Debians sikkerhedsbulletin
DSA-1205-2 thttpd -- usikre midlertidige filer
- Rapporteret den:
- 2. nov 2006
- Berørte pakker:
- thttpd
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Debians fejlsporingssystem: Fejl 396277.
I Mitres CVE-ordbog: CVE-2006-4248. - Yderligere oplysninger:
-
Den oprindelige bulletin for dette problem indeholdt ikke rettede pakker til alle understøttede arkitekturer, hvilket rettes med denne opdatering. Til reference er herunder den oprindelige bulletins tekst:
Marco d'Itri har opdaget at thttpd, en lille, hurtig og sikker webserver, anvendte usikre midlertidige filer når dens logfiler blev roteret, hvilket kunne føre til et lammelsesangreb (denial of service) gennem et symlinkangreb.
I den stabile distribution (sarge) er dette problem rettet i version 2.23beta1-3sarge2.
I den ustabile distribution (sid) er dette problem rettet i version 2.23beta1-5.
Vi anbefaler at du opgraderer din thttpd-pakke.
- Rettet i:
-
Debian GNU/Linux 3.1 (sarge)
- Kildekode:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2.dsc
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2.diff.gz
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1.orig.tar.gz
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_alpha.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_alpha.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_amd64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_amd64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_arm.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_arm.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_arm.deb
- HPPA:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_hppa.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_hppa.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_i386.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_i386.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_ia64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_ia64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_ia64.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_m68k.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_m68k.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_mips.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_mips.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_mipsel.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_mipsel.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_powerpc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_powerpc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_s390.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_s390.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge2_sparc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_sparc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge2_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.
MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.