Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0878 -- [UNIX/Linux][Debian]
New gforge packages fix several vulnerabilities
8 November 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: gforge
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
Debian GNU/Linux 3.1
UNIX variants (UNIX, Linux, OSX)
Impact: Modify Arbitrary Files
Delete Arbitrary Files
Denial of Service
Access: Existing Account
CVE Names: CVE-2007-3921
Original Bulletin: http://www.debian.org/security/2007/dsa-1402
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running gforge check for an updated version of the software for
their operating system.
Revision History: November 8 2007: Added Comment
November 8 2007: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1402-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
November 07, 2007 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : gforge
Vulnerability : insecure temporary files
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2007-3921
Steve Kemp from the Debian Security Audit project discovered that gforge,
a collaborative development tool, used temporary files insecurely which
could allow local users to truncate files upon the system with the privileges
of the gforge user, or create a denial of service attack.
For the stable distribution (etch), this problem has been fixed in version
4.5.14-22etch3.
For the old stable distribution (sarge), this problem has been fixed in
version 3.1-31sarge4.
We recommend that you upgrade your gforge package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.dsc
Size/MD5 checksum: 868 4005b2a103656a62f38e1786a227b1d0
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz
Size/MD5 checksum: 1409879 c723b3a9efc016fd5449c4765d5de29c
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.diff.gz
Size/MD5 checksum: 297962 8fd56957c8fbab462ac619339c2f00d3
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge4_all.deb
Size/MD5 checksum: 55884 f4b7e0aee840e3574a0febf1615070be
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge4_all.deb
Size/MD5 checksum: 70804 967a22a70e3ee974962073ab74cfb980
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge4_all.deb
Size/MD5 checksum: 61044 7b10ab898c539af9aa118b38fcd77843
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge4_all.deb
Size/MD5 checksum: 72508 7ad6f5e0672cbb256fd12f270130adc6
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4_all.deb
Size/MD5 checksum: 56432 fc8ee68a79928b0833e2a183228a3493
http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge4_all.deb
Size/MD5 checksum: 59388 d0db9082a30227f4b9b60491d58a8c78
http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge4_all.deb
Size/MD5 checksum: 99248 6fb788e20a56a3b39688723a1c285680
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge4_all.deb
Size/MD5 checksum: 59914 79c5932a61e0382017da8e1893307e66
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge4_all.deb
Size/MD5 checksum: 148476 e22948a815a5ffa5b4c829b926f04d8c
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge4_all.deb
Size/MD5 checksum: 93924 12005d816bb895cb93c3add804d137bf
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge4_all.deb
Size/MD5 checksum: 64834 bea186826f61ae4b1d473d45d2821538
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge4_all.deb
Size/MD5 checksum: 65198 b17e85bb88554d2e083d9dcb799e6da7
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge4_all.deb
Size/MD5 checksum: 1108056 f812bd185a9dede06dec099e9abaa335
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge4_all.deb
Size/MD5 checksum: 58298 c3abd99679008d3919d59e373589d8cd
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge4_all.deb
Size/MD5 checksum: 64732 941c0d9bc65f37e3e8860adf3181a3fc
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.dsc
Size/MD5 checksum: 950 6099abb16f573f57a3bef4a5fec2df30
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.diff.gz
Size/MD5 checksum: 196475 94131f4f4040768e173c4568894f052f
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Size/MD5 checksum: 2161141 e85f82eff84ee073f80a2a52dd32c8a5
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch3_all.deb
Size/MD5 checksum: 85774 6ef702c44459bcb5602cf15f2c5408a7
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch3_all.deb
Size/MD5 checksum: 88240 03cd801f8442311fa94772b7f7994b92
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch3_all.deb
Size/MD5 checksum: 81816 0513fa49e24d3d32aab0b06f1784917a
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch3_all.deb
Size/MD5 checksum: 212246 5c8141de198c575026dd45daa102abf8
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch3_all.deb
Size/MD5 checksum: 86880 ed9555dda5c9362f86f9fd19f44da63e
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch3_all.deb
Size/MD5 checksum: 86070 4f98531e9f1a9140ead750449bece33e
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch3_all.deb
Size/MD5 checksum: 88852 fbb81cbba0e639c37f2aa4ed388ccb97
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch3_all.deb
Size/MD5 checksum: 1010522 d6c6de89c0373fe98f23484985db224b
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3_all.deb
Size/MD5 checksum: 80004 e57126df7280e1ef2822514db1886d34
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch3_all.deb
Size/MD5 checksum: 95346 2303c086ce85a29158fc6c6e98fe168d
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch3_all.deb
Size/MD5 checksum: 75808 5847979a3121ba010aa9cc99bf72d63b
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch3_all.deb
Size/MD5 checksum: 704552 f805d6dee8f80eed35d6b52f821e8e05
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch3_all.deb
Size/MD5 checksum: 103496 daab9b6b66b251d69b1774fd90c6fc98
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch3_all.deb
Size/MD5 checksum: 88346 be6ee1639fe1bcd0a3d8fb0ec398b48c
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHMhycwM/Gs81MDZ0RAm4KAKDFXPa/ccF52L8TuFiy0yDrD38UnQCggf60
Zlq2nxz+MO2O8KSDVtFYXBk=
=3/tx
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRzJWGyh9+71yA2DNAQLPwAP/aaxX1l9iLnBT972rAdU3MHfRNObzGbPa
6+svZ3Cp+cLl2nWkPJ9E92DXMc1b7cR2aX0jlS8xU3xF216Cd0Q9iNvhQ+t1WaMR
n0uGkOpOcaLpaehi8aX8PKIrm/n0Ix53zNYm9U551q8A6gIkRzBSS9px1urf/npa
YCOVTr5wJg4=
=JGAv
-----END PGP SIGNATURE-----