Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0410 -- Debian Security Advisory DSA 519-1 New CVS packages fix several potential security problems 16 June 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: cvs Publisher: Debian Operating System: Debian GNU/Linux 3.0 Linux variants Impact: Execute Arbitrary Code/Commands Access Required: Existing Account CVE Names: CAN-2004-0416 CAN-2004-0417 CAN-2004-0418 Ref: ESB-2004.0398 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 519-1 security@debian.org http://www.debian.org/security/ Martin Schulze June 15th, 2004 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : cvs Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CAN-2004-0416 CAN-2004-0417 CAN-2004-0418 Sebastian Krahmer and Stefan Esser discovered several vulnerabilities in the CVS server, which serves the popular Concurrent Versions System. The Common Vulnerability and Exposures project identifies the following problems: CAN-2004-0416: double-free() in error_prog_name CAN-2004-0417: argument integer overflow CAN-2004-0418: out of bound writes in serve_notify() For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-9woody7. For the unstable distribution (sid) this problem has been fixed in version 1.12.9-1. We recommend that you upgrade your cvs package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7.dsc Size/MD5 checksum: 693 808c55e071608254b399c5cf8288c478 http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7.diff.gz Size/MD5 checksum: 55929 5c87146893651805658b497c8d2164f3 http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian.orig.tar.gz Size/MD5 checksum: 2621658 500965ab9702b31605f8c58aa21a6205 Alpha architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_alpha.deb Size/MD5 checksum: 1178992 d411cdd545809660443ff35d49c6e105 ARM architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_arm.deb Size/MD5 checksum: 1106154 5839fcf6673e32d51fc8814591cb49d1 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_i386.deb Size/MD5 checksum: 1086800 1283329c4e9337eb1308945ab77738a7 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_ia64.deb Size/MD5 checksum: 1272232 e71070f4b415c03b996fbc5e14006094 HP Precision architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_hppa.deb Size/MD5 checksum: 1148086 8e70b23bba46da919774913f5b3d3b83 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_m68k.deb Size/MD5 checksum: 1066546 e7f59327f9afdeeec311178839c6997e Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_mips.deb Size/MD5 checksum: 1130478 08811baa91dabf7619b2ca9bb3c84fe6 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_mipsel.deb Size/MD5 checksum: 1131936 6f51edb9c8f078f8c37ffeb87db686e7 PowerPC architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_powerpc.deb Size/MD5 checksum: 1116890 c50418a92b897b0bd698a389a3dd5ba5 IBM S/390 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_s390.deb Size/MD5 checksum: 1097614 1e967b9a0ea2f2feaf4f83b4fb082750 Sun Sparc architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_sparc.deb Size/MD5 checksum: 1107928 49e348f931f71a861140995edb0fcd30 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAzrK8W5ql+IAeqTIRAr8XAJ94PsjJeiEmk+30TWRQqTu20hTyIACeMmZp xDgNabtz7WdT+TlC3In2tZk= =iKaZ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQM/r7yh9+71yA2DNAQL85AP8DXNK9yEtZcvodIuLR/UK3y7atc4DMImd CBjAlpDBZTUnPohuOe/8qPGfh+898WxnfvuKfU8CqWS9/wujreOpO8fXXkb83iMA 2RVg+Tv0BJ+50sihh5CTxDCM59C1D2JM+dQyhvQl+A+mznbaho2eioHWSV5OiQWH eiP6OORgqBQ= =6Qe7 -----END PGP SIGNATURE-----