Debian Security Advisory

DSA-1402-1 gforge -- insecure temporary files

Date Reported:
7 Nov 2007
Affected Packages:
gforge
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2007-3921.
More information:

Steve Kemp from the Debian Security Audit project discovered that gforge, a collaborative development tool, used temporary files in an insecure manner, which could allow local users to truncate files on the system with the privileges of the gforge user, or to mount a denial of service attack.
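The bug class this advisory describes, shown as an added example that is not part of the advisory or of gforge's own code: Python stands in for whatever language the affected scripts use, and all file names below are a constructed scenario run inside an isolated temporary directory. The weak pattern (a predictable name opened with truncation) is placed beside the two hardened patterns (exclusive creation at a fixed name, and mkstemp).

```python
import errno
import os
import tempfile

def insecure_tmp_write(path, data):
    # Weak pattern: predictable name, O_CREAT|O_TRUNC, no O_EXCL. A symlink already
    # at `path` is followed, so its target is truncated with the caller's privileges.
    with open(path, "wb") as fh:
        fh.write(data)

def exclusive_create(path, data):
    # Hardened fixed-name variant: O_EXCL makes open() fail on any existing entry,
    # a symlink included (POSIX); O_NOFOLLOW adds a second guard. False if refused.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True

def secure_tmp_write(data, directory=None):
    # Preferred pattern: mkstemp picks an unpredictable name and creates it
    # exclusively with mode 0600, retrying on collision. Caller unlinks it.
    fd, path = tempfile.mkstemp(prefix="example-", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demonstrate():
    results = {}
    with tempfile.TemporaryDirectory() as workdir:  # constructed, isolated scenario
        for label, writer in (("insecure", insecure_tmp_write),
                              ("exclusive", exclusive_create)):
            victim = os.path.join(workdir, label + "-victim")
            link = os.path.join(workdir, label + "-predictable.tmp")
            with open(victim, "wb") as fh:
                fh.write(b"original contents")
            os.symlink(victim, link)  # a link pre-planted at the predictable name
            created = writer(link, b"clobbered")
            with open(victim, "rb") as fh:
                results[label] = (created, fh.read())
        safe = secure_tmp_write(b"private data", workdir)
        with open(safe, "rb") as fh:
            results["mkstemp"] = (os.stat(safe).st_mode & 0o777, fh.read())
        os.unlink(safe)
    return results
```

Running `demonstrate()` shows the weak writer replacing the victim's contents while the exclusive variant refuses and leaves them intact; the mkstemp file is created with mode 0600 and a name nobody could have planted in advance.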

For the old stable distribution (sarge), this problem has been fixed in version 3.1-31sarge4.

For the stable distribution (etch), this problem has been fixed in version 4.5.14-22etch3.

We recommend that you upgrade your gforge package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.dsc
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge4_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge4_all.deb

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.dsc
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.diff.gz
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch3_all.deb

MD5 checksums of the listed files are available in the original advisory.