===========================================================================
             AUSCERT External Security Bulletin Redistribution

             ESB-2007.0984 -- [Win][UNIX/Linux][Debian]
          New wesnoth packages fix arbitrary file disclosure
                            7 December 2007
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              wesnoth
Publisher:            Debian
Operating System:     Debian GNU/Linux
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Read-only Data Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5742

Original Bulletin:    http://www.debian.org/security/2007/dsa-1421

--------------------------BEGIN INCLUDED TEXT--------------------

--------------------------------------------------------------------------
Debian Security Advisory DSA 1421-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 6th, 2007                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : wesnoth
Vulnerability  : directory traversal
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-5742

A vulnerability has been discovered in Battle for Wesnoth that allows
remote attackers to read arbitrary files the user running the client
has access to on the machine running the game client.

For the old stable distribution (sarge) this problem has been fixed in
version 0.9.0-7.

For the stable distribution (etch) this problem has been fixed in
version 1.2-3.

For the stable backports distribution (etch-backports) this problem
has been fixed in version 1.2.8-1~bpo40+1.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.8-1.

For the experimental distribution this problem has been fixed in
version 1.3.12-1.

We recommend that you upgrade your wesnoth package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================