From rbu at gentoo.org  Fri Aug  1 00:33:28 2008
From: rbu at gentoo.org (Robert Buchholz)
Date: Fri, 1 Aug 2008 01:33:28 +0200
Subject: [Full-disclosure] [ GLSA 200807-16 ] Python: Multiple vulnerabilities
Message-ID: <200808010133.31885.rbu@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200807-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Python: Multiple vulnerabilities
      Date: July 31, 2008
      Bugs: #230640, #232137
        ID: 200807-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Python may allow for the execution of
arbitrary code.

Background
==========

Python is an interpreted, interactive, object-oriented programming
language.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  dev-lang/python      < 2.5.2-r6                     *>= 2.4.4-r14
                                                           >= 2.5.2-r6

Description
===========

Multiple vulnerabilities were discovered in Python:

* David Remahl of Apple Product Security reported several integer
  overflows in core modules such as stringobject, unicodeobject,
  bufferobject, longobject, tupleobject, stropmodule, gcmodule,
  mmapmodule (CVE-2008-2315).

* David Remahl of Apple Product Security also reported an integer
  overflow in the hashlib module, leading to unreliable cryptographic
  digest results (CVE-2008-2316).

* Justin Ferguson reported multiple buffer overflows in unicode string
  processing that only affect 32bit systems (CVE-2008-3142).

* The Google Security Team reported multiple integer overflows
  (CVE-2008-3143).

* Justin Ferguson reported multiple integer underflows and overflows in
  the PyOS_vsnprintf() function, and an off-by-one error when passing
  zero-length strings, leading to memory corruption (CVE-2008-3144).

Impact
======

A remote attacker could exploit these vulnerabilities in Python
applications or daemons that pass user-controlled input to vulnerable
functions. Exploitation might lead to the execution of arbitrary code
or a Denial of Service. Vulnerabilities within the hashlib might lead
to weakened cryptographic protection of data integrity or authenticity.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Python 2.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14"

All Python 2.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6"

Please note that Python 2.3 has been masked since June 24, and we will
not be releasing updates to it. It will be removed from the tree in the
near future.

References
==========

  [ 1 ] CVE-2008-2315
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
  [ 2 ] CVE-2008-2316
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316
  [ 3 ] CVE-2008-3142
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
  [ 4 ] CVE-2008-3143
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143
  [ 5 ] CVE-2008-3144
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080801/a5eefafb/attachment.bin


From Everhart at gce.com  Fri Aug  1 01:29:13 2008
From: Everhart at gce.com (Mary and Glenn Everhart)
Date: Thu, 31 Jul 2008 20:29:13 -0400
Subject: [Full-disclosure] Re DNS spoofing issue discussion
Message-ID: <489258D9.1090008@gce.com>

To: Valdis.Kletnieks at vt.edu
Subject: RE: [Full-disclosure] DNS spoofing issue. Thoughts on

I chose my wording to cover not only DNSSEC but possible alternatives
that could be devised. Certs are not the only way to do it, but it needs
to be installed all over.

The BGP fixes were devised after the last meltdown, but question again
is whether they are installed. If DNSSEC had been installed, Kaminsky's
issue would not exist.

Since the number of sites running BGP among themselves is not that huge,
it is probably not as practical an attack vector. Last meltdown that
happened was said to be solved largely because most of the BGP site
operators knew each other well enough to recognize voices on the phone.
Net's bigger now tho.

The fact that the recent youtube route hijack and the kenya routing
insecurity incidents happened suggests that the md5 security is not in
fact in place much (needs predefined secrets installed and apparently
people don't configure it to do anything). That being the case, a
reminder that maybe it could be good to reexamine this seems not totally
daft.

Glenn Everhart
Everhart at gce.com
(posting from home; I am the same one who has posted from work also.)

-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
Sent: Wednesday, July 30, 2008 11:30 AM
To: Everhart, Glenn (Card Services)
Cc: pschmehl_lists_nada at tx.rr.com; randallm at fidmail.com;
    full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on

On Sun, 27 Jul 2008 14:07:03 EDT, Glenn.Everhart at ch.a.sx.com said:

> The need for something more like ssl certs in there remains

It's called DNSSEC, which has been out for a decade and more.

> (Also needed for bgp I suspect).

RFC2385 (TCP MD5 protection for BGP) addresses most of the issues, at
least on a peer-to-peer basis, and has been out for a decade. There's a
discussion of the issues in RFC5123.


From don.bailey at gmail.com  Fri Aug  1 04:17:00 2008
From: don.bailey at gmail.com (don bailey)
Date: Thu, 31 Jul 2008 21:17:00 -0600
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <489258D9.1090008@gce.com>
References: <489258D9.1090008@gce.com>
Message-ID: <4892802C.2060801@gmail.com>

> The BGP fixes were devised after the last meltdown, but question again
> is whether they are installed. If DNSSEC had been installed, Kaminsky's
> issue
> would not exist.
>

That's probably not the case. It would only alter the scope of
attack to include encryption and not simply port+xid. Since UDP
is stateless one could have theoretically kicked off some
semblance of brute force attack against the key used for
encryption. For algorithms that use bits larger than would be
feasible for brute force attacks, the latest SNMPv3 vulnerability
comes to mind, as does Tim Newsham's attack on WEP.

In other words, there are always options. The attack wouldn't have
gone away. As they say, there are 1,000,000 ways to get to Detroit.

D


From pschmehl_lists at tx.rr.com  Fri Aug  1 04:37:20 2008
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Thu, 31 Jul 2008 22:37:20 -0500
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <4892802C.2060801@gmail.com>
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com>
Message-ID: <72B7D507D7C1A86FA3BB2333@Macintosh.local>

--On July 31, 2008 9:17:00 PM -0600 don bailey wrote:

>> The BGP fixes were devised after the last meltdown, but question again
>> is whether they are installed. If DNSSEC had been installed, Kaminsky's
>> issue
>> would not exist.
>>
>
> That's probably not the case. It would only alter the scope of
> attack to include encryption and not simply port+xid. Since UDP
> is stateless one could have theoretically kicked off some
> semblance of brute force attack against the key used for
> encryption. For algorithms that use bits larger than would be
> feasible for brute force attacks, the latest SNMPv3 vulnerability
> comes to mind, as does Tim Newsham's attack on WEP.
>
> In other words, there are always options. The attack wouldn't have
> gone away. As they say, there are 1,000,000 ways to get to Detroit.
>

Apples and oranges. *Attacks* will never go away, but dnssec, if fully
implemented, would render Dan's attack moot. Unless you've factored 256
bit RSA keys, in which case you should be making six figures.

Paul Schmehl
If it isn't already obvious, my opinions
are my own and not those of my employer.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3826 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080731/0a478ba4/attachment-0001.bin


From don.bailey at gmail.com  Fri Aug  1 05:02:00 2008
From: don.bailey at gmail.com (don bailey)
Date: Thu, 31 Jul 2008 22:02:00 -0600
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <72B7D507D7C1A86FA3BB2333@Macintosh.local>
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com>
    <72B7D507D7C1A86FA3BB2333@Macintosh.local>
Message-ID: <48928AB8.805@gmail.com>

> Apples and oranges. *Attacks* will never go away, but dnssec, if fully
> implemented, would render Dan's attack moot. Unless you've factored 256
> bit RSA keys, in which case you should be making six figures.
>

Maybe I wasn't being clear, Mr. Paul Schmehl. The static port
vulnerability allows for the effective attack against the xid
name space. So, there are really two attacks here. One is based
on the fact that there are static ports, the other is based on
the small number of bits used. Two problems. Compounded together.
Into one attack.

If there was a weakness in a particular implementation of DNSSEC
that was made more feasible by the fact that people still used
static ports, we would still be having a large hullabaloo about
"attack, attack!!!".

So, Mr. Paul Schmehl, it is not "apples and oranges". It is simply
a different way of thinking.

And how do you know I don't already make six figures?

Don't you have a Red Hat image to install on a workstation somewhere?

D


From pschmehl_lists at tx.rr.com  Fri Aug  1 05:28:32 2008
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Thu, 31 Jul 2008 23:28:32 -0500
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <48928AB8.805@gmail.com>
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com>
    <72B7D507D7C1A86FA3BB2333@Macintosh.local> <48928AB8.805@gmail.com>
Message-ID:

--On July 31, 2008 10:02:00 PM -0600 don bailey wrote:
>
> And how do you know I don't already make six figures?

Oh, that's easy. If you were making six figures, you wouldn't be
posting in FD.

> Don't you have a Red Hat image to install on a workstation somewhere?

I hate RedHat. It's worse than Windows (and that's hard to do.)

Paul Schmehl
If it isn't already obvious, my opinions
are my own and not those of my employer.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3826 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080731/e950f73e/attachment.bin


From don.bailey at gmail.com  Fri Aug  1 07:50:04 2008
From: don.bailey at gmail.com (don bailey)
Date: Fri, 01 Aug 2008 00:50:04 -0600
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To:
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com>
    <72B7D507D7C1A86FA3BB2333@Macintosh.local> <48928AB8.805@gmail.com>
Message-ID: <4892B21C.70401@gmail.com>

>> And how do you know I don't already make six figures?
>
> Oh, that's easy. If you were making six figures, you wouldn't be
> posting in FD.
>

Sadly, I can't find a flaw in your logic.

D


From James.Williams at ca.com  Fri Aug  1 11:52:54 2008
From: James.Williams at ca.com (Williams, James K)
Date: Fri, 1 Aug 2008 06:52:54 -0400
Subject: [Full-disclosure] CA ARCserve Backup for Laptops and Desktops Server LGServer Service Vulnerability
Message-ID: <649CDCB56C88AA458EFF2CBF494B620405315A2A@USILMS12.ca.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: CA ARCserve Backup for Laptops and Desktops Server LGServer
Service Vulnerability

CA Advisory Date: 2008-07-31

Reported By: Vulnerability Research Team of Assurent Secure
Technologies, a TELUS Company

Impact: A remote attacker can execute arbitrary code or cause a
denial of service condition.

Summary: CA ARCserve Backup for Laptops and Desktops server
contains a vulnerability that can allow a remote attacker to
execute arbitrary code or cause a denial of service condition. CA
has issued updates to address the vulnerability. The
vulnerability, CVE-2008-3175, occurs due to insufficient bounds
checking by the LGServer service. An attacker can make a request
that can result in arbitrary code execution or crash the service.

Mitigating Factors: Only the server installation of BrightStor
ARCserve Backup for Laptops and Desktops is affected. The client
installation is not affected.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2
CA Desktop Management Suite 11.1
CA Protection Suites r2
CA Protection Suites 3.0
CA Protection Suites 3.1

Affected Platforms:
Windows

Status and Recommendation:
CA has provided the following updates to address the
vulnerability.

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2:
Upgrade to 11.1 SP2 and apply RO00912.

CA ARCserve Backup for Laptops and Desktops 11.5:
RO00913.

CA Protection Suites 3.0:
RO00912.

CA Protection Suites 3.1:
RO00912.

CA Desktop Management Suite 11.2:
Upgrade to CA Desktop Management Suite 11.2 C1 and apply RO00913.

CA Desktop Management Suite 11.1:
RO01150.

CA ARCserve Backup for Laptops and Desktops 11.0:
Upgrade to ARCserve Backup for Laptops and Desktops version 11.1
SP2 and apply the latest patches.
QI85497.

Note: CA Protection Suites r2 includes CA ARCserve Backup for
Laptops and Desktops 11.0.

How to determine if you are affected:

For Windows:
1. Using Windows Explorer, locate the file "rxRPC.dll". The file
   can be found in the following default locations:

   CA ARCserve Backup for Laptops and Desktops 11.5:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops and Desktops\Server

   CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Protection Suites 3.0:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Protection Suites 3.1:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Desktop Management Suite 11.2:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

   CA Desktop Management Suite 11.1:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file date is earlier than indicated in the below table,
   the installation is vulnerable.

CA ARCserve Backup for Laptops and Desktops
File Name    File Size (bytes)    File Date
rxRPC.dll    131,072              June 11, 2008

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2
File Name    File Size (bytes)    File Date
rxRPC.dll    114,688              June 11, 2008

CA Protection Suites 3.0
File Name    File Size (bytes)    File Date
rxRPC.dll    114,688              June 11, 2008

CA Protection Suites 3.1
File Name    File Size (bytes)    File Date
rxRPC.dll    114,688              June 11, 2008

CA Desktop Management Suite 11.2
File Name    File Size (bytes)    File Date
rxRPC.dll    131,072              June 11, 2008

CA Desktop Management Suite 11.1
File Name    File Size (bytes)    File Date
rxRPC.dll    122,880              June 11, 2008

Workaround: None

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops
Server LGServer
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181721
Solution Document Reference APARs:
RO00912, RO00913, RO01150, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server LGServer
Service Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/01.aspx
Reported By:
Vulnerability Research Team of Assurent Secure Technologies, a
TELUS Company.
http://www.assurent.com/
CVE References:
CVE-2008-3175 - LGServer buffer overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3175
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFIkur9eSWR3+KUGYURAv1PAJ9c5YGVNiFI8NFPJPMtm/OYPt/yTACfZBF/
VHC6TzSRxGCcErezrWiYC4g=
=Q62K
-----END PGP SIGNATURE-----


From thomas at suse.de  Fri Aug  1 12:35:27 2008
From: thomas at suse.de (Thomas Biege)
Date: Fri, 01 Aug 2008 13:35:27 +0200
Subject: [Full-disclosure] SUSE Security Announcement: net-snmp (SUSE-SA:2008:039)
Message-ID: <4892f4ff.HIqez12FotScq3lj%thomas@suse.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                net-snmp
        Announcement ID:        SUSE-SA:2008:039
        Date:                   Fri, 01 Aug 2008 13:00:00 +0000
        Affected Products:      openSUSE 10.2
                                openSUSE 10.3
                                openSUSE 11.0
                                SUSE SLES 9
                                Novell Linux Desktop 9
                                Open Enterprise Server
                                Novell Linux POS 9
                                SUSE Linux Enterprise Desktop 10 SP1
                                SLE SDK 10 SP1
                                SLE SDK 10 SP2
                                SUSE Linux Enterprise Server 10 SP1
                                SUSE Linux Enterprise Desktop 10 SP2
                                SUSE Linux Enterprise Server 10 SP2
        Vulnerability Type:     authentication bypass, denial-of-service
        Severity (1-10):        6
        SUSE Default Package:   no
        Cross-References:       CVE-2008-0960
                                CVE-2008-2292

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             - authentication bypass
             - denial-of-service
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            - viewvc/subversion
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   The net-snmp daemon implements the "simple network management protocol".
   The version 3 of SNMP as implemented in net-snmp uses the length of the
   HMAC in a packet to verify against a local HMAC for authentication.
   An attacker can therefore send a SNMPv3 packet with a one byte HMAC and
   guess the correct first byte of the local HMAC with 256 packets (max).

   Additionally a buffer overflow in perl-snmp was fixed that can cause a
   denial-of-service/crash.

2) Solution or Work-Around

   Please install the update package.

3) Special Instructions and Notes

   Please restart net-snmp after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.

   x86 Platform:

   openSUSE 11.0:
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/libsnmp15-5.4.1-77.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-5.4.1-77.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-devel-5.4.1-77.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/perl-SNMP-5.4.1-77.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/snmp-mibs-5.4.1-77.2.i586.rpm

   openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/libsnmp15-5.4.1-19.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-5.4.1-19.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-devel-5.4.1-19.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/perl-SNMP-5.4.1-19.2.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/snmp-mibs-5.4.1-19.2.i586.rpm

   openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-5.4.rc2-8.i586.rpm
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-devel-5.4.rc2-8.i586.rpm
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/perl-SNMP-5.4.rc2-8.i586.rpm

   x86-64 Platform:

   openSUSE 11.0:
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/x86_64/net-snmp-32bit-5.4.1-77.2.x86_64.rpm

   openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/net-snmp-32bit-5.4.1-19.2.x86_64.rpm

   openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/net-snmp-32bit-5.4.rc2-8.x86_64.rpm

   Sources:

   openSUSE 11.0:
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/src/net-snmp-5.4.1-77.2.src.rpm

   openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/net-snmp-5.4.1-19.2.src.rpm

   openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/net-snmp-5.4.rc2-8.src.rpm

   Our maintenance customers are notified individually.
   The packages are offered for installation from the maintenance web:

   Open Enterprise Server
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   Novell Linux POS 9
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   Novell Linux Desktop 9
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   SUSE Linux Enterprise Server 10 SP1
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   SUSE Linux Enterprise Server 10 SP2
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   SLE SDK 10 SP2
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   SLE SDK 10 SP1
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   SUSE Linux Enterprise Desktop 10 SP1
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   SUSE Linux Enterprise Desktop 10 SP2
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

   SUSE SLES 9
     http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   - viewvc/subversion
     This update of subversion fixes multiple vulnerabilities.
     - CVE-2008-1290: list CVS or SVN commits on "all-forbidden" files
     - CVE-2008-1291: directly access hidden CVSROOT folders
     - CVE-2008-1292: expose restricted content via the revision view,
                      the log history, or the diff view

______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites.
    The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team "

    where <DATE> is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over
    the world. While this service is considered valuable and important to the
    free and open source software community, the authenticity and the
    integrity of a package needs to be verified to ensure that it has not
    been tampered with.

    The internal rpm package signatures provide an easy way to verify the
    authenticity of an RPM package. Use the command

      rpm -v --checksig <file.rpm>

    to verify the signature of the package, replacing <file.rpm> with the
    filename of the RPM package downloaded. The package is unmodified if it
    contains a valid signature from build at suse.de with the key ID 9C800ACA.

    This key is automatically imported into the RPM database (on RPMv4-based
    distributions) and the gpg key ring of 'root' during installation. You
    can also find it on the first installation CD and at the end of this
    announcement.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    opensuse-security at opensuse.org
        - General Linux and SUSE security discussion.
          All SUSE security announcements are sent to this list.
          To subscribe, send an e-mail to .

    opensuse-security-announce at opensuse.org
        - SUSE's announce-only mailing list.
          Only SUSE's security announcements are sent to this list.
          To subscribe, send an e-mail to .

    =====================================================================
    SUSE's security contact is or .
    The public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular, the
    clear text signature should show proof of the authenticity of the text.

    SUSE Linux Products GmbH provides no warranties of any kind whatsoever
    with respect to the information contained in this security advisory.

Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
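
Added example, not part of the SUSE announcement above and not net-snmp's own code: the SNMPv3 flaw that announcement describes (the MAC length taken from the packet decides how many bytes are compared), shown as a flawed check beside a hardened one. The function names and sample MAC values are constructed for illustration; the 12-octet length is the HMAC-MD5-96 / HMAC-SHA-96 size from RFC 3414.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3414 HMAC-MD5-96 / HMAC-SHA-96 carry a MAC truncated to 12 octets. */
#define USM_MAC_LEN 12

typedef int (*mac_check_fn)(const uint8_t *local, const uint8_t *rx,
                            size_t rx_len);

/* Flawed pattern (illustrative): the number of bytes compared is taken
 * from the received packet, so a 1-octet MAC only has to match the first
 * octet of the locally computed value. */
int mac_check_flawed(const uint8_t *local, const uint8_t *rx, size_t rx_len)
{
    if (rx_len == 0 || rx_len > USM_MAC_LEN)
        return 0;
    return memcmp(local, rx, rx_len) == 0;
}

/* Hardened pattern: the length is fixed by the protocol, never by the
 * sender, and the comparison does not stop at the first mismatch. */
int mac_check_strict(const uint8_t *local, const uint8_t *rx, size_t rx_len)
{
    uint8_t diff = 0;
    size_t i;

    if (rx_len != USM_MAC_LEN)
        return 0;
    for (i = 0; i < USM_MAC_LEN; i++)
        diff |= (uint8_t)(local[i] ^ rx[i]);
    return diff == 0;
}

/* Regression helper: how many of the 256 possible one-octet MACs does a
 * given check accept?  A correct check must accept none of them. */
int one_octet_macs_accepted(mac_check_fn check, const uint8_t *local)
{
    int accepted = 0;
    int v;

    for (v = 0; v < 256; v++) {
        uint8_t guess = (uint8_t)v;
        accepted += check(local, &guess, 1) ? 1 : 0;
    }
    return accepted;
}

/* Constructed sample standing in for the locally computed MAC. */
static const uint8_t SAMPLE_LOCAL_MAC[USM_MAC_LEN] = {
    0x5a, 0x13, 0xc7, 0x02, 0x9e, 0x44, 0xb1, 0x6f, 0x08, 0xd3, 0x71, 0xee
};
/* Same value with the last octet altered (constructed). */
static const uint8_t SAMPLE_TAMPERED_MAC[USM_MAC_LEN] = {
    0x5a, 0x13, 0xc7, 0x02, 0x9e, 0x44, 0xb1, 0x6f, 0x08, 0xd3, 0x71, 0xef
};

int main(void)
{
    printf("one-octet MACs accepted, flawed check: %d\n",
           one_octet_macs_accepted(mac_check_flawed, SAMPLE_LOCAL_MAC));
    printf("one-octet MACs accepted, strict check: %d\n",
           one_octet_macs_accepted(mac_check_strict, SAMPLE_LOCAL_MAC));
    printf("strict check, full correct MAC:        %d\n",
           mac_check_strict(SAMPLE_LOCAL_MAC, SAMPLE_LOCAL_MAC, USM_MAC_LEN));
    printf("strict check, tampered MAC:            %d\n",
           mac_check_strict(SAMPLE_LOCAL_MAC, SAMPLE_TAMPERED_MAC,
                            USM_MAC_LEN));
    return 0;
}
```

The helper doubles as a regression test for any MAC verification routine: a check that accepts even one short MAC has the length problem described in the announcement.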


From kees at ubuntu.com  Fri Aug  1 15:51:27 2008
From: kees at ubuntu.com (Kees Cook)
Date: Fri, 1 Aug 2008 07:51:27 -0700
Subject: [Full-disclosure] [USN-632-1] Python vulnerabilities
Message-ID: <20080801145127.GC21348@outflux.net>

===========================================================
Ubuntu Security Notice USN-632-1            August 01, 2008
python2.4, python2.5 vulnerabilities
CVE-2008-1679, CVE-2008-1721, CVE-2008-1887, CVE-2008-2315,
CVE-2008-2316, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4                       2.4.3-0ubuntu6.2
  python2.4-minimal               2.4.3-0ubuntu6.2

Ubuntu 7.04:
  python2.4                       2.4.4-2ubuntu7.2
  python2.4-minimal               2.4.4-2ubuntu7.2
  python2.5                       2.5.1-0ubuntu1.2
  python2.5-minimal               2.5.1-0ubuntu1.2

Ubuntu 7.10:
  python2.4                       2.4.4-6ubuntu4.2
  python2.4-minimal               2.4.4-6ubuntu4.2
  python2.5                       2.5.1-5ubuntu5.2
  python2.5-minimal               2.5.1-5ubuntu5.2

Ubuntu 8.04 LTS:
  python2.4                       2.4.5-1ubuntu4.1
  python2.4-minimal               2.4.5-1ubuntu4.1
  python2.5                       2.5.2-2ubuntu4.1
  python2.5-minimal               2.5.2-2ubuntu4.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

It was discovered that there were new integer overflows in the imageop
module. If an attacker were able to trick a Python application into
processing a specially crafted image, they could execute arbitrary code
with user privileges. (CVE-2008-1679)

Justin Ferguson discovered that the zlib module did not correctly
handle certain archives. If an attacker were able to trick a Python
application into processing a specially crafted archive file, they could
execute arbitrary code with user privileges. (CVE-2008-1721)

Justin Ferguson discovered that certain string manipulations in Python
could be made to overflow. If an attacker were able to pass a
specially crafted string through the PyString_FromStringAndSize function,
they could execute arbitrary code with user privileges. (CVE-2008-1887)

Multiple integer overflows were discovered in Python's core and modules
including hashlib, binascii, pickle, md5, stringobject, unicodeobject,
bufferobject, longobject, tupleobject, stropmodule, gcmodule, and
mmapmodule. If an attacker were able to exploit these flaws they could
execute arbitrary code with user privileges or cause Python applications
to crash, leading to a denial of service. (CVE-2008-2315, CVE-2008-2316,
CVE-2008-3142, CVE-2008-3143, CVE-2008-3144).
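
Whether a host already carries the USN-632-1 fix depends on comparing each installed package version against the fixed version listed above using dpkg's ordering rules, not plain string order. The following Python is an added example, not part of the advisory: the fixed versions are copied from USN-632-1, while the function names and the sample inventory (in the format of `dpkg-query -W -f='${Package} ${Version}\n'`) are constructed for illustration.

```python
# Added example: decide which python2.x packages are still below the
# fixed versions named in USN-632-1, using dpkg-style version ordering.

DIGITS = "0123456789"

# Fixed versions from the advisory, keyed by (Ubuntu release, package).
FIXED = {
    ("6.06", "python2.4"): "2.4.3-0ubuntu6.2",
    ("7.04", "python2.4"): "2.4.4-2ubuntu7.2",
    ("7.04", "python2.5"): "2.5.1-0ubuntu1.2",
    ("7.10", "python2.4"): "2.4.4-6ubuntu4.2",
    ("7.10", "python2.5"): "2.5.1-5ubuntu5.2",
    ("8.04", "python2.4"): "2.4.5-1ubuntu4.1",
    ("8.04", "python2.5"): "2.5.2-2ubuntu4.1",
}
# The advisory lists the -minimal packages at the same versions.
for (_rel, _pkg), _ver in list(FIXED.items()):
    FIXED[(_rel, _pkg + "-minimal")] = _ver

# Constructed sample inventory for an Ubuntu 7.10 host (not real host data).
SAMPLE_INVENTORY_7_10 = """\
python2.4 2.4.4-6ubuntu4.2
python2.4-minimal 2.4.4-6ubuntu4.1
python2.5 2.5.1-5ubuntu5.10
python2.5-minimal 2.5.1-5ubuntu5.1
coreutils 5.97-5.3ubuntu3
"""


def _at(s, i):
    """Character at index i, or '' past the end of the string."""
    return s[i] if i < len(s) else ""


def _order(ch):
    """Sort weight in a non-digit run: '~' lowest, then end/digit, letters, others."""
    if ch == "" or ch in DIGITS:
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_part(a, b):
    """Compare one upstream or revision string by alternating text and number runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg weights.
        while (_at(a, i) and _at(a, i) not in DIGITS) or \
              (_at(b, j) and _at(b, j) not in DIGITS):
            oa, ob = _order(_at(a, i)), _order(_at(b, j))
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Digit run: compare numerically; an empty run counts as 0.
        x, y = i, j
        while _at(a, i) and _at(a, i) in DIGITS:
            i += 1
        while _at(b, j) and _at(b, j) in DIGITS:
            j += 1
        na, nb = int(a[x:i] or "0"), int(b[y:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to, or after b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def parse_inventory(text):
    """Parse 'package version' lines into a dict; other lines are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            out[parts[0]] = parts[1]
    return out


def audit(release, installed):
    """Return sorted package names installed below the USN-632-1 fixed version."""
    return sorted(
        pkg for pkg, ver in installed.items()
        if (release, pkg) in FIXED
        and compare_versions(ver, FIXED[(release, pkg)]) < 0
    )


if __name__ == "__main__":
    print(audit("7.10", parse_inventory(SAMPLE_INVENTORY_7_10)))
```

The `5ubuntu5.10` entry in the sample is deliberately later than the fixed `5ubuntu5.2`; a plain string comparison would misreport it as unpatched.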

From kees at ubuntu.com Fri Aug 1 16:26:31 2008
From: kees at ubuntu.com (Kees Cook)
Date: Fri, 1 Aug 2008 08:26:31 -0700
Subject: [Full-disclosure] [USN-633-1] libxslt vulnerabilities
Message-ID: <20080801152631.GE21348@outflux.net>

===========================================================
Ubuntu Security Notice USN-633-1            August 01, 2008
libxslt vulnerabilities
CVE-2008-1767, CVE-2008-2935
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libxslt1.1                      1.1.15-1ubuntu1.2

Ubuntu 7.04:
  libxslt1.1                      1.1.20-0ubuntu2.2

Ubuntu 7.10:
  libxslt1.1                      1.1.21-2ubuntu2.2

Ubuntu 8.04 LTS:
  libxslt1.1                      1.1.22-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that long transformation matches in libxslt could
overflow. If an attacker were able to make an application linked against
libxslt process malicious XSL style sheet input, they could execute
arbitrary code with user privileges or cause the application to crash,
leading to a denial of service. (CVE-2008-1767)

Chris Evans discovered that the RC4 processing code in libxslt did not
correctly handle corrupted key information. If a remote attacker were
able to make an application linked against libxslt process malicious
XML input, they could crash the application, leading to a denial of
service.
(CVE-2008-2935)

From kees at ubuntu.com Fri Aug 1 16:27:01 2008
From: kees at ubuntu.com (Kees Cook)
Date: Fri, 1 Aug 2008 08:27:01 -0700
Subject: [Full-disclosure] [USN-634-1] OpenLDAP vulnerability
Message-ID: <20080801152701.GF21348@outflux.net>

===========================================================
Ubuntu Security Notice USN-634-1            August 01, 2008
openldap2.2, openldap2.3 vulnerability
CVE-2008-2952
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  slapd                           2.2.26-5ubuntu2.8

Ubuntu 7.04:
  slapd                           2.3.30-2ubuntu0.3

Ubuntu 7.10:
  slapd                           2.3.35-1ubuntu0.3

Ubuntu 8.04 LTS:
  slapd                           2.4.9-0ubuntu0.8.04.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Cameron Hotchkies discovered that OpenLDAP did not correctly handle certain ASN.1 BER data. A remote attacker could send a specially crafted packet and crash slapd, leading to a denial of service.
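
Both Ubuntu notices above give one fixed package version per release. The following added example, which is not part of either advisory, checks a package inventory against those versions using Debian version ordering, since plain string comparison misorders values such as `1.1.9` and `1.1.15`. The host names and installed versions are constructed sample data; the fixed versions are the ones listed in USN-633-1 and USN-634-1.

```python
import re

# Fixed versions as listed in USN-633-1 (libxslt1.1) and USN-634-1 (slapd).
FIXED = {
    ("Ubuntu 6.06 LTS", "libxslt1.1"): "1.1.15-1ubuntu1.2",
    ("Ubuntu 7.04", "libxslt1.1"): "1.1.20-0ubuntu2.2",
    ("Ubuntu 7.10", "libxslt1.1"): "1.1.21-2ubuntu2.2",
    ("Ubuntu 8.04 LTS", "libxslt1.1"): "1.1.22-1ubuntu1.2",
    ("Ubuntu 6.06 LTS", "slapd"): "2.2.26-5ubuntu2.8",
    ("Ubuntu 7.04", "slapd"): "2.3.30-2ubuntu0.3",
    ("Ubuntu 7.10", "slapd"): "2.3.35-1ubuntu0.3",
    ("Ubuntu 8.04 LTS", "slapd"): "2.4.9-0ubuntu0.8.04.1",
}

# Constructed inventory rows: (host, release, package, installed version).
INVENTORY = [
    ("web01", "Ubuntu 8.04 LTS", "libxslt1.1", "1.1.22-1ubuntu1.1"),
    ("web02", "Ubuntu 8.04 LTS", "libxslt1.1", "1.1.22-1ubuntu1.2"),
    ("ldap01", "Ubuntu 7.10", "slapd", "2.3.35-1ubuntu0.2"),
    ("ldap02", "Ubuntu 8.04 LTS", "slapd", "2.4.9-0ubuntu0.8.04.1"),
    ("old01", "Ubuntu 6.06 LTS", "slapd", "2.2.26-5ubuntu2.8~test1"),
]


def _order(ch):
    """Sort weight of one non-digit character: '~' sorts before the end of
    the string (weight 0), letters sort before all other characters."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two upstream or revision strings the way dpkg does:
    alternating non-digit runs (by weight) and digit runs (numerically)."""
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for k in range(max(len(pa), len(pb))):
        text_a, num_a = pa[k] if k < len(pa) else ("", "")
        text_b, num_b = pb[k] if k < len(pb) else ("", "")
        for m in range(max(len(text_a), len(text_b))):
            wa = _order(text_a[m]) if m < len(text_a) else 0
            wb = _order(text_b[m]) if m < len(text_b) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        ia, ib = int(num_a or 0), int(num_b or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def audit(inventory, fixed=FIXED):
    """Return (host, package, installed, fixed) for every row whose installed
    version is older than the advisory's fixed version. Rows for a
    release/package pair that the advisories do not list are skipped."""
    findings = []
    for host, release, package, installed in inventory:
        target = fixed.get((release, package))
        if target is not None and compare_versions(installed, target) < 0:
            findings.append((host, package, installed, target))
    return findings


if __name__ == "__main__":
    for host, package, installed, target in audit(INVENTORY):
        print(f"{host}: {package} {installed} is older than {target}")
```
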

From thijs at debian.org Fri Aug 1 08:52:06 2008
From: thijs at debian.org (Thijs Kinkhorst)
Date: Fri, 1 Aug 2008 09:52:06 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1625-1] New cupsys packages fix arbitrary code execution
Message-ID: <20080801075206.95B8C326EFC@morgana.loeki.tv>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1625-1                  security at debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
August 01, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-0053 CVE-2008-1373 CVE-2008-1722
Debian Bug     : 476305

Several remote vulnerabilities have been discovered in the Common Unix Printing System (CUPS). The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0053

    Buffer overflows in the HP-GL input filter allowed to possibly run arbitrary code through crafted HP-GL files.

CVE-2008-1373

    Buffer overflow in the GIF filter allowed to possibly run arbitrary code through crafted GIF files.

CVE-2008-1722

    Integer overflows in the PNG filter allowed to possibly run arbitrary code through crafted PNG files.

For the stable distribution (etch), these problems have been fixed in version 1.2.7-4etch4 of package cupsys.

For the testing (lenny) and unstable distribution (sid), these problems have been fixed in version 1.3.7-2 of package cups.

We recommend that you upgrade your cupsys package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
(Intel ia64) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 203930 b457e7ae7fb11f876225150e559a4272 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 46330 922f2bd1d98fcbb40badcebd7c0cc07c http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 106642 b61d48e93e413245d3fd5ebe47c31243 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 1107892 65945b9397a13a31fb8646cb71ef7794 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 192372 eea62b30397305acdf6f98a6df50cf8e http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 1770682 398872427b493f8206c38a3504fc1904 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 74158 e1f00e7e8be7549ac2b58adaeba0f5b2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 106226 fb838547edf473df7efaa8fe41cf42f1 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mips.deb Size/MD5 checksum: 86546 02bd3a3bb274f21179f65edfb28c1f7e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mips.deb Size/MD5 checksum: 76158 53a90a54e6cf7418b81e0b40db39566b http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mips.deb Size/MD5 checksum: 36116 8d78c13d605160ee0caa835961667913 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mips.deb Size/MD5 checksum: 150982 b48a8bcf9dbff3e842f83f4ca05e0421 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mips.deb Size/MD5 checksum: 1097820 db2ff50e5555b022b54252f07b442992 
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mips.deb Size/MD5 checksum: 157742 94a7c2d49b7234c0a54291446c5ba06d http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mips.deb Size/MD5 checksum: 1567460 dffd05c006a78e53bc8c03dc8beaa4ea http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mips.deb Size/MD5 checksum: 57688 cbce6e984252bef94c0bd7ace9afdcdf mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 86688 7c91af84b2fab2419fa4939bb8080097 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 1552918 7d7af09023892fdd9e862ddcbb590fb3 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 150896 ba6b2f7c16957759b63e20d66d5964f2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 36064 702ec7fbc7b2716e10a97f7b7c11e75a http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 158270 0354f63d7126c3775cc74a95426052d4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 57846 2ee768d4dc5f9c8cbd046a801f154ef8 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 1084676 bb31572c9939fe22762ceef59550b25e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 77456 5884939dabb325cda97351bafdb62cfe powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 162918 05df3db670b3f2a4dbb9d8a2d666eaca http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 88204 
4546a01b202669d3ffa97dca5b93bf03 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 1576028 67c38bd81585274c0844efeedca40153 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 51894 321b1c0c9d59643294a87b00f81f7895 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 41310 45f55f0797900433a145028d63f6a6ef http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 90004 61698739b3b436e6d1651dc388a89575 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 1142660 10680b3b7efdeb10e9d834e869944206 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 136880 e5c2d81190a9233eb291b519c3b83de6 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_s390.deb Size/MD5 checksum: 166424 a2a07e7c586a10000b519c6f6c2ec4e2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_s390.deb Size/MD5 checksum: 1586828 1e581be3892b978e7284de896c3121de http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_s390.deb Size/MD5 checksum: 87588 b3d0d3e7dbb84414f606b4670c6e2692 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_s390.deb Size/MD5 checksum: 1036620 bd1b35bd24260dfb340e0a3173a811a2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_s390.deb Size/MD5 checksum: 37430 622787f6d8b910f3657f98e0f5bf97bc http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_s390.deb Size/MD5 checksum: 82342 40a55f0afa5b2fa03285fd4d4cd8666c http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_s390.deb Size/MD5 checksum: 52468 470a81c78c7ececae0569e75bfab9ca7 
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_s390.deb Size/MD5 checksum: 144932 9ab43b87566469af9e4a79c9c1fae493 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 139570 5f5faa6504275ed43f4a55787519fdfe http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 78516 7066d103f739cd570fd141aa4fa780f6 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 36032 c4e4289091dc19e5fbf7a6937ffb36f7 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 158816 f33bda24ec7774227b3bdb3dddcf1c46 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 51754 47ce5271662e6b980e34badfc9689009 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 84956 96aa28ac50548723754274f30db15379 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 991408 13a41c49f94085ca6a7f74a030506d3c http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 1562092 2bfd90bca7dbac40df73303f8e1e4b6f These files will probably be moved into the stable distribution on its next update. 
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From thijs at debian.org Fri Aug 1 08:52:19 2008
From: thijs at debian.org (Thijs Kinkhorst)
Date: Fri, 1 Aug 2008 09:52:19 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1626-1] New httrack packages fix arbitrary code execution
Message-ID: <20080801075219.89076326EFC@morgana.loeki.tv>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1626-1                  security at debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
August 01, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : httrack
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
BugTraq ID     : 30425

Joan Calvet discovered that httrack, a utility to create local copies of
websites, is vulnerable to a buffer overflow potentially allowing to
execute arbitrary code when passed excessively long URLs.

For the stable distribution (etch), this problem has been fixed in
version 3.40.4-3.1+etch1.
For the testing (lenny) and unstable distribution (sid), this problem has
been fixed in version 3.42.3-1.

We recommend that you upgrade your httrack package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------