Date: 12 January 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0028 -- [UNIX/Linux][Debian]
New gforge packages fix SQL injection
12 January 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              gforge
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-2381

Original Bulletin:    http://www.debian.org/security/2008/dsa-1698

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running gforge check for an updated version of the software for
         their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1698-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
January 09, 2009 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : gforge
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2381

It was discovered that GForge, a collaborative development tool,
insufficiently sanitises some input allowing a remote attacker to
perform SQL injection.

For the stable distribution (etch), this problem has been fixed in
version 4.5.14-22etch10.

For the testing (lenny) and unstable distribution (sid), this problem
has been fixed in version 4.7~rc2-7.

We recommend that you upgrade your gforge package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Size/MD5 checksum: 2161141 e85f82eff84ee073f80a2a52dd32c8a5
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch9.diff.gz
Size/MD5 checksum: 199329 6414734bde3d1783cf0e2444132d64ff
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch10.diff.gz
Size/MD5 checksum: 199610 73b60a0e768f798d14102b84e44cd9b1
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch10.dsc
Size/MD5 checksum: 952 c2252c54ffade219203d006cdc64f91d
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch9.dsc
Size/MD5 checksum: 950 157db49aeacbdbee525e922defce5f16
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch10_all.deb
Size/MD5 checksum: 80422 a9b65d4e911add81e36120fbc544f81c
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch10_all.deb
Size/MD5 checksum: 705076 633d26be5fa1f2ade140c7da64fa6e6c
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch10_all.deb
Size/MD5 checksum: 103914 676482196214c4a12639a02521c53a7d
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch9_all.deb
Size/MD5 checksum: 212550 85b6f53b1e4a4ead87d775f11c77b49a
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch9_all.deb
Size/MD5 checksum: 705018 90f3187e48801bb2ec2db79378d2a591
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch9_all.deb
Size/MD5 checksum: 76138 243c034e04e560bda6c36bdc9dc7c507
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch10_all.deb
Size/MD5 checksum: 212632 096dd8f5c46723d1380f9a167d6bb376
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch9_all.deb
Size/MD5 checksum: 1010976 9e60171c74bc627e73e062c30e169d7e
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch10_all.deb
Size/MD5 checksum: 86194 8bb823343c71101fa959b45765b597b6
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch9_all.deb
Size/MD5 checksum: 87206 ece177d2a29bad7645fd3814903b2e8b
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch9_all.deb
Size/MD5 checksum: 88566 6739e7cb336746e32645ed46f940e39f
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch10_all.deb
Size/MD5 checksum: 1011010 516e5203afff464172b02ffd5c30a89e
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch9_all.deb
Size/MD5 checksum: 88670 8562b858d5e691eed636c51ac97575fe
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch10_all.deb
Size/MD5 checksum: 88650 ffb7e94dfcde242e63727afcbb5cf541
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch9_all.deb
Size/MD5 checksum: 80324 a7a10e2bb6da8f71778d39885741d9d6
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch9_all.deb
Size/MD5 checksum: 89178 4e859efc65d23de82d8254476467a092
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch10_all.deb
Size/MD5 checksum: 76234 7c50c3c5583f68804979efd5adf2992a
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch9_all.deb
Size/MD5 checksum: 82138 3827dc51c27eeb10707339326e2af17c
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch9_all.deb
Size/MD5 checksum: 86392 ae8fc096931982372d6926e2633dbbd2
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch10_all.deb
Size/MD5 checksum: 89260 5508b317689cb6832109c3aed78cb58e
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch10_all.deb
Size/MD5 checksum: 95648 33598476706a7884652666ca2ca1af28
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch10_all.deb
Size/MD5 checksum: 86482 0508b738b4b48b9f0f60f732b1e91d74
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch9_all.deb
Size/MD5 checksum: 95592 1743291eb91467798186579f3aaf1d25
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch10_all.deb
Size/MD5 checksum: 87286 cda968a4ac1f7b4827fd3494334d31b6
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch9_all.deb
Size/MD5 checksum: 86104 e4ed2bb5eb3dd6571bf98ffbbe8042e6
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch10_all.deb
Size/MD5 checksum: 82230 e816404997ed010acc59c6662b483317
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch9_all.deb
Size/MD5 checksum: 103826 abd5c30fc9a5b6f8c5beb50056333688
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch10_all.deb
Size/MD5 checksum: 88752 579a75816591e7c458ad57dbf3c3b32f
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----