Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1552 New gforge packages fix cross-site scripting 23 November 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: gforge Publisher: Debian Operating System: Debian GNU/Linux 5 Debian GNU/Linux 4 UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2009-3303 Original Bulletin: http://www.debian.org/security/2009/dsa-1937 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running gforge check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1937-1 security@debian.org http://www.debian.org/security/ Steffen Joeris November 21, 2009 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : gforge Vulnerability : insufficient input sanitising Problem type : remote Debian-specific: no CVE ID : CVE-2009-3303 It was discovered that gforge, collaborative development tool, is prone to a cross-site scripting attack via the helpname parameter. Beside fixing this issue, the update also introduces some additional input sanitising. However, there are no known attack vectors. For the stable distribution (lenny), these problem have been fixed in version 4.7~rc2-7lenny2. The oldstable distribution (etch), these problems have been fixed in version 4.5.14-22etch12. For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 4.8.1-3. We recommend that you upgrade your gforge packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian (oldstable) - - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.diff.gz Size/MD5 checksum: 203139 67406308953934e8d68ca1cd97154023 http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.dsc Size/MD5 checksum: 953 2176dd5939538d180d60637d77260f19 http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz Size/MD5 checksum: 2161141 e85f82eff84ee073f80a2a52dd32c8a5 Architecture independent packages: http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch12_all.deb Size/MD5 checksum: 705438 d40c97c6f0d0823b966b48b9b1b7eb6f http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12_all.deb Size/MD5 checksum: 80534 c86b0696f707df2df400ef46838a2505 http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch12_all.deb Size/MD5 checksum: 1011566 644f57ac3a902d69369806763b29e484 http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch12_all.deb Size/MD5 checksum: 104034 43bb51625ea030e4bca2a1753720acd0 http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch12_all.deb Size/MD5 checksum: 86598 801eb1462e783877698f8181e93c7d37 http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch12_all.deb Size/MD5 checksum: 87402 9601350198b4a1c4946b26cbfc0089f0 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch12_all.deb Size/MD5 checksum: 88868 9c73567d60ede088fe7c952c0d575a22 http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch12_all.deb Size/MD5 checksum: 82348 ad231cb698733f3c3ce6cb65357aacee http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch12_all.deb Size/MD5 checksum: 86318 448d7f114da5ef2188aa56f8dcd130f4 http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch12_all.deb Size/MD5 checksum: 95726 d6557e0016666a5e9c53f38fed49c322 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch12_all.deb Size/MD5 checksum: 88766 c78075b8eab9c9b3ead54716d10cf370 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch12_all.deb Size/MD5 checksum: 89386 2837d3a26850e5622294eb44aa49f3e2 http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch12_all.deb Size/MD5 checksum: 212746 1c48e12e5e61d5f56edd0de46884af52 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch12_all.deb Size/MD5 checksum: 76334 4e63c7735c92764d82dfdf4f742be2cb Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Debian (stable) - - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.dsc Size/MD5 checksum: 1487 0b1ce8a3757f45818006361e1eeb8140 http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.diff.gz Size/MD5 checksum: 104727 3ce01d7387d05990a61a28e831a62f7b http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2.orig.tar.gz Size/MD5 checksum: 10225404 bd24808ce79363d4c7c529778f6f5324 Architecture independent packages: http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 100794 9e7c73b64c1929858089717fc32585b2 http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 92854 e9c5d38f5fc5a51fe417b38b6c359702 http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmcvs_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 129406 053272d5f4440d75825890ddd6bf5169 http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 1112528 77f4e8dc932777a36cf941a1bd5b10a8 http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-mediawiki_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 213574 14405a0cb843748ba77c691eaa60d4b6 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 101554 3aa3bb38dfc4a8bb3834f3397b03c688 http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 97364 7a73fb6cd3af0addda1076f68b4ceaa7 http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 95108 3dac1b4c78f967488693d3efb8b9f1b0 http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 88522 ffb28f911b5b5a638376cfaa598dc443 http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmsvn_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 122034 565dcc6c8acccfa4c6ae12121b774fa6 http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache2_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 1397340 47fdfdfda7355f12fe807d9f01e79d5c http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 231012 3a6ff0778f890ca32ec7c8fae97ef996 http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 94622 b533f09eedfd0b9f29dd07d4f9e64e06 http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 106930 fcd1127a7c6c19ccf3c2a4a4931eb598 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.7~rc2-7lenny2_all.deb Size/MD5 checksum: 88790 428a7b29217a916f004c085507128f88 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAksHem4ACgkQ62zWxYk/rQc8OwCeL/MYC9AWieVtnpBrtzn8Z79L EqQAnjfyotsvfsH2Y6qJ1aC4g9+K1xTU =UVaP - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLCcKfNVH5XJJInbgRAs/QAJ9QbT719i+Djf9ifALUvdXARPUPxACgiBb3 SACf/a7soNCMwU655fewt+4= =JHV5 -----END PGP SIGNATURE-----