Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0878 -- [UNIX/Linux][Debian] New gforge packages fix several vulnerabilities 8 November 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: gforge Publisher: Debian Operating System: Debian GNU/Linux 4.0 Debian GNU/Linux 3.1 UNIX variants (UNIX, Linux, OSX) Impact: Modify Arbitrary Files Delete Arbitrary Files Denial of Service Access: Existing Account CVE Names: CVE-2007-3921 Original Bulletin: http://www.debian.org/security/2007/dsa-1402 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running gforge check for an updated version of the software for their operating system. Revision History: November 8 2007: Added Comment November 8 2007: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1402-1 security@debian.org http://www.debian.org/security/ Steve Kemp November 07, 2007 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : gforge Vulnerability : insecure temporary files Problem type : local Debian-specific: no CVE Id(s) : CVE-2007-3921 Steve Kemp from the Debian Security Audit project discovered that gforge, a collaborative development tool, used temporary files insecurely which could allow local users to truncate files upon the system with the privileges of the gforge user, or create a denial of service attack. For the stable distribution (etch), this problem has been fixed in version 4.5.14-22etch3. For the old stable distribution (sarge), this problem has been fixed in version 3.1-31sarge4. We recommend that you upgrade your gforge package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.dsc Size/MD5 checksum: 868 4005b2a103656a62f38e1786a227b1d0 http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz Size/MD5 checksum: 1409879 c723b3a9efc016fd5449c4765d5de29c http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.diff.gz Size/MD5 checksum: 297962 8fd56957c8fbab462ac619339c2f00d3 Architecture independent packages: http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge4_all.deb Size/MD5 checksum: 55884 f4b7e0aee840e3574a0febf1615070be http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge4_all.deb Size/MD5 checksum: 70804 967a22a70e3ee974962073ab74cfb980 http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge4_all.deb Size/MD5 checksum: 61044 7b10ab898c539af9aa118b38fcd77843 http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge4_all.deb Size/MD5 checksum: 72508 7ad6f5e0672cbb256fd12f270130adc6 http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4_all.deb Size/MD5 checksum: 56432 fc8ee68a79928b0833e2a183228a3493 http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge4_all.deb Size/MD5 checksum: 59388 d0db9082a30227f4b9b60491d58a8c78 http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge4_all.deb Size/MD5 checksum: 99248 6fb788e20a56a3b39688723a1c285680 http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge4_all.deb Size/MD5 checksum: 59914 79c5932a61e0382017da8e1893307e66 http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge4_all.deb Size/MD5 checksum: 148476 e22948a815a5ffa5b4c829b926f04d8c http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge4_all.deb Size/MD5 checksum: 93924 12005d816bb895cb93c3add804d137bf http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge4_all.deb Size/MD5 checksum: 64834 bea186826f61ae4b1d473d45d2821538 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge4_all.deb Size/MD5 checksum: 65198 b17e85bb88554d2e083d9dcb799e6da7 http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge4_all.deb Size/MD5 checksum: 1108056 f812bd185a9dede06dec099e9abaa335 http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge4_all.deb Size/MD5 checksum: 58298 c3abd99679008d3919d59e373589d8cd http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge4_all.deb Size/MD5 checksum: 64732 941c0d9bc65f37e3e8860adf3181a3fc Debian GNU/Linux 4.0 alias etch - - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.dsc Size/MD5 checksum: 950 6099abb16f573f57a3bef4a5fec2df30 http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.diff.gz Size/MD5 checksum: 196475 94131f4f4040768e173c4568894f052f http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz Size/MD5 checksum: 2161141 e85f82eff84ee073f80a2a52dd32c8a5 Architecture independent packages: http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch3_all.deb Size/MD5 checksum: 85774 6ef702c44459bcb5602cf15f2c5408a7 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch3_all.deb Size/MD5 checksum: 88240 03cd801f8442311fa94772b7f7994b92 http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch3_all.deb Size/MD5 checksum: 81816 0513fa49e24d3d32aab0b06f1784917a http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch3_all.deb Size/MD5 checksum: 212246 5c8141de198c575026dd45daa102abf8 http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch3_all.deb Size/MD5 checksum: 86880 ed9555dda5c9362f86f9fd19f44da63e http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch3_all.deb Size/MD5 checksum: 86070 4f98531e9f1a9140ead750449bece33e http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch3_all.deb Size/MD5 checksum: 88852 fbb81cbba0e639c37f2aa4ed388ccb97 http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch3_all.deb Size/MD5 checksum: 1010522 d6c6de89c0373fe98f23484985db224b http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3_all.deb Size/MD5 checksum: 80004 e57126df7280e1ef2822514db1886d34 http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch3_all.deb Size/MD5 checksum: 95346 2303c086ce85a29158fc6c6e98fe168d http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch3_all.deb Size/MD5 checksum: 75808 5847979a3121ba010aa9cc99bf72d63b http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch3_all.deb Size/MD5 checksum: 704552 f805d6dee8f80eed35d6b52f821e8e05 http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch3_all.deb Size/MD5 checksum: 103496 daab9b6b66b251d69b1774fd90c6fc98 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch3_all.deb Size/MD5 checksum: 88346 be6ee1639fe1bcd0a3d8fb0ec398b48c These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHMhycwM/Gs81MDZ0RAm4KAKDFXPa/ccF52L8TuFiy0yDrD38UnQCggf60 Zlq2nxz+MO2O8KSDVtFYXBk= =3/tx - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRzJWGyh9+71yA2DNAQLPwAP/aaxX1l9iLnBT972rAdU3MHfRNObzGbPa 6+svZ3Cp+cLl2nWkPJ9E92DXMc1b7cR2aX0jlS8xU3xF216Cd0Q9iNvhQ+t1WaMR n0uGkOpOcaLpaehi8aX8PKIrm/n0Ix53zNYm9U551q8A6gIkRzBSS9px1urf/npa YCOVTr5wJg4= =JGAv -----END PGP SIGNATURE-----