-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0103
                  New fuse packages fix denial of service
                              3 February 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           fuse
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3297  

Original Bulletin: 
   http://www.debian.org/security/2010/dsa-1989

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1989-1                  security@debian.org
http://www.debian.org/security/                        Giuseppe Iuculano
February 02, 2010                     http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Packages       : fuse
Vulnerability  : denial of service
Problem type   : local
Debian-specific: no
CVE Id         : CVE-2009-3297
Debian Bug     : 567633

Dan Rosenberg discovered a race condition in FUSE, a Filesystem in USErspace.
A local attacker, with access to use FUSE, could unmount arbitrary
locations, leading to a denial of service.


For the oldstable distribution (etch), this problem has been fixed in
version 2.5.3-4.4+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 2.7.4-1.1+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 2.8.1-1.2, and will migrate to the testing distribution (squeeze)
shortly.

We recommend that you upgrade your fuse packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian (oldstable)
- - ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.5.3-4.4+etch1.dsc
    Size/MD5 checksum:      627 5886da280cc253c8ec2c04f5423238ee
  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.5.3.orig.tar.gz
    Size/MD5 checksum:   409443 9c7e8b6606b9f158ae20b8521ba2867c
  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.5.3-4.4+etch1.diff.gz
    Size/MD5 checksum:    11785 884b1f0d8646b121d133bb62a42e23c3

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_alpha.deb
    Size/MD5 checksum:   109494 a46c800a39108d6a148e4db0e1d7d931
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_alpha.deb
    Size/MD5 checksum:    54860 4d1acaf1b078a4370c90e47fb4c015e6
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_alpha.deb
    Size/MD5 checksum:    59726 414582a9494fd50bed1bc41fdb17bf29

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_amd64.deb
    Size/MD5 checksum:    98016 fcc2e4f1981cc75fbe341be0012490fc
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_amd64.deb
    Size/MD5 checksum:    53530 d3857a1f96067112cbe1e7a428178686
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_amd64.deb
    Size/MD5 checksum:    58916 5b992f296e4fba939e27fa6bd961ea6d

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_arm.deb
    Size/MD5 checksum:    48512 7be71b3c68391c288d7992f2e135449b
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_arm.deb
    Size/MD5 checksum:    93024 5c703f36949e7f156e4b59245c224eff
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_arm.deb
    Size/MD5 checksum:    57820 345ad9a6f3ada4facd993823eded7663

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_hppa.deb
    Size/MD5 checksum:    56194 6a57e0f225759c4c79e5686378834981
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_hppa.deb
    Size/MD5 checksum:   103676 afb7fd5cb28ea33c8b1b37f53349e7e9
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_hppa.deb
    Size/MD5 checksum:    59130 fc3f13580d207f0fe6bf9cfe0034f312

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_i386.deb
    Size/MD5 checksum:    94356 c692a6cb705c58ff1cea736f51bec18c
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_i386.deb
    Size/MD5 checksum:    50812 55537e1c0561f86fff06f0a1319098de
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_i386.deb
    Size/MD5 checksum:    58368 cfd1cee4477d2636b8b522a25310c984

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_ia64.deb
    Size/MD5 checksum:    63764 0c9b12e7c71d48e2bdc9f3de90c4f3c9
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_ia64.deb
    Size/MD5 checksum:   115500 8135a9f1b1aead628853749e447784fc
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_ia64.deb
    Size/MD5 checksum:    65680 f071d857c64ad4c22aa2266fd1089032

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_mipsel.deb
    Size/MD5 checksum:    58768 4162cfc57ba231f3af6d012d590e8375
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_mipsel.deb
    Size/MD5 checksum:   103580 095f061de8c350ae2141924b7529ed45
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_mipsel.deb
    Size/MD5 checksum:    51218 794ae7a598cdd02a60a410078562aa07

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_powerpc.deb
    Size/MD5 checksum:    58388 4a586a8d11c5bd2c6a8e6e8e0256e703
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_powerpc.deb
    Size/MD5 checksum:    98048 d15b93fa2fe7157366dc2eb37f8492a9
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_powerpc.deb
    Size/MD5 checksum:    51736 161e6dc0be6a51ab3f3f69be4dc10190

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_s390.deb
    Size/MD5 checksum:    58848 8c62551e8c465e2ef4e87d34f9277852
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_s390.deb
    Size/MD5 checksum:    53938 099298f6cc8b72fecb4d69ba742b9611
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_s390.deb
    Size/MD5 checksum:    98608 38aab54a2171cec7cf73d5cb9d1d295e

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.5.3-4.4+etch1_sparc.deb
    Size/MD5 checksum:    58206 be267abf6f16d40838c150374ef1fd4f
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.5.3-4.4+etch1_sparc.deb
    Size/MD5 checksum:    49212 3300d58324ba45d8e212c0e6b332cc9f
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.5.3-4.4+etch1_sparc.deb
    Size/MD5 checksum:    94000 16d5f583748d07192d25ea33fa345c05

Debian (stable)
- - ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.7.4.orig.tar.gz
    Size/MD5 checksum:   506658 4879f06570d2225667534c37fea04213
  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.7.4-1.1+lenny1.diff.gz
    Size/MD5 checksum:    16066 f3a61d6fc003f1a2bf3ea9430f2c9a70
  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.7.4-1.1+lenny1.dsc
    Size/MD5 checksum:     1171 889cfc800cd72828730f8bcbd9c777d9

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_alpha.deb
    Size/MD5 checksum:    20556 585cf2070a4ec688247a41646795131e
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_alpha.deb
    Size/MD5 checksum:   131872 6955f5703677ceef1b77c75c8b34e629
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_alpha.deb
    Size/MD5 checksum:   180872 c23ac8be5311ee40fc3f1890b1a3ffb7

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_amd64.deb
    Size/MD5 checksum:    19042 36f5db5328ff4532c28c14bd956fb8c1
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_amd64.deb
    Size/MD5 checksum:   129696 0ab699969dfd5437c91af3cafd9a27b2
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_amd64.deb
    Size/MD5 checksum:   162514 1d0f908363d1f1d8910b9b029bf1c5df

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_arm.deb
    Size/MD5 checksum:   120050 1e1d2c35d13b5b610de23a51d6d6c365
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_arm.deb
    Size/MD5 checksum:   153696 46442d428f85f1354b1ae6661e65d561
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_arm.deb
    Size/MD5 checksum:    17432 a9c572365292b5113af0f3a894215ed4

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_armel.deb
    Size/MD5 checksum:    17058 33f5fecaf1bac301e0521ec410e8c80e
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_armel.deb
    Size/MD5 checksum:   154480 c6e475b074e17c79edf3ff5eb7f9040a
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_armel.deb
    Size/MD5 checksum:   121306 eafcfc5360cc53e3981e1dc9b37e4b89

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_hppa.deb
    Size/MD5 checksum:    19296 e10df02c43836209f2b5f6584356a92c
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_hppa.deb
    Size/MD5 checksum:   168740 738e2595ce106f27007e822015d18165
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_hppa.deb
    Size/MD5 checksum:   131642 d7b2a7892867d4ec2864f735ab2cf0b2

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_i386.deb
    Size/MD5 checksum:   124622 443691cc6cff7d375d3e58fc6ef7b6d0
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_i386.deb
    Size/MD5 checksum:   155244 1d33eb00f1912b128fa225e4032e6272
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_i386.deb
    Size/MD5 checksum:    17894 fc0807ee515177aec7ebf4e90cd28262

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_ia64.deb
    Size/MD5 checksum:   190582 9abc959eb6696a72b65378cfde3b2d19
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_ia64.deb
    Size/MD5 checksum:    24858 7955ac00698ff5d247020e6f71e0b482
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_ia64.deb
    Size/MD5 checksum:   151516 2efac5863ec97b2c378b34ac2fae5c8d

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_mips.deb
    Size/MD5 checksum:    18146 1fc317ba48a3258b059fe881d372690a
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_mips.deb
    Size/MD5 checksum:   169262 a23d47c215a0f7af9ece5a36abeb954e
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_mips.deb
    Size/MD5 checksum:   124082 a4b3ee554ee279fe3fea8828918d9f21

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_mipsel.deb
    Size/MD5 checksum:   168578 9dd6e832747412dbc9cd25f80693c3cb
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_mipsel.deb
    Size/MD5 checksum:    18128 598595bc8251b576c17fcb7e549033be
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_mipsel.deb
    Size/MD5 checksum:   123686 f0f2d7dd0022ecb02815054d2599cf7e

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_powerpc.deb
    Size/MD5 checksum:    19598 302d9576bcc31ca2cbd197d4acdc9937
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_powerpc.deb
    Size/MD5 checksum:   131390 1edf1966d7d720723e605172c988efc8
  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_powerpc.deb
    Size/MD5 checksum:   161734 c4ae4d50ee835cd87e8ffbc2083a6f9f

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_s390.deb
    Size/MD5 checksum:   162644 68e1ef64d38ea794a096f142e6fefb5c
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_s390.deb
    Size/MD5 checksum:   131750 c727c3d3652f50e366c6208d05d2087b
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_s390.deb
    Size/MD5 checksum:    18780 75791fd3ebd09343e21baa7664425abd

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/f/fuse/libfuse-dev_2.7.4-1.1+lenny1_sparc.deb
    Size/MD5 checksum:   153900 17372c54b216f06f37622154f69477ff
  http://security.debian.org/pool/updates/main/f/fuse/libfuse2_2.7.4-1.1+lenny1_sparc.deb
    Size/MD5 checksum:   120200 45a7e205d213ba40869c74f8d6caf9e7
  http://security.debian.org/pool/updates/main/f/fuse/fuse-utils_2.7.4-1.1+lenny1_sparc.deb
    Size/MD5 checksum:    17974 47802bb266babbf313f1d285f6aad652


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktorcQACgkQNxpp46476aq2ygCeOuipMSFahwlsgcr7/KxU17e0
oGUAnRKa5Ucxz8UsCMpb64LjaNKSsgDX
=SXN1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLaMBz/iFOrG6YcBERAnbFAKCjPKGoYc6DkDRw4IbCnd4efZz0oACgskHI
54vFSC7TcLmdcMc8xIQ6QEY=
=ijCy
-----END PGP SIGNATURE-----