Operating System:

Published:

31 March 2003

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2003.0223 -- Debian Security Advisory DSA 271-1
     New ecartis and listar packages fix password change vulnerability
                               31 March 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ecartis
                        listar
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2
                        Debian GNU/Linux 3.0
                        Linux
                        UNIX
Impact:                 Increased Privileges
Access Required:        Remote
CVE Names:              CAN-2003-0162

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 271-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 27th, 2003                        http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : ecartis, listar
Vulnerability  : unauthorized password change
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2003-0162

A problem has been discovered in ecartis, a mailing list manager,
formerly known as listar.  This vulnerability enables an attacker to
reset the password of any user defined on the list server, including
the list admins.

For the stable distribution (woody) this problem has been fixed in
version 0.129a+1.0.0-snap20020514-1.1 of ecartis.

For the old stable distribution (potato) this problem has been fixed
in version 0.129a-2.potato3 of listar.

For the unstable distribution (sid) this problem has been
fixed in version 1.0.0+cvs.20030321-1 of ecartis.

We recommend that you upgrade your ecartis and listar packages.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- - ---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3.dsc
      Size/MD5 checksum:      556 6a598c9cac5f1da997f3790b47711e33
    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3.diff.gz
      Size/MD5 checksum:    82819 d8154d1316c73efa71907f026b5a5df4
    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a.orig.tar.gz
      Size/MD5 checksum:   323888 0302a199d9e5ee180c9e6e55ee7a0780

  Alpha architecture:

    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_alpha.deb
      Size/MD5 checksum:   357788 7db5223f510d4d0d03cbf68e2d9a554c
    http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_alpha.deb
      Size/MD5 checksum:    32072 5e63d71fa7a8cd8aed70821f529b5d13

  ARM architecture:

    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_arm.deb
      Size/MD5 checksum:   335076 5b51113b57b948e9b2b73c06a835dde2
    http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_arm.deb
      Size/MD5 checksum:    32174 1182335a3ce6c842aaef2832cd56db09

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_i386.deb
      Size/MD5 checksum:   301830 aa8d67d1f07cb0a769d2030708e3725c
    http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_i386.deb
      Size/MD5 checksum:    25342 efd78841548a3e97b0d0557e8b360a3d

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_m68k.deb
      Size/MD5 checksum:   308188 fbacaef28d85db28a2d3d5e1e70945ce
    http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_m68k.deb
      Size/MD5 checksum:    28030 2acf707d75e5f1e04cd297b5f1e33a3a

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_powerpc.deb
      Size/MD5 checksum:   339304 4fb6eaa9bb7a3bc6f7598b6dd77a11b6
    http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_powerpc.deb
      Size/MD5 checksum:    32094 ee010d55634c49190c6c31158474bc11

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_sparc.deb
      Size/MD5 checksum:   343804 f43699c1036fbbacba2ee9f726796208
    http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_sparc.deb
      Size/MD5 checksum:    31450 f0cd070c44790d8afdabd87a01aa3a9f


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1.dsc
      Size/MD5 checksum:      633 c12d84d29fc5f3a4d035abe9a4364d59
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1.diff.gz
      Size/MD5 checksum:    10058 a3a508ca141857099b5a2162ab960d2c
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514.orig.tar.gz
      Size/MD5 checksum:   326215 2772a595a3fe7ea5073874113da813ec

  Alpha architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_alpha.deb
      Size/MD5 checksum:   256488 b1acd0ec6048db96f8cca9f7f714012e
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_alpha.deb
      Size/MD5 checksum:    34062 2d294ecdf9de201e498e701f147cad9c

  ARM architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_arm.deb
      Size/MD5 checksum:   238342 9be97e50e03945c60b58298ab31c59b1
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_arm.deb
      Size/MD5 checksum:    34196 d8d260318e3d8cd7dcee6645a8691b18

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_i386.deb
      Size/MD5 checksum:   199224 04f19e17d53b454345d1d3bcb61fc7b5
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_i386.deb
      Size/MD5 checksum:    26382 09241d9ce5d2638f3bc36e20cdca4780

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_ia64.deb
      Size/MD5 checksum:   337858 8acbd18d48d6ce6afe2c484479d79d10
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_ia64.deb
      Size/MD5 checksum:    44382 231d8671abb4aae44fc54991668a15ef

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_hppa.deb
      Size/MD5 checksum:   237048 b276c82af8eecf61c48d75de24d086fe
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_hppa.deb
      Size/MD5 checksum:    34168 fad0a2a3045895e4c4b091de3aa19c21

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_m68k.deb
      Size/MD5 checksum:   210608 20fc0efde347e1c6641b698d6313465b
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_m68k.deb
      Size/MD5 checksum:    29460 2a85d86c33c287b909f69d65902ade15

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_mips.deb
      Size/MD5 checksum:   203154 ce97ea51862960ad3aacbb6c4c1984df
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_mips.deb
      Size/MD5 checksum:    26412 1dbef7b1080e1af1944eefcca980dcc9

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_mipsel.deb
      Size/MD5 checksum:   203586 757112215cdc752608c39cd28097c6fa
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_mipsel.deb
      Size/MD5 checksum:    26616 e12ed3aff462b581ac950782ee5611a3

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_powerpc.deb
      Size/MD5 checksum:   230912 a2154d90a3fde7031b577b0cc8447664
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_powerpc.deb
      Size/MD5 checksum:    33566 86341f5c54c9f77600dd014b9e8aa1ff

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_s390.deb
      Size/MD5 checksum:   205216 663b7a54b58b9e94945fffbb39d34ae6
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_s390.deb
      Size/MD5 checksum:    28146 055c6a32bf2ff31ed96517d6bc180ff2

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1_sparc.deb
      Size/MD5 checksum:   244436 fd62ecb7515ec274e1052e49f0f02ead
    http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.1_sparc.deb
      Size/MD5 checksum:    33726 92bcb1cf248a1400b4a1110a8e02b8e3


  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+gubyW5ql+IAeqTIRAuyOAJ9XjEqS3iNtl+440md7gp/vGxI5PQCfcvUl
53I/klGgBjkaYSnMhFJTONE=
=P9L+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPohTwih9+71yA2DNAQEasgP/Wltz3eqofJMVEYrRDn7O4NdxNOO+Oab4
tZB/Wbwvtm6mtZkFTA9rwDMziSkVp/zenah4E+RigfXHQ/z1RJyEJO4t7roJmOTG
SbTjBLPDoNbtQqNqJCyev3blAIuIUZU/Ju+jYSwTWMvpx/zM5+IfXlnQHDl4gjIU
J3NZoh1h5EM=
=CI2h
-----END PGP SIGNATURE-----