Debians sikkerhedsbulletin

DSA-1402-1 gforge -- usikre midlertidige filer

Rapporteret den:

7. nov 2007

Berørte pakker:

gforge

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2007-3921.

Yderligere oplysninger:

Steve Kemp fra Debian Security Audit-projektet opdagede at gforge, et samarbejdsudviklingsværktøj, anvendte midlertidige filer på en usikker måde, hvilket kunne gøre det muligt for lokale brugere at trunkere filer på systemet, med rettighederne hørende til gforge-brugeren, eller iværksætte lammelsesangreb (denial of service).

I den gamle stabile distribution (sarge), er dette problem rettet i version 3.1-31sarge4.

I den stabile distribution (etch), er dette problem rettet i version 4.5.14-22etch3.

Vi anbefaler at du opgraderer din gforge-pakke.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:: http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.dsc; http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz; http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.diff.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge4_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge4_all.deb

Debian GNU/Linux 4.0 (etch)

Kildekode:: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.dsc; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.diff.gz; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch3_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch3_all.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.