Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0760 -- [Debian] New libxslt packages fix arbitrary code execution 1 August 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libxslt Publisher: Debian Operating System: Debian GNU/Linux 4.0 Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2008-2935 Ref: ESB-2008.0758 Original Bulletin: http://www.debian.org/security/2008/dsa-1624 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1624-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff July 31, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : libxslt Vulnerability : buffer overflows Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2008-2935 Chris Evans discovered that a buffer overflow in the RC4 functions of libexslt may lead to the execution of arbitrary code. For the stable distribution (etch), this problem has been fixed in version 1.1.19-3. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your libxslt packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19.orig.tar.gz Size/MD5 checksum: 2799906 622e5843167593c8ea39bf86c66b8fcf http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19-3.diff.gz Size/MD5 checksum: 149686 b62a7dd0aa648576a266cd20d634c216 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19-3.dsc Size/MD5 checksum: 849 7d98fdda0079574b360d4a6e2a12e2be alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_alpha.deb Size/MD5 checksum: 107264 4aac707640a9fcf9aabcd42336b38be3 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_alpha.deb Size/MD5 checksum: 365058 0e966c67dfbc374141960789fcbe96ab http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_alpha.deb Size/MD5 checksum: 690408 a431dcc2f32428677e7b737b971e0f9e http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_alpha.deb Size/MD5 checksum: 230788 55d88a4f39eeccf4a21cd2b335c35ae5 http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_alpha.deb Size/MD5 checksum: 131312 ce983f9b6de55027f803e39d1dda2a25 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_amd64.deb Size/MD5 checksum: 362484 c91d2d5458f6de4002b4401f5675b742 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_amd64.deb Size/MD5 checksum: 225658 6d4a52da7c2ca5a4280b06bdf03875e0 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_amd64.deb Size/MD5 checksum: 630884 06616b7e52d2fc80530302c7d3acd540 http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_amd64.deb Size/MD5 checksum: 106562 7782d3653528b848ce1d98455f790196 http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_amd64.deb Size/MD5 checksum: 131782 8e9ed3c7418725e1853ae5ccbd082c9b arm architecture (ARM) http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_arm.deb Size/MD5 checksum: 106452 9ef81b83e04979147310ec62d2682550 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_arm.deb Size/MD5 checksum: 346610 29566f2276ff440e778dac5fb667f346 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_arm.deb Size/MD5 checksum: 613436 a9a4ebc76beb7ca67f9a7e92e8029ca7 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_arm.deb Size/MD5 checksum: 213438 2c16e6911e26b8fb360aabd16281c0f6 http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_arm.deb Size/MD5 checksum: 126468 b97c69ae48a06fd09a41fadc7c00366c hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_hppa.deb Size/MD5 checksum: 659318 c0f64453ca8cb8dbe9f3970cf157b3ab http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_hppa.deb Size/MD5 checksum: 238420 a7c8f14314bdb82fc51ec1578f4efad3 http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_hppa.deb Size/MD5 checksum: 107274 3fc49ac897c34e339b3f496700bdfd5e http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_hppa.deb Size/MD5 checksum: 132222 3f4dc4e5f1162e819bc534c610fad3dc http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_hppa.deb Size/MD5 checksum: 360748 a8c4ae1c8f2e8c348c852a0931f762c5 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_i386.deb Size/MD5 checksum: 105974 ea524e8b733c0aa52b797692ee2619b6 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_i386.deb Size/MD5 checksum: 216014 27edcf6172b7d9b5b304bf2265ce6e48 http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_i386.deb Size/MD5 checksum: 128718 3bb1df547e3b5312a382bda417a23bc6 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_i386.deb Size/MD5 checksum: 352132 a7707c2b2a1014f61b79383d639c734f http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_i386.deb Size/MD5 checksum: 589190 ea9dbf9647d07f026c6b1fd40c0a2546 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_ia64.deb Size/MD5 checksum: 364096 277f76958053137cd94f84d3543bfd75 http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_ia64.deb Size/MD5 checksum: 110406 2636a094ea4494abb2d972c6a7911689 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_ia64.deb Size/MD5 checksum: 688406 f8a2642f68f1afb6c2fe980acaef4db5 http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_ia64.deb Size/MD5 checksum: 135214 69e26e4d34a753112f8b4101f7c39812 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_ia64.deb Size/MD5 checksum: 286960 5e0ade1cf276e946cfd1a7f12160c7a0 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_mips.deb Size/MD5 checksum: 650964 68b73cf1d94f9e3df9bb5673270a3e4d http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_mips.deb Size/MD5 checksum: 128984 334fcd884357833ef1ba40e9753d856b http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_mips.deb Size/MD5 checksum: 106670 d93d383465f3c7943c82dcd65d1ac560 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_mips.deb Size/MD5 checksum: 213704 9f9fce502a07f2466b39ff4bf7ef58b0 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_mips.deb Size/MD5 checksum: 374008 12305da936211d86b13a7c98090391cb mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_mipsel.deb Size/MD5 checksum: 625304 53e74fce7300247478e318878b06a863 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_mipsel.deb Size/MD5 checksum: 365834 48789b75049ec966939982fafa7fa83e http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_mipsel.deb Size/MD5 checksum: 106716 d99ec4062b95d872f66a4a68cbd4bb60 http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_mipsel.deb Size/MD5 checksum: 128606 3ec247d95450b7091ffef7df0adad247 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_mipsel.deb Size/MD5 checksum: 213946 5ebc6eb3e75d70a0c093b2e9d65884d7 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_powerpc.deb Size/MD5 checksum: 223150 195bcb8c18c3024d4dbf15ad06d3d96c http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_powerpc.deb Size/MD5 checksum: 108146 332071c2aabb087b7ee3e6a12e6d2633 http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_powerpc.deb Size/MD5 checksum: 130170 1f2348ff3cb769eb72bb5a941afc1124 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_powerpc.deb Size/MD5 checksum: 612084 76ca146446c6470fab227e5cf4b91445 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_powerpc.deb Size/MD5 checksum: 367182 ec6a577956bedc887267bc6185abcedd s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_s390.deb Size/MD5 checksum: 601870 11a81ef5cf32bb11102b43b62c1d1371 http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_s390.deb Size/MD5 checksum: 106834 f3ed9fc6410f2f78de38348736116eee http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_s390.deb Size/MD5 checksum: 131760 1d7705741271ea0227cdf15eae46f846 http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_s390.deb Size/MD5 checksum: 226842 7700a4e49d319d5726074de70ff9a68f http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_s390.deb Size/MD5 checksum: 359430 f11c56a8baaa1bd61ef074324aea9068 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_sparc.deb Size/MD5 checksum: 599292 568ee2c44a15e4d5b1d27abb5f3f80ad http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_sparc.deb Size/MD5 checksum: 218166 953db53eba1934c6279875e4ff8b6834 http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_sparc.deb Size/MD5 checksum: 106372 c9eae6bbdde15ada4613922ab216c6ed http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_sparc.deb Size/MD5 checksum: 129172 8a97bb6cd74fe353383be290ea14298b http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_sparc.deb Size/MD5 checksum: 337986 2f869f832a7ecdcb7a6ae50b12d0e916 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkiSHgUACgkQXm3vHE4uylqklACgqpn4TCMTytxvAJYBaGdEKAYe w00AoObSWdP8IKI3e1DnEPisiPRUlUFV =Oc7f - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSJKCkSh9+71yA2DNAQJRHwP+LnbWXJoez4G+MC87bLrzwfeiUVnSKAbW dwwe+nLEZGG3xDF9eNOgOj5qKDQrwTcnrM9hxvZz2eZq+vyrTNV2AD4cUyxi2cd/ Sf97n1Enf3/pn5+RwOnjcisOQCRky7lENaw0Y8Zak9yRWvvb3kFQV6pqHUnvML6F Ju5kIjw9VoU= =sIFH -----END PGP SIGNATURE-----