Debians sikkerhedsbulletin

DSA-1205-2 thttpd -- usikre midlertidige filer

Rapporteret den:
2. nov 2006
Berørte pakker:
thttpd
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Debians fejlsporingssystem: Fejl 396277.
I Mitres CVE-ordbog: CVE-2006-4248.
Yderligere oplysninger:

Den oprindelige bulletin for dette problem indeholdt ikke rettede pakker til alle understøttede arkitekturer, hvilket rettes med denne opdatering. Til reference er herunder den oprindelige bulletins tekst:

Marco d'Itri har opdaget at thttpd, en lille, hurtig og sikker webserver, anvendte usikre midlertidige filer når dens logfiler blev roteret, hvilket kunne føre til et lammelsesangreb (denial of service) gennem et symlinkangreb.

I den stabile distribution (sarge) er dette problem rettet i version 2.23beta1-3sarge2.

I den ustabile distribution (sid) er dette problem rettet i version 2.23beta1-5.

Vi anbefaler at du opgraderer din thttpd-pakke.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2.dsc
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2.diff.gz
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_alpha.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_amd64.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_arm.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_arm.deb
HPPA:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_hppa.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_i386.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_ia64.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_ia64.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_m68k.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_mips.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_s390.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_sparc.deb
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.

MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.