Re: New gzip packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Doing upgrade.
(pfiou, lot of security issues lately)
lundi 11 juillet, vers 18h, Martin Schulze écrivit :
>
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 752-1 security@debian.org
> http://www.debian.org/security/ Martin Schulze July 11th, 2005
> http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package : gzip
> Vulnerability : several
> Problem-Type : local (remote)
> Debian-specific: no
> CVE ID : CAN-2005-0988 CAN-2005-1228
> Debian Bug : 305255
>
> Two problems have been discovered in gzip, the GNU compression
> utility. The Common Vulnerabilities and Exposures project
> identifies the following problems.
>
> CAN-2005-0988
>
> Imran Ghory discovered a race condition in the permissions setting
> code in gzip. When decompressing a file in a directory an
> attacker has access to, gunzip could be tricked to set the file
> permissions to a different file the user has permissions to.
>
> CAN-2005-1228
>
> Ulf Härnhammar discovered a path traversal vulnerability in
> gunzip. When gunzip is used with the -N option an attacker could
> this vulnerability to create files in an arbitrary directory with
> the permissions of the user.
>
> For the oldstable distribution (woody) these problems have been
> fixed in version 1.3.2-3woody5.
>
> For the stable distribution (sarge) these problems have been fixed
> in version 1.3.5-10.
>
> For the unstable distribution (sid) these problems have been fixed
> in version 1.3.5-10.
>
> We recommend that you upgrade your gzip package.
>
>
> Upgrade Instructions
> --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> --------------------------------
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5.dsc
> Size/MD5 checksum: 577 b948bd1c9e50578a4a9109eed8090d20
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5.diff.gz
> Size/MD5 checksum: 7146 59a0d39e9d98109bc698c22d6803516f
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2.orig.tar.gz
> Size/MD5 checksum: 311011 57bff96b6b4bcbb060566bdbed29485d
>
> Alpha architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_alpha.deb
> Size/MD5 checksum: 76648 53d463707426c9f84d7d0cb7a6a1d742
>
> ARM architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_arm.deb
> Size/MD5 checksum: 68946 2610eba8ec765b72a82e8ff1c5e8efc1
>
> Intel IA-32 architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_i386.deb
> Size/MD5 checksum: 62238 c323f08a1c1c30e10800f36eed4ec3d4
>
> Intel IA-64 architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_ia64.deb
> Size/MD5 checksum: 87028 3c295aefd208e38f523d9719322f3bb4
>
> HP Precision architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_hppa.deb
> Size/MD5 checksum: 72788 41c9211dce59753260d83635e8212ce1
>
> Motorola 680x0 architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_m68k.deb
> Size/MD5 checksum: 61456 67ed89c721455f23c26735dc322c53a3
>
> Big endian MIPS architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_mips.deb
> Size/MD5 checksum: 71896 3907341326822557d0e2c8ed87af77e5
>
> Little endian MIPS architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_mipsel.deb
> Size/MD5 checksum: 71742 4ced896d0887f2a2a81c339ffff7544b
>
> PowerPC architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_powerpc.deb
> Size/MD5 checksum: 69550 06f8ffd3e7bb5709b0c1e5854bd0c1d8
>
> IBM S/390 architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_s390.deb
> Size/MD5 checksum: 66936 5ad01afb6c4c6f79785c18ea1d84d28e
>
> Sun Sparc architecture:
>
> http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5_sparc.deb
> Size/MD5 checksum: 70416 ec2acb3ddfa0a6086665136ee4056e6e
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main For
> dpkg-ftp: ftp://security.debian.org/debian-security
> dists/stable/updates/main Mailing list:
> debian-security-announce@lists.debian.org Package info: `apt-cache
> show <pkg>' and http://packages.debian.org/<pkg>
- --
Mathieu Roy
+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english |
+---------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFC0qXTNl9/9y2hmbkRAippAJ9zi+jB+DIzmsa9zx9mBlo2Vn2nEwCfUswJ
WfVU/pCa7rcl3AFsc7ZXF5g=
=S7Of
-----END PGP SIGNATURE-----
Reply to: