Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0391 -- [UNIX/Linux][Debian] New xmcd packages fix denial of service 6 June 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: xmcd Publisher: Debian Operating System: Debian GNU/Linux 3.1 Debian GNU/Linux 3.0 UNIX variants (UNIX, Linux, OSX) Impact: Denial of Service Access: Existing Account CVE Names: CVE-2006-2542 Original Bulletin: http://www.debian.org/security/2006/dsa-1086 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running xmcd check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1086-1 security@debian.org http://www.debian.org/security/ Martin Schulze June 2nd, 2006 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : xmcd Vulnerability : design flaw Problem type : local Debian-specific: no CVE ID : CVE-2006-2542 Debian Bug : 366816 The xmcdconfig creates directories world-writeable allowing local users to fill the /usr and /var partition and hence cause a denial of service. This problem has been half-fixed since version 2.3-1. For the old stable distribution (woody) this problem has been fixed in version 2.6-14woody1. For the stable distribution (sarge) this problem has been fixed in version 2.6-17sarge1. For the unstable distribution (sid) this problem has been fixed in version 2.6-18. We recommend that you upgrade your xmcd package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1.dsc Size/MD5 checksum: 619 42038224877b80e57969e82e14a6ee5a http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1.diff.gz Size/MD5 checksum: 19169 3144b9f7dc78b1a0a668eff06ded3b08 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6.orig.tar.gz Size/MD5 checksum: 553934 ce3208e21d8e37059e44ce9310d08f5f Alpha architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_alpha.deb Size/MD5 checksum: 65648 d4beba33b15cdef57c315666e9dbeaf3 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_alpha.deb Size/MD5 checksum: 458520 da2013cefff5009ed770397ea7cf23fe ARM architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_arm.deb Size/MD5 checksum: 60464 2a9f06c9a2f888ea56ac62bdfe2eb05e http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_arm.deb Size/MD5 checksum: 378038 932f832766a947aac29d9b40f2f8a026 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_i386.deb Size/MD5 checksum: 58970 506435aef6b9a12c0715e73dea67eefd http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_i386.deb Size/MD5 checksum: 324960 2eba0f70812dada62ec2fb3f3b054318 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_ia64.deb Size/MD5 checksum: 66140 6d3eff9fdf1d9c6052c9554bc4dd584a http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_ia64.deb Size/MD5 checksum: 543700 dce5ff73c754b4425fe642117a52f5fa HP Precision architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_hppa.deb Size/MD5 checksum: 60954 f48d59a10a2891bdb1842da42fe0b0f4 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_hppa.deb Size/MD5 checksum: 406294 2b12245768fce9c5f57cc4a8818ea1be Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_m68k.deb Size/MD5 checksum: 58890 ce57236e978ed6310d23cf1cfede3224 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_m68k.deb Size/MD5 checksum: 309832 0de1924af1c4981505849da8e6b8c7af Big endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_mips.deb Size/MD5 checksum: 61476 8a4dcea7adbfb4a1c3294a2622e05d15 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_mips.deb Size/MD5 checksum: 377170 91d622c19970fe0dcda24f63e85c7350 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_mipsel.deb Size/MD5 checksum: 61436 27eaa3e4c2365f2e4b49c526acc3df00 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_mipsel.deb Size/MD5 checksum: 378122 c9b63596911f83c72a4c9b7fbd01abf0 PowerPC architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_powerpc.deb Size/MD5 checksum: 60998 74e9b62e02f69db4dfedab57100904dd http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_powerpc.deb Size/MD5 checksum: 364402 28547836494d0142a84c2bf58888c6bf IBM S/390 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_s390.deb Size/MD5 checksum: 59818 8d3d1ca6ff1fd1ceb32c42b73d4fe3bb http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_s390.deb Size/MD5 checksum: 347966 dd3cc13ee026156516f315b77cb1f06b Sun Sparc architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-14woody1_sparc.deb Size/MD5 checksum: 62724 597ddc3fe6e1c56a3ecb78e2b46c7fd4 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-14woody1_sparc.deb Size/MD5 checksum: 361214 e93e33fe714c4b5429eb7a2bce8ba0ea Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1.dsc Size/MD5 checksum: 619 25a530a0383c4ab2cbc2d23a6c95d5f2 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1.diff.gz Size/MD5 checksum: 20482 d9ce89eebe6f068df0c1d49eacc0bb4b http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6.orig.tar.gz Size/MD5 checksum: 553934 ce3208e21d8e37059e44ce9310d08f5f Alpha architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_alpha.deb Size/MD5 checksum: 62480 d99e5ad3da64edbfbc6a9e5c610683e1 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_alpha.deb Size/MD5 checksum: 452252 19bf881ff9a11a1d398d97ef2158f07c AMD64 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_amd64.deb Size/MD5 checksum: 60974 d14a6718ad2f95983d0af699aa585df2 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_amd64.deb Size/MD5 checksum: 375978 1064343cbef2794c637ce6431935280b ARM architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_arm.deb Size/MD5 checksum: 60052 870eb636eb62c6b3d5fc310d82e9ae2c http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_arm.deb Size/MD5 checksum: 363752 cf23e90fa86d845a66c297a12de2c887 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_i386.deb Size/MD5 checksum: 59976 95f0064a7b485df46d6275e3ba98b28e http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_i386.deb Size/MD5 checksum: 347032 2e5dfd037ca6a7d7e7ef77fa5b3cdd6a Intel IA-64 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_ia64.deb Size/MD5 checksum: 64146 9cf8c9c4c9aa5a6bf8da06ff9079e4df http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_ia64.deb Size/MD5 checksum: 521072 6759905bab7f05d9cba71fa19b7b971d HP Precision architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_hppa.deb Size/MD5 checksum: 61618 578d619050afd48ba63fbb103a443673 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_hppa.deb Size/MD5 checksum: 399428 b7c61aa93ff2efd42cb4375940b675df Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_m68k.deb Size/MD5 checksum: 59428 a95f8b6d48635de344faf79d8dce01f5 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_m68k.deb Size/MD5 checksum: 311534 313f9f8e4db059b0c58bc37ef61fe6cd Big endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_mips.deb Size/MD5 checksum: 61656 35c929f75f4ab0989ab7fe94afe08a3d http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_mips.deb Size/MD5 checksum: 379520 57b63417bfb1d07afb79767268e56022 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_mipsel.deb Size/MD5 checksum: 61688 63b48f033d11adeb78d933e36ad0a904 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_mipsel.deb Size/MD5 checksum: 381286 0e05464ae0243e4c6abfa50d21bf032c PowerPC architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_powerpc.deb Size/MD5 checksum: 60740 5bfc0950afeb05321af3623f90b015e4 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_powerpc.deb Size/MD5 checksum: 372902 e1706bbfe5c2e920465f339824c3639a IBM S/390 architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_s390.deb Size/MD5 checksum: 60742 95dcd70b6713309c6f0d57017b024ed7 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_s390.deb Size/MD5 checksum: 364676 0e28c9bf8c98276469af3b7a906f9c39 Sun Sparc architecture: http://security.debian.org/pool/updates/main/x/xmcd/cddb_2.6-17sarge1_sparc.deb Size/MD5 checksum: 59944 6057d32cd180068884fa63923163cc92 http://security.debian.org/pool/updates/main/x/xmcd/xmcd_2.6-17sarge1_sparc.deb Size/MD5 checksum: 354052 51387f66a75f9ab56fa036b970ace931 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEgA8TW5ql+IAeqTIRAnJoAKCo+RUx++bsD3QhPyrN+SVRsLn4fgCgom2y kuqz0ZtlJqekaiMevzgL5EQ= =T6Q7 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRIT2gyh9+71yA2DNAQJ/pwP6AoRAVAzhsaEfxxLK3UJJwfVSFq9AvBvT UwP1jDgbzl0FqO/mbz0SN5yOKTSuEKKl1LmDDztMwaL5jVx1NMxPLAxCD8i2s0D7 /waZOcBbWRzzGBICoDmBgmPAEGTqNExo4B2lhkaJktP+N2UxU3Q87tBqJdHWVfMa 79watNKN4L8= =l1i0 -----END PGP SIGNATURE-----