Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0391 -- [UNIX/Linux][Debian]
New xmcd packages fix denial of service
6 June 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xmcd
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
Debian GNU/Linux 3.0
UNIX variants (UNIX, Linux, OSX)
Impact: Denial of Service
Access: Existing Account
CVE Names: CVE-2006-2542
Original Bulletin: http://www.debian.org/security/2006/dsa-1086
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running xmcd check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1086-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
June 2nd, 2006 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : xmcd
Vulnerability : design flaw
Problem type : local
Debian-specific: no
CVE ID : CVE-2006-2542
Debian Bug : 366816
The xmcdconfig creates directories world-writeable allowing local
users to fill the /usr and /var partition and hence cause a denial of
service. This problem has been half-fixed since version 2.3-1.
For the old stable distribution (woody) this problem has been fixed in
version 2.6-14woody1.
For the stable distribution (sarge) this problem has been fixed in
version 2.6-17sarge1.
For the unstable distribution (sid) this problem has been fixed in
version 2.6-18.
We recommend that you upgrade your xmcd package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1.dsc
Size/MD5 checksum: 619 42038224877b80e57969e82e14a6ee5a
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1.diff.gz
Size/MD5 checksum: 19169 3144b9f7dc78b1a0a668eff06ded3b08
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6.orig.tar.gz
Size/MD5 checksum: 553934 ce3208e21d8e37059e44ce9310d08f5f
Alpha architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_alpha.deb
Size/MD5 checksum: 65648 d4beba33b15cdef57c315666e9dbeaf3
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_alpha.deb
Size/MD5 checksum: 458520 da2013cefff5009ed770397ea7cf23fe
ARM architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_arm.deb
Size/MD5 checksum: 60464 2a9f06c9a2f888ea56ac62bdfe2eb05e
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_arm.deb
Size/MD5 checksum: 378038 932f832766a947aac29d9b40f2f8a026
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_i386.deb
Size/MD5 checksum: 58970 506435aef6b9a12c0715e73dea67eefd
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_i386.deb
Size/MD5 checksum: 324960 2eba0f70812dada62ec2fb3f3b054318
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_ia64.deb
Size/MD5 checksum: 66140 6d3eff9fdf1d9c6052c9554bc4dd584a
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_ia64.deb
Size/MD5 checksum: 543700 dce5ff73c754b4425fe642117a52f5fa
HP Precision architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_hppa.deb
Size/MD5 checksum: 60954 f48d59a10a2891bdb1842da42fe0b0f4
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_hppa.deb
Size/MD5 checksum: 406294 2b12245768fce9c5f57cc4a8818ea1be
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_m68k.deb
Size/MD5 checksum: 58890 ce57236e978ed6310d23cf1cfede3224
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_m68k.deb
Size/MD5 checksum: 309832 0de1924af1c4981505849da8e6b8c7af
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_mips.deb
Size/MD5 checksum: 61476 8a4dcea7adbfb4a1c3294a2622e05d15
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_mips.deb
Size/MD5 checksum: 377170 91d622c19970fe0dcda24f63e85c7350
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_mipsel.deb
Size/MD5 checksum: 61436 27eaa3e4c2365f2e4b49c526acc3df00
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_mipsel.deb
Size/MD5 checksum: 378122 c9b63596911f83c72a4c9b7fbd01abf0
PowerPC architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_powerpc.deb
Size/MD5 checksum: 60998 74e9b62e02f69db4dfedab57100904dd
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_powerpc.deb
Size/MD5 checksum: 364402 28547836494d0142a84c2bf58888c6bf
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_s390.deb
Size/MD5 checksum: 59818 8d3d1ca6ff1fd1ceb32c42b73d4fe3bb
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_s390.deb
Size/MD5 checksum: 347966 dd3cc13ee026156516f315b77cb1f06b
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_sparc.deb
Size/MD5 checksum: 62724 597ddc3fe6e1c56a3ecb78e2b46c7fd4
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_sparc.deb
Size/MD5 checksum: 361214 e93e33fe714c4b5429eb7a2bce8ba0ea
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1.dsc
Size/MD5 checksum: 619 25a530a0383c4ab2cbc2d23a6c95d5f2
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1.diff.gz
Size/MD5 checksum: 20482 d9ce89eebe6f068df0c1d49eacc0bb4b
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6.orig.tar.gz
Size/MD5 checksum: 553934 ce3208e21d8e37059e44ce9310d08f5f
Alpha architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_alpha.deb
Size/MD5 checksum: 62480 d99e5ad3da64edbfbc6a9e5c610683e1
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_alpha.deb
Size/MD5 checksum: 452252 19bf881ff9a11a1d398d97ef2158f07c
AMD64 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_amd64.deb
Size/MD5 checksum: 60974 d14a6718ad2f95983d0af699aa585df2
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_amd64.deb
Size/MD5 checksum: 375978 1064343cbef2794c637ce6431935280b
ARM architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_arm.deb
Size/MD5 checksum: 60052 870eb636eb62c6b3d5fc310d82e9ae2c
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_arm.deb
Size/MD5 checksum: 363752 cf23e90fa86d845a66c297a12de2c887
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_i386.deb
Size/MD5 checksum: 59976 95f0064a7b485df46d6275e3ba98b28e
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_i386.deb
Size/MD5 checksum: 347032 2e5dfd037ca6a7d7e7ef77fa5b3cdd6a
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_ia64.deb
Size/MD5 checksum: 64146 9cf8c9c4c9aa5a6bf8da06ff9079e4df
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_ia64.deb
Size/MD5 checksum: 521072 6759905bab7f05d9cba71fa19b7b971d
HP Precision architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_hppa.deb
Size/MD5 checksum: 61618 578d619050afd48ba63fbb103a443673
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_hppa.deb
Size/MD5 checksum: 399428 b7c61aa93ff2efd42cb4375940b675df
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_m68k.deb
Size/MD5 checksum: 59428 a95f8b6d48635de344faf79d8dce01f5
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_m68k.deb
Size/MD5 checksum: 311534 313f9f8e4db059b0c58bc37ef61fe6cd
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_mips.deb
Size/MD5 checksum: 61656 35c929f75f4ab0989ab7fe94afe08a3d
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_mips.deb
Size/MD5 checksum: 379520 57b63417bfb1d07afb79767268e56022
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_mipsel.deb
Size/MD5 checksum: 61688 63b48f033d11adeb78d933e36ad0a904
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_mipsel.deb
Size/MD5 checksum: 381286 0e05464ae0243e4c6abfa50d21bf032c
PowerPC architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_powerpc.deb
Size/MD5 checksum: 60740 5bfc0950afeb05321af3623f90b015e4
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_powerpc.deb
Size/MD5 checksum: 372902 e1706bbfe5c2e920465f339824c3639a
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_s390.deb
Size/MD5 checksum: 60742 95dcd70b6713309c6f0d57017b024ed7
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_s390.deb
Size/MD5 checksum: 364676 0e28c9bf8c98276469af3b7a906f9c39
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_sparc.deb
Size/MD5 checksum: 59944 6057d32cd180068884fa63923163cc92
http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_sparc.deb
Size/MD5 checksum: 354052 51387f66a75f9ab56fa036b970ace931
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEgA8TW5ql+IAeqTIRAnJoAKCo+RUx++bsD3QhPyrN+SVRsLn4fgCgom2y
kuqz0ZtlJqekaiMevzgL5EQ=
=T6Q7
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRIT2gyh9+71yA2DNAQJ/pwP6AoRAVAzhsaEfxxLK3UJJwfVSFq9AvBvT
UwP1jDgbzl0FqO/mbz0SN5yOKTSuEKKl1LmDDztMwaL5jVx1NMxPLAxCD8i2s0D7
/waZOcBbWRzzGBICoDmBgmPAEGTqNExo4B2lhkaJktP+N2UxU3Q87tBqJdHWVfMa
79watNKN4L8=
=l1i0
-----END PGP SIGNATURE-----