Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0717 -- Debian Security Advisory DSA 590-1 New gnats packages fix arbitrary code execution 10 November 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: gnats Publisher: Debian Operating System: Debian GNU/Linux 3.0 Linux variants UNIX variants Mac OS X Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CAN-2004-0623 Original Bulletin: http://www.debian.org/security/2004/dsa-590 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 590-1 security@debian.org http://www.debian.org/security/ Martin Schulze November 9th, 2004 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : gnats Vulnerability : format string vulnerability Problem-Type : remote Debian-specific: no CVE ID : CAN-2004-0623 BugTraq ID : 10609 Debian Bug : 278577 Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code. For the stable distribution (woody) this problem has been fixed in version 3.999.beta1+cvs20020303-2. For the unstable distribution (sid) this problem has been fixed in version 4.0-7. We recommend that you upgrade your gnats package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2.dsc Size/MD5 checksum: 572 a50e8e6bcea84deb584a0427bfdbc96d http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2.tar.gz Size/MD5 checksum: 1570021 b0f7f28328e21a7ce35e3315bf2bca0b Alpha architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_alpha.deb Size/MD5 checksum: 1050882 f604c53e94753708ff44e533c39c43e2 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_alpha.deb Size/MD5 checksum: 685026 6185e02fc2775180bf2c5ec11239b69a ARM architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_arm.deb Size/MD5 checksum: 880912 3d2662f156e638cd1a52fd609dcab941 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_arm.deb Size/MD5 checksum: 602334 8fa0573e4f85c9363d53c6020b88ddd9 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_i386.deb Size/MD5 checksum: 866718 341223ed8802f9db37d635f885aeea18 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_i386.deb Size/MD5 checksum: 592452 d02b91bae6efc9628aab7d53236c6a7b Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_ia64.deb Size/MD5 checksum: 1242616 2365d9b58be38a9ab75550c14aa021c0 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_ia64.deb Size/MD5 checksum: 778954 72a9110a68fbba73b5c8ed6427ce18df HP Precision architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_hppa.deb Size/MD5 checksum: 983490 b5f6d8bbff6ac02830b01a4e02284e75 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_hppa.deb Size/MD5 checksum: 652166 7c5057561328f30ec1177054ed57e638 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_m68k.deb Size/MD5 checksum: 822588 a539353ebf28be0523f808c1e1a4ca64 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_m68k.deb Size/MD5 checksum: 572790 472ed96d0bbbc993e0321af5d83bf394 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_mips.deb Size/MD5 checksum: 975242 e11de0c1cc6e7e85321411cd1066602a http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_mips.deb Size/MD5 checksum: 644922 85b1d1e6146c3bcdc655f1d120fc3361 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_mipsel.deb Size/MD5 checksum: 973682 aaf838802193112d9ec2ffaeec9ef65f http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_mipsel.deb Size/MD5 checksum: 645350 6cc250414c90dc14ffebce38846c3cf7 PowerPC architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_powerpc.deb Size/MD5 checksum: 909244 51c380ca38ba98a93312edfb99431da7 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_powerpc.deb Size/MD5 checksum: 614968 dcb3e1db579471f1dabc73d8a75b52ac IBM S/390 architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_s390.deb Size/MD5 checksum: 895272 649ee321f435ee1340f854387fa66c67 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_s390.deb Size/MD5 checksum: 607174 2993bb4ebe7845926dee6641362569f2 Sun Sparc architecture: http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_sparc.deb Size/MD5 checksum: 898306 602f6382b3bef02e9d4e2a8009c46212 http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_sparc.deb Size/MD5 checksum: 608376 3f6bab03dd22a70e2007f1cb16f7b996 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBkOdYW5ql+IAeqTIRAuXrAJ9DhxYBMhOGkoeGSNH4SABTsSnSVACfWTam vhOieU/C/dfKFmxKpkEIlp8= =hhzi - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQZFnyih9+71yA2DNAQIS/AQAjFtuBrWGuJoRXDk4lRDYLvUVHksLy9i3 BMwayLRbOU6SE/ounZJNLoa+SL01taCY4VePKf0rgudsoq0J2yi3x68U5q9Qf9RT /R52hQhcdFiL0/jmYTtb+SRY1pV7Wfg8oRe+ztHZcyhF+GciKE1Vy9V1R3vVhV3n Il7OUNEVF7o= =nl92 -----END PGP SIGNATURE-----