-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2009.0173 -- [Debian]
            New python-crypto packages fix denial of service
                            26 February 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              python-crypto
Publisher:            Debian
Operating System:     Debian GNU/Linux 5.0
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0544

Ref:                  ESB-2009.0166

Original Bulletin:    http://www.debian.org/security/2009/dsa-1726

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1726-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
February 25, 2009                     http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : python-crypto
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-0544

Mike Wiacek discovered that a buffer overflow in the ARC2 implementation
of Python Crypto, a collection of cryptographic algorithms and protocols
for Python, allows denial of service and potentially the execution of
arbitrary code.

For the stable distribution (lenny), this problem has been fixed in
version 2.0.1+dfsg1-2.3+lenny0.

Due to a technical limitation in the Debian archive management scripts
the update for the old stable distribution (etch) cannot be released
synchronously. It will be fixed in version 2.0.1+dfsg1-1.2+etch0 soon.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your python-crypto package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386,
ia64, mips, mipsel, powerpc, s390 and sparc.

These files will probably be moved into the stable distribution on
its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmlqlwACgkQXm3vHE4uyloAoACfeG2KmsHVYnnX1kfsp1RrCLYR
pfAAoN+869pQnXI68LNdD7sL/hsHDDWM
=TQSU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
      not be updated when updates to the original are made. If downloading at
      a later date, it is recommended that the bulletin is retrieved directly
      from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJpe1RNVH5XJJInbgRAlhxAJ9bG8qaZgrMZrte0Umd2jVXCIJ2zgCggWft
1hrhWzjgQO0A36eEe+WI7xo=
=FiFV
-----END PGP SIGNATURE-----