Debians sikkerhedsbulletin

DSA-314-1 atftp -- bufferoverløb

Rapporteret den:
11. jun 2003
Berørte pakker:
atftp
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2003-0380.
Yderligere oplysninger:

Rick Patel har opdaget af atftpd er sårbar overfor et bufferoverløb når et langt filnavn sendes til serveren. En angriber kunne fjernudnytte denne fejl til at udføre vilkårlig kode på serveren.

I den stabile distribution (woody) er dette problem rette i version 0.6.1.1.0woody1.

Den gamle stabile distribution (potato) indeholder ikke en atftp-pakke.

I den ustabile distribution (sid) vil dette problem snart blive rettet.

Vi anbefaler at du opdaterer din atftp-pakke.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1.dsc
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_alpha.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_arm.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_i386.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_ia64.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_hppa.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_m68k.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mips.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mipsel.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_powerpc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_s390.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_sparc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.