Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0995 -- [Debian]
New dbus packages fix denial of service
23 October 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dbus
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
Impact: Denial of Service
Access: Existing Account
CVE Names: CVE-2008-3834
Ref: ESB-2008.0983
Original Bulletin: http://www.debian.org/security/2008/dsa-1658
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1658-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
October 22, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : dbus
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-3834
Debian Bug : 501443
Colin Walters discovered that the dbus_signature_validate function in
dbus, a simple interprocess messaging system, is prone to a denial of
service attack.
For the stable distribution (etch), this problem has been fixed in
version 1.0.2-1+etch2.
For the testing distribution (lenny) and unstable distribution (sid)
this problem will be fixed soon.
We recommend that you upgrade your dbus package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2.dsc
Size/MD5 checksum: 824 476bb3df500c50f67b4088317482e0ef
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2.diff.gz
Size/MD5 checksum: 19909 27df2fd0bc5cb93069d6c10d89e0214a
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2.orig.tar.gz
Size/MD5 checksum: 1400278 0552a9b54beb4a044951b7cdbc8fc855
Architecture independent packages:
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-doc_1.0.2-1+etch2_all.deb
Size/MD5 checksum: 1623126 68e4e1787515928f95af670ec2677663
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_alpha.deb
Size/MD5 checksum: 403640 fa77ef6e2fc986018a1b6074b3ae9343
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_alpha.deb
Size/MD5 checksum: 184728 631b1a1ed1215eb05a696b40a72db26c
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_alpha.deb
Size/MD5 checksum: 378152 662bea6b7c1db00fdf933b53a2334f7d
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_alpha.deb
Size/MD5 checksum: 289022 3ebba7555c92b42fdfe9331c35fbafc6
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_amd64.deb
Size/MD5 checksum: 279202 dfbd440a6a800eea8ba2e46b692dd636
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_amd64.deb
Size/MD5 checksum: 348548 ccc32fdddbaca40a7e62cffc250d493a
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_amd64.deb
Size/MD5 checksum: 363840 fd13ad30b922eff52503762ba60d08e0
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_amd64.deb
Size/MD5 checksum: 184096 cb1028347d48476de045ad633939119a
arm architecture (ARM)
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_arm.deb
Size/MD5 checksum: 331110 508d164df564a28f626b1941bf784bcd
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_arm.deb
Size/MD5 checksum: 183846 34fc9addad9e6e1858107a9382fc89e4
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_arm.deb
Size/MD5 checksum: 343302 dd43eeb35c44bb838d45d6324f9842fb
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_arm.deb
Size/MD5 checksum: 265858 e2438b408ec289d96454d30c971a1eeb
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_hppa.deb
Size/MD5 checksum: 184866 7b0aa00c72398485849a46c3a376b5a3
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_hppa.deb
Size/MD5 checksum: 375644 6146db75333cc23bcf98184886e2358f
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_hppa.deb
Size/MD5 checksum: 362346 5002551bf82c33092fdd3fee8356078d
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_hppa.deb
Size/MD5 checksum: 285994 55964151812beb09104dadc5fe883ded
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_i386.deb
Size/MD5 checksum: 335874 116b0084af4713242092e2b07a64734f
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_i386.deb
Size/MD5 checksum: 349844 cfa20eea1e6e8be195d520199e8415c6
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_i386.deb
Size/MD5 checksum: 184284 98c8270b762a20bffc194124562c2a68
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_i386.deb
Size/MD5 checksum: 269032 ebf1993ab8d40f4d10becd43324c3fb7
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_ia64.deb
Size/MD5 checksum: 439328 0e4d4761c026e5d1a1d0fec1a2e2cc59
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_ia64.deb
Size/MD5 checksum: 186576 9a83ca03b18ba3bbaa0e976c73e5ee49
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_ia64.deb
Size/MD5 checksum: 411494 c4e44af1f20c10c57205270249f337a9
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_ia64.deb
Size/MD5 checksum: 322378 94081937e3524ee2faecb311d0b55772
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_mips.deb
Size/MD5 checksum: 370622 4bdcd5653af2b8d82005e4f517b9b4b4
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_mips.deb
Size/MD5 checksum: 183866 413cae07b1a9058a0c6aebdd7f8ea027
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_mips.deb
Size/MD5 checksum: 272250 6d0e938439d3eb8ca62606630b8c3703
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_mips.deb
Size/MD5 checksum: 359500 7f221dd76f85d4ba43e2f9de932a0e2d
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_mipsel.deb
Size/MD5 checksum: 184158 fb889a6d77b704244d791a6eacc6bdd7
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_mipsel.deb
Size/MD5 checksum: 369594 90c29c9d9647268f0b44b94a01de0f45
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_mipsel.deb
Size/MD5 checksum: 358738 cd6052fccfc4fefdda2ca7bf42823922
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_mipsel.deb
Size/MD5 checksum: 272356 c61c0d2c433d4300df31bc681d0d0edd
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_powerpc.deb
Size/MD5 checksum: 271688 b4fa35b2b6d5d106043064b321c62ff7
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_powerpc.deb
Size/MD5 checksum: 353198 192e72c7dabd1d8d7b64a755293969b9
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_powerpc.deb
Size/MD5 checksum: 184192 0a4598f9d41f45a4f8d99982258bc352
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_powerpc.deb
Size/MD5 checksum: 335480 4267b587cd7d75ea76dc36ec679bb2d6
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_s390.deb
Size/MD5 checksum: 355016 839cfa24a74c834cba9161faaf7621e0
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_s390.deb
Size/MD5 checksum: 285310 d7265f270c738d91c19bfaeeff8130a7
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_s390.deb
Size/MD5 checksum: 184598 86f3ad1f997139c8f2c18105417f369b
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_s390.deb
Size/MD5 checksum: 373294 8e8fbab4cf0f0214dbd64e6faaf1a87a
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_sparc.deb
Size/MD5 checksum: 340024 74d40edc715045d8693421b4093168c8
http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_sparc.deb
Size/MD5 checksum: 184162 32f294e0f8a06390053f8592cfce1f4d
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_sparc.deb
Size/MD5 checksum: 336182 65adba9662394147aad1d34bb5ac90a4
http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_sparc.deb
Size/MD5 checksum: 265080 9d47f318df9648ad5988c36e30d63016
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSP+D1mz0hbPcukPfAQKMyAf+IKzaHgiC7SGAygCqL+q+I7G369OnB/jg
9XkmYKugwFk6iwQNFyOcFNvmLn0FuykZZf4D2tA+p9Syzi6r17DK/s5k5ImG0Gkt
hVxUvix1VUxxRE6It3HDPTMgsJ95o7ux/ErcWATtv4YlbsxZ7ecLD+/h4wAFHrXW
zOTVO2zzpzUrLrnM9//PzD9ag8vznvwWREG146Xk0HaSVYSTsPpzBmR34pvFMGC/
Z1L+zdJYETPWsH2lfKB2Q0kAyjJQMM2nnxHatVO0eqHlyrPzoQwSyTBlwxlP4XmD
iU4MPgtK5CV/RMmxSG87/3JdXMnyPY+D8X9w6QVW3Gzbf5z51Idkpw==
=9fZV
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSP/EkSh9+71yA2DNAQKeKgP/buypffB9EeCM2zPFDNGBWYhiE/82f5zJ
c1Ovde7nf61/+6yl/C9AZSfLu1TfJFhyKD/b+XoG2khqfYuFMrV9Se3ZGtmrxKBT
/MIhxvMcNgK9dya2971I2iMXdtGOV/loS9CMLZWHAlkS5eXDmI1ToQYnmBCYW2hS
sTgY8LsrZ3Q=
=KZQP
-----END PGP SIGNATURE-----