-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2008.0406 -- [Win][UNIX/Linux][Debian]
            New python2.4 packages fix several vulnerabilities
                               21 April 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              python2.4
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Confidential Data
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1887 CVE-2008-1721 CVE-2008-1679
                      CVE-2007-4965 CVE-2007-2052

Ref:                  ESB-2008.0189
                      AU-2007.0028

Original Bulletin:    http://www.debian.org/security/2008/dsa-1551

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running python check for an updated version of the software for
         their operating system

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1551-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
April 19, 2008                        http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : python2.4
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887

Several vulnerabilities have been discovered in the interpreter for the
Python language. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2007-2052

    Piotr Engelking discovered that the strxfrm() function of the locale
    module miscalculates the length of an internal buffer, which may
    result in a minor information disclosure.

CVE-2007-4965

    It was discovered that several integer overflows in the imageop
    module may lead to the execution of arbitrary code, if a user is
    tricked into processing malformed images. This issue is also
    tracked as CVE-2008-1679 due to an initially incomplete patch.

CVE-2008-1721
 
    Justin Ferguson discovered that a buffer overflow in the zlib
    module may lead to the execution of arbitrary code.

CVE-2008-1887

    Justin Ferguson discovered that insufficient input validation in
    PyString_FromStringAndSize() may lead to the execution of arbitrary
    code.

For the stable distribution (etch), these problems have been fixed in
version 2.4.4-3+etch1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.5-2.

We recommend that you upgrade your python2.4 packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- - -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.diff.gz
    Size/MD5 checksum:   195434 8b86b3dc4c5a86a9ad8682fee56f30ca
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
    Size/MD5 checksum:  9508940 f74ef9de91918f8927e75e8c3024263a
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.dsc
    Size/MD5 checksum:     1201 585773fd24634e05bb56b8cc85215c65

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch1_all.deb
    Size/MD5 checksum:   589642 63092c4cd1ea78c0993345be25a162b8
  http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch1_all.deb
    Size/MD5 checksum:    60864 21664a3f029087144046b6c175e88736

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:  2968890 60a29f058a96e21d278a738fbb8067bf
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:  1848176 ddb7c47970f277baa00e6c080e4530bd
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:  5226532 5aa6daa859acdfdfcb7445586f4a0eb6
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:   963606 38c08ee31ae6189631e503ad3d76fa87

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:  2967058 6f06a90e94a6068b126413111185aff5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:  1635936 d5f98666609c652224b5552f5bb6b7a9
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:   966196 7436b29b52acd99872d79b595f489ace
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:  5587046 82444f4d11055f259d0899a0f8574b37

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:  2881272 408ac2b8cd6180975109364b26ae1c95
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:   901442 88d59caa6744da5c62a802124087d09c
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:  1500512 3113ad3590f5969703ce426a23ca67dd
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:  5351974 4f77de8e3dd9c12aa1e06a57cee82dac

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  3073066 1b4498c26a825c27c6d9765ed8a2e33e
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  5521834 68a5524fdb007cacc29a38865a43781d
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  1798220 6c9ce4754c024fbd1674a63c5ba0f06a
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  1017646 b8dd6490a43da08aa36c43712c360ff8

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:  2849512 2598cb802b7f5e1aac6404b801a0a7f0
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:  1508782 b8ffe50ecf5dfe173765dc5b263b7737
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:  5176966 f6892dc5e598f1811bfc32ea81a863d6
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:   900670 7956a1cf96b4b59de2d9e4972e04fff2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  3371938 88e170459b0762e1db775753f6d69bb5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  2269496 2c1ef318f92b9d4b1c202ad77c8c4462
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  1289496 d6fba2d2ea64736cf614b0b3b1ced9bf
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  6059106 e1008e68d3d775590b2a29bd7bec7b6c

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:  2906992 e6e43c336e1095e3fe7f5985e500bf55
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:  1725610 a9e2b6b11b1d9185885a9f99ed2d03b8
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:  5646190 5c420d1aa984c190b121c8494c6fca5a
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:   956712 4949e953435f72cf9d06bb8684170175

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:  1717120 30986065ecf6810f46294c8ca196b538
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:   939320 89571b10c2635774f65921083344a911
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:  5507492 a06d9728ef16072ee50b3a1fcf7d08a8
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:  2863620 90b6a4b2c498acb4a46e205d36cf8ec9

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:  1639780 4b7c83795b6d07c3a4050d5db977c577
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:  5778968 7e97b8f62daf0f91e48bf6af20552b51
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:  2956174 8e55e492ee8aa6e4787e77b161a245e5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:   978078 9212e583942704f71a07478baa4d6446

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:   973904 3cc580a21934a7f5fac203235386e250
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:  2976776 efb7a2dc81b69a45ead47986d3b8fce5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:  1646932 146ee8341c514308b15ca151753b3ca8
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:  5667818 9b4543d9a0e5f51e8d9b790f6c3b43c8


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFICiFUXm3vHE4uyloRAngQAKCJJPkv3wrtkymZDNanh9AQoGeRxACgqrLd
GsESR3yK0RopGIWWi6Ed91I=
=rgLC
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSAvYlCh9+71yA2DNAQK0/AP6Arhx7n0PRaYA6Qg337nCmtmhX0Vhe/3n
5xc4Rh1Lck2ceGVx1/ryfMCWR+/6Aghg0kaidOZuaEv8d7Ait9bb8cXkpsXQnMAF
aGFszFx6tHUdk5n2Xa5Ii78EM+h0ucRtNo5lrYI23MsIfGyN/IUNdKMTPtkZTMaD
TLurytdeNfA=
=0fhb
-----END PGP SIGNATURE-----