-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0206 -- [Debian]
        New diatheke packages fix arbirary shell command execution
                             26 February 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              diatheke
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      Debian GNU/Linux 3.1
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0932

Original Bulletin:    http://www.debian.org/security/2008/dsa-1508

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1508-1                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
February 25, 2008                     http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : diatheke
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2008-0932
Debian Bug     : 466449

Dan Dennison discovered that Diatheke, a CGI program to make a bible
website, performs insufficient sanitising of a parameter, allowing a
remote attacker to execute arbitrary shell commands as the web server
user.

For the stable distribution (etch), this problem has been fixed in version
1.5.9-2etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 1.5.7-7sarge1.

For the unstable distribution (sid), this problem has been fixed in version
1.5.9-8.

We recommend that you upgrade your diatheke package.


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/sword/sword_1.5.7-7sarge1.dsc
    Size/MD5 checksum:      938 4f7872250c457ac36f0b20b4be235647
  http://security.debian.org/pool/updates/main/s/sword/sword_1.5.7-7sarge1.diff.gz
    Size/MD5 checksum:   277640 f8993cddacdac25ca55b7e99ced8ff49
  http://security.debian.org/pool/updates/main/s/sword/sword_1.5.7.orig.tar.gz
    Size/MD5 checksum:  1482711 369f09068839c646aeab691c63a40d67

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_alpha.deb
    Size/MD5 checksum:   861694 ca88e3e550ae01cd8e3ad1a6d6471814
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_alpha.deb
    Size/MD5 checksum:   419320 35838e66e76e99777524aa81741025c8
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_alpha.deb
    Size/MD5 checksum:    61684 b97611c37f53b39941573e6c76609c40

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_amd64.deb
    Size/MD5 checksum:   602656 c4b37895a49dce481ea3c6a8817123c2
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_amd64.deb
    Size/MD5 checksum:    56944 ad12da845e900e3a28c70b9b2baa6d70
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_amd64.deb
    Size/MD5 checksum:   383486 614d4988fd26ccc58dbe1029aacb7930

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_arm.deb
    Size/MD5 checksum:    60386 3400611bc0cba8ea77e4bfbeaa659ac6
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_arm.deb
    Size/MD5 checksum:   664170 d0d17f06931f3e6076aed502e8128d5c
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_arm.deb
    Size/MD5 checksum:   423264 9951b8913a4c6b18b357aead48e53f6c

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_hppa.deb
    Size/MD5 checksum:    62772 676ff7f61ab0ee7629e7fcb59d67cfd5
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_hppa.deb
    Size/MD5 checksum:   494764 15e5da49e21a167088aacebf94a12367
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_hppa.deb
    Size/MD5 checksum:   750722 44a066596efa0bb63b184635d3d9c985

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_i386.deb
    Size/MD5 checksum:   556994 f04d2f9bc41e5703967630adf4e12754
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_i386.deb
    Size/MD5 checksum:   388072 4dabb05ea1d6b72ba61e8877cbad1544
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_i386.deb
    Size/MD5 checksum:    58108 665ce388ee9a74a0d850007beae3051a

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_ia64.deb
    Size/MD5 checksum:   466340 0a9f1874a5ee1d6617da38d4f7417802
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_ia64.deb
    Size/MD5 checksum:    64644 e50afdc379e2ee1cfc63362ca56b6a43
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_ia64.deb
    Size/MD5 checksum:   837798 81cf1be5ab2d124e9dd92a1da9c1c15d

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_m68k.deb
    Size/MD5 checksum:   417132 f5e116fb462b5bdf9ef08211d1c6cd52
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_m68k.deb
    Size/MD5 checksum:    57980 86d8007e4816fffee69ea16c4827ce06
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_m68k.deb
    Size/MD5 checksum:   567256 2d9c3d17625959ab6cc07e4f793ffe1e

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_mips.deb
    Size/MD5 checksum:    56452 5d7c6933e70b725863bd0a66c67a55fe
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_mips.deb
    Size/MD5 checksum:   386732 9cf45f9a4f2a724ddf59f44722fe65a0
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_mips.deb
    Size/MD5 checksum:   646212 b9384991c2c1b2b8e0018b6416d31951

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_mipsel.deb
    Size/MD5 checksum:    56966 35d2052410564a85968bf742f3f68dbf
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_mipsel.deb
    Size/MD5 checksum:   379530 26b3825148616fd2d6dd3cd903a4e977
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_mipsel.deb
    Size/MD5 checksum:   638566 46b77e2b772f5541e1796e7da843a247

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_powerpc.deb
    Size/MD5 checksum:   391192 0b34febe0ebb14c92682c2dbc76771fa
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_powerpc.deb
    Size/MD5 checksum:    58252 19548157c20b44b18caef5d403e14fb7
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_powerpc.deb
    Size/MD5 checksum:   604674 be541b1d6bcc5e80316060186be21d10

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_s390.deb
    Size/MD5 checksum:    56026 b8120c2d0e5be07ddb300af6a60c1faa
  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_s390.deb
    Size/MD5 checksum:   370772 ddf6d071ad5aa712420c75a8d2bfb738
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_s390.deb
    Size/MD5 checksum:   556410 ee6ddc10bfbe16de2169fdc0520141b0

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/s/sword/libsword4_1.5.7-7sarge1_sparc.deb
    Size/MD5 checksum:   371800 65781c2553eb412d5fde41764acda7a4
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.7-7sarge1_sparc.deb
    Size/MD5 checksum:   562484 01aab00a96c2a41a993dda30244bcd39
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.7-7sarge1_sparc.deb
    Size/MD5 checksum:    55892 269c7013235b22bb8f729d1be6afdf14

Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/sword/sword_1.5.9.orig.tar.gz
    Size/MD5 checksum:  1806178 346539f31b41015161d8dd0d2f035243
  http://security.debian.org/pool/updates/main/s/sword/sword_1.5.9-2etch1.diff.gz
    Size/MD5 checksum:    82071 c39c316e9c81e54136eb02f68292c09d
  http://security.debian.org/pool/updates/main/s/sword/sword_1.5.9-2etch1.dsc
    Size/MD5 checksum:     1026 d93f49c3798272c9de84ec6ae5d1cbed

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_alpha.deb
    Size/MD5 checksum:    63862 f5bd3d4b2b9f4d25e4e46bd340be6574
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_alpha.deb
    Size/MD5 checksum:  1083146 9e5c12ac37f74c73de71640dc9123451
  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_alpha.deb
    Size/MD5 checksum:   570134 8f0e4a8a277c52f8792fbaaf3832cad4

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_amd64.deb
    Size/MD5 checksum:    60336 bda3b15108b9219d05c912a163aebe3f
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_amd64.deb
    Size/MD5 checksum:   753952 b3317e5f636d51d0d3cb67bea6d8ff66
  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_amd64.deb
    Size/MD5 checksum:   522700 c3811d54aaf90d8a1e21f15c5002fd17

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_arm.deb
    Size/MD5 checksum:   573672 8ffba4012e609e2798d350b38ddbd8c7
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_arm.deb
    Size/MD5 checksum:   766388 55b6d5123ca9b9092032bf9caee98112
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_arm.deb
    Size/MD5 checksum:    63234 958ca4da6586909d9409b40329f39f45

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_hppa.deb
    Size/MD5 checksum:   584080 6f1cc9c15b664ebb74e1cf7e939c4f75
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_hppa.deb
    Size/MD5 checksum:   845330 71c64fedf3e13c7b539f312eb086c49a
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_hppa.deb
    Size/MD5 checksum:    61824 2d469a58a247a92c465580385506f9a7

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_i386.deb
    Size/MD5 checksum:   526314 95b5aaff3ccec4dcd1f77e95f6bf2da0
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_i386.deb
    Size/MD5 checksum:   701078 e3c8ec3d6dcfcfae0cddbb618353db36
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_i386.deb
    Size/MD5 checksum:    62206 0a384fecde3e4492fda105eb9d82ce35

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_ia64.deb
    Size/MD5 checksum:    67770 c7296f050f8b6aa8b3716407c1e8bd9e
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_ia64.deb
    Size/MD5 checksum:  1056066 63924aeee34272cb2aa1488ffcb62c49
  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_ia64.deb
    Size/MD5 checksum:   652744 4e403c544c3894965f828fa63336d227

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_mips.deb
    Size/MD5 checksum:   513104 4235aac60a97d5095faa74fcb6f63673
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_mips.deb
    Size/MD5 checksum:   808744 5fcc41e803e360838401204ea3d15473
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_mips.deb
    Size/MD5 checksum:    59746 c1cbe01f3531e635f30bb2b41b362222

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_mipsel.deb
    Size/MD5 checksum:   798964 db9f7c30066e22baadbcb732b6eadbf8
  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_mipsel.deb
    Size/MD5 checksum:   491160 53790c7e146badd8a45bb46bf5908d7e
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_mipsel.deb
    Size/MD5 checksum:    59656 cbcedf0aa7bed75a0c633367c08b24ea

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_powerpc.deb
    Size/MD5 checksum:    61128 e66a08fccc0c312e7ae74296dda033ad
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_powerpc.deb
    Size/MD5 checksum:   777846 579e38653daaddc21914087ad5584b57
  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_powerpc.deb
    Size/MD5 checksum:   535186 2f9311708b7d8ec3121831676086f333

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_s390.deb
    Size/MD5 checksum:   495200 fc79f7ccbeabbd6e7522918f1b749c75
  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_s390.deb
    Size/MD5 checksum:   684810 776d22f572895a62b0a569321a9cbb8d
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_s390.deb
    Size/MD5 checksum:    58638 0c496a1f4ab88f02fd737a30a61939a3

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.9-2etch1_sparc.deb
    Size/MD5 checksum:   689496 0d06108dda2563af38065bc454d1e9ac
  http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.9-2etch1_sparc.deb
    Size/MD5 checksum:    59264 71c327d607c82faaacbc5a8fe498e8da
  http://security.debian.org/pool/updates/main/s/sword/libsword6_1.5.9-2etch1_sparc.deb
    Size/MD5 checksum:   548874 6c18df8573010673e5a3855ec326604b


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR8MNhWz0hbPcukPfAQKXIwf9GA4xUv4IEC/FlHH6xWnRLHwD8OsVTEFf
r+eSjxhQy3At2SEIRN4BPxGp9KyMpHhwox69S4SG5dcpAIJJk5Jks+WumYkYPOsc
R/J9iiadAQ+nUBZvM8pfZCEOKE6VULTzTxJDoPYsio71FVMrezXlJWeq2/sFyiyE
lEpqt84xTi86XGCy77Mi4pUCszQ+XtOZQB8T/tCNxQpqvX3tZpjzTM0LSF/ZCREO
lQ8s/JnXeAP8i97ksYRAn659shLnhviQeN3G8Kf5tYT+xDxl0bPqIoKEUL38cdSY
jtxN+AMF9bTkkyNJO3xk1MPasH91JrP8GeoB5NYTP/zNi8g3PIfzsQ==
=EEB8
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR8NLVyh9+71yA2DNAQJW+wP/d4uLFOHplVNPdKqJ0X8SxwEX4iYK6ptv
eNhbqW48dkdul+kPbZ1acxHBoD9tIVc0VNNECzlaVzTLPm8YcQnAAt+mwVChA2ho
eg9G8lcw9Qvn7VIm+vOZAjVPMXqIBnM32YihMfNKkYpbIjfrm5K36a6M5VyKZrks
3cqoLZ4PWFs=
=wavs
-----END PGP SIGNATURE-----