Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0995 -- [Debian] New dbus packages fix denial of service 23 October 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: dbus Publisher: Debian Operating System: Debian GNU/Linux 4.0 Impact: Denial of Service Access: Existing Account CVE Names: CVE-2008-3834 Ref: ESB-2008.0983 Original Bulletin: http://www.debian.org/security/2008/dsa-1658 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1658-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst October 22, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : dbus Vulnerability : programming error Problem type : local Debian-specific: no CVE Id(s) : CVE-2008-3834 Debian Bug : 501443 Colin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. For the stable distribution (etch), this problem has been fixed in version 1.0.2-1+etch2. For the testing distribution (lenny) and unstable distribution (sid) this problem will be fixed soon. We recommend that you upgrade your dbus package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2.dsc Size/MD5 checksum: 824 476bb3df500c50f67b4088317482e0ef http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2.diff.gz Size/MD5 checksum: 19909 27df2fd0bc5cb93069d6c10d89e0214a http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2.orig.tar.gz Size/MD5 checksum: 1400278 0552a9b54beb4a044951b7cdbc8fc855 Architecture independent packages: http://security.debian.org/pool/updates/main/d/dbus/dbus-1-doc_1.0.2-1+etch2_all.deb Size/MD5 checksum: 1623126 68e4e1787515928f95af670ec2677663 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_alpha.deb Size/MD5 checksum: 403640 fa77ef6e2fc986018a1b6074b3ae9343 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_alpha.deb Size/MD5 checksum: 184728 631b1a1ed1215eb05a696b40a72db26c http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_alpha.deb Size/MD5 checksum: 378152 662bea6b7c1db00fdf933b53a2334f7d http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_alpha.deb Size/MD5 checksum: 289022 3ebba7555c92b42fdfe9331c35fbafc6 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_amd64.deb Size/MD5 checksum: 279202 dfbd440a6a800eea8ba2e46b692dd636 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_amd64.deb Size/MD5 checksum: 348548 ccc32fdddbaca40a7e62cffc250d493a http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_amd64.deb Size/MD5 checksum: 363840 fd13ad30b922eff52503762ba60d08e0 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_amd64.deb Size/MD5 checksum: 184096 cb1028347d48476de045ad633939119a arm architecture (ARM) http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_arm.deb Size/MD5 checksum: 331110 508d164df564a28f626b1941bf784bcd http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_arm.deb Size/MD5 checksum: 183846 34fc9addad9e6e1858107a9382fc89e4 http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_arm.deb Size/MD5 checksum: 343302 dd43eeb35c44bb838d45d6324f9842fb http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_arm.deb Size/MD5 checksum: 265858 e2438b408ec289d96454d30c971a1eeb hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_hppa.deb Size/MD5 checksum: 184866 7b0aa00c72398485849a46c3a376b5a3 http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_hppa.deb Size/MD5 checksum: 375644 6146db75333cc23bcf98184886e2358f http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_hppa.deb Size/MD5 checksum: 362346 5002551bf82c33092fdd3fee8356078d http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_hppa.deb Size/MD5 checksum: 285994 55964151812beb09104dadc5fe883ded i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_i386.deb Size/MD5 checksum: 335874 116b0084af4713242092e2b07a64734f http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_i386.deb Size/MD5 checksum: 349844 cfa20eea1e6e8be195d520199e8415c6 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_i386.deb Size/MD5 checksum: 184284 98c8270b762a20bffc194124562c2a68 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_i386.deb Size/MD5 checksum: 269032 ebf1993ab8d40f4d10becd43324c3fb7 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_ia64.deb Size/MD5 checksum: 439328 0e4d4761c026e5d1a1d0fec1a2e2cc59 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_ia64.deb Size/MD5 checksum: 186576 9a83ca03b18ba3bbaa0e976c73e5ee49 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_ia64.deb Size/MD5 checksum: 411494 c4e44af1f20c10c57205270249f337a9 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_ia64.deb Size/MD5 checksum: 322378 94081937e3524ee2faecb311d0b55772 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_mips.deb Size/MD5 checksum: 370622 4bdcd5653af2b8d82005e4f517b9b4b4 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_mips.deb Size/MD5 checksum: 183866 413cae07b1a9058a0c6aebdd7f8ea027 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_mips.deb Size/MD5 checksum: 272250 6d0e938439d3eb8ca62606630b8c3703 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_mips.deb Size/MD5 checksum: 359500 7f221dd76f85d4ba43e2f9de932a0e2d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_mipsel.deb Size/MD5 checksum: 184158 fb889a6d77b704244d791a6eacc6bdd7 http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_mipsel.deb Size/MD5 checksum: 369594 90c29c9d9647268f0b44b94a01de0f45 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_mipsel.deb Size/MD5 checksum: 358738 cd6052fccfc4fefdda2ca7bf42823922 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_mipsel.deb Size/MD5 checksum: 272356 c61c0d2c433d4300df31bc681d0d0edd powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_powerpc.deb Size/MD5 checksum: 271688 b4fa35b2b6d5d106043064b321c62ff7 http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_powerpc.deb Size/MD5 checksum: 353198 192e72c7dabd1d8d7b64a755293969b9 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_powerpc.deb Size/MD5 checksum: 184192 0a4598f9d41f45a4f8d99982258bc352 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_powerpc.deb Size/MD5 checksum: 335480 4267b587cd7d75ea76dc36ec679bb2d6 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_s390.deb Size/MD5 checksum: 355016 839cfa24a74c834cba9161faaf7621e0 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_s390.deb Size/MD5 checksum: 285310 d7265f270c738d91c19bfaeeff8130a7 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_s390.deb Size/MD5 checksum: 184598 86f3ad1f997139c8f2c18105417f369b http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_s390.deb Size/MD5 checksum: 373294 8e8fbab4cf0f0214dbd64e6faaf1a87a sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/d/dbus/dbus_1.0.2-1+etch2_sparc.deb Size/MD5 checksum: 340024 74d40edc715045d8693421b4093168c8 http://security.debian.org/pool/updates/main/d/dbus/dbus-1-utils_1.0.2-1+etch2_sparc.deb Size/MD5 checksum: 184162 32f294e0f8a06390053f8592cfce1f4d http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-dev_1.0.2-1+etch2_sparc.deb Size/MD5 checksum: 336182 65adba9662394147aad1d34bb5ac90a4 http://security.debian.org/pool/updates/main/d/dbus/libdbus-1-3_1.0.2-1+etch2_sparc.deb Size/MD5 checksum: 265080 9d47f318df9648ad5988c36e30d63016 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBSP+D1mz0hbPcukPfAQKMyAf+IKzaHgiC7SGAygCqL+q+I7G369OnB/jg 9XkmYKugwFk6iwQNFyOcFNvmLn0FuykZZf4D2tA+p9Syzi6r17DK/s5k5ImG0Gkt hVxUvix1VUxxRE6It3HDPTMgsJ95o7ux/ErcWATtv4YlbsxZ7ecLD+/h4wAFHrXW zOTVO2zzpzUrLrnM9//PzD9ag8vznvwWREG146Xk0HaSVYSTsPpzBmR34pvFMGC/ Z1L+zdJYETPWsH2lfKB2Q0kAyjJQMM2nnxHatVO0eqHlyrPzoQwSyTBlwxlP4XmD iU4MPgtK5CV/RMmxSG87/3JdXMnyPY+D8X9w6QVW3Gzbf5z51Idkpw== =9fZV - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSP/EkSh9+71yA2DNAQKeKgP/buypffB9EeCM2zPFDNGBWYhiE/82f5zJ c1Ovde7nf61/+6yl/C9AZSfLu1TfJFhyKD/b+XoG2khqfYuFMrV9Se3ZGtmrxKBT /MIhxvMcNgK9dya2971I2iMXdtGOV/loS9CMLZWHAlkS5eXDmI1ToQYnmBCYW2hS sTgY8LsrZ3Q= =KZQP -----END PGP SIGNATURE-----