Debian Security Advisory

DSA-034-1 ePerl -- remote root exploit

Date Reported:
7 Mar 2001
Affected Packages:
eperl
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 2464.
In Mitre's CVE dictionary: CVE-2001-0458.
More information:
Fumitoshi Ukai and Denis Barbier have discovered several potential buffer overflow bugs in our version of ePerl as distributed in all of our distributions.

When ePerl is installed setuid root, it can switch to the UID/GID of the script's owner. Although Debian does not ship the program setuid root, this is a useful feature that people may have enabled locally. When the program is used as /usr/lib/cgi-bin/nph-eperl, the bugs can also lead to a remote vulnerability.

Version 2.2.14-0.7potato2 fixes this; we recommend that you upgrade your ePerl package immediately.
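As an added example (not part of this advisory and not code from the ePerl project), the following POSIX shell helper audits the two conditions the advisory calls out on a local system: whether an ePerl binary carries the setuid bit, and whether the installed version is older than the fixed 2.2.14-0.7potato2. It also reports whether the CGI wrapper path named above is present. The function names, the use of dpkg --compare-versions with a sort -V fallback, and the paths passed as arguments are assumptions for illustration; run it against the real binary and version on the host being checked.

```sh
#!/bin/sh
# Added example, not part of DSA-034-1: local audit helper for the
# conditions described in the advisory. Paths and versions are passed in
# so the same functions can be run against a real install or a fixture.

# check_setuid PATH
#   prints "setuid", "not-setuid" or "missing"; returns 0 only when setuid.
check_setuid() {
    path=$1
    if [ ! -e "$path" ]; then
        printf 'missing\n'
        return 2
    fi
    # test -u is the POSIX check for the set-user-ID mode bit
    if [ -u "$path" ]; then
        printf 'setuid\n'
        return 0
    fi
    printf 'not-setuid\n'
    return 1
}

# version_older A B
#   returns 0 when Debian version A sorts before B.
#   Assumption: dpkg is used when available; otherwise GNU sort -V is a
#   good-enough approximation for the potato-style versions in this DSA.
version_older() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
        return
    fi
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# eperl_findings BIN CGI_PATH INSTALLED_VERSION
#   prints one finding per line; an empty result means none of the
#   advisory's risk conditions were observed.
eperl_findings() {
    bin=$1
    cgi=$2
    ver=$3
    fixed=2.2.14-0.7potato2          # fixed version named in the advisory
    if version_older "$ver" "$fixed"; then
        printf 'vulnerable-version %s (fixed in %s)\n' "$ver" "$fixed"
    fi
    # setuid root turns the overflow into a local privilege escalation
    if [ "$(check_setuid "$bin")" = setuid ]; then
        printf 'setuid-binary %s\n' "$bin"
    fi
    # the CGI wrapper is the path through which the bug becomes remote
    if [ -e "$cgi" ]; then
        printf 'cgi-wrapper-present %s\n' "$cgi"
    fi
}

# Example invocation (assumed paths; adjust for the host being audited):
#   eperl_findings /usr/bin/eperl /usr/lib/cgi-bin/nph-eperl \
#       "$(dpkg-query -W -f '${Version}' eperl 2>/dev/null)"
```

The installed version is deliberately an argument rather than read inside the function, so the check can be fed output from dpkg-query on a Debian host or from any other inventory source without changing the logic.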

Fixed in:

Debian 2.2 (potato)

Source:
http://security.debian.org/dists/stable/updates/main/source/eperl_2.2.14-0.7potato2.diff.gz
http://security.debian.org/dists/stable/updates/main/source/eperl_2.2.14-0.7potato2.dsc
http://security.debian.org/dists/stable/updates/main/source/eperl_2.2.14.orig.tar.gz
alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/eperl_2.2.14-0.7potato2_alpha.deb
arm:
http://security.debian.org/dists/stable/updates/main/binary-arm/eperl_2.2.14-0.7potato2_arm.deb
i386:
http://security.debian.org/dists/stable/updates/main/binary-i386/eperl_2.2.14-0.7potato2_i386.deb
m68k:
http://security.debian.org/dists/stable/updates/main/binary-m68k/eperl_2.2.14-0.7potato2_m68k.deb
powerpc:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/eperl_2.2.14-0.7potato2_powerpc.deb
sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/eperl_2.2.14-0.7potato2_sparc.deb