-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2008.0767 -- [Win][UNIX/Linux][Debian]
             New httrack packages fix arbitrary code execution
                               4 August 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              httrack
                      winhttrack
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-3429

Original Bulletin:    http://www.debian.org/security/2008/dsa-1626

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1626-1                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
August 01, 2008                       http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : httrack
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
BugTraq ID     : 30425

Joan Calvet discovered that httrack, a utility to create local copies of
websites, is vulnerable to a buffer overflow potentially allowing to
execute arbitrary code when passed excessively long URLs.

For the stable distribution (etch), this problem has been fixed in
version 3.40.4-3.1+etch1.

For the testing (lenny) and unstable distribution (sid), this problem has
been fixed in version 3.42.3-1.

We recommend that you upgrade your httrack package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1.dsc
    Size/MD5 checksum:      950 277074178046b94ceebefa5f5eaee9de
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4.orig.tar.gz
    Size/MD5 checksum:  1626176 9e4de064afc1dfcb6f50b773f8081f1c
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1.diff.gz
    Size/MD5 checksum:     7597 005a605bfabc7f0830d8db87d3ee67fe

Architecture independent packages:

  http://security.debian.org/pool/updates/main/h/httrack/httrack-doc_3.40.4-3.1+etch1_all.deb
    Size/MD5 checksum:   516676 9f2c726cbc7e6f97dfeda4f8a72c8e77

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_amd64.deb
    Size/MD5 checksum:   441370 a37aaf592b7ab95fd11eeec082d4919a
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_amd64.deb
    Size/MD5 checksum:   395946 7eea58a1b8a7d6d11501ec2e879f0167
  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_amd64.deb
    Size/MD5 checksum:    61108 0894913629340bd559c929d07a05f19f
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_amd64.deb
    Size/MD5 checksum:    31766 63db4ac65e705d74d1eab458b33f56e5
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_amd64.deb
    Size/MD5 checksum:   491618 e8a2076bb272020be529c39a53eea534

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_arm.deb
    Size/MD5 checksum:    33424 eed7c807ccebd9db0722545849938d0f
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_arm.deb
    Size/MD5 checksum:   281686 1b4a63e9fea5cdbcd49eb02354fd0608
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_arm.deb
    Size/MD5 checksum:   350912 9c85eea85e7bf24b734f259ecba0a303
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_arm.deb
    Size/MD5 checksum:   443078 64a26f96bfb086474c47a9f37d9db15d
  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_arm.deb
    Size/MD5 checksum:    59448 70d880740666db737ef8cbc8730e5377

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_hppa.deb
    Size/MD5 checksum:    34180 5ac05721cb623cf7c25b9bffbc81ad6d
  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_hppa.deb
    Size/MD5 checksum:    65948 7a8fa1831ffadffab827c2a8ecc44068
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_hppa.deb
    Size/MD5 checksum:   321760 ee4562bcf5255b6addf8ac0b673d19fe
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_hppa.deb
    Size/MD5 checksum:   440990 594b8679acb8e05c9b0bede368a86ad3
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_hppa.deb
    Size/MD5 checksum:   438154 2bc91f3ebd931a161595b2c95253d15a

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_i386.deb
    Size/MD5 checksum:    32152 4f545c6163fc8516c6d0dae9ddf6082e
  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_i386.deb
    Size/MD5 checksum:    59458 4c81a59964535c95ccdb08916fc47f63
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_i386.deb
    Size/MD5 checksum:   482448 8db927e07b642477f60cb0e4beeb2b3e
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_i386.deb
    Size/MD5 checksum:   438432 ae91317aa8eb3a32fdf6b5be6a3c153b
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_i386.deb
    Size/MD5 checksum:   365534 c38c17f82ea6b110c52d17d6a8098563

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_ia64.deb
    Size/MD5 checksum:    92114 88d98af0e94dbe1137db57341c0d7fe3
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_ia64.deb
    Size/MD5 checksum:    35186 fcf89c422fdac82f9e436bd4ff13d161
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_ia64.deb
    Size/MD5 checksum:   736406 a4a9b2fdd5d4ba5e0147e56e39a81bb3
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_ia64.deb
    Size/MD5 checksum:   450002 523074d62431c05143a8db9d0d3ca8b3
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_ia64.deb
    Size/MD5 checksum:   501600 b0b7938e039dc12e6289353407a66f24

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_mips.deb
    Size/MD5 checksum:   422550 ddefd0cf52d210266bc10c1d6dfec2f1
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_mips.deb
    Size/MD5 checksum:   272376 f4312876c36fe9da386f7d10115cc87a
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_mips.deb
    Size/MD5 checksum:   438438 d37c7460ca2f4a848b4d441d90911d9a
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_mips.deb
    Size/MD5 checksum:    33282 5f42aacc153fda5b4feac0932455b956
  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_mips.deb
    Size/MD5 checksum:    64622 aa402be8bab600e6f9a7cc901e11be8b

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_mipsel.deb
    Size/MD5 checksum:   417812 71a8ae7e5cf51716c6c78debc31ce6a2
  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_mipsel.deb
    Size/MD5 checksum:    64644 133bbfcee5935a205eb131dc9f363c08
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_mipsel.deb
    Size/MD5 checksum:    33654 2b6df5a12a8f3457ee6e6353a73ed7f0
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_mipsel.deb
    Size/MD5 checksum:   432074 ef11cd7c26b5330fbf1b744559cd8c14
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_mipsel.deb
    Size/MD5 checksum:   271738 ee6ee78ba71e8977f4c6ad954f5356f6

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_powerpc.deb
    Size/MD5 checksum:    64012 33554371d96a8d344f673f7310dbba34
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_powerpc.deb
    Size/MD5 checksum:   556868 b313c676177281c3f6a9c38d9304a741
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_powerpc.deb
    Size/MD5 checksum:   433912 d51594790fad947486d48a744abf2823
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_powerpc.deb
    Size/MD5 checksum:   350286 59f98436ea6d2fe90a980fe3ce133db4
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_powerpc.deb
    Size/MD5 checksum:    33998 1db2f2c7241c8274316c82e353213e00

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_s390.deb
    Size/MD5 checksum:    33560 7c3edeff7fd589d901f5c1dc67468c0c
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_s390.deb
    Size/MD5 checksum:   371182 7ef2888222cf6fd4f2751e140fc6f77b
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_s390.deb
    Size/MD5 checksum:   291818 063df1d6823a3489d3d859100bbe067a
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_s390.deb
    Size/MD5 checksum:   432386 6f88d4af48ee49e29f548ebde7308a43
  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_s390.deb
    Size/MD5 checksum:    63462 f6850ab5eb5acd7a870664fef6ec520c

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_sparc.deb
    Size/MD5 checksum:    58698 128e8fa3ec781b8a4bc8cdae7438ef40
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_sparc.deb
    Size/MD5 checksum:   379330 865d453bb4f80590a0d267b7aa8c5a84
  http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_sparc.deb
    Size/MD5 checksum:   432042 9a9fc3e7a5db34850ed2fabf9465a214
  http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_sparc.deb
    Size/MD5 checksum:   553276 1d2d44e03ec1230a13442b4c72333906
  http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_sparc.deb
    Size/MD5 checksum:    31910 f9d4ef0ffe87192ac5410b456b9c2eaf


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEUAwUBSJLAh2z0hbPcukPfAQLFrgf4+1LO8Vq/NCswQ4QJ1aLKUMgl4gWYd+HD
qNFH+9UqDV0yVVK7sX3mH/PfL0nabuCcDO6ev3MNv+UtjXPji3SYj7eJW3O8I6mL
R9hi9kqgUcrHnrRb0QYr++I6VNHb31UYjAvPBUmM0D1mB4C9EYuZecYmptzcqrcX
u/c9KEZE7tOT2+2jSYb7pkiNNYHZl954KerTR1einaViphKboI7Urp2p6+ib1U9n
mOFAe6JYeea/1o9MAMF1u7I5d82pUS/ZK5W0ShB56DqtKxA02tT0Foa19XpqYoMA
Yo+8tJgD8SXuYmfvLQJhiVrszhG0asZZq9yNDgmAgrje59Cw2d2d
=GQbA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSJZOvyh9+71yA2DNAQLDYwP/amwZm2B3eImbG6JfKFXk+nYnUVvJQRZp
lQ9qMiHA3kq1l0IaQl5lqHH9V2GQRiZPSkCTnJzJndxcGtJPQU5IRg2ZE98wNvt/
UTl6BP4uhkV7nSxz6TwRmL+Ui3hZQzwEx7SBvChx/DlEfeDZMqLyWVOzV4EBXqjT
7pJ/+1QpO3I=
=+Y74
-----END PGP SIGNATURE-----