagick-5.5.3.2-1.2.1.src.rpm + $ su -
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jul-2003 11:54:17 Branch: HEAD Handle: 2003071010541601 Added files: openpkg-web/securityOpenPKG-SA-2003.033-infozip.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.033-infozip; CAN-2003-0282 Summary: RevisionChanges Path 1.39+1 -0 openpkg-web/security.txt 1.55+1 -0 openpkg-web/security.wml 1.1 +94 -0 openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.38 -r1.39 security.txt --- openpkg-web/security.txt 7 Jul 2003 13:48:08 - 1.38 +++ openpkg-web/security.txt 10 Jul 2003 09:54:16 - 1.39 @@ -1,3 +1,4 @@ +10-Jul-2003: Security Advisory: S 07-Jul-2003: Security Advisory: S 11-Jun-2003: Security Advisory: S 03-Jun-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.54 -r1.55 security.wml --- openpkg-web/security.wml 7 Jul 2003 13:48:08 - 1.54 +++ openpkg-web/security.wml 10 Jul 2003 09:54:16 - 1.55 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.033-infozip.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.033-infozip.txt --- /dev/null 2003-07-10 11:54:17.0 +0200 +++ OpenPKG-SA-2003.033-infozip.txt 2003-07-10 11:54:17.0 +0200 @@ -0,0 +1,94 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.033 10-Jul-2003 + + +Package: infozip +Vulnerability: overwrite arbitrary files +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= infozip-20030306-20030708 >= infozip-20030710-20030710 +OpenPKG 1.2 <= infozip-1.2.0-1.2.0 >= infozip-1.2.0-1.2.1 +OpenPKG 1.1 <= infozip-1.1.0-1.1.0 >= infozip-1.1.0-1.1.1 + +Dependent Packages: none + +Affected Releases: Dependent Packages: +OpenPKG CURRENT bar quux +OpenPKG 1.2 bar quux +OpenPKG 1.1 bar + +FIXME candidates +cvsweb PreReq: +docbook BuildPreReq: +heise PreReq: BuildPreReq: +mozilla PreReq: BuildPreReq: +pccts BuildPreReq: +sam2p PreReq: BuildPreReq: +sav BuildPreReq: +saxon BuildPreReq: +tetex BuildPreReq: +tex4ht BuildPreReq: + +Description: + A directory traversal vulnerability in UnZip 5.50 allows attackers to + overwrite arbitrary files via invalid characters between two . (dot) + characters, which are filtered and result in a ".." sequence. The + corrected packages include a patch taken from RedHat [1] ensuring that + non-printable characters do not make it possible for a malicious .zip + file to write to parent directories unless the "-:" command line + parameter is specified. The Common Vulnerabilities and Exposures + (CVE) project assigned the id CAN-2003-0282 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + infozip". If you have the "infozip" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution) and it's dependent packages (see above), if any, too. + [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the current release OpenPKG 1.2, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 07-Jul-2003 15:48:09 Branch: HEAD Handle: 2003070714480800 Added files: openpkg-web/securityOpenPKG-SA-2003.032-php.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.032-php; CAN-2002-0985, CAN-2002-0986, CAN-2003-0442 Summary: RevisionChanges Path 1.38+1 -0 openpkg-web/security.txt 1.54+1 -0 openpkg-web/security.wml 1.1 +93 -0 openpkg-web/security/OpenPKG-SA-2003.032-php.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.37 -r1.38 security.txt --- openpkg-web/security.txt 11 Jun 2003 11:04:36 - 1.37 +++ openpkg-web/security.txt 7 Jul 2003 13:48:08 - 1.38 @@ -1,3 +1,4 @@ +07-Jul-2003: Security Advisory: S 11-Jun-2003: Security Advisory: S 03-Jun-2003: Security Advisory: S 16-May-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.53 -r1.54 security.wml --- openpkg-web/security.wml 11 Jun 2003 11:04:36 - 1.53 +++ openpkg-web/security.wml 7 Jul 2003 13:48:08 - 1.54 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.032-php.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.032-php.txt --- /dev/null 2003-07-07 15:48:08.0 +0200 +++ OpenPKG-SA-2003.032-php.txt 2003-07-07 15:48:09.0 +0200 @@ -0,0 +1,93 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.032 07-Jul-2003 + + +Package: php, apache +Vulnerability: XSS; bypass safe mode +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= php-4.3.1-20030516 >= php-4.3.2-20030529 + <= apache-1.3.27-20030516 >= apache-1.3.27-20030529 +OpenPKG 1.2 noneN.A. +OpenPKG 1.1 <= php-4.2.2-1.1.1 >= php-4.2.2-1.1.2 + <= apache-1.3.26-1.1.4 >= apache-1.3.26-1.1.5 + +Dependent Packages: none + +Description: + Wojciech Purczynski found [2] out that it is possible to allow remote + attackers to bypass safe mode restrictions in PHP [1] 4.x to 4.2.2 and + modify command line arguments to the MTA (e.g. sendmail) in the 5th + argument to mail(), altering MTA behavior and possibly executing + commands. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2002-0985 [4] to the problem. + + Wojciech Purczynski also reported [2] that the mail function in PHP + [1] 4.x to 4.2.2 does not filter ASCII control characters from its + arguments, which could allow remote attackers to modify mail message + content, including mail headers, and possibly use PHP as a "spam + proxy." Depending on how The Common Vulnerabilities and Exposures + (CVE) project assigned the id CAN-2002-0986 [5] to the problem. + + A security advisory [3] states that in PHP [1] version 4.3.1 (but we + at OpenPKG believe 4.2.x) and earlier, when transparent session ID + support is enabled using the "session.use_trans_sid" option, the + session ID is not escaped before use, which allows remote attackers to + insert arbitrary script via the PHPSESSID parameter, The Common + Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2003-0442 [6] to the problem. + + Please check whether you are affected by running "/bin/rpm + -q php". If you have the "php" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution). + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [9], fetch it from the OpenPKG FTP service [10] or a mirror + location, verify its integrity [11], build a corresponding binary RPM + from it
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository
http://cvs.openpkg.org/
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 03-Jun-2003 14:11:25
Branch: HEAD Handle: 2003060313112401
Added files:
openpkg-web/securityOpenPKG-SA-2003.030-ghostscript.txt
Modified files:
openpkg-web security.txt security.wml
Log:
SA-2003.030-ghostscript; CAN-2003-0354; execute arbitrary commands
Summary:
RevisionChanges Path
1.36+1 -0 openpkg-web/security.txt
1.52+1 -0 openpkg-web/security.wml
1.1 +99 -0 openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
$ cvs diff -u -r1.35 -r1.36 security.txt
--- openpkg-web/security.txt 16 May 2003 09:39:04 - 1.35
+++ openpkg-web/security.txt 3 Jun 2003 12:11:24 - 1.36
@@ -1,3 +1,4 @@
+03-Jun-2003: Security Advisory: S
16-May-2003: Security Advisory: S
07-Apr-2003: Security Advisory: S
30-Mar-2003: Security Advisory: S
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.wml
$ cvs diff -u -r1.51 -r1.52 security.wml
--- openpkg-web/security.wml 16 May 2003 09:39:04 - 1.51
+++ openpkg-web/security.wml 3 Jun 2003 12:11:24 - 1.52
@@ -78,6 +78,7 @@
+
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.030-ghostscript.txt
--- /dev/null 2003-06-03 14:11:25.0 +0200
+++ OpenPKG-SA-2003.030-ghostscript.txt 2003-06-03 14:11:25.0 +0200
@@ -0,0 +1,99 @@
+
+
+OpenPKG Security AdvisoryThe OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2003.030 03-Jun-2003
+
+
+Package: ghostscript
+Vulnerability: execute arbitrary commands
+OpenPKG Specific:no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT noneN.A.
+OpenPKG 1.2 noneN.A.
+OpenPKG 1.1 <= ghostscript-7.04-1.1.0 >= ghostscript-7.04-1.1.1
+
+Dependent Packages: none FIXME
+
+Affected Releases: Dependent Packages: FIXME
+OpenPKG CURRENT bar quux
+OpenPKG 1.2 bar quux
+OpenPKG 1.1 bar
+
+FIXME
+gv.spec BuildPreReq: X11, xaw3d, ghostscript
+gv.spec PreReq: X11, xaw3d, ghostscript
+latex2html.spec BuildPreReq: perl, ghostscript, tetex, png, netpbm
+latex2html.spec PreReq: perl, ghostscript, tetex, png, netpbm
+libwmf.spec BuildPreReq: X11, libxml, freetype, zlib, png, jpeg, gd,
ghostscript = %{V_ghostscript}
+libwmf.spec PreReq: X11, libxml, freetype, zlib, png, jpeg, gd,
ghostscript = %{V_ghostscript}
+lyx.specPreReq: gv, ghostscript, ghostscript::with_x11 = yes
+mgv.specPreReq: X11, ghostscript
+pstoedit.spec BuildPreReq: ghostscript, gcc, png, zlib
+pstoedit.spec PreReq: ghostscript
+sam2p.spec BuildPreReq: ghostscript, jpeg, gzip, infozip, make, gcc, perl,
bash
+sam2p.spec PreReq: ghostscript, jpeg, gzip, infozip
+scribus.specBuildPreReq: qt, freetype, ghostscript, png, jpeg, tiff, zlib
+scribus.specPreReq: qt, freetype, ghostscript, png, jpeg, tiff, zlib
+tex4ht.spec PreReq: tetex, ghostscript, imagemagick
+
+Description:
+ According to a RedHat security advisory [1] a flaw in unpatched
+ versions of Ghostscript before 7.07 allows malicious postscript files
+ to execute arbitrary commands even with -dSAFER enabled. The Common
+ Vulnerabilities and Exposures (CVE) project assigned the id
+ CAN-2003-0354 [2] to the problem.
+
+ Please check whether you are affected by running "/bin/rpm -q
+ ghostscript". If you have the "ghostscript" package installed and its
+ version is affected (see above), we recommend that you immediately
+ upgrade it (see Solution) and it's dependent packages (see
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 04-Mar-2003 16:37:41 Branch: HEAD Handle: 2003030415373802 Added files: openpkg-web/securityOpenPKG-SA-2003.017-file.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.017-file Summary: RevisionChanges Path 1.25+1 -0 openpkg-web/security.txt 1.41+1 -0 openpkg-web/security.wml 1.1 +75 -0 openpkg-web/security/OpenPKG-SA-2003.017-file.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.24 -r1.25 security.txt --- openpkg-web/security.txt 4 Mar 2003 13:06:10 - 1.24 +++ openpkg-web/security.txt 4 Mar 2003 15:37:38 - 1.25 @@ -1,3 +1,4 @@ +04-Mar-2003: Security Advisory: S 04-Mar-2003: Security Advisory: S 04-Mar-2003: Security Advisory: S 04-Mar-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.40 -r1.41 security.wml --- openpkg-web/security.wml 4 Mar 2003 13:06:10 - 1.40 +++ openpkg-web/security.wml 4 Mar 2003 15:37:39 - 1.41 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.017-file.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.017-file.txt --- /dev/null 2003-03-04 16:37:40.0 +0100 +++ OpenPKG-SA-2003.017-file.txt 2003-03-04 16:37:40.0 +0100 @@ -0,0 +1,75 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.017 04-Mar-2003 + + +Package: file +Vulnerability: memory allocation problem, stack overflow +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= file-3.40-20030209 >= file-3.41-20030228 +OpenPKG 1.2 <= file-3.39-1.2.0 >= file-3.39-1.2.1 +OpenPKG 1.1 <= file-3.39-1.1.1 >= file-3.39-1.1.2 + +Dependent Packages: noneN.A. + +Description: + Jeff Johnson found a memory allocation problem and David Endler found + a stack overflow corruption problem in the file [0] "Automatic File + Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved + ELF section and program header handling in file [0] version 3.40. We + believe that file versions without those modifications are vulnerable + to memory allocation and stack overflow problems which put security at + risk. We have backported the security relevant pieces of the 3.41 and + 3.40 vendor changes into OpenPKG releases using vendor version 3.39. + + Please check whether you are affected by running "/bin/rpm + -q file". If you have the "file" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution). [2][3] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror + location, verify its integrity [8], build a corresponding binary RPM + from it [2] and update your OpenPKG installation by applying the binary + RPM [3]. For the current release OpenPKG 1.2, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get file-3.39-1.2.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig file-3.39-1.2.1.src.rpm + $ /bin/rpm --rebuild file-3.39-1.2.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/file-3.39-1.2.1.*.rpm + + + +References: + [1] ftp://ftp.astron.com/pub/file/ + [2] http://www.openpkg.org/tutorial.html#regular-source + [3] http://www.openpkg.org/tutorial.html#regular-binary + [4] ftp://ftp.openpkg.org/release/1.1/UPD/file-3
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael van Elst Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 04-Mar-2003 14:06:12 Branch: HEAD Handle: 2003030413061001 Added files: openpkg-web/securityOpenPKG-SA-2003.016-sendmail.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.016; CAN-2002-133 Summary: RevisionChanges Path 1.24+2 -0 openpkg-web/security.txt 1.40+2 -0 openpkg-web/security.wml 1.1 +73 -0 openpkg-web/security/OpenPKG-SA-2003.016-sendmail.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.23 -r1.24 security.txt --- openpkg-web/security.txt 4 Mar 2003 10:26:04 - 1.23 +++ openpkg-web/security.txt 4 Mar 2003 13:06:10 - 1.24 @@ -1,3 +1,5 @@ +04-Mar-2003: Security Advisory: S +04-Mar-2003: Security Advisory: S 04-Mar-2003: Security Advisory: S 19-Feb-2003: Security Advisory: S 19-Feb-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.39 -r1.40 security.wml --- openpkg-web/security.wml 4 Mar 2003 10:26:04 - 1.39 +++ openpkg-web/security.wml 4 Mar 2003 13:06:10 - 1.40 @@ -78,6 +78,8 @@ + + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.016-sendmail.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.016-sendmail.txt --- /dev/null 2003-03-04 14:06:12.0 +0100 +++ OpenPKG-SA-2003.016-sendmail.txt 2003-03-04 14:06:12.0 +0100 @@ -0,0 +1,73 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.016 04-Mar-2003 + + +Package: sendmail +Vulnerability: buffer overflow +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= sendmail-8.12.7-20030205 >= sendmail-8.12.8-20030304 +OpenPKG 1.2 <= sendmail-8.12.7-1.2.0>= sendmail-8.12.4-1.2.1 +OpenPKG 1.1 noneN.A. + +Dependent Packages: none + +Description: + According to a ISS X-Force [0], a buffer overflow vulnerability + exists in all sendmail versions from 5.79 to 8.12.7 [1]. Attackers + may remotely exploit this vulnerability to gain "root" or superuser + control of any vulnerable Sendmail server. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CAN-2002-1337 [2] to the + problem. + + Please check whether you are affected by running "/bin/rpm + -q sendmail". If you have the "sendmail" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror location, + verify its integrity [7], build a corresponding binary RPM from it [3] + and update your OpenPKG installation by applying the binary RPM [4]. + For the current release OpenPKG 1.2, perform the following operations + to permanently fix the security problem (for other releases adjust + accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get sendmail-8.12.7-1.2.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig sendmail-8.12.7-1.2.1.src.rpm + $ /bin/rpm --rebuild sendmail-8.12.7-1.2.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/sendmail-8.12.7-1.2.1.*.rpm + + + +References: + [0] http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950 + [1] http://www.sendmail.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.1.src.rpm + [6] ftp://ftp
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 19-Feb-2003 14:48:12 Branch: HEAD Handle: 2003021913480704 Added files: openpkg-web/securityOpenPKG-SA-2003.012-dhcpd.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.012-dhcpd; CAN-2003-0039 Summary: RevisionChanges Path 1.21+1 -0 openpkg-web/security.txt 1.37+1 -0 openpkg-web/security.wml 1.1 +87 -0 openpkg-web/security/OpenPKG-SA-2003.012-dhcpd.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.20 -r1.21 security.txt --- openpkg-web/security.txt 18 Feb 2003 15:13:05 - 1.20 +++ openpkg-web/security.txt 19 Feb 2003 13:48:07 - 1.21 @@ -1,3 +1,4 @@ +19-Feb-2003: Security Advisory: S 18-Feb-2003: Security Advisory: S 18-Feb-2003: Security Advisory: S 18-Feb-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.36 -r1.37 security.wml --- openpkg-web/security.wml 18 Feb 2003 15:13:05 - 1.36 +++ openpkg-web/security.wml 19 Feb 2003 13:48:07 - 1.37 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.012-dhcpd.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.012-dhcpd.txt --- /dev/null 2003-02-19 14:48:11.0 +0100 +++ OpenPKG-SA-2003.012-dhcpd.txt 2003-02-19 14:48:11.0 +0100 @@ -0,0 +1,87 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.012 19-Feb-2003 + + +Package: dhcpd +Vulnerability: denial of service (packet storm) +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= dhcpd-3.0.1rc11-20030116 >= dhcpd-3.0.1rc11-20030219 +OpenPKG 1.2 <= dhcpd-3.0.1rc11-1.2.0>= dhcpd-3.0.1rc11-1.2.1 +OpenPKG 1.1 <= dhcpd-3.0.1rc9-1.1.1 >= dhcpd-3.0.1rc9-1.1.2 + +Affected Releases: Dependent Packages: none + +Description: + Florian Lohoff discovered a bug [0] in dhcrelay which is part of the + ISC DHCPD [1]. The bug is causing the relay agent to send a continuing + packet storm towards the configured dhcp server(s) in case of a + malicious BOOTP packet. The Common Vulnerabilities and Exposures + (CVE) project assigned the id CAN-2003-0039 [2] to the problem. + + The update does not ultimately fix the root cause of the problem. + However, it improves dhcrelay's compliance to RFC1542 [10] by + rigorously supporting the requirements listed in section 4.1.1 + BOOTREQUEST Messages and thus limiting havoc wreaked to the network: + + > The relay agent MUST silently discard BOOTREQUEST messages whose + > 'hops' field exceeds the value 16. A configuration option SHOULD be + > provided to set this threshold to a smaller value if desired by the + > network manager. The default setting for a configurable threshold + > SHOULD be 4. + + The new configuration option is '-c', it defaults to 4, the range of + parameter is between 0 and 16. + + Please check whether you are affected by running "/bin/rpm + -q dhcpd". If you have the "dhcpd" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.1, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get dhcpd-3.0.1rc11-1.2.
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 18-Feb-2003 16:13:07 Branch: HEAD Handle: 2003021815130501 Added files: openpkg-web/securityOpenPKG-SA-2003.011-lynx.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.011-lynx; CAN-2002-1405 Summary: RevisionChanges Path 1.20+1 -0 openpkg-web/security.txt 1.36+1 -0 openpkg-web/security.wml 1.1 +75 -0 openpkg-web/security/OpenPKG-SA-2003.011-lynx.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.19 -r1.20 security.txt --- openpkg-web/security.txt 18 Feb 2003 15:03:24 - 1.19 +++ openpkg-web/security.txt 18 Feb 2003 15:13:05 - 1.20 @@ -1,3 +1,4 @@ +18-Feb-2003: Security Advisory: S 18-Feb-2003: Security Advisory: S 18-Feb-2003: Security Advisory: S 29-Jan-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.35 -r1.36 security.wml --- openpkg-web/security.wml 18 Feb 2003 15:03:24 - 1.35 +++ openpkg-web/security.wml 18 Feb 2003 15:13:05 - 1.36 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.011-lynx.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.011-lynx.txt --- /dev/null 2003-02-18 16:13:07.0 +0100 +++ OpenPKG-SA-2003.011-lynx.txt 2003-02-18 16:13:07.0 +0100 @@ -0,0 +1,75 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.011 18-Feb-2003 + + +Package: lynx +Vulnerability: CRLF injection vulnerability +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= lynx-2.8.4-20020206 >= lynx-2.8.4-20021216 +OpenPKG 1.2 <= N.A. >= lynx-2.8.4-1.2.0 +OpenPKG 1.1 <= lynx-2.8.4-1.1.0 >= lynx-2.8.4-1.1.1 + +Affected Releases: Dependent Packages: none + +Description: + Ulf Harnhammar posted information [0] reporting a "CRLF Injection" + problem with Lynx [1] 2.8.4 and earlier. It is possible to inject + false HTTP headers into an HTTP request that is provided on the + command line, via a URL containing encoded carriage return, line feed, + and other whitespace characters. This way, scripts that use Lynx for + downloading files access the wrong site on a web server with multiple + virtual hosts. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2002-1405 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + lynx". If you have the "lynx" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror location, + verify its integrity [7], build a corresponding binary RPM from it [3] + and update your OpenPKG installation by applying the binary RPM [4]. + For the release OpenPKG 1.1, perform the following operations to + permanently fix the security problem (for other releases adjust + accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.1/UPD + ftp> get lynx-2.8.4-1.1.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig lynx-2.8.4-1.1.1.src.rpm + $ /bin/rpm --rebuild lynx-2.8.4-1.1.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/lynx-2.8.4-1.1.1.*.rpm + + +References: + [0] http://www.mail-archive.com/bugtraq@securityfocus.com/msg08897.html + [1] http://lynx.isc.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1405 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpk
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 29-Jan-2003 13:01:19 Branch: HEAD Handle: 2003012912011701 Added files: openpkg-web/securityOpenPKG-SA-2003.008-mysql.txt Modified files: openpkg-web security.txt security.wml Log: OpenPKG-SA-2003.008 fix mysql double free bug Summary: RevisionChanges Path 1.17+1 -0 openpkg-web/security.txt 1.33+1 -0 openpkg-web/security.wml 1.1 +72 -0 openpkg-web/security/OpenPKG-SA-2003.008-mysql.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.16 -r1.17 security.txt --- openpkg-web/security.txt 23 Jan 2003 13:36:58 - 1.16 +++ openpkg-web/security.txt 29 Jan 2003 12:01:17 - 1.17 @@ -1,3 +1,4 @@ +29-Jan-2003: Security Advisory: S 23-Jan-2003: Security Advisory: S 23-Jan-2003: Security Advisory: S 22-Jan-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.32 -r1.33 security.wml --- openpkg-web/security.wml 23 Jan 2003 13:36:58 - 1.32 +++ openpkg-web/security.wml 29 Jan 2003 12:01:17 - 1.33 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.008-mysql.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.008-mysql.txt --- /dev/null 2003-01-29 13:01:18.0 +0100 +++ OpenPKG-SA-2003.008-mysql.txt 2003-01-29 13:01:18.0 +0100 @@ -0,0 +1,72 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.008 29-Jan-2003 + + +Package: mysql +Vulnerability: double free can cause denial of service +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= mysql-3.23.54a-20030116 >= mysql-3.23.55-20030124 +OpenPKG 1.2 <= mysql-3.23.54a-1.2.0 >= mysql-3.23.54a-1.2.1 +OpenPKG 1.1 <= mysql-3.23.52-1.1.1 >= mysql-3.23.52-1.1.2 + +Affected Releases: Dependent Packages: none + +Description: + Vincent Danen of MandrakeSoft noticed that according to the change log + [0] for MySQL release 3.23.55 [1] a vulnerbility has been fixed where + a double free pointer bug in mysql_change_user() handling enabled a + specially hacked version of MySQL client to crash mysqld. He + extracted the fix for use in previous releases. + + Please check whether you are affected by running "/bin/rpm -q + mysql". If you have the "mysql" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [2][3] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror + location, verify its integrity [8], build a corresponding binary RPM + from it [2] and update your OpenPKG installation by applying the binary + RPM [3]. For the current release OpenPKG 1.2, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get mysql-3.23.54a-1.2.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig mysql-3.23.54a-1.2.1.src.rpm + $ /bin/rpm --rebuild mysql-3.23.54a-1.2.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/mysql-3.23.54a-1.2.1.*.rpm + + +References: + [0] http://www.mysql.com/doc/en/News-3.23.55.html + [1] http://www.mysql.com/ + [2] http://www.openpkg.org/tutorial.html#regular-source + [3] http://www.openpkg.org/tutorial.html#regular-binary + [4] ftp://ftp.openpkg.org/release/1.1/UPD/mysql-3.23.52-1.1.2.src.rpm + [5] ftp://ftp.openpkg.org/release/1.2/UPD/mysql-3.23.54a-1.2.1.src.rpm + [6] ftp://ftp.openpkg.org/release/1.1/UPD/ + [7] f
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 23-Jan-2003 14:36:59 Branch: HEAD Handle: 2003012313365801 Added files: openpkg-web/securityOpenPKG-SA-2003.007-wget.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.007-wget; CAN-2002-1344 Summary: RevisionChanges Path 1.16+1 -0 openpkg-web/security.txt 1.32+1 -0 openpkg-web/security.wml 1.1 +72 -0 openpkg-web/security/OpenPKG-SA-2003.007-wget.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.15 -r1.16 security.txt --- openpkg-web/security.txt 23 Jan 2003 10:37:13 - 1.15 +++ openpkg-web/security.txt 23 Jan 2003 13:36:58 - 1.16 @@ -1,3 +1,4 @@ +23-Jan-2003: Security Advisory: S 23-Jan-2003: Security Advisory: S 22-Jan-2003: Security Advisory: S 21-Jan-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.31 -r1.32 security.wml --- openpkg-web/security.wml 22 Jan 2003 16:04:53 - 1.31 +++ openpkg-web/security.wml 23 Jan 2003 13:36:58 - 1.32 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.007-wget.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.007-wget.txt --- /dev/null 2003-01-23 14:36:59.0 +0100 +++ OpenPKG-SA-2003.007-wget.txt 2003-01-23 14:36:59.0 +0100 @@ -0,0 +1,72 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.007 23-Jan-2003 + + +Package: wget +Vulnerability: directory traversal vulnerability +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= wget-1.8.2-20021206 >= wget-1.8.2-20021216 +OpenPKG 1.2 <= none N.A. +OpenPKG 1.1 <= wget-1.8.2-1.1.0 >= wget-1.8.2-1.1.1 + +Affected Releases: Dependent Packages: none + +Description: + According to research done by Steve Christey [0], directory traversal + vulnerabilities exist in many FTP clients including wget [1]. + Resolution of this issue was handled primarily through Mark Cox of Red + Hat whose patches were incorporated into the wget 1.8.2 HEAD + development branch. The Common Vulnerabilities and Exposures (CVE) + project assigned the id CAN-2002-1344 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + wget". If you have the "wget" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror location, + verify its integrity [7], build a corresponding binary RPM from it [3] + and update your OpenPKG installation by applying the binary RPM [4]. + For the release OpenPKG 1.1, perform the following operations to + permanently fix the security problem (for other releases adjust + accordingly). + + $ rpm --rebuild ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.2/UPD + ftp> get wget-1.8.2-1.1.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig wget-1.8.2-1.1.1.src.rpm + $ /bin/rpm --rebuild wget-1.8.2-1.1.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/wget-1.8.2-1.1.1.*.rpm + + +References: + [0] http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2 + [1] http://sunsite.dk/wget/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.1/UPD/wget-1.8.2-1.1.1.src.rpm + [6] ftp://ftp.openpkg.org/release/1.1
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 22-Jan-2003 17:04:54 Branch: HEAD Handle: 2003012216045301 Added files: openpkg-web/securityOpenPKG-SA-2003.006-python.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.006-python; CAN-2002-1119 Summary: RevisionChanges Path 1.14+1 -0 openpkg-web/security.txt 1.31+1 -0 openpkg-web/security.wml 1.1 +72 -0 openpkg-web/security/OpenPKG-SA-2003.006-python.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.13 -r1.14 security.txt --- openpkg-web/security.txt 22 Jan 2003 13:01:31 - 1.13 +++ openpkg-web/security.txt 22 Jan 2003 16:04:53 - 1.14 @@ -1,3 +1,4 @@ +22-Jan-2003: Security Advisory: S 22-Jan-2003: Security Advisory: S 21-Jan-2003: Security Advisory: S 21-Jan-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.30 -r1.31 security.wml --- openpkg-web/security.wml 22 Jan 2003 13:12:54 - 1.30 +++ openpkg-web/security.wml 22 Jan 2003 16:04:53 - 1.31 @@ -78,6 +78,7 @@ + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.006-python.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.006-python.txt --- /dev/null 2003-01-22 17:04:54.0 +0100 +++ OpenPKG-SA-2003.006-python.txt2003-01-22 17:04:54.0 +0100 @@ -0,0 +1,72 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.006 23-Jan-2003 + + +Package: python +Vulnerability: predictable filename allows arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= python-2.2.1-20020820>= python-2.2.2-20021015 +OpenPKG 1.2 noneN.A. +OpenPKG 1.1 <= python-2.2.1-1.1.0 >= python-2.2.1-1.1.1 + +Affected Releases: Dependent Packages: none + +Description: + Zack Weinberg discovered an insecure use of a hardcoded file name [0] + in Python, a interpreted, interactive, object-oriented programming + language [1]. Python uses a predictable filename which could lead to + execution of arbitrary code. The Common Vulnerabilities and Exposures + (CVE) project assigned the id CAN-2002-1119 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + python". If you have the "python" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution) and it's dependent packages (see above), if any, too. + [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror location, + verify its integrity [7], build a corresponding binary RPM from it [3] + and update your OpenPKG installation by applying the binary RPM [4]. + For the release OpenPKG 1.1, perform the following operations to + permanently fix the security problem (for other releases adjust + accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.1/UPD + ftp> get python-2.2.1-1.1.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig python-2.2.1-1.1.1.src.rpm + $ /bin/rpm --rebuild python-2.2.1-1.1.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/python-2.2.1-1.1.1.*.rpm + + +References: + [0] http://mail.python.org/pipermail/python-dev/2002-August/027223.html + [1] http://www.python.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.1/UPD/python-2.2.1-1.1.1.src.r
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 22-Jan-2003 14:01:33 Branch: HEAD Handle: 2003012213013101 Added files: openpkg-web/securityOpenPKG-SA-2003.005-php.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.005-php; CAN-2002-1396 Summary: RevisionChanges Path 1.13+1 -0 openpkg-web/security.txt 1.29+1 -0 openpkg-web/security.wml 1.1 +86 -0 openpkg-web/security/OpenPKG-SA-2003.005-php.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.12 -r1.13 security.txt --- openpkg-web/security.txt 21 Jan 2003 13:49:01 - 1.12 +++ openpkg-web/security.txt 22 Jan 2003 13:01:31 - 1.13 @@ -1,3 +1,4 @@ +22-Jan-2003: Security Advisory: S 21-Jan-2003: Security Advisory: S 21-Jan-2003: Security Advisory: S 16-Jan-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.28 -r1.29 security.wml --- openpkg-web/security.wml 21 Jan 2003 13:49:01 - 1.28 +++ openpkg-web/security.wml 22 Jan 2003 13:01:31 - 1.29 @@ -70,6 +70,7 @@ TXT) + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.005-php.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.005-php.txt --- /dev/null 2003-01-22 14:01:33.0 +0100 +++ OpenPKG-SA-2003.005-php.txt 2003-01-22 14:01:33.0 +0100 @@ -0,0 +1,86 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.005 22-Jan-2003 + + +Package: php +Vulnerability: buffer overflow in "wordwrap" function +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= php-4.2.3-20020907 >= php-4.3.0-20021228 +OpenPKG 1.2 none>= php-4.3.0-1.2.0 +OpenPKG 1.1 <= php-4.2.2-1.1.0 >= php-4.2.2-1.1.1 +OpenPKG 1.0 none>= php-4.0.6-1.0.1 + +Affected Releases: Dependent Packages: +OpenPKG CURRENT <= apache-1.3.27-20021129 >= apache-1.3.27-20021228 +OpenPKG 1.2 none>= apache-1.3.27-1.2.0 +OpenPKG 1.1 <= apache-1.3.26-1.1.2 >= apache-1.3.26-1.1.3 +OpenPKG 1.0 none>= apache-1.3.22-1.0.6 + +Description: + According to a bug report [0] from David F. Skoll + <[EMAIL PROTECTED]> a buffer overflow problem exists in the + "wordwrap" function of Personal HomePage (PHP) [1], a an HTML-embedded + scripting language. Thanks to David's input and help the source of the + problem was tracked down and corrected. The Common Vulnerabilities and + Exposures (CVE) project assigned the id CAN-2002-1396 [2] to the + problem. + + Please check whether you are affected by running "/bin/rpm -q + php". If you have the "php" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + + Also run "/bin/rpm -qi apache". If you have the "apache" + package installed having the "with_mod_php" option set to "yes" and + its version is affected (see above), we recommend that you immediately + upgrade it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror + location, verify its integrity [7], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the release OpenPKG 1.1, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.1/UPD + ftp> get php-4.2.2-1.1.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig php-4.2
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 21-Jan-2003 14:49:02 Branch: HEAD Handle: 2003012113490101 Added files: openpkg-web/securityOpenPKG-SA-2003.004-cvs.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.004-cvs; CAN-2003-0015 Summary: RevisionChanges Path 1.12+1 -0 openpkg-web/security.txt 1.28+1 -0 openpkg-web/security.wml 1.1 +76 -0 openpkg-web/security/OpenPKG-SA-2003.004-cvs.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.11 -r1.12 security.txt --- openpkg-web/security.txt 20 Jan 2003 20:11:47 - 1.11 +++ openpkg-web/security.txt 21 Jan 2003 13:49:01 - 1.12 @@ -1,3 +1,4 @@ +21-Jan-2003: Security Advisory: S 21-Jan-2003: Security Advisory: S 16-Jan-2003: Security Advisory: S 15-Jan-2003: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.27 -r1.28 security.wml --- openpkg-web/security.wml 20 Jan 2003 20:11:47 - 1.27 +++ openpkg-web/security.wml 21 Jan 2003 13:49:01 - 1.28 @@ -70,6 +70,7 @@ TXT) + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.004-cvs.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.004-cvs.txt --- /dev/null 2003-01-21 14:49:02.0 +0100 +++ OpenPKG-SA-2003.004-cvs.txt 2003-01-21 14:49:02.0 +0100 @@ -0,0 +1,76 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.004 21-Jan-2003 + + +Package: cvs +Vulnerability: remote root compromise +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= cvs-1.11.4-20030114 >= cvs-1.11.5-20030121 +OpenPKG 1.1 <= cvs-1.11.2-1.1.0 >= cvs-1.11.2-1.1.1 +OpenPKG 1.0 <= cvs-1.11.1p1-1.0.1 >= cvs-1.11.1p1-1.0.2 + +Affected Releases: Dependent Packages: none + +Description: + According to an e-matters Security Advisory [0] from Stefan Esser + <[EMAIL PROTECTED]>, a vulnerability exists in the Concurrent + Versions System (CVS) [1] which allows remote compromise of CVS + servers. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2003-0015 [2] to the problem. + + Please check whether you are affected by running "/bin/rpm -q + cvs". If you have the "cvs" package installed and its version is + affected (see above), we recommend that you immediately upgrade + it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.1, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.1/UPD + ftp> get cvs-1.11.2-1.1.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig cvs-1.11.2-1.1.1.src.rpm + $ /bin/rpm --rebuild cvs-1.11.2-1.1.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/cvs-1.11.2-1.1.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too. [3][4] + + +References: + [0] http://security.e-matters.de/advisories/012003.html + [1] http://www.cvshome.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.0/UPD/foo-1.2.0-1.0.1.src.rpm + [6]
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 20-Jan-2003 21:11:49 Branch: HEAD Handle: 2003012020114701 Added files: openpkg-web/securityOpenPKG-SA-2003.003-vim.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.003-vim; CAN-2002-1377 Summary: RevisionChanges Path 1.11+1 -0 openpkg-web/security.txt 1.27+1 -0 openpkg-web/security.wml 1.1 +76 -0 openpkg-web/security/OpenPKG-SA-2003.003-vim.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.10 -r1.11 security.txt --- openpkg-web/security.txt 16 Jan 2003 13:35:12 - 1.10 +++ openpkg-web/security.txt 20 Jan 2003 20:11:47 - 1.11 @@ -1,3 +1,4 @@ +21-Jan-2003: Security Advisory: S 16-Jan-2003: Security Advisory: S 15-Jan-2003: Security Advisory: S 17-Dec-2002: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.26 -r1.27 security.wml --- openpkg-web/security.wml 16 Jan 2003 14:25:53 - 1.26 +++ openpkg-web/security.wml 20 Jan 2003 20:11:47 - 1.27 @@ -70,6 +70,7 @@ TXT) + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.003-vim.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.003-vim.txt --- /dev/null 2003-01-20 21:11:48.0 +0100 +++ OpenPKG-SA-2003.003-vim.txt 2003-01-20 21:11:49.0 +0100 @@ -0,0 +1,76 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.003 21-Jan-2003 + + +Package: vim +Vulnerability: arbitrary command execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= vim-6.1.264-20021223 >= vim-6.1.266-20021224 +OpenPKG 1.1 <= vim-6.1.165-1.1.0>= vim-6.1.165-1.1.1 +OpenPKG 1.0 <= vim-6.0.92-1.0.1 >= vim-6.0.92-1.0.2 + +Affected Releases: Dependent Packages: none + +Description: + According to a security advisory from Georgi Guninski [0] a + vulnerability exists in the Vim (Vi Improved) text editor [1] which + allows arbitrary command execution using the libcall feature in + modelines. The Common Vulnerabilities and Exposures (CVE) project + assigned the id CAN-2002-1377 [2] to the problem. Both versions 6.0 + and 6.1 are affected. The necessary patch was incorporated into the + 6.1 source tree beginning with patchlevel 265. We have backported the + patch to the 6.0.92 and 6.1.165 releases. + + Please check whether you are affected by running "/bin/rpm + -q vim". If you have the "vim" package installed and its version + is affected (see above), we recommend that you immediately upgrade + it (see Solution). [3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the current release OpenPKG 1.1, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.1/UPD + ftp> get vim-6.1.165-1.1.1.src.rpm + ftp> bye + $ /bin/rpm -v --checksig vim-6.1.165-1.1.1.src.rpm + $ /bin/rpm --rebuild vim-6.1.165-1.1.1.src.rpm + $ su - + # /bin/rpm -Fvh /RPM/PKG/1.1.*.rpm + + +References: + [0] http://www.guninski.com/vim1.html + [1] http://www.vim.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp
