Date: 03 January 2005
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0002 -- Debian Security Advisory DSA 620-1
New perl packages fix several vulnerabilities
3 January 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: perl
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
Impact: Delete Arbitrary Files
Overwrite Arbitrary Files
Access: Existing Account
CVE Names: CAN-2004-0976 CAN-2004-0452
Original Bulletin: http://www.debian.org/security/2004/dsa-620
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 620-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 30th, 2004 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : perl
Vulnerability : insecure temporary files / directories
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0452 CAN-2004-0976
Several vulnerabilities have been discovered in Perl, the popular
scripting language. The Common Vulnerabilities and Exposures project
identifies the following problems:
CAN-2004-0452
Jeroen van Wolffelaar discovered that the rmtree() function in the
File::Path module removes directory trees in an insecure manner
which could lead to the removal of arbitrary files and directories
through a symlink attack.
CAN-2004-0976
Trustix developers discovered several insecure uses of temporary
files in many modules which allow a local attacker to overwrite
files via a symlink attack.
For the stable distribution (woody) these problems have been fixed in
version 5.6.1-8.8.
For the unstable distribution (sid) these problems have been fixed in
version 5.8.4-5.
We recommend that you upgrade your perl packages.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8.dsc
Size/MD5 checksum: 687 bdc819ee60db1a3b36c3dca291f52ace
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8.diff.gz
Size/MD5 checksum: 172848 fd37736eb59a9818267ee7d857392ad7
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
Size/MD5 checksum: 5983695 ec1ff15464809b562aecfaa2e65edba6
Architecture independent components:
http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.8_all.deb
Size/MD5 checksum: 31398 b3770a464c4829cffc57b6200d7aea5a
http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.8_all.deb
Size/MD5 checksum: 3885590 67218848fb7f8d1c957c544e65cfec6f
http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.8_all.deb
Size/MD5 checksum: 1278678 f9096ccecd9a4498710918630f5d1c33
Alpha architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_alpha.deb
Size/MD5 checksum: 620330 89d10e31a2d585a5e21f03ced90588ae
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_alpha.deb
Size/MD5 checksum: 435780 f3f58d63f33ea7329643f3018557567c
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_alpha.deb
Size/MD5 checksum: 1217954 ddc314501497c8fccce05836440725b7
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_alpha.deb
Size/MD5 checksum: 209206 47f3505b8f00c927c8418ee7f738a4e4
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_alpha.deb
Size/MD5 checksum: 2826662 fcfc45b3c132e3cbe611e938f107dfc4
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_alpha.deb
Size/MD5 checksum: 34554 55824148ee93769d5cfa37b38e19ac8a
ARM architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_arm.deb
Size/MD5 checksum: 516708 6282cf2711efc7fa7e5d64ee3cb1878a
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_arm.deb
Size/MD5 checksum: 362942 726aead8125fdf9511da4b9a78b7bbf0
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_arm.deb
Size/MD5 checksum: 1164478 13138bd197201c32b928e4e5c3e0da54
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_arm.deb
Size/MD5 checksum: 545864 650daeadb1be2bc86226e1807dc2e57c
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_arm.deb
Size/MD5 checksum: 2307242 7e28620ac4894efdb57f9b57a8af0309
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_arm.deb
Size/MD5 checksum: 29192 fadf45170059bf5215dd759c32c79c83
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_i386.deb
Size/MD5 checksum: 424662 217c74330cb9c12cbd906aec43abe92f
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_i386.deb
Size/MD5 checksum: 347978 15e1c64f422e6495fd92e09f02991814
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_i386.deb
Size/MD5 checksum: 1150484 1569e8cbc55a2ec5babdadac0b925b12
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_i386.deb
Size/MD5 checksum: 497242 250b97b266658e9b3c98967dd6947c99
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_i386.deb
Size/MD5 checksum: 2119362 13ab60aa1701b7fce4b96de9a78e9261
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_i386.deb
Size/MD5 checksum: 28422 e5235115cc02003dd3515a0d38f23b42
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_ia64.deb
Size/MD5 checksum: 703874 ea071c083351f2e07dc6e22bcc9dd1e8
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_ia64.deb
Size/MD5 checksum: 599450 87da2520a1ff7b157f7414999483ea7f
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_ia64.deb
Size/MD5 checksum: 1266726 2378fb694f478f3fe2549e0e792ceccb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_ia64.deb
Size/MD5 checksum: 226952 43de968717f3e066e7e45aca8a0bb2e7
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_ia64.deb
Size/MD5 checksum: 3312698 46633fe22b1172ff9308bcf84633ab09
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_ia64.deb
Size/MD5 checksum: 44922 cee01e78831eb62247721e2599e28111
HP Precision architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_hppa.deb
Size/MD5 checksum: 623320 ffa469711a7cacb5da07c6792b6c1f8a
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_hppa.deb
Size/MD5 checksum: 473736 428829e842147dcb2f4ec7dbe796bf44
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_hppa.deb
Size/MD5 checksum: 1211876 c3aa141e650e34c176f4ef33679b28e9
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_hppa.deb
Size/MD5 checksum: 209036 fbe5e0e56e8bef503795adb8fb84f7e6
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_hppa.deb
Size/MD5 checksum: 2288242 c7332174e8aa431a6af401f56db5b0b0
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_hppa.deb
Size/MD5 checksum: 33804 b912570681c8ce55f5231136ec9dd0bc
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_m68k.deb
Size/MD5 checksum: 399798 49186a13c85be2507929b0088c80f936
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_m68k.deb
Size/MD5 checksum: 332256 89e19e7d6342f136eb61bad61f18ba25
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_m68k.deb
Size/MD5 checksum: 1149714 0371c82b59198887645e622b72e7773e
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_m68k.deb
Size/MD5 checksum: 192800 bc262c2f107d988d01f2225fe4a28045
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_m68k.deb
Size/MD5 checksum: 2132060 43e96b020e61cffc3a8424bc4456e6c7
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_m68k.deb
Size/MD5 checksum: 27480 e02b54b1d96473086606a0186de84fb9
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_mips.deb
Size/MD5 checksum: 522884 ee28c8b9de23b790c88b09d911200c71
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_mips.deb
Size/MD5 checksum: 364942 623317099dcf47d9f965540f85bdf61d
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_mips.deb
Size/MD5 checksum: 1159462 2ebd6824e7dca7f318e34c503c892c87
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_mips.deb
Size/MD5 checksum: 186418 f34f09eaa7c7cb665a853e67bd8bc5ca
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_mips.deb
Size/MD5 checksum: 2408728 004e8b320e65ebaf43c214f17315fd4f
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_mips.deb
Size/MD5 checksum: 28782 ef0b0c2d068d59101a0e6a7a52394d9f
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_mipsel.deb
Size/MD5 checksum: 516638 f5d7aa7fd6a188e52343715f565cd985
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_mipsel.deb
Size/MD5 checksum: 361566 20506e6d81d71a9f524ba8c9f0b46766
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_mipsel.deb
Size/MD5 checksum: 1160560 6e52910c6d52fef4af1854273efc6b97
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_mipsel.deb
Size/MD5 checksum: 185892 cb780795dc3a9f89dd3e928916d5697b
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_mipsel.deb
Size/MD5 checksum: 2265696 faf3e90cf33d4a05ee89ad2dce10a731
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_mipsel.deb
Size/MD5 checksum: 28350 8e100b6ffcc92dbb7ad8c39141a8fc13
PowerPC architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_powerpc.deb
Size/MD5 checksum: 567822 a389ce2f331fa7c6179b6acfe74b6fba
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_powerpc.deb
Size/MD5 checksum: 400788 d7aa3166a880255702741a6ce677451d
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_powerpc.deb
Size/MD5 checksum: 1183696 0516786d16de1fe0dc8d2bfbbb75802e
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_powerpc.deb
Size/MD5 checksum: 202748 e0bc5ac3f0db9994cc5daee971ceb8ef
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_powerpc.deb
Size/MD5 checksum: 2301288 1949a1e1e17ce1d72a8a4e63d9ae265b
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_powerpc.deb
Size/MD5 checksum: 30562 ec46e881824909b063e7cefabb447232
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_s390.deb
Size/MD5 checksum: 456372 22ecdb672891c78e7a470879e10c52ff
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_s390.deb
Size/MD5 checksum: 405162 71f677c4161e3facd5495072f8b2e0d8
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_s390.deb
Size/MD5 checksum: 1168228 90823f3eb7a2dfcf8dd3daa1ae001c80
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_s390.deb
Size/MD5 checksum: 191856 88ef0c0df432ed437a279c4945317833
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_s390.deb
Size/MD5 checksum: 2210676 f7b7b1cbcda411f528eba1f8e6da1e85
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_s390.deb
Size/MD5 checksum: 32538 15fe4b25d51edf730c078b49e16ac349
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_sparc.deb
Size/MD5 checksum: 529204 c90d262455edb178c5ed486a84ce2c96
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_sparc.deb
Size/MD5 checksum: 404524 f7b7312b2e051d98c16278d329c0dfaf
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_sparc.deb
Size/MD5 checksum: 1192124 97287b68053e822bca53f5ae70e69eb4
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_sparc.deb
Size/MD5 checksum: 211732 0eb3277630c94eba2a98fa06a5fcd13e
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_sparc.deb
Size/MD5 checksum: 2285598 07d4569b34a0c0ec031b692ef4e06dc1
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_sparc.deb
Size/MD5 checksum: 30726 d5aaccf1c638201fdcaa9796f853fd50
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB1DHNW5ql+IAeqTIRAqyiAKCD1/wwqeL8Ducrcc/ofu1AtEjUUgCgsFhd
ygk4bUA3X+eVrXHnxR5zn/Y=
=1IvP
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQdk1Xih9+71yA2DNAQLhngP+OE3zV8aafJ/2WA8+TsVaPKv7rz9NErU0
uSFs/HReE3PY9q0/Mhco33NHtWnyZicZqBLq4M2hi50YKr+/zipzFOKjxzCLRMm+
GyIMAACY3T0jV049tluTMD/5dI7KJgaJGsam07eAxczGYIqONtJYFJO+22XN71ul
7wZB4U6Up5I=
=Mvqr
-----END PGP SIGNATURE-----
|