Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1375 New elinks packages fix arbitrary code execution 6 October 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: elinks Publisher: Debian Operating System: Debian GNU/Linux 4 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2008-7224 Reference: ESB-2009.1362 Original Bulletin: http://www.debian.org/security/2009/dsa-1902 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1902-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff October 05, 2009 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : elinks Vulnerability : buffer overflow Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2008-7224 Debian Bug : 380347 Jakub Wilk discovered an off-by-one buffer overflow in the charset handling of elinks, a feature-rich text-mode WWW browser, which might lead to the execution of arbitrary code if the user is tricked into opening a malformed HTML page. For the old stable distribution (etch), this problem has been fixed in version 0.11.1-1.2etch2. The stable distribution (lenny) and the unstable distribution (sid) already contain a patch for this problem. We recommend that you upgrade your elinks package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2.diff.gz Size/MD5 checksum: 30564 48727476dbfed45200797a0504fa6e4a http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1.orig.tar.gz Size/MD5 checksum: 3863617 dce0fa7cb2b6e7194ddd00e34825218b http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2.dsc Size/MD5 checksum: 872 870acbbc16c166c0e17669f435cf4478 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_alpha.deb Size/MD5 checksum: 496748 65a9e90caf0005912d0f307447bb7252 http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_alpha.deb Size/MD5 checksum: 1264746 750b9c9425d331afdd84ae9e8ec397cc amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_amd64.deb Size/MD5 checksum: 457658 d35d0729240a9a3e4edf596fab8b5519 http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_amd64.deb Size/MD5 checksum: 1219062 eeb677af4bd1f969062dcc49a6c5797f arm architecture (ARM) http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_arm.deb Size/MD5 checksum: 1179258 2236eef0018c35106157254f1a9b5371 http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_arm.deb Size/MD5 checksum: 417026 d6298439e61cfd390dc5f885fa6d3ce9 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_hppa.deb Size/MD5 checksum: 1249718 200ea460bf1c50c7c77fb818b99d6f93 http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_hppa.deb Size/MD5 checksum: 481296 4d1ffd49415dc0f727fec71843e0cf1e i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_i386.deb Size/MD5 checksum: 423782 fd2bdd5f8d85049dd34e9d392cfb0d55 http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_i386.deb Size/MD5 checksum: 1188386 6b5bd5cc0801cc98c5f89eb755036a58 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_ia64.deb Size/MD5 checksum: 1432996 3f1c8fd354685e153aa0bf6001811f72 http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_ia64.deb Size/MD5 checksum: 624264 6ab1d3d6329c2fbbd366c7979846be04 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_mipsel.deb Size/MD5 checksum: 1223924 88dab6a6625382e7d7531f9f45f2fb6d http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_mipsel.deb Size/MD5 checksum: 466916 3f54531dc562935768748e8626c3cd8a powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_powerpc.deb Size/MD5 checksum: 450082 4cb3cbeda69cd02ddc99b132d26998c5 http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_powerpc.deb Size/MD5 checksum: 1216856 ed85e75381a7bfdd094e21e0e16ecbfd s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_s390.deb Size/MD5 checksum: 1232366 5eafbb1dcf688fe54bd347afab8d6da8 http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_s390.deb Size/MD5 checksum: 470580 9da53a0cc795e3943c250a44810f006d sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_sparc.deb Size/MD5 checksum: 419686 6177d561615f0c17f9e46e3642899870 http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_sparc.deb Size/MD5 checksum: 1186370 1f7db95ad501df7b756e3ccaf2dc754d These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkrKLEAACgkQXm3vHE4uylpXOACgy94wa4gsQtxO/emAzsvdqWfU UTIAoJJATXsEq2GO6BrEBTE/UVIVWZib =VSyK - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKyndsNVH5XJJInbgRAmSpAJ0SNC69BsRbBAsnQNtGob2Y03uwSACeI/Fz uflphpbF3gB4Ll9LFNU5Vwk= =s/dD -----END PGP SIGNATURE-----