|
|
ESB-2005.1012 -- [UNIX/Linux][Debian] -- New dhis-tools-dns packages fix insecure temporary file creation |
|
Date: 28 December 2005 Original URL: http://www.auscert.org.au/render.html?cid=33&it=5870 Click here for PGP verifiable version -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.1012 -- [UNIX/Linux][Debian]
New dhis-tools-dns packages fix insecure temporary file creation
28 December 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dhis-tools-dns
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
UNIX variants (UNIX, Linux, OSX)
Impact: Overwrite Arbitrary Files
Access: Existing Account
CVE Names: CVE-2005-3341
Original Bulletin: http://www.debian.org/security/2005/dsa-928
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 928-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 27th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : dhis-tools-dns
Vulnerability : insecure temporary file
Problem type : local
Debian-specific: no
CVE ID : CVE-2005-3341
Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that two scripts in the dhis-tools-dns package, DNS
configuration utilities for a dynamic host information System, which
are usually executed by root, create temporary files in an insecure
fashion.
The old stable distribution (woody) does not contain a dhis-tools-dns
package.
For the stable distribution (sarge) these problems have been fixed in
version 5.0-3sarge1.
For the unstable distribution (sid) these problems have been fixed in
version 5.0-5.
We recommend that you upgrade your dhis-tools-dns package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1.dsc
Size/MD5 checksum: 623 b5bb7245baec1eaea19bca6fed93a20d
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1.diff.gz
Size/MD5 checksum: 4711 d2095bb5dbd01ad45eac91f17aa71dfa
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0.orig.tar.gz
Size/MD5 checksum: 3535 9674e661082ad955010efd6d06686b82
Alpha architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_alpha.deb
Size/MD5 checksum: 7978 207fa0d62d5cf58685f7f0db185e08d4
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_alpha.deb
Size/MD5 checksum: 8678 61934b801e98457666f28fd80e43dd53
AMD64 architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_amd64.deb
Size/MD5 checksum: 7592 c98df83e0c69f857ab6d098c4c09ec41
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_amd64.deb
Size/MD5 checksum: 8090 b6c4401b2cad0e2cb8fef248a783cc48
ARM architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_arm.deb
Size/MD5 checksum: 7432 03343675acb57b139d29ce92e0dd7750
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_arm.deb
Size/MD5 checksum: 7854 d58346c9292b0b5991f83ef3d9dd7a1d
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_i386.deb
Size/MD5 checksum: 7330 29c880357067715b4ea639804f58ee6a
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_i386.deb
Size/MD5 checksum: 7632 523f6a69be038c1d8ccb75f5e0cc2da9
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_ia64.deb
Size/MD5 checksum: 8692 091e101db6ebe1088b9f204611d6d20d
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_ia64.deb
Size/MD5 checksum: 9396 3e1d7ed7784f23c2d1437a6c0e935287
HP Precision architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_hppa.deb
Size/MD5 checksum: 8106 40ffc96aa7b1bdbdf075a45ff4a020ca
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_hppa.deb
Size/MD5 checksum: 8666 528294b6c32e7d694d7f5336294fccae
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_m68k.deb
Size/MD5 checksum: 7352 6c552aa90253a73c05203cc23fc08a49
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_m68k.deb
Size/MD5 checksum: 7774 6f56252d7552d86f1c26e61efe497b79
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_mips.deb
Size/MD5 checksum: 8292 5874ebc2df9870cf2fa8025d32954051
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_mips.deb
Size/MD5 checksum: 9970 8f0fe90a8941022445814684fb334f65
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_mipsel.deb
Size/MD5 checksum: 8320 21e2f84d584507d08c134775832b4adf
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_mipsel.deb
Size/MD5 checksum: 9938 16489ad8581b62e81b48da09b8b29fad
PowerPC architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_powerpc.deb
Size/MD5 checksum: 7778 a8b6300d9aa94a46b3a0b58ed0ca8333
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_powerpc.deb
Size/MD5 checksum: 9404 064c6072f9f0aac62f474cff127dad15
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_s390.deb
Size/MD5 checksum: 7736 6f4731b8f9e8b433537ce710b048db0f
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_s390.deb
Size/MD5 checksum: 8182 cc1d5ed072b00670b6a5b970c2ac8629
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_sparc.deb
Size/MD5 checksum: 7494 48715a9189a4cb3cf514a8bca423d113
http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_sparc.deb
Size/MD5 checksum: 7802 8c3e13cc4b95da0e4abd1926f11cfc94
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDsUIMW5ql+IAeqTIRAhkhAKCsoTfQHUogYp88tvGFLQ1EXaXWvwCfXgYj
04twCj9EXBgTif0U63RjIOo=
=cIG1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQ7H5ZCh9+71yA2DNAQIRVQP+J3iftqYjbg+jBDLWcaSs1UP64qGZlVR7
v28uAsb2Ntc0IXFyfYXIMSrwj8AWU01VkiPqZVuIR6tsfg4IIKS/fbZbSckwC415
tjYFmYKxkWlCtk4oZAOrlbget1VxfHSfCbjfF68NpwCRzUS5TSUvvTFWh1uBvCFy
+3D/FccMiCI=
=tDQR
-----END PGP SIGNATURE-----
|