Debians sikkerhedsbulletin
DSA-1945-1 gforge -- symbolsk lænke-angreb
- Rapporteret den:
- 3. dec 2009
- Berørte pakker:
- gforge
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2009-3304.
- Yderligere oplysninger:
-
Sylvain Beucler opdagede at gforge, et værktøj til udviklingssamarbejde, var sårbart over for et symlinkangreb, hvilket gjorde det muligt for lokale brugere at udføre et lammelsesangreb ved at overskrive vilkårlige filer.
I den gamle stabile distribution (etch), er dette problem rettet i version 4.5.14-22etch13.
I den stabile distribution (lenny), er dette problem rettet i version 4.7~rc2-7lenny3.
I distributionen testing (squeeze), vil dette problem snart blive rettet.
I den ustabile distribution (sid), er dette problem rettet i version 4.8.2-1.
Vi anbefaler at du opgraderer dine gforge-pakker.
- Rettet i:
-
Debian GNU/Linux 4.0 (etch)
- Kildekode:
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13.dsc
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13.diff.gz
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch13_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch13_all.deb
Debian GNU/Linux 5.0 (lenny)
- Kildekode:
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3.diff.gz
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3.dsc
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2.orig.tar.gz
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3.dsc
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-mediawiki_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmsvn_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache2_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmcvs_4.7~rc2-7lenny3_all.deb
- http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny3_all.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.