Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.0566 -- [UNIX/Linux][Debian] libtorrent-rasterbar: Denial of Service 15 June 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libtorrent-rasterbar Publisher: Debian Operating System: Debian GNU/Linux 5.0 UNIX variants (UNIX, Linux, OSX) Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2009-1760 Original Bulletin: http://www.debian.org/security/2009/dsa-1815 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running libtorrent-rasterbar check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1815-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff June 14, 2009 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : libtorrent-rasterbar Vulnerability : programming error Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2009-1760 It was discovered that the Rasterbar Bittorrent library performed insufficient validation of path names specified in torrent files, which could lead to denial of service by overwriting files. The old stable distribution (etch) doesn't include libtorrent-rasterbar. For the stable distribution (lenny), this problem has been fixed in version 0.13.1-2+lenny1. For the unstable distribution (sid), this problem has been fixed in version 0.14.4-1. We recommend that you upgrade your libtorrent-rasterbar package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar_0.13.1-2+lenny1.diff.gz Size/MD5 checksum: 5295 ad26ec230cfb51e8b1a11053c631e23a http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar_0.13.1.orig.tar.gz Size/MD5 checksum: 1469775 9d6b112fedc5861402647ff72e95dba0 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar_0.13.1-2+lenny1.dsc Size/MD5 checksum: 1688 615d598da6448acb06a5564b5af98504 Architecture independent packages: http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-doc_0.13.1-2+lenny1_all.deb Size/MD5 checksum: 494718 2ff3232090c18212dceab0c240ad5b6a alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_alpha.deb Size/MD5 checksum: 2847180 bdc11c81ec50ef9c87e473a5adedef4d http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_alpha.deb Size/MD5 checksum: 1191354 7fc10d95bb5fb39218ef46a4e0256aa0 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_alpha.deb Size/MD5 checksum: 7486406 be3e0f535a318d69bd8d8f84987c00c9 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_amd64.deb Size/MD5 checksum: 991572 8bfc1c7c2a0e715830b6b869d6700826 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_amd64.deb Size/MD5 checksum: 1958800 6f925903c79b0c09c861cfafc154fddb http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_amd64.deb Size/MD5 checksum: 7578292 b5fda43c6ef50c504a11362f34efba69 arm architecture (ARM) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_arm.deb Size/MD5 checksum: 1083396 265b8b109918bdb5a7cbd7a93a98f906 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_arm.deb Size/MD5 checksum: 7278890 4f175b83c43250504e3e6e927b1aa95b http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_arm.deb Size/MD5 checksum: 2081302 f75e702139b6e6df8282ca8db807358a armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_armel.deb Size/MD5 checksum: 863962 d3e22f0d17881578c94ff18577c7b0ff http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_armel.deb Size/MD5 checksum: 2114218 28a9d8dd167a77c1c350c5f0c26656bb http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_armel.deb Size/MD5 checksum: 7401594 096572e6a80d8e2629893d2eda7b06b2 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_hppa.deb Size/MD5 checksum: 1131024 69724d35147d2cb2d47f47b1dd2d09f2 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_hppa.deb Size/MD5 checksum: 2188616 48986004e631fcb30dc617dd09d6bb7e http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_hppa.deb Size/MD5 checksum: 7447584 9c0ef400fb8a6af2fed8e57572749e82 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_i386.deb Size/MD5 checksum: 7466610 561fa4b4cc308ab89142ba8745144839 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_i386.deb Size/MD5 checksum: 986646 fbae1919d47696f1160191896ee51fe2 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_i386.deb Size/MD5 checksum: 1837994 706c48fe6df16cf87954938079b83bbd ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_ia64.deb Size/MD5 checksum: 2839510 0784e971e672f0d3508735b58b0190e0 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_ia64.deb Size/MD5 checksum: 7867400 ef973715edcbbcc5739c959bc1a616e7 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_ia64.deb Size/MD5 checksum: 1408300 465e116873aeb20eb4d3307f11e23a1f mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_mips.deb Size/MD5 checksum: 2042000 a7da44aa33d55dd1720f03ff5578265b http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_mips.deb Size/MD5 checksum: 923072 f228766d2143c5678b568a7317427a7d http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_mips.deb Size/MD5 checksum: 7563768 7269489934ef49530520be1f58d37137 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_mipsel.deb Size/MD5 checksum: 7357426 4c6e09de92323c4edfc2e9d1697b88d4 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_mipsel.deb Size/MD5 checksum: 915480 5f6dcdcd4ebcf05c993ae8961172f8c3 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_mipsel.deb Size/MD5 checksum: 2022654 d370a93c7711c996b40e679c75b9e450 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_powerpc.deb Size/MD5 checksum: 2009160 ffe50b547f76cc3715a696ec446c4a96 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_powerpc.deb Size/MD5 checksum: 7771456 cf4a135f1dad2440449cc0a6e3ea2863 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_powerpc.deb Size/MD5 checksum: 1046364 d68326739c445096bebf71b8da2fb9ab s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_s390.deb Size/MD5 checksum: 7523480 b51f62f23c283f3ec6992b234946a585 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_s390.deb Size/MD5 checksum: 945680 55899bdfa3d12f96dcc8a3bca4688429 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_s390.deb Size/MD5 checksum: 1877984 57a4674260e40426e3b12f2d1e2e500f sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dbg_0.13.1-2+lenny1_sparc.deb Size/MD5 checksum: 7366596 36c4f6f9964750a32ce7278bf4d04da2 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar0_0.13.1-2+lenny1_sparc.deb Size/MD5 checksum: 1145234 ff7d341f351f65144621eed3f9a3cf86 http://security.debian.org/pool/updates/main/libt/libtorrent-rasterbar/libtorrent-rasterbar-dev_0.13.1-2+lenny1_sparc.deb Size/MD5 checksum: 1734368 064c9bfed79ac652c89db16fb1b74357 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAko1djIACgkQXm3vHE4uylpqJQCfbBN7IeSF343VNst4KZ2EwvsK xKAAnigi5KyBXlF1PyCJ13pRz7hk0faZ =SGuV - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKNZJpNVH5XJJInbgRAuY1AJ9Uq4Q8FKU100Y5NRI3iS587W7EOQCePeBz doPxDzTCR3jJmuA507F+2Xw= =rYf4 -----END PGP SIGNATURE-----