Debians sikkerhedsbulletin

DSA-137-1 mm -- usikre midlertidige filer

Rapporteret den:
30. jul 2002
Berørte pakker:
mm
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 5352.
I Mitres CVE-ordbog: CVE-2002-0658.
Yderligere oplysninger:

Marcus Meissner og Sebastian Krahmer har opdaget og rettet et sårbarhedsproblem med midlertidige problemer i det delte hukommelsesbibliotek mm. Problemet kan udnyttes til at få root-adgang til en maskine som kører Apache som er linket til dette bibliotek, hvis shell-adgang til brugeren "www-data" allerede er tilgængelig (hvilket nemt kunne ske via PHP).

Problemet er rettet i opstrøms version 1.2.0 af mm, som vil blive uploadet til Debians ustabile distribution mens denne bulletin frigives. Der er links til rettede pakker til potato (Debian 2.2) og woody (Debian 3.0) nedenfor.

Vi anbefaler at du omgående opgraderer dine libmm-pakker og genstarter din Apache-server.

Rettet i:

Debian GNU/Linux 2.2 (potato)

Kildekode:
http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11-1.2.dsc
http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11.orig.tar.gz
http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11-1.2.diff.gz
Alpha:
http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_alpha.deb
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_arm.deb
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_arm.deb
Intel ia32:
http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_i386.deb
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_m68k.deb
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_sparc.deb
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_sparc.deb

Debian GNU/Linux 3.0 (woody)

Kildekode:
http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3-6.1.dsc
http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3.orig.tar.gz
http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3-6.1.diff.gz
Alpha:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_alpha.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_arm.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_arm.deb
Intel ia32:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_i386.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_i386.deb
Intel ia64:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_ia64.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_ia64.deb
HP Precision:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_hppa.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_m68k.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_mips.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_mipsel.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_powerpc.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_s390.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_sparc.deb
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.