Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0442 -- [Debian] New open-iscsi packages fix several vulnerabilities 20 June 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: open-iscsi Publisher: Debian Operating System: Debian GNU/Linux 4.0 Impact: Denial of Service Access: Existing Account CVE Names: CVE-2007-3100 CVE-2007-3099 Ref: ESB-2007.0418 Original Bulletin: http://www.debian.org/security/2007/dsa-1314 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1314-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff June 19th, 2007 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : open-iscsi Vulnerability : several Problem-Type : local/remote Debian-specific: no CVE ID : CVE-2007-3099 CVE-2007-3100 Several local and remote vulnerabilities have been discovered in open-iscsi, a transport-independent iSCSI implementation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-3099 Olaf Kirch discovered that due to a programming error access to the management interface socket was insufficiently protected, which allows denial of service. CVE-2007-3100 Olaf Kirch discovered that access to a semaphore used in the logging code was insufficiently protected, allowing denial of service. The oldstable distribution (sarge) doesn't include open-iscsi. For the stable distribution (etch) these problems have been fixed in version 2.0.730-1etch1. For the unstable distribution (sid) these problems have been fixed in version 2.0.865-1. We recommend that you upgrade your open-iscsi packages. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1.dsc Size/MD5 checksum: 592 c3ca52812e7394fbd46d4890d543d4e3 http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1.diff.gz Size/MD5 checksum: 7611 55cd1fbd431d428bd16d0afd2137c875 http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730.orig.tar.gz Size/MD5 checksum: 178486 6aea522b7e5699d4934ec37a11c82b78 Alpha architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_alpha.deb Size/MD5 checksum: 139992 b567b7256f9c8895af6b08bb647612f2 AMD64 architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_amd64.deb Size/MD5 checksum: 126726 66d7ebc09fcedebb449686ff3906d8bd ARM architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_arm.deb Size/MD5 checksum: 123180 fcdbeb68b4d9793b9f28ef72059bed38 HP Precision architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_hppa.deb Size/MD5 checksum: 123422 0215cb45c1061c9233ee5c883307c479 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_i386.deb Size/MD5 checksum: 112012 1a821f05ed1a9cc9d95d05a07a050f26 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_ia64.deb Size/MD5 checksum: 188172 cb60c8853f7c7206b0764707ac47e78b Big endian MIPS architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_mips.deb Size/MD5 checksum: 125214 e0c95f7b635638fef66818b1eea0b2bf Little endian MIPS architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_mipsel.deb Size/MD5 checksum: 124264 25b970039344dd406244ec9ca454cedb PowerPC architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_powerpc.deb Size/MD5 checksum: 114856 ab099a8dcb293c4452f14ad9c1e030a0 IBM S/390 architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_s390.deb Size/MD5 checksum: 137232 2d5a617312409bf401e38c65cc3a0b69 Sun Sparc architecture: http://security.debian.org/pool/updates/main/o/open-iscsi/open-iscsi_2.0.730-1etch1_sparc.deb Size/MD5 checksum: 114362 3df414bd3d53afe5878a4079e3165f81 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGeDNdXm3vHE4uyloRAt7TAJ4gec8zADGuzjJM/1IvLZf0FU8v8ACg1bO2 cZpDxDek2ZdU3CscoiZxpDM= =UG1Q - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRnh/5Sh9+71yA2DNAQKtfQP+I4wKAybQ4wbWH+xkhohHJggrTGnwJINU QdT4xK1Z1bjHZIO0lapONPwTkjOzXnnOFgNj9OWoWuXmbpxynSlEIX9TzvGI4dNH 6DIbjveA7tb8QWHhjDGfMyhvAdmRzIm6T+pewBiTQOY+4fCxOvvAUvfR2fWo4Cj6 EUZmAPlWLIw= =BmsQ -----END PGP SIGNATURE-----