Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1552
New gforge packages fix cross-site scripting
23 November 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: gforge
Publisher: Debian
Operating System: Debian GNU/Linux 5
Debian GNU/Linux 4
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Cross-site Scripting -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2009-3303
Original Bulletin:
http://www.debian.org/security/2009/dsa-1937
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running gforge check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1937-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
November 21, 2009 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : gforge
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-3303
It was discovered that gforge, collaborative development tool, is prone
to a cross-site scripting attack via the helpname parameter. Beside
fixing this issue, the update also introduces some additional input
sanitising. However, there are no known attack vectors.
For the stable distribution (lenny), these problem have been fixed in
version 4.7~rc2-7lenny2.
The oldstable distribution (etch), these problems have been fixed in
version 4.5.14-22etch12.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.8.1-3.
We recommend that you upgrade your gforge packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Debian (oldstable)
- - ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.diff.gz
Size/MD5 checksum: 203139 67406308953934e8d68ca1cd97154023
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.dsc
Size/MD5 checksum: 953 2176dd5939538d180d60637d77260f19
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Size/MD5 checksum: 2161141 e85f82eff84ee073f80a2a52dd32c8a5
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch12_all.deb
Size/MD5 checksum: 705438 d40c97c6f0d0823b966b48b9b1b7eb6f
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12_all.deb
Size/MD5 checksum: 80534 c86b0696f707df2df400ef46838a2505
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch12_all.deb
Size/MD5 checksum: 1011566 644f57ac3a902d69369806763b29e484
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch12_all.deb
Size/MD5 checksum: 104034 43bb51625ea030e4bca2a1753720acd0
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch12_all.deb
Size/MD5 checksum: 86598 801eb1462e783877698f8181e93c7d37
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch12_all.deb
Size/MD5 checksum: 87402 9601350198b4a1c4946b26cbfc0089f0
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch12_all.deb
Size/MD5 checksum: 88868 9c73567d60ede088fe7c952c0d575a22
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch12_all.deb
Size/MD5 checksum: 82348 ad231cb698733f3c3ce6cb65357aacee
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch12_all.deb
Size/MD5 checksum: 86318 448d7f114da5ef2188aa56f8dcd130f4
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch12_all.deb
Size/MD5 checksum: 95726 d6557e0016666a5e9c53f38fed49c322
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch12_all.deb
Size/MD5 checksum: 88766 c78075b8eab9c9b3ead54716d10cf370
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch12_all.deb
Size/MD5 checksum: 89386 2837d3a26850e5622294eb44aa49f3e2
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch12_all.deb
Size/MD5 checksum: 212746 1c48e12e5e61d5f56edd0de46884af52
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch12_all.deb
Size/MD5 checksum: 76334 4e63c7735c92764d82dfdf4f742be2cb
Debian GNU/Linux 5.0 alias lenny
- - --------------------------------
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.dsc
Size/MD5 checksum: 1487 0b1ce8a3757f45818006361e1eeb8140
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.diff.gz
Size/MD5 checksum: 104727 3ce01d7387d05990a61a28e831a62f7b
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2.orig.tar.gz
Size/MD5 checksum: 10225404 bd24808ce79363d4c7c529778f6f5324
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 100794 9e7c73b64c1929858089717fc32585b2
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 92854 e9c5d38f5fc5a51fe417b38b6c359702
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmcvs_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 129406 053272d5f4440d75825890ddd6bf5169
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 1112528 77f4e8dc932777a36cf941a1bd5b10a8
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-mediawiki_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 213574 14405a0cb843748ba77c691eaa60d4b6
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 101554 3aa3bb38dfc4a8bb3834f3397b03c688
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 97364 7a73fb6cd3af0addda1076f68b4ceaa7
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 95108 3dac1b4c78f967488693d3efb8b9f1b0
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 88522 ffb28f911b5b5a638376cfaa598dc443
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmsvn_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 122034 565dcc6c8acccfa4c6ae12121b774fa6
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache2_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 1397340 47fdfdfda7355f12fe807d9f01e79d5c
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 231012 3a6ff0778f890ca32ec7c8fae97ef996
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 94622 b533f09eedfd0b9f29dd07d4f9e64e06
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 106930 fcd1127a7c6c19ccf3c2a4a4931eb598
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 88790 428a7b29217a916f004c085507128f88
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksHem4ACgkQ62zWxYk/rQc8OwCeL/MYC9AWieVtnpBrtzn8Z79L
EqQAnjfyotsvfsH2Y6qJ1aC4g9+K1xTU
=UVaP
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLCcKfNVH5XJJInbgRAs/QAJ9QbT719i+Djf9ifALUvdXARPUPxACgiBb3
SACf/a7soNCMwU655fewt+4=
=JHV5
-----END PGP SIGNATURE-----