Debian Security Advisory

DSA-1945-1 gforge -- symlink attack

Date Reported:
3 Dec 2009
Affected Packages:
gforge
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2009-3304.
More information:

Sylvain Beucler discovered that gforge, a collaborative development tool, was vulnerable to a symlink attack, which allowed local users to cause a denial of service by overwriting arbitrary files.
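
The class of bug described above is a program writing to a predictable file name that an unprivileged local user can pre-create as a symbolic link, so the write lands on whatever the link points at. The following is an added example (not code from the gforge project or from the Debian advisory) contrasting the vulnerable pattern with two hardened ones: create-only opening with `O_CREAT|O_EXCL|O_NOFOLLOW`, and an unpredictable name from `tempfile.mkstemp`. All file names and contents are constructed; the scenario runs inside a private temporary directory.

```python
import errno
import os
import tempfile


def unsafe_write(path: str, data: str) -> None:
    """Vulnerable pattern: open() on a predictable name follows a symlink
    and truncates whatever the link points at."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path: str, data: str) -> bool:
    """Hardened pattern: create-only open that refuses to follow a symlink.

    O_EXCL makes creation fail if the name already exists (a planted symlink
    included); O_NOFOLLOW refuses a symlink at the final path component.
    Returns True if the file was created and written, False if refused.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def mkstemp_write(dirpath: str, data: str) -> str:
    """Idiomatic fix: mkstemp picks an unpredictable name and opens it with
    O_CREAT|O_EXCL and mode 0600, so there is no name to pre-create.
    Returns the path of the file that was written."""
    fd, path = tempfile.mkstemp(dir=dirpath, prefix="report-")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Constructed scenario (hypothetical file names) in a private temp dir."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as f:
            f.write("original")

        # Predictable work-file name, pre-created as a symlink to the victim.
        work = os.path.join(d, "report.tmp")
        os.symlink(victim, work)

        unsafe_write(work, "clobbered")
        unsafe_overwrote = open(victim).read() == "clobbered"

        safe_refused = not safe_write(work, "safe data")
        victim_after_safe = open(victim).read()

        fresh = os.path.join(d, "report2.tmp")
        fresh_written = safe_write(fresh, "safe data")
        fresh_content = open(fresh).read()

        tmp_path = mkstemp_write(d, "mkstemp data")
        tmp_content = open(tmp_path).read()

        return {
            "unsafe_overwrote": unsafe_overwrote,
            "safe_refused": safe_refused,
            "victim_after_safe": victim_after_safe,
            "fresh_written": fresh_written,
            "fresh_content": fresh_content,
            "tmp_content": tmp_content,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The result dictionary shows the unsafe call replacing the victim's contents through the link, while the create-only open refuses the planted name and leaves the victim untouched; on a fresh name it succeeds normally. `mkstemp` removes the predictability entirely and is the usual choice for scripts that need scratch files in shared directories such as `/tmp`.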

For the old stable distribution (etch), this problem has been fixed in version 4.5.14-22etch13.

For the stable distribution (lenny), this problem has been fixed in version 4.7~rc2-7lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 4.8.2-1.

We recommend that you upgrade your gforge packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13.dsc
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch13_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch13_all.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3.diff.gz
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3.dsc
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-mediawiki_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmsvn_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache2_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.7~rc2-7lenny3_all.deb
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmcvs_4.7~rc2-7lenny3_all.deb

MD5 checksums of the listed files are available in the original advisory.