Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0168 -- Debian Security Advisory DSA 686-1
New gftp packages fix directory traversal vulnerability
18 February 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: gftp
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
UNIX variants
Impact: Create Arbitrary Files
Overwrite Arbitrary Files
Access: Remote/Unauthenticated
CVE Names: CAN-2005-0372 CAN-2004-1376
Original Bulletin: http://www.debian.org/security/2005/dsa-686
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 686-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 17th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : gftp
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0372
Albert Puigsech Galicia discovered a directory traversal vulnerability
in a proprietary FTP client (CAN-2004-1376) which is also present in
gftp, a GTK+ FTP client. A malicious server could provide a specially
crafted filename that could cause arbitrary files to be overwritten or
created by the client.
For the stable distribution (woody) this problem has been fixed in
version 2.0.11-1woody1.
For the unstable distribution (sid) this problem has been fixed in
version 2.0.18-1.
We recommend that you upgrade your gftp package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1.dsc
Size/MD5 checksum: 631 980555d208281b3ac35069dd0119f98c
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1.diff.gz
Size/MD5 checksum: 2760 15eff6342db5e2f2bee5c262618cf642
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11.orig.tar.gz
Size/MD5 checksum: 896320 3c63b5eed2faffe820bace112be2db8a
Alpha architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_alpha.deb
Size/MD5 checksum: 27350 39764c5e34ef08fce49bf59f887a0afa
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_alpha.deb
Size/MD5 checksum: 234078 359126a5f2d1da940f1b6000c7ab9752
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_alpha.deb
Size/MD5 checksum: 252376 56405294ce7a01e84976c8fc6683f544
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_alpha.deb
Size/MD5 checksum: 86296 8ac8f60d39cf4c3db57dd04df0b11a53
ARM architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_arm.deb
Size/MD5 checksum: 27360 9fea83142508e1b6c2790016c3395ca0
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_arm.deb
Size/MD5 checksum: 234120 a4760d5de60e0a4a04be1c8dc75ec264
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_arm.deb
Size/MD5 checksum: 226588 71fb1b6d6603d5967c6714e7ca33f389
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_arm.deb
Size/MD5 checksum: 73906 60c748df56cbef3944079654553497ea
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_i386.deb
Size/MD5 checksum: 27312 10aec83a3257a3bc22739e6087bc6ef2
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_i386.deb
Size/MD5 checksum: 234056 57459c25bd9f96bd6f26e566468856ba
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_i386.deb
Size/MD5 checksum: 219792 98beb285ca804a8fbbed4498a54268ff
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_i386.deb
Size/MD5 checksum: 68360 f8fa329a81404c4d5392c285e50a5505
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_ia64.deb
Size/MD5 checksum: 27348 6f32e2cb005ffe56e2803b860e0e4d74
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_ia64.deb
Size/MD5 checksum: 234044 a2c3ff641d7b2e880456f1a8868b33fe
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_ia64.deb
Size/MD5 checksum: 299582 b7c2e1ea7228f461235666d932361551
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_ia64.deb
Size/MD5 checksum: 110640 26995f700b8389fd9aad5b368f5faf7c
HP Precision architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_hppa.deb
Size/MD5 checksum: 27358 07b2d426543fd686ad3380e8bcd4805f
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_hppa.deb
Size/MD5 checksum: 234094 322189d295ba47c91d2061309fa6a9fa
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_hppa.deb
Size/MD5 checksum: 242482 44bb85b863ae217f2575835877041d4a
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_hppa.deb
Size/MD5 checksum: 82608 e31d810b73f571088cc837958d7a2796
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_m68k.deb
Size/MD5 checksum: 27358 faf8af474984da98e9d6f98f0918a261
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_m68k.deb
Size/MD5 checksum: 234106 a8b2e05b710887903feed817016f5f97
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_m68k.deb
Size/MD5 checksum: 210554 7a532d25cb6840e69f97647b08d619c0
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_m68k.deb
Size/MD5 checksum: 64032 983b93b4e2aac1922e97a193220e18d4
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_mips.deb
Size/MD5 checksum: 27362 103f10d9ae47826ee1957d14d556a46f
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_mips.deb
Size/MD5 checksum: 234114 0667ca7e24f987e6002955093df95537
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_mips.deb
Size/MD5 checksum: 224722 0bdb6399f56a1cc4819c3ab883a53a68
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_mips.deb
Size/MD5 checksum: 77184 26288b5af19513a0cf09bd82ca7b9336
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_mipsel.deb
Size/MD5 checksum: 27372 43c94486400ca12254c554cb4650fe01
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_mipsel.deb
Size/MD5 checksum: 234188 94df73bb1fe62d21a665ee80380db772
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_mipsel.deb
Size/MD5 checksum: 224648 210416ce87866bab58f2b2c390f52ece
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_mipsel.deb
Size/MD5 checksum: 77994 e1803d086deb47d61f2f79b62e22913e
PowerPC architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_powerpc.deb
Size/MD5 checksum: 27356 6426c00ec3364f72f0ec9481e5e89bb5
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_powerpc.deb
Size/MD5 checksum: 234082 35a1396d45c42ee5b34045c23ae34b05
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_powerpc.deb
Size/MD5 checksum: 227890 8fb52949c02dc3c8a8bf39c86814da9b
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_powerpc.deb
Size/MD5 checksum: 73356 8eba2f163e75f0716879c0320442c246
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_s390.deb
Size/MD5 checksum: 27352 6e71f2937c2db84ed950583237308504
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_s390.deb
Size/MD5 checksum: 234104 85637cf1e6794969be0cc35b6478f95b
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_s390.deb
Size/MD5 checksum: 219246 1f4647d19f593d958c5653e1a6515c2d
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_s390.deb
Size/MD5 checksum: 68090 f0a4483365820c67a7d875b21bc81734
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_sparc.deb
Size/MD5 checksum: 27356 f734ad981e036daed46044b6bd12f236
http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_sparc.deb
Size/MD5 checksum: 234102 4d9c016c8daefd7b20aefa37a193a6ce
http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_sparc.deb
Size/MD5 checksum: 226774 e04c114438c2788155e43c6c32eb4683
http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_sparc.deb
Size/MD5 checksum: 74910 88a25c71729495ccbebaf4c98eee102d
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCFL8EW5ql+IAeqTIRAh86AJsG09wTgBE2liWU749noFHntWaHTACfeFfr
bpWjExuQyO+zj3bqzOnvl2E=
=Lbsq
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQhVD8ih9+71yA2DNAQLw3AP/QmKbIuZdwG6DUUrPAXv6U4zT9XXcubpg
3MjJsPvSkkzgH2emYeDvRoskd33iQPH+MZLLCGhYdZhdPUC+wLxtzP53zESqTT+G
bnT5BCeMxllEQEH/r4/D7IvxN5jfaEPurzIwgVNGaT+21U5GJDDUJweyrGnCcxKu
mcfx9//gIOc=
=cPpX
-----END PGP SIGNATURE-----