From openpkg-announce-owner@openpkg.org  Sun Jan 13 10:23:41 2002
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 79C111C180B; Sun, 13 Jan 2002 10:23:41 +0100 (CET)
Received: from visp.engelschall.com (master.openpkg.org [195.27.176.150])
	by mail.openpkg.org (Postfix) with ESMTP id B20E51C1802
	for <openpkg-announce@openpkg.org>; Fri, 11 Jan 2002 18:29:17 +0100 (CET)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 8C3084CE523; Fri, 11 Jan 2002 18:29:17 +0100 (CET)
Received: by en1.engelschall.com (Sendmail 8.11.0+) for openpkg-announce@openpkg.org
	id g0BHT4m63708; Fri, 11 Jan 2002 18:29:04 +0100 (CET)
Date: Fri, 11 Jan 2002 18:29:04 +0100
From: "Ralf S. Engelschall" <rse@engelschall.com>
To: openpkg-announce@openpkg.org
Subject: [ANNOUNCE] OpenPKG 1.0
Message-ID: <20020111172904.GA63697@engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  Now available:
  OpenPKG 1.0-RELEASE
  www.openpkg.org

  A flexible and powerful software packaging facility, OpenPKG eases
  installation and administration of Unix software across several
  platforms. It primarily targets the Unix platforms FreeBSD, Linux
  and Solaris, but is portable across mostly all modern Unix flavors.
  Consolidating different vendor approaches into a unified architecture,
  it assists in administration of large networks previously complicated by
  nonconformant systems.

  OpenPKG leverages proven technologies like Red Hat Package Manager (RPM)
  and neatly provides an additional system layer on top of the operating
  system. It is fully self-contained with minimal external dependencies
  (no RPM pre-installation required), and installs itself by means of a
  tricky bootstrapping procedure with minimal operating system intrusion.
  OpenPKG especially supports multiple installation instances on the same
  system.

  OpenPKG was created in November 2000 and after over one year of
  development it is already a mature technology in production use. It
  is available as Open Source and is further maintained by both Ralf S.
  Engelschall's development team at Cable & Wireless Germany and their
  contributors.

  For more details visit:
  http://www.openpkg.org/
  ftp://ftp.openpkg.org/
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com

From openpkg-announce-owner@openpkg.org  Fri Mar  8 10:48:07 2002
Date: Fri, 8 Mar 2002 10:48:06 +0100
From: OpenPKG Project <openpkg@en4.engelschall.com>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.001] OpenPKG Security Advisory (php)
Message-ID: <20020308094806.GA37461@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project 
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org                 
OpenPKG-SA-2002.001                                          28-Feb-2002
________________________________________________________________________

Package:             php
Vulnerability:       remote exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0
Affected  Packages:  <= php-4.0.6-1.0.0
Corrected Packages:  >= php-4.0.6-1.0.1
Dependent Packages:  -

Description:
  According to an e-matters Security Advisory [5] and the PHP Team [6],
  Stefan Esser <s.esser@ematters.de>, also a member of the PHP team,
  found several flaws in the way PHP handles multipart/form-data HTTP
  POST requests (as described in RFC1867), known as POST file uploads.
  Each of the flaws could allow an attacker to execute arbitrary code on
  the victim's system.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -qa php". If you have the "php" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [2]

Workaround:
  Perform the following operations to temporarily work around the
  security problem (be careful, it deactivates the whole service):

  $ su -
  # <prefix>/bin/rpm -e php

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get php-4.0.6-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig php-4.0.6-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild php-4.0.6-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.0.6-1.0.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.0/UPD/php-4.0.6-1.0.1.src.rpm
  [5] http://security.e-matters.de/advisories/012002.html
  [6] http://www.php.net/distributions/rfc1867.c.diff-4.0.6.gz
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAjyIf9YACgkQgHWT4GPEy58oDgCeJNx8BORx14gfAyi7mi9jZZNy
E9EAnRttdn1nZ+BbhbB0LTnXhZwPBugI
=OwAy
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Mar  8 10:49:14 2002
Date: Fri, 8 Mar 2002 10:49:14 +0100
From: OpenPKG Project <openpkg@en4.engelschall.com>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.002] OpenPKG Security Advisory (openssh)
Message-ID: <20020308094914.GA37540@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project 
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org                 
OpenPKG-SA-2002.002                                          08-Mar-2002
________________________________________________________________________

Package:             openssh
Vulnerability:       root exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0           
Affected  Packages:  <= openssh-3.0.2-1.0.1
Corrected Packages:  >= openssh-3.0.2-1.0.2
Dependent Packages:  -                     

Description:
  According to an OpenSSH Security Advisory [5] and the original PINE
  Internet Security Advisory [6] from Joost Pol <joost@pine.nl>,
  there is an off-by-one bug in OpenSSH's channel code that could be
  used by an attacker with a local account on the victim's machine
  to obtain root privileges on that machine. Another scenario for
  this vulnerability is that of a malicious SSH server exploiting a
  vulnerable SSH client connecting to it.

  Please check whether you are affected by running "<prefix>/bin/rpm -qa
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [2]

Workaround:
  Perform the following operations to temporarily work around the
  security problem (be careful, it deactivates the whole service):

  $ su -
  # <prefix>/etc/rc openssh stop
  # <prefix>/bin/rpm -e openssh

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get openssh-3.0.2p1-1.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig openssh-3.0.2p1-1.0.2.src.rpm
  $ <prefix>/bin/rpm --rebuild openssh-3.0.2p1-1.0.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.0.2p1-1.0.2.*.rpm
________________________________________________________________________

References:
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.0/UPD/openssh-3.0.2p1-1.0.2.src.rpm
  [5] http://www.openbsd.org/advisories/ssh_channelalloc.txt
  [6] http://www.pine.nl/advisories/pine-cert-20020301.txt
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAjyIf9wACgkQgHWT4GPEy58ouwCgkpeOs5LsVTYxYJ8tD+vDoWYM
LFcAnAvxMpGgzy0sh2y2ReYUpxgvZiov
=3apc
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar 12 21:36:56 2002
Date: Tue, 12 Mar 2002 21:36:56 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib)
Message-ID: <20020312203656.GA90950@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project 
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org                 
OpenPKG-SA-2002.003                                          12-Mar-2002
________________________________________________________________________

Package:             zlib, cvs, gnupg, rrdtool, rsync
Vulnerability:       denial of service, information leakage, code execution
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0
Affected  Packages:  <= zlib-1.1.3-1.0.0
                     <= cvs-1.11.1p1-1.0.0
                     <= gnupg-1.0.6-1.0.1
                     <= rrdtool-1.0.33-1.0.0
                     <= rsync-2.5.0-1.0.0
Corrected Packages:  >= zlib-1.1.3-1.0.1
                     >= cvs-1.11.1p1-1.0.1
                     >= gnupg-1.0.6-1.0.2
                     >= rrdtool-1.0.33-1.0.1
                     >= rsync-2.5.0-1.0.1
Dependent Packages:  gd, ircd, libxml, lynx, mng,
                     openssh, png, snmp, xdelta

Description:
  According to a Zlib Security Advisory [5] and the original CERT
  Security Advisory [6] from Jeffrey P. Lanza, there is a bug in the
  Zlib compression library that may manifest itself as a vulnerability
  in programs that are linked with Zlib. This may allow an attacker to
  conduct a denial-of-service attack, gather information, or execute
  arbitrary code. The vulnerability results from a programming error
  that causes segments of dynamically allocated memory to be released
  more than once.

  Please check whether you are affected by running "<prefix>/bin/rpm -qa
  zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [2]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get zlib-1.1.3-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig zlib-1.1.3-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild zlib-1.1.3-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.3-1.0.1.*.rpm

  Now repeat these steps accordingly for all other affected packages
  [7][8][9][10]. Finally, rebuild and reinstall the dependent packages.
________________________________________________________________________

References:
  [1]  http://www.openpkg.org/security.html#signature
  [2]  http://www.openpkg.org/tutorial.html#regular-source
  [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
  [4]  ftp://ftp.openpkg.org/release/1.0/UPD/zlib-1.1.3-1.0.1.src.rpm
  [5]  http://www.gzip.org/zlib/advisory-2002-03-11.txt
  [6]  http://www.kb.cert.org/vuls/id/368819
  [7]  ftp://ftp.openpkg.org/release/1.0/UPD/cvs-1.11.1p1-1.0.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.0/UPD/gnupg-1.0.6-1.0.2.src.rpm
  [9]  ftp://ftp.openpkg.org/release/1.0/UPD/rrdtool-1.0.33-1.0.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.0/UPD/rsync-2.5.0-1.0.1.src.rpm
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAjyOZRkACgkQgHWT4GPEy5+QVQCfQ0Y32tqvBImcdOnR+9BKc+XP
ya0AoIhIkhCkMBzS5MzZtBkevUwIw7Gg
=D3Av
-----END PGP SIGNATURE-----
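As an added example (not OpenPKG's own tooling), here is the "check whether you are affected" step of this advisory and of the php advisory above carried out in Python: it reimplements RPM's classic segment-based version comparison so that release strings such as 3.0.2p1 or 1.11.1p1 order the way rpm itself orders them, parses the Affected/Corrected bounds from an advisory excerpt, and classifies each package from `rpm -qa` output. The advisory excerpt and the `rpm -qa` output embedded below are constructed samples modelled on this advisory, not captured from a real system.

```python
"""Decide whether packages listed by "<prefix>/bin/rpm -qa" fall inside the
"Affected Packages" / "Corrected Packages" bounds of an OpenPKG advisory.
Added example, not OpenPKG's own tooling. rpmvercmp() below reimplements
the classic RPM segment comparison (no tilde/caret handling, which RPM of
that era did not have); the advisory text and rpm -qa output are constructed
samples modelled on OpenPKG-SA-2002.003."""
import re

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like RPM's rpmvercmp(): split both strings into
    maximal numeric and alphabetic runs (separators are ignored), compare
    run by run (numbers by value, letters by strcmp, a numeric run beats an
    alphabetic one) and let the string with runs left over win."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1          # numeric segment is "newer"
        if xnum:
            xi, yi = int(x), int(y)           # int() also drops leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1     # so "3.0.2p1" sorts after "3.0.2"


def parse_nvr(nvr: str):
    """Split 'name-version-release' on its last two dashes, e.g.
    'cvs-1.11.1p1-1.0.0' -> ('cvs', '1.11.1p1', '1.0.0')."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return tuple(parts)


def cmp_nvr(a: str, b: str) -> int:
    """Order two NVRs of the same package: version first, then release."""
    _, va, ra = parse_nvr(a)
    _, vb, rb = parse_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


_LABEL = re.compile(r"^\s*\w+\s+Packages:\s*")
_SPEC = re.compile(r"^(<=|>=)\s*(\S+)\s*$")


def parse_advisory_bounds(text: str):
    """Collect '<= pkg-ver-rel' (affected) and '>= pkg-ver-rel' (corrected)
    entries from the advisory header block, keyed by package name. The
    continuation lines of a multi-package advisory carry no label."""
    affected, corrected = {}, {}
    for line in text.splitlines():
        m = _SPEC.match(_LABEL.sub("", line).strip())
        if not m:
            continue
        op, nvr = m.groups()
        (affected if op == "<=" else corrected)[parse_nvr(nvr)[0]] = nvr
    return affected, corrected


def check_installed(rpm_qa_output: str, advisory_text: str) -> dict:
    """Map each installed package the advisory names to 'affected' (at or
    below the affected bound), 'fixed' (at or above the corrected bound) or
    'unknown' (between the two, e.g. a locally patched build)."""
    affected, corrected = parse_advisory_bounds(advisory_text)
    verdicts = {}
    for nvr in rpm_qa_output.split():
        if nvr.count("-") < 2:
            continue                          # not an NVR line
        name = parse_nvr(nvr)[0]
        if name in affected and cmp_nvr(nvr, affected[name]) <= 0:
            verdicts[name] = "affected"
        elif name in corrected and cmp_nvr(nvr, corrected[name]) >= 0:
            verdicts[name] = "fixed"
        elif name in affected or name in corrected:
            verdicts[name] = "unknown"
    return verdicts


# Constructed sample input (modelled on OpenPKG-SA-2002.003), not real output.
ADVISORY = """\
Affected  Packages:  <= zlib-1.1.3-1.0.0
                     <= cvs-1.11.1p1-1.0.0
                     <= gnupg-1.0.6-1.0.1
Corrected Packages:  >= zlib-1.1.3-1.0.1
                     >= cvs-1.11.1p1-1.0.1
                     >= gnupg-1.0.6-1.0.2
Dependent Packages:  gd, ircd, libxml
"""
RPM_QA = "zlib-1.1.3-1.0.0 cvs-1.11.1p1-1.0.1 gnupg-1.0.6-1.0.1 perl-5.6.1-1.0.0"

if __name__ == "__main__":
    for name, verdict in sorted(check_installed(RPM_QA, ADVISORY).items()):
        print(f"{name:8s} {verdict}")
```

Packages the advisory does not name (perl in the sample) are ignored; a verdict of "unknown" means the installed release lies between the two bounds and needs a manual look at how it was built.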

From openpkg-announce-owner@openpkg.org  Wed Jun 19 18:04:37 2002
Date: Wed, 19 Jun 2002 18:04:37 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
Message-ID: <20020619160436.GA43440@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project 
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org                 
OpenPKG-SA-2002.004                                          19-Jun-2002
________________________________________________________________________

Package:             apache
Vulnerability:       remote DoS / exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0 
Affected  Packages:  <= apache-1.3.22-1.0.1
Corrected Packages:  >= apache-1.3.22-1.0.2
Dependent Packages:  -

Description:
  According to a Security Bulletin from the Apache Software Foundation
  [5] and a corresponding CERT Security Advisory [6], there is a
  remotely exploitable vulnerability in the way that the Apache web
  server handles data encoded in chunks. This bug can be triggered
  remotely by sending a carefully crafted invalid request. This
  functionality is enabled by default.

  Please check whether you are affected by running "<prefix>/bin/rpm -qa
  apache". If you have the "apache" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution).

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror
  location, verify its integrity [1], build a corresponding binary RPM
  from it and update your OpenPKG installation by applying the binary
  RPM [2]. For the latest OpenPKG 1.0 release, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get apache-1.3.22-1.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig apache-1.3.22-1.0.2.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.22-1.0.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.22-1.0.2.*.rpm
  # <prefix>/etc/rc apache stop start
________________________________________________________________________

References:
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.2.src.rpm
  [5] http://httpd.apache.org/info/security_bulletin_20020617.txt
  [6] http://www.cert.org/advisories/CA-2002-17.html
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj0QqR8ACgkQgHWT4GPEy5/43wCfW/ZSOmr2Fnha/7Uhj2+/Bgv0
rcQAn2/8Lyl0Bd5hJKuQbPT8e5Dnp6vb
=fFlQ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Jun 26 22:33:41 2002
Date: Wed, 26 Jun 2002 22:33:41 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
Message-ID: <20020626203341.GA76234@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project 
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org                 
OpenPKG-SA-2002.005                                          26-Jun-2002
________________________________________________________________________

Package:             openssh
Vulnerability:       DoS / remote exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0           
Affected  Packages:  <= openssh-3.0.2p1-1.0.2
Corrected Packages:  >= openssh-3.0.2p1-1.0.3
Dependent Packages:  -                     

Description:
  According to an OpenSSH Security Advisory [5] and a corresponding
  Internet Security Systems (ISS) Security Advisory [6] there is a
  vulnerability within the "challenge-response" authentication mechanism
  in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
  protocol, verifies a user's identity by generating a challenge and
  forcing the user to supply a number of responses. It is possible for
  a remote attacker to send a specially-crafted reply that triggers an
  overflow. This can result in a remote denial of service attack on the
  OpenSSH daemon or a complete remote compromise. The OpenSSH daemon
  runs with superuser privilege, so remote attackers can gain superuser
  access by exploiting this vulnerability.

  OpenSSH supports the SKEY and BSD_AUTH authentication options. These
  are compile-time options. At least one of these options must be
  enabled before the OpenSSH binaries are compiled for the vulnerable
  condition to be present. So OpenPKG's OpenSSH is *not* vulnerable
  by default, because the S/Key authentication option is disabled
  ("%define with_skey no") by default. But if users enabled this
  manually when building the OpenPKG "openssh" package, OpenPKG's
  OpenSSH is vulnerable, too.

  Please check whether you are affected by running "<prefix>/bin/rpm -qa
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [2]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get openssh-3.0.2p1-1.0.3.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig openssh-3.0.2p1-1.0.3.src.rpm
  $ <prefix>/bin/rpm --rebuild openssh-3.0.2p1-1.0.3.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.0.2p1-1.0.3.*.rpm
________________________________________________________________________

References:
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.0/UPD/openssh-3.0.2p1-1.0.3.src.rpm
  [5] http://www.openssh.org/txt/preauth.adv
  [6] http://www.openssh.org/txt/iss.adv
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj0aJCoACgkQgHWT4GPEy59flwCfaxMTjP1YZDbT7ukOTqVOhdod
8cwAnjUQLaJfN/b4ZxM541N4Vu2NKrBl
=Zmg+
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul  4 16:15:21 2002
Date: Thu, 4 Jul 2002 16:15:20 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.006] OpenPKG Security Advisory (bind)
Message-ID: <20020704141520.GA54716@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project 
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org                 
OpenPKG-SA-2002.006                                          04-Jul-2002
________________________________________________________________________

Package:             bind
Vulnerability:       buffer overflow vulnerability
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0
Affected  Packages:  <= bind-8.2.5-1.0.0
Corrected Packages:  >= bind-8.2.6-1.0.1
Dependent Packages:  -

Description:
  According to CERT Advisory CA-2002-19 [5] a buffer overflow
  vulnerability exists in multiple implementations of DNS resolver
  libraries. Applications that utilize vulnerable DNS resolver libraries
  may be affected.
  
  For the OpenPKG bind package this means that the included utilities
  dig, host, nslookup and nsupdate are affected. Please note that the
  named server itself is not affected.

  A remote attacker who is able to send malicious DNS responses could
  potentially exploit this vulnerability to execute arbitrary code or
  cause a denial of service on a vulnerable system.  Note that a
  possible attack would be performed by a DNS response, thus bypassing
  any firewall.

  For more details and background information see the corresponding
  NetBSD Security Advisory 2002-006 [6]. 

  The Internet Software Consortium (ISC) Berkeley Internet Name Domain
  (BIND) Vulnerabilities Summary table [7] shows that for the 8.2.x
  track of BIND the DNS resolver library (libbind) issue is fixed in
  8.2.6.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  bind". If you have the "bind" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution).

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it and
  update your OpenPKG installation by applying the binary RPM [2]. For
  the latest OpenPKG 1.0 release, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get bind-8.2.6-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig bind-8.2.6-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild bind-8.2.6-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/bind-8.2.6-1.0.1.*.rpm
  # <prefix>/etc/rc bind stop start
________________________________________________________________________

References:
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.0/UPD/bind-8.2.6-1.0.1.src.rpm
  [5] http://www.cert.org/advisories/CA-2002-19.html
  [6] ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
  [7] http://www.isc.org/products/BIND/bind-security.html
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj0kV/0ACgkQgHWT4GPEy5947gCeMeR04Bag/GP3Oo7CzJxyHx2n
RwkAnA5vN0nnuPNEZ7uiFFhgG07o2w0k
=fugf
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jul 30 15:10:15 2002
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id A50421C18CB; Tue, 30 Jul 2002 15:10:15 +0200 (CEST)
Date: Tue, 30 Jul 2002 15:10:15 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.007] OpenPKG Security Advisory (mm)
Message-ID: <20020730131015.GA45940@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.007                                          30-Jul-2002
________________________________________________________________________

Package:             mm
Vulnerability:       local root exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0         OpenPKG CURRENT
Affected  Packages:  <= mm-1.1.3-1.0.0   <= mm-1.1.3
Corrected Packages:  >= mm-1.1.3-1.0.1   >= mm-1.2.0
Dependent Packages:  apache              apache

Description:
  Marcus Meissner and Sebastian Krahmer discovered a race condition
  on creating temporary files in the OSSP mm library. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2002-0658 [5] to the problem. The bug affects all programs which
  are linked with OSSP mm. This may allow an attacker to conduct a local
  root exploit. OSSP mm is often used in Apache setups using mod_ssl
  and/or mod_php. Here the vulnerability can be exploited to obtain
  root privilege if shell access to the Apache run-time user is already
  obtained.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q mm". If you have the "mm" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [2]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get mm-1.1.3-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig mm-1.1.3-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild mm-1.1.3-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mm-1.1.3-1.0.1.*.rpm

  Now proceed and rebuild and reinstall all dependent OpenPKG packages,
  too. [6]
________________________________________________________________________

References:
  [1]  http://www.openpkg.org/security.html#signature
  [2]  http://www.openpkg.org/tutorial.html#regular-source
  [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
  [4]  ftp://ftp.openpkg.org/release/1.0/UPD/mm-1.1.3-1.0.1.src.rpm
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
  [6]  ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.4.src.rpm
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj1GjiIACgkQgHWT4GPEy5+dRwCdGCpZ3TCpxh39dB0ZgbieXvLd
QiQAoOUJCijAwnAaHGdf/cVC3RhFDISy
=LA85
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jul 30 15:10:40 2002
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 3CCAE1C191F; Tue, 30 Jul 2002 15:10:40 +0200 (CEST)
Date: Tue, 30 Jul 2002 15:10:40 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.008] OpenPKG Security Advisory (openssl)
Message-ID: <20020730131040.GA46004@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.008                                          30-Jul-2002
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0               OpenPKG CURRENT
Affected  Packages:  <= openssl-0.9.6b-1.0.0   <= openssl-0.9.6d
Corrected Packages:  >= openssl-0.9.6b-1.0.1   >= openssl-0.9.6e
Dependent Packages:  apache                    apache
                     curl                      bind
                     fetchmail                 cadaver
                     imapd                     cpu
                     inn                       curl
                     links                     dsniff
                     lynx                      exim
                     mutt                      fetchmail
                     openldap                  imapd
                     openssh                   inn
                     perl-ssl                  links
                     postfix                   lynx
                     postgresql                mutt
                     qpopper                   neon
                     samba                     openldap
                     sasl                      openssh
                     scanssh                   openvpn
                     sendmail                  perl-ssl
                     siege                     postfix
                     sitecopy                  postgresql
                     snmp                      qpopper
                     stunnel                   rdesktop
                     tcpdump                   samba
                     w3m                       sasl
                                               scanssh
                                               sendmail
                                               siege
                                               sitecopy
                                               snmp
                                               stunnel
                                               sysmon
                                               tcpdump
                                               w3m

Description:
  According to an official security advisory from the OpenSSL team,
  there are four remotely exploitable buffer overflows that affect
  various OpenSSL client and server implementations [5]. There are
  also parsing problems in the ASN.1 library used by OpenSSL. The
  Common Vulnerabilities and Exposures (CVE) project assigned the
  ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and
  CAN-2002-0659 [9] to the problems. Several of these vulnerabilities
  could be used by a remote attacker to execute arbitrary code on the
  target system. All could be used to create a denial of service.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). Additionally, you have to rebuild and reinstall all
  dependent OpenPKG packages, too. [2]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get openssl-0.9.6b-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm

  Now proceed and rebuild and reinstall all dependent OpenPKG packages,
  too (see list above).
________________________________________________________________________

References:
  [1]  http://www.openpkg.org/security.html#signature
  [2]  http://www.openpkg.org/tutorial.html#regular-source
  [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
  [4]  ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm
  [5]  http://www.openssl.org/news/secadv_20020730.txt
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
  [7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
  [8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
  [9]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Aug 28 21:11:09 2002
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id B98B9277A0C; Wed, 28 Aug 2002 21:11:09 +0200 (CEST)
Date: Wed, 28 Aug 2002 21:11:09 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [ANNOUNCE] OpenPKG 1.1
Message-ID: <20020828191109.GA28860@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org


  FOR IMMEDIATE RELEASE - 28-Aug-2002

    The OpenPKG project releases version 1.1 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- August 28, 2002 -- The OpenPKG
  project today announces the availability of the OpenPKG 1.1 software.
  A flexible and powerful software packaging facility, OpenPKG eases
  the cross-platform installation and administration of Unix software.
  Consolidating different vendor approaches into a unified architecture,
  it serves system administrators of large networks previously burdened
  by non-conformant systems. OpenPKG leverages proven technologies like
  Red Hat Package Manager (RPM) and provides an additional system layer on
  top of the operating system. With OpenPKG, a new and unique method of
  cross-platform software deployment is taking form.

  Compared with earlier releases, OpenPKG 1.1 offers even more. Previously
  with 167 released packages, the official OpenPKG repository has grown by
  over 60% to 274 software packages. Preexisting packages are in top form
  after upgrades to newer versions. Packages are also now divided into
  CORE, BASE, and PLUS categories for more accurate security assessment.

  Administrators have asked for more portability, and OpenPKG has
  responded by increasing the number of supported platforms. Previously
  on only three platforms, OpenPKG users now enjoy official support on
  FreeBSD 4, RedHat Linux 7, Debian GNU/Linux 2, Debian GNU/Linux 3, Sun
  Solaris 8 and Sun Solaris 9.

  Improvements in OpenPKG's inherently strong security model now provide
  more flexible user accounting, with finer granularity and control.
  Previous versions used only the "manager" and "nobody" users and groups.
  OpenPKG 1.1 adds the "superuser" and "restricted" users and groups.
  Packages make use of these additional accounts to better abstract
  security-sensitive code from generic functionality. OpenPKG 1.1 also
  encapsulates its software base even more by integrating a "sane" build
  environment into each OpenPKG instance. This prevents access to system
  components not residing in OpenPKG's well defined scope, and avoids
  package inconsistency between seemingly identical instances. Also useful
  in testing, an administrator can now expect really reproducible results
  from a package build.

  To relieve cautious administrators, OpenPKG 1.1 software packages do not
  alter system files anymore (like kernel parameters or /etc files). In
  cases where such alteration is needed, OpenPKG recommends changes that
  the administrator should manually undertake. Even such recommendations
  are avoided, however, and OpenPKG takes this course only when it cannot
  provide the needed functionality inside the borders of its own instance.
  As always, the only evidence of an OpenPKG introduction is three
  system entry points (run-command scripts, cron table, and user/group
  additions). These changes are made only during bootstrapping a new
  OpenPKG instance, and all such changes are completely undone upon
  deinstallation of OpenPKG.

  During activation, all daemon packages inside an OpenPKG instance now
  pay attention to special enable switches. This new feature allows
  an administrator to deactivate a daemon by merely setting a switch
  variable to "yes" or "no", whereas previously a daemon package had to be
  completely deinstalled. To avoid the precarious editing of an OpenPKG
  specification file, "--define" RPM command line options are now honored
  during package build time. This allows an administrator to install
  software variants by building custom binary packages. The results of RPM
  queries include descriptions of all options that a package offers.

  Proxy packages are first supported in OpenPKG 1.1, and allow an
  administrator to reduce maintenance complexity through package reuse.
  Should packages in several OpenPKG instances depend on the same base
  package, it can now be installed only once in an arbitrary OpenPKG
  master instance. Dependent packages can refer to the common base
  package through natively installed proxy packages, created with the
  OpenPKG-specific RPM option "--makeproxy".

  HIGHLIGHTS OF OPENPKG

  * Entirely based on Open Source technology.
  * Portable across all major Unix platforms.
  * Official support for FreeBSD, RedHat, Debian and Solaris.
  * Minimum operating system intrusion.
  * Minimum overhead in software packaging.
  * Easy installation, updating and deinstallation of packages.
  * Over 270 software packages available.
  * Bundled with useful package preconfigurations.
  * Support for multiple system instances.
  * Support for proxy packages.
  * Abstracted run-command facility.

  ABOUT THE OPENPKG PROJECT

  OpenPKG is a software packaging facility for Unix computers, and targets
  the major server platforms FreeBSD, Linux and Solaris. While internally
  based on RPM version 4, OpenPKG is a self-contained system with minimal
  dependencies (no RPM preinstallation required) and installs itself by
  means of a tricky bootstrapping procedure. OpenPKG eases and controls
  the management of a large or diverse base of software across one or more
  of its supported platforms.

  OpenPKG is a project founded in 2000 by the Development Team from Cable
  & Wireless Germany's Internet Services division. In January 2002
  it was released by Cable & Wireless to the public as Open Source
  software. Since then OpenPKG has been maintained and improved by its
  original developers and contributors from the Open Source community and
  is a mature technology in production use. OpenPKG is the brainchild of Ralf
  S. Engelschall, team leader of Development in Internet Services and
  principal author of numerous other widely used Open Source Software
  technologies like Apache SSL/TLS Engine (mod_ssl), Apache URL Rewriting
  Engine (mod_rewrite), GNU Portable Threads (Pth), GNU Portable Shell
  Tool (Shtool), and Website META Language (WML).

  MORE INFORMATION

  The OpenPKG Project
  Ralf S. Engelschall
  rse@openpkg.org
  +49-172-8986801 (CET)


From openpkg-announce-owner@openpkg.org  Fri Oct  4 21:52:23 2002
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 51680277A21; Fri,  4 Oct 2002 21:52:23 +0200 (CEST)
Date: Fri, 4 Oct 2002 21:52:23 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)
Message-ID: <20021004195223.GA54286@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.009                                          04-Oct-2002
________________________________________________________________________

Package:             apache
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0             OpenPKG 1.1
Affected  Packages:  <= apache-1.3.22-1.0.4  <= apache-1.3.26-1.1.0
Corrected Packages:  >= apache-1.3.22-1.0.5  >= apache-1.3.26-1.1.1
Dependent Packages:  none                    none

Description:
  According to the Apache HTTP Server Project [1][2], there are
  several remotely exploitable vulnerabilities which could allow an
  attacker to enact a denial of service against a server. The Common
  Vulnerabilities and Exposures (CVE) project identified the following
  three vulnerabilities:
  
  1. CAN-2002-0839 [3]: A vulnerability exists on platforms using System
  V shared memory based scoreboards. This vulnerability allows an
  attacker who can execute under the Apache UID to exploit the Apache
  shared memory scoreboard format and send a signal to any process as
  root or cause a local denial of service attack.

  2. CAN-2002-0840 [4]: Apache is susceptible to a cross site scripting
  vulnerability in the default 404 page of any web server hosted on a
  domain that allows wildcard DNS lookups.

  3. CAN-2002-0843 [5]: There were some possible overflows in the
  utility ApacheBench (ab) which could be exploited by a malicious
  server.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache". If you have an affected version of the "apache" package (see
  above), upgrade it according to the solution below. Remember to also
  rebuild and reinstall any dependent OpenPKG packages. [6]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][9], fetch it from the OpenPKG FTP service [8][10] or a mirror
  location, verify its integrity [11], build a corresponding binary RPM
  from it and update your OpenPKG installation by finally installing
  the binary RPM [6]. For the latest OpenPKG 1.1 release, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get apache-1.3.26-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig apache-1.3.26-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.1.*.rpm
  # <prefix>/etc/rc apache stop start
________________________________________________________________________

References:
  [1]  http://httpd.apache.org/
  [2]  http://www.apache.org/dist/httpd/Announcement.html
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
  [6]  http://www.openpkg.org/tutorial.html#regular-source
  [7]  ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.1/UPD/
  [9]  ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.5.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.0/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj2d8PwACgkQgHWT4GPEy5+q/wCdEeH+NYJKsMJH/Y77Avk1Y/wT
NtsAoLyGvajiwgosGOYEoXWpfxHzTirq
=OPWn
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Oct 16 21:40:22 2002
Received: from visp.engelschall.com (master.openpkg.org [195.27.176.150])
	by mail.openpkg.org (Postfix) with ESMTP id A727A277A21
	for <openpkg-announce@openpkg.org>; Wed, 16 Oct 2002 21:40:22 +0200 (CEST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 8AD6D4CE691; Wed, 16 Oct 2002 21:40:22 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id 17F672873B; Wed, 16 Oct 2002 21:29:50 +0200 (CEST)
Date: Wed, 16 Oct 2002 21:29:50 +0200
From: "Ralf S. Engelschall" <rse@engelschall.com>
To: openpkg-announce@openpkg.org
Subject: Sys Admin Magazine article on OpenPKG online
Message-ID: <20021016192949.GA57757@engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

A few months ago the OpenPKG team wrote a large-size overall
English article about OpenPKG for the US magazine Sys Admin
(http://www.samag.com/). This article has now finally been published in
their November 2002 issue on Interoperability.

As the issue's leading article, it is also available online.
You can read it now at http://www.samag.com/documents/sam0211a/

Thanks go to the whole OpenPKG team for their joint efforts plus
Cable & Wireless Germany for sponsoring the writing of this article.

                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com

From openpkg-announce-owner@openpkg.org  Wed Oct 23 14:27:12 2002
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 1A8AE277A21; Wed, 23 Oct 2002 14:27:12 +0200 (CEST)
Date: Wed, 23 Oct 2002 14:27:12 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)
Message-ID: <20021023122711.GA31650@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.010                                          23-Oct-2002
________________________________________________________________________

Package:             apache
Vulnerability:       cross site scripting
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG 1.0          <= apache-1.3.22-1.0.5    >= apache-1.3.22-1.0.6
OpenPKG 1.1          <= apache-1.3.26-1.1.1    >= apache-1.3.26-1.1.2
OpenPKG CURRENT      <= apache-1.3.27-20021009 >= apache-1.3.27-20021023

Description:
  Joe Orton <jorton@redhat.com> discovered a cross site scripting (XSS)
  bug [3] in mod_ssl [1], the SSL/TLS component for the Apache webserver
  [2]. Like the other recent Apache XSS bugs, this only affects servers
  using a combination of "UseCanonicalName off" (_not_ the default in the
  OpenPKG package of Apache) and a wildcard A record of the server in
  the DNS. Although this combination for HTTPS servers is even less
  common than with plain HTTP servers, this nevertheless could allow
  remote attackers to execute client-side script code as other web page
  visitors via the HTTP "Host" header.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache". If you have an affected version of the "apache" package (see
  above), upgrade it according to the solution below. Remember to also
  rebuild and reinstall any dependent OpenPKG packages. [4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6][7], fetch it from the OpenPKG FTP service or a mirror location,
  verify its integrity [8], build a corresponding binary RPM from it
  and update your OpenPKG installation by finally installing the binary
  RPM [4]. For the latest OpenPKG 1.1 release, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get apache-1.3.26-1.1.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig apache-1.3.26-1.1.2.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.2.*.rpm
  # <prefix>/etc/rc apache stop start
________________________________________________________________________

References:
  [1]  http://www.modssl.org/
  [2]  http://httpd.apache.org/
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.6.src.rpm
  [6]  ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.2.src.rpm
  [7]  ftp://ftp.openpkg.org/current/SRC/apache-1.3.27-20021023.src.rpm
  [8]  http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj22lVEACgkQgHWT4GPEy595bwCg2zHHb8+/azQ7ojk/LBOzprf4
o9IAmgO4UPUntvqTd0dnlDEfKG6a3LeT
=KgyW
-----END PGP SIGNATURE-----
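
Each advisory above asks the administrator to run "<prefix>/bin/rpm -q
<package>" and compare the result with the "Affected Packages" and
"Corrected Packages" rows for the installed OpenPKG release. The POSIX
shell script below is an added example and not OpenPKG's own tooling: it
implements that comparison for the three-field name-version-release labels
used in the 1.0 and 1.1 rows (the CURRENT rows, which carry no release
field, are not handled), and the "rpm -q" outputs it is fed are
constructed. It goes a little beyond the single check in the text by
ordering alphanumeric version segments such as 0.9.6b and date-style
releases such as 20021023 correctly.

```shell
#!/bin/sh
# Added example, not OpenPKG's own tooling: evaluate the output of
# "<prefix>/bin/rpm -q <package>" against an advisory's "Affected Packages"
# and "Corrected Packages" bounds. Labels are assumed to have the three-field
# form name-version-release used in the 1.0 and 1.1 rows (e.g.
# apache-1.3.26-1.1.1); the "rpm -q" outputs fed in below are constructed.

# Split a label: version and release are the last two dash-separated fields,
# the package name is everything before them (so "perl-ssl-1.0-1.0.0" works).
pkg_name()    { printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'; }
pkg_version() { printf '%s\n' "$1" | awk -F- '{ print $(NF-1) }'; }
pkg_release() { printf '%s\n' "$1" | awk -F- '{ print $NF }'; }

# Compare one dotted segment: numeric prefix numerically (10 > 9), then any
# alphabetic suffix lexically (0.9.6b < 0.9.6d). Prints -1, 0 or 1.
segcmp() {
    an=$(printf '%s' "$1" | sed 's/^\([0-9]*\).*/\1/'); as=${1#"$an"}
    bn=$(printf '%s' "$2" | sed 's/^\([0-9]*\).*/\1/'); bs=${2#"$bn"}
    an=${an:-0}; bn=${bn:-0}
    if   [ "$an" -lt "$bn" ]; then printf '%s\n' -1
    elif [ "$an" -gt "$bn" ]; then printf '%s\n' 1
    elif [ "$(expr "x$as" \< "x$bs")" = 1 ]; then printf '%s\n' -1
    elif [ "$(expr "x$as" \> "x$bs")" = 1 ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# Compare two dot-separated strings segment by segment; a missing trailing
# segment counts as 0, so 1.0 < 1.0.1. Prints -1, 0 or 1.
dotcmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) ai=${a%%.*}; a=${a#*.} ;; *) ai=$a; a= ;; esac
        case $b in *.*) bi=${b%%.*}; b=${b#*.} ;; *) bi=$b; b= ;; esac
        r=$(segcmp "$ai" "$bi")
        [ "$r" = 0 ] || { printf '%s\n' "$r"; return 0; }
    done
    printf '%s\n' 0
}

# Order two labels of the same package: by upstream version first, then by
# the OpenPKG release field.
labelcmp() {
    r=$(dotcmp "$(pkg_version "$1")" "$(pkg_version "$2")")
    [ "$r" = 0 ] || { printf '%s\n' "$r"; return 0; }
    dotcmp "$(pkg_release "$1")" "$(pkg_release "$2")"
}

# advisory_status RPM_Q_OUTPUT AFFECTED_MAX CORRECTED_MIN
# Prints not-installed, other-package, affected or corrected.
advisory_status() {
    q=$1; amax=$2; cmin=$3
    case $q in
        "package "*" is not installed") printf '%s\n' not-installed; return 0 ;;
    esac
    [ "$(pkg_name "$q")" = "$(pkg_name "$amax")" ] || { printf '%s\n' other-package; return 0; }
    if [ "$(labelcmp "$q" "$amax")" -le 0 ]; then
        printf '%s\n' affected
    elif [ "$(labelcmp "$q" "$cmin")" -ge 0 ]; then
        printf '%s\n' corrected
    else
        printf '%s\n' affected   # strictly between the bounds: not yet fixed
    fi
}

# Advisory table rows, copied from OpenPKG-SA-2002.010 above, one per release:
# release|affected-max|corrected-min
rows='1.0|apache-1.3.22-1.0.5|apache-1.3.22-1.0.6
1.1|apache-1.3.26-1.1.1|apache-1.3.26-1.1.2'

# check_release RELEASE RPM_Q_OUTPUT: pick the row for RELEASE and report.
check_release() {
    printf '%s\n' "$rows" | while IFS='|' read -r rel amax cmin; do
        if [ "$rel" = "$1" ]; then advisory_status "$2" "$amax" "$cmin"; fi
    done
}

# Constructed "rpm -q apache" outputs checked against the OpenPKG 1.1 row.
for sample in apache-1.3.26-1.1.1 apache-1.3.26-1.1.2 "package apache is not installed"; do
    printf '%-32s -> %s\n' "$sample" "$(check_release 1.1 "$sample")"
done
```

In practice the sample strings are replaced by the real output of
`<prefix>/bin/rpm -q apache`; a result of "affected" means the Solution
steps of the matching advisory apply, together with the rebuild of any
dependent packages the advisory lists.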

From openpkg-announce-owner@openpkg.org  Fri Nov 15 19:17:30 2002
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 5791A277A26; Fri, 15 Nov 2002 19:17:30 +0100 (CET)
Date: Fri, 15 Nov 2002 19:17:30 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.011] OpenPKG Security Advisory (bind, bind8)
Message-ID: <20021115181730.GA1200@en4.engelschall.com>


________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.011                                          15-Nov-2002
________________________________________________________________________

Package:             bind, bind8
Vulnerability:       denial of service, arbitrary code execution
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:     Corrected Packages:
OpenPKG 1.0          <= bind-8.2.6-1.0.1    >= bind-8.2.6-1.0.2
OpenPKG 1.1          <= bind8-8.3.3-1.1.0   >= bind8-8.3.3-1.1.1
OpenPKG CURRENT      <= bind8-8.3.3-2002082 >= bind8-8.3.3-20021114

Description:
  The Internet Software Consortium (ISC) [1] has discovered or has been
  notified of several bugs which can result in vulnerabilities of varying
  levels of severity in BIND [2][3]. These problems include buffer overflows,
  stack revealing, divide by zero, null pointer dereferencing, and more [4].
  A subset of these vulnerabilities exists in the BIND packages distributed by
  OpenPKG.

  Please check whether you are affected by running "<prefix>/bin/rpm -qa |
  grep bind". If you have an affected version of the "bind" or "bind8" package
  (see above), upgrade it according to the solution below.

Workaround:
  Because disabling recursion or disabling DNSSEC is a workaround to only a
  subset of the aforementioned problems, it is not a recommended approach.

Solution:
  Since these vulnerabilities do not exist in BIND version 9.2.1, one solution
  simply involves upgrading to it. The packages bind-9.2.1-1.1.0 in OpenPKG
  1.1 [5], and bind-9.2.1-20021111 in OpenPKG CURRENT [6] are both candidates
  in this respect. Be warned that although such later versions of BIND are
  stable, there exist large differences between BIND 8 and BIND 9 software.

  A lighter approach involves updating existing packages to newly patched
  versions of BIND 8. Select the updated source RPM appropriate
  for your OpenPKG release [7][8][9], and fetch it from the OpenPKG FTP service
  or a mirror location. Verify its integrity [10], build a corresponding
  binary RPM from it and update your OpenPKG installation by applying the
  binary RPM [11]. For the latest OpenPKG 1.1 release, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get bind8-8.3.3-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig bind8-8.3.3-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild bind8-8.3.3-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/bind8-8.3.3-1.1.1.*.rpm
  # <prefix>/etc/rc bind8 stop start
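The procedure above (repeated in the same form in each of the following advisories) starts with deciding whether the installed package falls within the "Affected Packages" bound of the table. The script below is an added example, not OpenPKG tooling: it parses the advisory's table, compares package names as printed by `rpm -qa` against it using rpm-style segment-wise version comparison (so a release `1.1.10` is correctly treated as newer than `1.1.2`), and reports which installed packages are affected. The table rows and the installed-package list are constructed sample data.

```python
"""Check installed OpenPKG packages against an advisory's "Affected
Releases" table.  Added example; not part of the OpenPKG project."""
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does: split into
    numeric and alphabetic segments, compare numeric segments as integers
    (so 1.1.10 > 1.1.2) and alphabetic ones lexically; a numeric segment
    sorts after an alphabetic one.  Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # All shared segments are equal: the string with segments left over is newer.
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def split_nvr(nvr: str):
    """Split name-version-release, e.g. bind8-8.3.3-1.1.1 ->
    ('bind8', '8.3.3', '1.1.1').  Names may contain hyphens, so split
    from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def nvr_cmp(a: str, b: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    na, va, ra = split_nvr(a)
    nb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


# One table row in the advisory's layout:
# "OpenPKG 1.1          <= bind8-8.3.3-1.1.0   >= bind8-8.3.3-1.1.1"
_ROW = re.compile(r"^(OpenPKG \S+)\s+<=\s+(\S+)\s+>=\s+(\S+)\s*$")


def parse_table(text: str) -> dict:
    """Map each OpenPKG release to (newest affected NVR, oldest corrected NVR).
    Header lines and anything not matching the row layout are ignored."""
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            table[m.group(1)] = (m.group(2), m.group(3))
    return table


def check_installed(release: str, installed: list, table: dict) -> dict:
    """Classify installed packages (as printed by 'rpm -qa') for one
    OpenPKG release.  Only the package named in that release's row is
    considered.  Verdicts: 'affected', 'corrected', or 'between bounds'
    (newer than the affected bound but older than the corrected one,
    a state the advisory does not cover)."""
    affected_max, corrected_min = table[release]
    target = split_nvr(affected_max)[0]
    verdict = {}
    for nvr in installed:
        parts = nvr.rsplit("-", 2)
        if len(parts) != 3 or parts[0] != target:
            continue
        if nvr_cmp(nvr, affected_max) <= 0:
            verdict[nvr] = "affected"
        elif nvr_cmp(nvr, corrected_min) >= 0:
            verdict[nvr] = "corrected"
        else:
            verdict[nvr] = "between bounds"
    return verdict


# Constructed sample data: the two release rows from the bind advisory's
# table and an 'rpm -qa' listing of a hypothetical OpenPKG 1.1 host.
ADVISORY_TABLE = """\
Affected Releases:   Affected Packages:     Corrected Packages:
OpenPKG 1.0          <= bind-8.2.6-1.0.1    >= bind-8.2.6-1.0.2
OpenPKG 1.1          <= bind8-8.3.3-1.1.0   >= bind8-8.3.3-1.1.1
"""
INSTALLED = ["openpkg-1.1.0-1.1.0", "bind8-8.3.3-1.1.0", "perl-5.6.1-1.1.0"]

if __name__ == "__main__":
    results = check_installed("OpenPKG 1.1", INSTALLED, parse_table(ADVISORY_TABLE))
    for pkg, state in results.items():
        print(f"{pkg}: {state}")
```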
________________________________________________________________________

References:
  [1]  http://www.isc.org/
  [2]  http://www.isc.org/products/BIND/
  [3]  http://www.cert.org/advisories/CA-2002-31.html
  [4]  http://www.isc.org/products/BIND/bind-security.html
  [5]  ftp://ftp.openpkg.org/release/1.1/SRC/bind-9.2.1-1.1.0.src.rpm
  [6]  ftp://ftp.openpkg.org/current/SRC/bind-9.2.1-20021111.src.rpm
  [7]  ftp://ftp.openpkg.org/release/1.0/UPD/bind-8.2.6-1.0.2.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.1/UPD/bind8-8.3.3-1.1.1.src.rpm
  [9]  ftp://ftp.openpkg.org/current/SRC/bind8-8.3.3-20021114.src.rpm
  [10] http://www.openpkg.org/security.html#signature
  [11] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Fri Nov 29 11:11:56 2002
Date: Fri, 29 Nov 2002 11:11:55 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.012] OpenPKG Security Advisory (samba)
Message-ID: <20021129101155.GA74028@en4.engelschall.com>


________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.012                                          29-Nov-2002
________________________________________________________________________

Package:             samba
Vulnerability:       code execution, root exploit
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG 1.0          <= samba-2.2.2-1.0.0     >= samba-2.2.2-1.0.1
OpenPKG 1.1          <= samba-2.2.5-1.1.0     >= samba-2.2.5-1.1.1
OpenPKG CURRENT      <= samba-2.2.6-20021017  >= samba-2.2.7-20021120

Description:
  A vulnerability in Samba [0] versions 2.2.2 through 2.2.6 was
  discovered by the Debian Samba maintainers [1]. A bug in the
  length checking for encrypted password change requests from clients
  could be exploited using a buffer overrun attack on the smbd(8)
  stack. This attack would have to be crafted in such a way that
  converting a DOS codepage string to little endian UCS2 unicode
  would translate into an executable block of code.

  Check whether you are affected by running "<prefix>/bin/rpm -q
  samba". If you have an affected version of the samba package (see
  above), please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of Samba. Select the
  updated source RPM appropriate for your OpenPKG release [2][3][4], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [5], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [6]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get samba-2.2.5-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig samba-2.2.5-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild samba-2.2.5-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-2.2.5-1.1.1.*.rpm
  # <prefix>/etc/rc samba stop start
________________________________________________________________________

References:
  [0] http://www.samba.org/
  [1] http://www.debian.org/security/2002/dsa-200
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Mon Dec 16 17:41:08 2002
Date: Mon, 16 Dec 2002 17:41:07 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.013] OpenPKG Security Advisory (mysql)
Message-ID: <20021216164107.GA51552@en4.engelschall.com>


________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.013                                          16-Dec-2002
________________________________________________________________________

Package:             mysql
Vulnerability:       password bypass, arbitrary code execution
OpenPKG Specific:    no

Dependent Packages:  apache, myodbc, perl-dbi, postfix

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG 1.0          <= mysql-3.23.46-1.0.0     >= mysql-3.23.46-1.0.1
OpenPKG 1.1          <= mysql-3.23.52-1.1.0     >= mysql-3.23.52-1.1.1
OpenPKG CURRENT      <= mysql-3.23.53-20021204  >= mysql-3.23.54-20021212

Description:
  The e-matters [0] company discovered two flaws [1] within the MySQL
  [2] server that can be used by any MySQL user to crash the server.
  One of the flaws can be used to bypass the MySQL password check or
  to execute arbitrary code with the privileges of the user running
  mysqld(8).

  They also discovered an arbitrary size heap overflow within the
  MySQL client library and another vulnerability that allows writing
  '\0' to any memory address. Both flaws could allow DOS attacks
  against or arbitrary code execution within anything linked against
  libmysqlclient.

  Check whether you are affected by running "<prefix>/bin/rpm -q mysql".
  If you have an affected version of the "mysql" package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of MySQL. Select the
  updated source RPM appropriate for your OpenPKG release [3][4][5], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [6], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [7]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get mysql-3.23.52-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig mysql-3.23.52-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild mysql-3.23.52-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mysql-3.23.52-1.1.1.*.rpm
  # <prefix>/etc/rc mysql stop start
________________________________________________________________________

References:
  [0] http://www.e-matters.de/
  [1] http://security.e-matters.de/advisories/042002.html
  [2] http://www.mysql.com/
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/
  [5] ftp://ftp.openpkg.org/current/SRC/
  [6] http://www.openpkg.org/security.html#signature
  [7] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

From openpkg-announce-owner@openpkg.org  Mon Dec 16 17:41:25 2002
Date: Mon, 16 Dec 2002 17:41:25 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.014] OpenPKG Security Advisory (perl)
Message-ID: <20021216164125.GA51651@en4.engelschall.com>


________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.014                                          16-Dec-2002
________________________________________________________________________

Package:             perl
Vulnerability:       unsafe Safe compartment
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG 1.0          <= perl-5.6.1-1.0.1     >= perl-5.6.1-1.0.2
OpenPKG 1.1          <= perl-5.6.1-1.1.0     >= perl-5.6.1-1.1.1
OpenPKG CURRENT      <= perl-5.8.0-20021129  >= perl-5.8.0-20021216

Description:
  Andreas Jurenda discovered [0] a security hole in Safe.pm for Perl
  [1]. When a Safe compartment has already been used, there's no
  guarantee that it's safe any longer, because there's a way for code
  executed within the Safe compartment to alter its operation mask.
  Programs that use a Safe compartment only once aren't affected by this
  bug.

  Check whether you are affected by running "<prefix>/bin/rpm -q perl".
  If you have an affected version of the Perl package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of Perl. Select the
  updated source RPM appropriate for your OpenPKG release [2][3][4], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [5], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [6]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get perl-5.6.1-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig perl-5.6.1-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild perl-5.6.1-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/perl-5.6.1-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://bugs6.perl.org/rt2/Ticket/Display.html?user=guest&pass=guest&id=17744
  [1] http://www.perl.com/
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

From openpkg-announce-owner@openpkg.org  Mon Dec 16 17:41:44 2002
Date: Mon, 16 Dec 2002 17:41:44 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.015] OpenPKG Security Advisory (tetex)
Message-ID: <20021216164144.GA51703@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.015                                          16-Dec-2002
________________________________________________________________________

Package:             tetex
Vulnerability:       remote command execution
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG 1.0          <= tetex-1.0.7-1.0.0     >= tetex-1.0.7-1.0.1
OpenPKG 1.1          <= tetex-1.0.7-1.1.0     >= tetex-1.0.7-1.1.1
OpenPKG CURRENT      <= tetex-1.0.7-20021204  >= tetex-1.0.7-20021216

Description:
  A vulnerability [1] in the kpathsea(3) library of teTeX was
  discovered. This library is used by xdvi(1) and dvips(1). Both
  programs call the system(3) function insecurely, which allows a remote
  attacker to execute arbitrary commands via cleverly crafted DVI files.
  If dvips(1) is used in a print filter, this allows a local or remote
  attacker with print permission to execute arbitrary code as the printing
  system user.

  Check whether you are affected by running "<prefix>/bin/rpm -q tetex".
  If you have an affected version of the samba package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of teTeX. Select the
  updated source RPM appropriate for your OpenPKG release [2][3][4], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [5], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [6]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get tetex-1.0.7-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig tetex-1.0.7-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild tetex-1.0.7-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/tetex-1.0.7-1.1.1.*.rpm
________________________________________________________________________

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0836
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

From openpkg-announce-owner@openpkg.org  Tue Dec 17 17:23:50 2002
Date: Tue, 17 Dec 2002 17:23:50 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2002.016] OpenPKG Security Advisory (fetchmail)
Message-ID: <20021217162350.GA4449@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.016                                          17-Dec-2002
________________________________________________________________________

Package:             fetchmail
Vulnerability:       crashing or remote command execution
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG 1.0          <= fetchmail-5.9.5-1.0.0    >= fetchmail-5.9.5-1.0.1
OpenPKG 1.1          <= fetchmail-5.9.13-1.1.0   >= fetchmail-5.9.13-1.1.1
OpenPKG CURRENT      <= fetchmail-6.1.3-20021128 >= fetchmail-6.2.0-20021213

Description:
  The e-matters security team has reaudited Fetchmail and discovered a
  remote vulnerability [1] within the default install. Headers are
  searched for local addresses to append a @ and the hostname of the
  mailserver. The sizing of the buffer to store the modified addresses
  is too short by one character per address. This vulnerability allows
  crashing or remote code execution. Depending on the configuration this
  can lead to a remote root compromise.

  Check whether you are affected by running "<prefix>/bin/rpm -q fetchmail".
  If you have an affected version of the fetchmail package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of fetchmail. Select the
  updated source RPM appropriate for your OpenPKG release [2][3][4], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [5], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [6]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get fetchmail-5.9.13-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig fetchmail-5.9.13-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild fetchmail-5.9.13-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/fetchmail-5.9.13-1.1.1.*.rpm
________________________________________________________________________

References:
  [1] http://security.e-matters.de/advisories/052002.html
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

From openpkg-announce-owner@openpkg.org  Wed Jan 15 16:41:11 2003
Date: Wed, 15 Jan 2003 16:41:11 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.001] OpenPKG Security Advisory (png)
Message-ID: <20030115154111.GA33835@en4.engelschall.com>


________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.001                                          15-Jan-2003
________________________________________________________________________

Package:             png
Vulnerability:       buffer overflow vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= png-1.2.5-20021003       >= png-1.2.5-20030115
OpenPKG 1.1          <= png-1.2.4-1.1.0          >= png-1.2.4-1.1.1
OpenPKG 1.0          <= png-1.2.0-1.0.0          >= png-1.2.0-1.0.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache emacs gd gd1 gif2png gnuplot graphviz 
                     imagemagick libwmf netpbm perl-gd perl-tk pstoedit 
                     webalizer wml
OpenPKG 1.1          apache emacs gd gd1 gnuplot graphviz imagemagick 
                     perl-gd wml
OpenPKG 1.0          apache gd perl-gd

Description:
  According to a Debian security advisory based on hints from Glenn
  Randers-Pehrson [0], a buffer overflow vulnerability exists in the
  Portable Network Graphics (PNG) library libpng [1] in connection with
  16-bit samples. The starting offsets for the loops are calculated
  incorrectly which may cause a buffer overrun beyond the beginning of
  the row buffer. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1363 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -qa png". If you have the "png" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get png-1.2.4-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig png-1.2.4-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild png-1.2.4-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/png-1.2.4-1.1.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________

References:
  [0] http://www.debian.org/security/2002/dsa-213
  [1] http://www.libpng.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/png-1.2.0-1.0.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/png-1.2.4-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+JYCpgHWT4GPEy58RAk3eAJ9dG8BbE6BNmvWA2GOZuRNWL5lLZQCghoWd
P4HMyx1pxytvcak6xgBPRPM=
=Ulpx
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jan 16 15:59:21 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 61E49277A0A; Thu, 16 Jan 2003 15:59:21 +0100 (CET)
Date: Thu, 16 Jan 2003 15:59:21 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.002] OpenPKG Security Advisory (dhcpd)
Message-ID: <20030116145921.GA44309@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.002                                          16-Jan-2003
________________________________________________________________________

Package:             dhcpd
Vulnerability:       buffer overflows in minires library
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= dhcpd-3.0.1rc10-20021108 >= dhcpd-3.0.1rc11-20030116
OpenPKG 1.1          <= dhcpd-3.0.1rc9-1.1.0     >= dhcpd-3.0.1rc9-1.1.1
OpenPKG 1.0          <= dhcpd-3.0.1rc4-1.0.0     >= dhcpd-3.0.1rc4-1.0.1

Affected Releases:   Dependent Packages: none

Description:
  According to CERT advisory CA-2003-01 [0] a buffer overflow exists in
  the minires library embedded in ISC DHCPD versions 3.0 through
  3.0.1RC10 [1].  The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2003-0026 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q dhcpd". If you have the "dhcpd" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get dhcpd-3.0.1rc9-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig dhcpd-3.0.1rc9-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild dhcpd-3.0.1rc9-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/dhcpd-3.0.1rc9-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.cert.org/advisories/CA-2003-01.html
  [1] http://www.isc.org/products/DHCP/dhcp-v3.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0026
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/dhcpd-3.0.1rc4-1.0.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/dhcpd-3.0.1rc9-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+JshhgHWT4GPEy58RAhJVAKDDyq95KbovjxEFtUhJ7COTPvYRfgCgi1PK
PNfustgyqqzWMxnnsY0YsUY=
=W8CQ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jan 21 09:51:50 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 3A079277AF5; Tue, 21 Jan 2003 09:51:50 +0100 (CET)
Date: Tue, 21 Jan 2003 09:51:50 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.003] OpenPKG Security Advisory (vim)
Message-ID: <20030121085150.GA74703@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.003                                          21-Jan-2003
________________________________________________________________________

Package:             vim
Vulnerability:       arbitrary command execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= vim-6.1.264-20021223     >= vim-6.1.266-20021224
OpenPKG 1.1          <= vim-6.1.165-1.1.0        >= vim-6.1.165-1.1.1
OpenPKG 1.0          <= vim-6.0.92-1.0.1         >= vim-6.0.92-1.0.2

Affected Releases:   Dependent Packages: none

Description:
  According to a security advisory from Georgi Guninski [0] a
  vulnerability exists in the Vim (Vi Improved) text editor [1] which
  allows arbitrary command execution using the libcall feature in
  modelines.  The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1377 [2] to the problem. Both versions 6.0
  and 6.1 are affected.  The necessary patch was incorporated into the
  6.1 source tree beginning with patchlevel 265. We have backported the
  patch to the 6.0.92 and 6.1.165 releases.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q vim". If you have the "vim" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get vim-6.1.165-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig vim-6.1.165-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild vim-6.1.165-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/vim-6.1.165-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.guninski.com/vim1.html
  [1] http://www.vim.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/vim-6.0.92-1.0.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/vim-6.1.165-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+LQmJgHWT4GPEy58RAnk6AKDfv6ITdoQQc/DaPReKpPrkjcw4wQCfV7QY
zbz/d6jfXkRWc8Uyzl0JnUk=
=JeMp
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jan 21 16:31:01 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 5593F277A2D; Tue, 21 Jan 2003 16:31:01 +0100 (CET)
Date: Tue, 21 Jan 2003 16:31:00 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.004] OpenPKG Security Advisory (cvs)
Message-ID: <20030121153100.GA89727@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.004                                          21-Jan-2003
________________________________________________________________________

Package:             cvs
Vulnerability:       remote root compromise
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= cvs-1.11.4-20030114      >= cvs-1.11.5-20030121
OpenPKG 1.1          <= cvs-1.11.2-1.1.0         >= cvs-1.11.2-1.1.1
OpenPKG 1.0          <= cvs-1.11.1p1-1.0.1       >= cvs-1.11.1p1-1.0.2

Affected Releases:   Dependent Packages: none

Description:
  According to an e-matters Security Advisory [0] from Stefan Esser
  <s.esser@ematters.de>, a vulnerability exists in the Concurrent
  Versions System (CVS) [1] which allows remote compromise of CVS
  servers.  The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2003-0015 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  cvs". If you have the "cvs" package installed and its version is
  affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get cvs-1.11.2-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig cvs-1.11.2-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild cvs-1.11.2-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/cvs-1.11.2-1.1.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________

References:
  [0] http://security.e-matters.de/advisories/012003.html
  [1] http://www.cvshome.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/cvs-1.11.1p1-1.0.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/cvs-1.11.2-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+LWa/gHWT4GPEy58RAmvaAJ0Q6Ct64M9KOqbgVZr9vaAI+Mo9JACfeXV8
nSwBtkam6zJpwg04522ysSU=
=7rSt
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Jan 22 14:33:16 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id F129E277AFD; Wed, 22 Jan 2003 14:33:15 +0100 (CET)
Date: Wed, 22 Jan 2003 14:33:15 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.005] OpenPKG Security Advisory (php)
Message-ID: <20030122133315.GA65306@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.005                                          22-Jan-2003
________________________________________________________________________

Package:             php, apache
Vulnerability:       buffer overflow in "wordwrap" function
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= php-4.2.3-20020907       >= php-4.3.0-20021228
                     <= apache-1.3.27-20021129   >= apache-1.3.27-20021228
OpenPKG 1.2          none                        N.A.
OpenPKG 1.1          <= php-4.2.2-1.1.0          >= php-4.2.2-1.1.1
                     <= apache-1.3.26-1.1.2      >= apache-1.3.26-1.1.3
OpenPKG 1.0          none                        N.A.

Description:
  According to a bug report [0] from David F. Skoll a buffer overflow
  problem exists in the "wordwrap" function of Personal HomePage (PHP)
  [1], an HTML-embedded scripting language. Thanks to David's input and
  help, the source of the problem was tracked down and corrected by
  the vendor. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1396 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q php". If you have the "php" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

  Also run "<prefix>/bin/rpm -qi apache". If you have the "apache"
  package installed having the "with_mod_php" option set to "yes" and
  its version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the release OpenPKG 1.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get php-4.2.2-1.1.1.src.rpm
  ftp> get apache-1.3.26-1.1.3.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig php-4.2.2-1.1.1.src.rpm
  $ <prefix>/bin/rpm -v --checksig apache-1.3.26-1.1.3.src.rpm
  $ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.3.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.1.*.rpm
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.3.*.rpm
________________________________________________________________________

References:
  [0] http://bugs.php.net/bug.php?id=20927
  [1] http://www.php.net/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/php-4.2.2-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+Lp0igHWT4GPEy58RArl+AJ9/w1U0RwTAHxUooOo/OUpCx9yJagCg8KlV
yRQ54kIUxzdQn/bmmfpHZMo=
=9ZrR
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Jan 22 15:06:50 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 49B3A277A08; Wed, 22 Jan 2003 15:06:50 +0100 (CET)
Date: Wed, 22 Jan 2003 15:06:50 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-users@openpkg.org,
	openpkg-dev@openpkg.org
Subject: [ANNOUNCE] OpenPKG 1.2 released
Message-ID: <20030122140650.GA31739@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 22-Jan-2003

    The OpenPKG project releases version 1.2 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- January 22, 2003 -- The
  OpenPKG project is proud to announce version 1.2 of its OpenPKG
  software. A flexible and powerful software packaging facility, OpenPKG
  eases the cross-platform installation and administration of Unix
  software.

  Consolidating different vendor approaches into a unified architecture,
  it serves system administrators of large networks previously burdened
  by non-conforming systems. OpenPKG leverages proven technologies like
  Red Hat Package Manager (RPM) and provides an additional system layer
  on top of the operating system. With OpenPKG, a unique method of
  cross-platform software deployment is taking form.

  Administrators using OpenPKG 1.2 benefit from official support on
  FreeBSD 4.7 and 5.0, Debian GNU/Linux 2.2 and 3.0, and Sun Solaris 8
  and 9. Thanks to its portable nature, other platforms with limited
  support include NetBSD, OpenBSD, RedHat Linux, HP Tru64, SCO UnixWare
  and QNX.

  WHAT'S NEW IN VERSION 1.2

  Over the last 5 months, since the release of OpenPKG 1.1, the official
  OpenPKG repository has grown from 320 to over 450 packages. From this
  packaging pool 185 release-grade CORE and BASE classified packages
  were carefully selected for inclusion into the official OpenPKG 1.2
  release. These packages are fully supported on all of the above six
  platforms, including full security tracking and updating until at
  least two forthcoming releases are based on it.

  An additional 176 PLUS classified packages were identified which are
  provided for convenience reasons as an unsupported set of add-on
  packages to OpenPKG 1.2. So, in total OpenPKG 1.2 consists of 361
  released packages which include proven versions of popular Unix
  software like Apache, BIND, GCC, GnuPG, MySQL, OpenSSH, Perl, Postfix,
  Samba and teTeX -- all carefully packaged for easy deployment.

  Additionally, several new appealing features are introduced with
  OpenPKG 1.2. A new approach for package option handling now allows
  flexibility and precise building and dependency tracking of package
  build-time variations. The most prominent example is the "apache"
  package, by default providing only a bare-bone Apache installation.
  Through the simple specification of up to 44 build-time options the
  administrator easily can build a fully customized variation which
  could include mod_ssl, mod_php and more.

  The packaging of the Perl language was fully reorganized and extended
  to now optionally provide 220 proven extension modules from CPAN,
  clustered into 25 OpenPKG packages.
  
  An additional utility package "openpkg-tool" eases maintenance of
  whole OpenPKG instances, and can especially be useful in updating
  packages with complex dependencies and used build options.
  
  Finally, a new faking "syslog" package allows an administrator to
  redirect log entries of lots of daemons that would otherwise wind up
  in the generic syslog facility of the underlying operating system.

  HIGHLIGHTS OF OPENPKG

  * Entirely based on Open Source Software technology.
  * Portable across mostly all major Unix platforms.
  * Official support for FreeBSD 4/5, Debian 2/3 and Solaris 8/9.
  * Minimum operating system intrusion.
  * Minimum overhead in software packaging.
  * Easy installation, updating and deinstallation of packages.
  * Over 360 carefully selected and released packages available.
  * Bundled with useful package preconfigurations.
  * Support for multiple system instances.
  * Support for proxy packages.
  * Support for build-time variations of packages.
  * Abstracted run-command facility.

  ABOUT THE OPENPKG PROJECT

  OpenPKG is a software packaging facility for Unix computers, and
  targets the major server platforms FreeBSD, Linux and Solaris. While
  internally based on RPM version 4, OpenPKG is a fully self-contained
  system with minimal dependencies (no RPM preinstallation required)
  and installs itself by means of a tricky bootstrapping procedure.
  OpenPKG eases and controls the management of a large or diverse base
  of software across one or more of its supported platforms.

  OpenPKG is a project founded in 2000 by Cable & Wireless Germany's
  Internet Services division. In January 2002 it was released by
  Cable & Wireless to the public as Open Source software. Since then
  OpenPKG has been maintained and improved by its original developers and
  contributors from the Open Source community and is a mature technology
  in production use. OpenPKG is the brainchild of Ralf S. Engelschall,
  team leader of Development in Internet Services and principal author
  of numerous other widely used Open Source Software technologies
  like Apache SSL/TLS Engine (mod_ssl), Apache URL Rewriting Engine
  (mod_rewrite), GNU Portable Threads (Pth), GNU Portable Shell Tool
  (Shtool), and Website META Language (WML).

  MORE INFORMATION

  The OpenPKG Project
  Ralf S. Engelschall
  rse@openpkg.org
  +49-89-92699-251 (CET)
  +49-172-8986801  (CET)


From openpkg-announce-owner@openpkg.org  Thu Jan 23 11:38:24 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 37ADA277A13; Thu, 23 Jan 2003 11:38:24 +0100 (CET)
Date: Thu, 23 Jan 2003 11:38:24 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.006] OpenPKG Security Advisory (python)
Message-ID: <20030123103823.GA82381@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.006                                          23-Jan-2003
________________________________________________________________________

Package:             python
Vulnerability:       predictable filename allows arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= python-2.2.1-20020820    >= python-2.2.2-20021015
OpenPKG 1.2          none                        N.A.
OpenPKG 1.1          <= python-2.2.1-1.1.0       >= python-2.2.1-1.1.1

Affected Releases:   Dependent Packages: none

Description:
  Zack Weinberg discovered an insecure use of a predictable file name
  [0] in the Python programming language [1]. Python attempts to execute
  a file which is assumed to not exist just to find out what error
  the operating system returns in this situation. It uses a constant
  filename for this task which could lead to the execution of arbitrary
  code. The Common Vulnerabilities and Exposures (CVE) project assigned
  the id CAN-2002-1119 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  python". If you have the "python" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the release OpenPKG 1.1, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get python-2.2.1-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig python-2.2.1-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild python-2.2.1-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/python-2.2.1-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://mail.python.org/pipermail/python-dev/2002-August/027223.html
  [1] http://www.python.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/python-2.2.1-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+L8WAgHWT4GPEy58RAtl5AJ40nGCQKxI5yrs4KnKMaRI5veFM4ACePHmi
z8mwYutcBLXjOsWlMf5CEZM=
=OSaV
-----END PGP SIGNATURE-----
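
The png, dhcpd, vim, cvs, php/apache and python advisories above all carry the same manual procedure: query the installed package with rpm -q, read it against the "Affected Packages" / "Corrected Packages" table, and if it is older, fetch the updated source RPM, check its OpenPGP signature, rebuild and freshen. The script below is an added example, written for this archive and not OpenPKG project code, that automates exactly that sequence. Its version comparison reads name-version-release strings the way the advisory tables are meant to be read (rc9 before rc10, 1.1.0 before 1.1.1). Assumptions not taken from the advisories: the OpenPKG prefix comes from the OPENPKG_PREFIX environment variable (the /openpkg default is a placeholder), the anonymous FTP login is scripted with ftp -n and a user command, and the install step is only attempted when running as root.

```shell
#!/bin/sh
# Added example, not OpenPKG project code: automates the "am I affected?"
# check and the fetch / verify / rebuild / install sequence that each
# advisory above spells out by hand.
#
# Assumptions (not from the advisories): the OpenPKG <prefix> is taken from
# $OPENPKG_PREFIX (the /openpkg default is a placeholder); package strings
# follow the RPM name-version-release form used in the advisory tables
# (e.g. "dhcpd-3.0.1rc9-1.1.0"); a BSD-style ftp(1) with -n and "user" is
# available.
set -u

strip_sep() {            # drop leading '.', '-', '_' etc. from $1
    printf '%s\n' "$1" | sed 's/^[^0-9A-Za-z]*//'
}

lead_seg() {             # first all-digit or all-letter run of $1
    case $1 in
        [0-9]*) printf '%s\n' "$1" | sed 's/^\([0-9]*\).*/\1/' ;;
        *)      printf '%s\n' "$1" | sed 's/^\([A-Za-z]*\).*/\1/' ;;
    esac
}

# rpm_vercmp A B -> prints "older", "equal" or "newer" (A relative to B).
# Segments are compared numerically when both are digit runs and lexically
# when both are letter runs; a digit run outranks a letter run, and a string
# that still has segments left outranks one that is exhausted. This is the
# reading behind the "<=" / ">=" columns of the advisory tables.
rpm_vercmp() {
    a=$(strip_sep "$1"); b=$(strip_sep "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa=$(lead_seg "$a"); sb=$(lead_seg "$b")
        a=$(strip_sep "${a#"$sa"}"); b=$(strip_sep "${b#"$sb"}")
        [ -z "$sa" ] && { echo older; return; }
        [ -z "$sb" ] && { echo newer; return; }
        case $sa in *[!0-9]*) an=0 ;; *) an=1 ;; esac
        case $sb in *[!0-9]*) bn=0 ;; *) bn=1 ;; esac
        if [ "$an" -ne "$bn" ]; then
            [ "$an" -eq 1 ] && echo newer || echo older; return
        elif [ "$an" -eq 1 ]; then
            [ "$sa" -lt "$sb" ] && { echo older; return; }
            [ "$sa" -gt "$sb" ] && { echo newer; return; }
        elif [ "$sa" != "$sb" ]; then
            [ "$(expr "$sa" \< "$sb")" -eq 1 ] && echo older || echo newer; return
        fi
    done
    echo equal
}

# is_affected INSTALLED CORRECTED -> exit 0 when INSTALLED is older than the
# "Corrected Packages" entry of the advisory, 1 otherwise.
is_affected() {
    [ "$(rpm_vercmp "$1" "$2")" = older ]
}

# check_and_upgrade PACKAGE CORRECTED_NVR RELEASE
# e.g. check_and_upgrade png png-1.2.4-1.1.1 1.1
check_and_upgrade() {
    pkg=$1; fixed=$2; rel=$3
    prefix=${OPENPKG_PREFIX:-/openpkg}           # placeholder default
    rpm="$prefix/bin/rpm"
    installed=$("$rpm" -q "$pkg" 2>/dev/null) ||
        { echo "$pkg: not installed, nothing to do"; return 0; }
    if ! is_affected "$installed" "$fixed"; then
        echo "$installed is not older than $fixed, nothing to do"; return 0
    fi
    echo "$installed is affected, upgrading to $fixed"
    src="$fixed.src.rpm"
    # fetch from the same UPD directory the advisory names (assumed login)
    ftp -n ftp.openpkg.org <<EOF
user anonymous openpkg-update@example.invalid
bin
cd release/$rel/UPD
get $src
bye
EOF
    # never build from a source RPM whose signature does not verify
    "$rpm" -v --checksig "$src" ||
        { echo "signature check FAILED for $src, aborting" >&2; return 1; }
    "$rpm" --rebuild "$src"
    if [ "$(id -u)" -ne 0 ]; then
        echo "now run as root: $rpm -Fvh $prefix/RPM/PKG/$fixed.*.rpm" >&2
        return 0
    fi
    # -F only freshens an already installed package, as the advisories do
    "$rpm" -Fvh "$prefix"/RPM/PKG/"$fixed".*.rpm
}

# Runs only when invoked with the three arguments, e.g.:
#   ./openpkg-sa-check.sh dhcpd dhcpd-3.0.1rc9-1.1.1 1.1
if [ $# -eq 3 ]; then
    check_and_upgrade "$@"
fi
```

Dependent packages (the png advisory's apache, gd and perl-gd, for instance) are not handled by the script: after a library update they still have to be rebuilt and freshened by hand, one check_and_upgrade call per package, in the order the advisory lists them.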

From openpkg-announce-owner@openpkg.org  Thu Jan 23 15:40:40 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 7B5C1277A13; Thu, 23 Jan 2003 15:40:40 +0100 (CET)
Date: Thu, 23 Jan 2003 15:40:40 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.007] OpenPKG Security Advisory (wget)
Message-ID: <20030123144040.GA95529@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.007                                          23-Jan-2003
________________________________________________________________________

Package:             wget
Vulnerability:       directory traversal vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= wget-1.8.2-20021206      >= wget-1.8.2-20021216
OpenPKG 1.2          none                        N.A.
OpenPKG 1.1          <= wget-1.8.2-1.1.0         >= wget-1.8.2-1.1.1

Affected Releases:   Dependent Packages: none

Description:
  According to research done by Steve Christey [0], directory traversal
  vulnerabilities exist in many FTP clients including wget [1].
  Resolution of this issue was handled primarily through Mark Cox of
  Red Hat whose patches were incorporated into the wget 1.8.2 HEAD
  development branch of the vendor. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2002-1344 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  wget". If you have the "wget" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the release OpenPKG 1.1, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get wget-1.8.2-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig wget-1.8.2-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild wget-1.8.2-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/wget-1.8.2-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2
  [1] http://sunsite.dk/wget/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/wget-1.8.2-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+L/1tgHWT4GPEy58RAkSaAKCFkDghupTl/uAchoMWTLOfbhx6/QCcD08v
9+6wRt4YmmvQUQBcpstM2vM=
=/Zek
-----END PGP SIGNATURE-----
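
The directory-traversal class named in OpenPKG-SA-2003.007 above comes
down to an FTP client trusting the file names a server hands back in its
LIST output. What follows is an added illustration, not wget code and not
part of the advisory: it pulls names out of a constructed Unix-style
listing, shows the naive os.path.join mapping that lets "../.." and
absolute names escape the download directory, and a hardened mapping that
refuses them. The listing lines, the file names in them and the download
directory are all made up for the example.

```python
"""Mapping server-supplied FTP listing names onto local paths without
letting the server write outside the download directory."""
import os


class UnsafeRemoteName(ValueError):
    """Raised for a listing entry that must not become a local path."""


def name_from_list_line(line):
    """Pull the file name out of one Unix-style LIST line.

    The first eight whitespace-separated fields are mode, links, owner,
    group, size, month, day and time/year; everything after them is the
    name, which the server controls completely (spaces included)."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        raise ValueError("not a Unix-style LIST line: %r" % line)
    return fields[8]


def local_path_unsafe(dest_dir, remote_name):
    """The vulnerable pattern: the listed name is trusted as-is.
    os.path.join happily yields dest_dir/../../etc/passwd, and an absolute
    remote name replaces dest_dir altogether."""
    return os.path.join(dest_dir, remote_name)


def local_path_safe(dest_dir, remote_name, allow_subdirs=False):
    """Hardened mapping: only relative names made of ordinary components
    are accepted, and the result is confirmed to lie below dest_dir after
    normalisation."""
    if not remote_name or any(ord(ch) < 0x20 or ch == "\x7f" for ch in remote_name):
        raise UnsafeRemoteName("empty name or control characters: %r" % remote_name)
    name = remote_name.replace("\\", "/")      # treat backslashes as separators too
    if name.startswith("/"):
        raise UnsafeRemoteName("absolute name: %r" % remote_name)
    parts = name.split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise UnsafeRemoteName("empty, '.' or '..' component: %r" % remote_name)
    if not allow_subdirs and len(parts) > 1:
        raise UnsafeRemoteName("subdirectory in non-recursive retrieval: %r" % remote_name)
    base = os.path.realpath(dest_dir)
    full = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, full]) != base:   # belt and braces
        raise UnsafeRemoteName("escapes %s: %r" % (dest_dir, remote_name))
    return full


def refused(dest_dir, remote_name, allow_subdirs=False):
    """True if the hardened mapping rejects the name."""
    try:
        local_path_safe(dest_dir, remote_name, allow_subdirs)
    except UnsafeRemoteName:
        return True
    return False


# Constructed LIST output as a hostile server might send it: two honest
# entries and two that try to climb out of the download directory.
SAMPLE_LISTING = """\
-rw-r--r--   1 ftp      ftp          1024 Jan 23  2003 README
-rw-r--r--   1 ftp      ftp        204800 Jan 23  2003 wget-1.8.2.tar.gz
-rw-r--r--   1 ftp      ftp           512 Jan 23  2003 ../../.bashrc
-rw-r--r--   1 ftp      ftp           512 Jan 23  2003 /etc/cron.d/job
"""


def plan_downloads(dest_dir, listing, allow_subdirs=False):
    """Return [(remote_name, local_path_or_None)] for every listed file,
    None marking the entries that were refused."""
    plan = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name = name_from_list_line(line)
        try:
            plan.append((name, local_path_safe(dest_dir, name, allow_subdirs)))
        except UnsafeRemoteName:
            plan.append((name, None))
    return plan


if __name__ == "__main__":
    for name, path in plan_downloads("/tmp/downloads", SAMPLE_LISTING):
        print("%-20s -> %s" % (name, path or "REFUSED"))
```

The realpath/commonpath comparison at the end is deliberately redundant
with the component checks: the component checks give a precise error, the
path comparison catches anything they missed.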

From openpkg-announce-owner@openpkg.org  Wed Jan 29 15:51:37 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 09D97277A0A; Wed, 29 Jan 2003 15:51:36 +0100 (CET)
Date: Wed, 29 Jan 2003 15:51:36 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.008] OpenPKG Security Advisory (mysql)
Message-ID: <20030129145136.GA1310@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.008                                          29-Jan-2003
________________________________________________________________________

Package:             mysql
Vulnerability:       double free can cause denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mysql-3.23.54a-20030116  >= mysql-3.23.55-20030124
OpenPKG 1.2          <= mysql-3.23.54a-1.2.0     >= mysql-3.23.54a-1.2.1
OpenPKG 1.1          <= mysql-3.23.52-1.1.1      >= mysql-3.23.52-1.1.2

Affected Releases:   Dependent Packages: none

Description:
  Vincent Danen of Mandrake Linux noticed that according to the change
  log [0] for MySQL release 3.23.55 [1] a vulnerability has been fixed
  where a double-free pointer bug in mysql_change_user() handling
  enabled a specially crafted MySQL client to crash mysqld. The vendor
  states that one needs to successfully log in to the server with a
  valid user account to be able to exploit this bug.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  mysql". If you have the "mysql" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the binary
  RPM [3]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get mysql-3.23.54a-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig mysql-3.23.54a-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild mysql-3.23.54a-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mysql-3.23.54a-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.mysql.com/doc/en/News-3.23.55.html
  [1] http://www.mysql.com/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/mysql-3.23.52-1.1.2.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/mysql-3.23.54a-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+N9gEgHWT4GPEy58RAqygAJ99b9BRMrnG8b5/RermS5QQz08tkQCeLq3s
e3UDxVtK5aGXWeiQvXIHVOM=
=egoK
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Feb 18 13:37:54 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id F1699277A0B; Tue, 18 Feb 2003 13:37:53 +0100 (CET)
Date: Tue, 18 Feb 2003 13:37:53 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.009] OpenPKG Security Advisory (w3m)
Message-ID: <20030218123753.GA65626@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.009                                          18-Feb-2003
________________________________________________________________________

Package:             w3m
Vulnerability:       cookie information leak
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= w3m-0.3.2.1-20021126     >= w3m-0.3.2.2-20021205
OpenPKG 1.2          N.A.                        >= w3m-0.3.2.2-1.2.0
OpenPKG 1.1          <= w3m-0.3.1-1.1.0          >= w3m-0.3.1-1.1.1

Affected Releases:   Dependent Packages: none

Description:
  According to Hironori Sakamoto, one of the w3m developers, two
  security vulnerabilities exist in w3m [0]. Releases before 0.3.2.1
  do not escape an HTML tag in a frame, which allows remote attackers
  to access files or cookies [1]. Releases before 0.3.2.2 do not
  properly escape HTML tags in the ALT attribute of an IMG tag, which
  could allow remote attackers to access files or cookies [2]. The
  Common Vulnerabilities and Exposures (CVE) project assigned the ids
  CAN-2002-1335 [3] and CAN-2002-1348 [4] to these problems. We have
  backported the patch to the 0.3.1 release.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q w3m". If you have the "w3m" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [5][6].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7], fetch it from the OpenPKG FTP service [8] or a mirror location,
  verify its integrity [9], build a corresponding binary RPM from it [5]
  and update your OpenPKG installation by applying the binary RPM [6].
  For the release OpenPKG 1.1, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get w3m-0.3.1-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig w3m-0.3.1-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild w3m-0.3.1-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/w3m-0.3.1-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://w3m.sourceforge.net/
  [1] http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200211.month/838.html
  [2] http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200212.month/843.html
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1335
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1348
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/w3m-0.3.1-1.1.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+UijXgHWT4GPEy58RAmIIAJ9EmK4PGY36CKa5yGJkUHUQN0mzfACdE4GJ
vO43TJW7bwzDxDWOKu9jH4I=
=lrjv
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Feb 18 17:30:31 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 7598C277A0B; Tue, 18 Feb 2003 17:30:31 +0100 (CET)
Date: Tue, 18 Feb 2003 17:30:31 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.010] OpenPKG Security Advisory (php)
Message-ID: <20030218163031.GA83389@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.010                                          18-Feb-2003
________________________________________________________________________

Package:             php, apache
Vulnerability:       arbitrary file access and code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      == php-4.3.0-20030115       >= php-4.3.1-20030218
                     <= apache-1.3.27-20030212   >= apache-1.3.27-20030218
                     >= apache-1.3.27-20021228   >= apache-1.3.27-20030218
OpenPKG 1.2          == php-4.3.0-1.2.0          >= php-4.3.0-1.2.1
                     == apache-1.3.27-1.2.0      >= apache-1.3.27-1.2.1
OpenPKG 1.1          none                        N.A.

Dependent Packages:  none

Description:
  Kosmas Skiadopoulos discovered a serious security vulnerability [0]
  in the CGI SAPI of PHP version 4.3.0. PHP [1] contains code for
  preventing direct access to the CGI binary with configure option
  "--enable-force-cgi-redirect" and php.ini option "cgi.force_redirect".
  In PHP 4.3.0 there is a bug which renders these options useless.
  Please note that this bug does NOT affect any of the other SAPI
  modules such as the Apache or ISAPI modules.

  Anyone with access to websites hosted on a web server which employs
  the CGI module may exploit this vulnerability to gain access to any
  file readable by the user under which the webserver runs. A remote
  attacker could also trick PHP into executing arbitrary PHP code if the
  attacker is able to inject the code into files accessible by the CGI,
  for example the web server's access logs.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  php apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_php".
  If you have either the "php" or "apache" with option "with_mod_php"
  packages installed and their version is affected (see above), we
  recommend that you immediately upgrade (see Solution) [2][3].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [2]
  and update your OpenPKG installation by applying the binary RPM [3].
  For the release OpenPKG 1.2, perform the following operations to
  permanently fix the security problem for apache with mod_php. For
  other releases adjust this recipe accordingly.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get apache-1.3.27-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig apache-1.3.27-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild --define 'with_mod_php yes' \
        apache-1.3.27-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.27-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.php.net/release_4_3_1.php
  [1] http://www.php.net/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.2/UPD/php-4.3.0-1.2.1.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+Ul0CgHWT4GPEy58RAiylAJ0UMcYLUNYbOOl1oFIuqfAxWALcagCgxUsx
I0CUzWnNLnX57B9wHXCwWWQ=
=dpIT
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Feb 18 17:31:42 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id A5B7D277B01; Tue, 18 Feb 2003 17:31:42 +0100 (CET)
Date: Tue, 18 Feb 2003 17:31:42 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.011] OpenPKG Security Advisory (lynx)
Message-ID: <20030218163142.GA87453@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.011                                          18-Feb-2003
________________________________________________________________________

Package:             lynx
Vulnerability:       CRLF injection vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= lynx-2.8.4-20020206      >= lynx-2.8.4-20021216
OpenPKG 1.2          N.A.                        >= lynx-2.8.4-1.2.0
OpenPKG 1.1          <= lynx-2.8.4-1.1.0         >= lynx-2.8.4-1.1.1

Affected Releases:   Dependent Packages: none

Description:
  Ulf Harnhammar posted information [0] reporting a "CRLF Injection"
  problem with Lynx [1] 2.8.4 and earlier. It is possible to inject
  false HTTP headers into an HTTP request that is provided on the
  command line, via a URL containing encoded carriage return, line feed,
  and other whitespace characters. This way, scripts that use Lynx for
  downloading files access the wrong site on a web server with multiple
  virtual hosts. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1405 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  lynx". If you have the "lynx" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the release OpenPKG 1.1, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get lynx-2.8.4-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig lynx-2.8.4-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild lynx-2.8.4-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/lynx-2.8.4-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.mail-archive.com/bugtraq@securityfocus.com/msg08897.html
  [1] http://lynx.isc.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1405
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/lynx-2.8.4-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+UlhugHWT4GPEy58RAr9NAKC7MXEp1KbGF9hBdS54B0lAg5ZeSACg0tKk
ugQtWNDCopogBsrxmMgAlx0=
=+o01
-----END PGP SIGNATURE-----
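
The CRLF injection in OpenPKG-SA-2003.011 above works because a client
percent-decodes the URL and then writes the decoded bytes straight into
the request it sends. The following is an added example, not Lynx code
and not part of the advisory: a request builder with that flaw beside one
that keeps the path percent-encoded and rejects host names that could
carry line breaks, plus a minimal parser showing which Host header a
server would act on. The URL, host names and header names are constructed
for the example.

```python
"""HTTP request construction: the CRLF-injection pattern of CAN-2002-1405
beside a builder that keeps every URL component on its own line."""
import re
from urllib.parse import quote, unquote, urlsplit

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # IPv6 literals deliberately not handled
_PATH_SAFE = "/%:@!$&'()*+,;="               # '%' kept so existing escapes survive


def build_request_vulnerable(url):
    """Percent-decodes the path and drops it into the request as-is, so
    %0d%0a in the URL becomes a real CRLF on the wire."""
    u = urlsplit(url)
    path = unquote(u.path or "/")
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, u.hostname)


def build_request_safe(url):
    """Leaves the path percent-encoded (re-encoding raw control and
    whitespace characters) and refuses host names with anything but
    letters, digits, dots and hyphens, so no URL component can start a
    new request line or header."""
    u = urlsplit(url)
    if u.scheme != "http":
        raise ValueError("only plain http handled here: %r" % url)
    if not u.hostname or not _HOST_RE.match(u.hostname):
        raise ValueError("refusing host name %r" % u.hostname)
    path = quote(u.path or "/", safe=_PATH_SAFE)
    if u.query:
        path += "?" + quote(u.query, safe=_PATH_SAFE + "?")
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, u.hostname)


def accepts(url):
    """True if the hardened builder is willing to send a request for url."""
    try:
        build_request_safe(url)
    except ValueError:
        return False
    return True


def parse_request(raw):
    """What a server sees: (request_line, [(header_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def host_chosen_by_server(raw):
    """Virtual-host selection typically follows the first Host header parsed."""
    _, headers = parse_request(raw)
    return next((value for name, value in headers if name == "host"), None)


# Constructed URL of the kind a download script might be handed: the "path"
# carries an encoded end of request line and a second Host header.
INJECTION_URL = ("http://www.example.org/index.html%20HTTP/1.0%0d%0a"
                 "Host:%20evil.example%0d%0aX-Ignore:%20")


def demo():
    vulnerable = build_request_vulnerable(INJECTION_URL)
    safe = build_request_safe(INJECTION_URL)
    return {
        "vulnerable_host": host_chosen_by_server(vulnerable),
        "safe_host": host_chosen_by_server(safe),
        "safe_request_line": parse_request(safe)[0],
    }


if __name__ == "__main__":
    print(repr(build_request_vulnerable(INJECTION_URL)))
    print(demo())
```

With the vulnerable builder the request line ends after "/index.html
HTTP/1.0" and the attacker's Host header precedes the real one; the
hardened builder sends the whole encoded string as the path and the server
sees exactly one Host header.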

From openpkg-announce-owner@openpkg.org  Wed Feb 19 15:23:48 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id EC1E9277A20; Wed, 19 Feb 2003 15:23:47 +0100 (CET)
Date: Wed, 19 Feb 2003 15:23:47 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)
Message-ID: <20030219142347.GA89094@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.012                                          19-Feb-2003
________________________________________________________________________

Package:             dhcpd
Vulnerability:       denial of service (packet storm)
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= dhcpd-3.0.1rc11-20030116 >= dhcpd-3.0.1rc11-20030219
OpenPKG 1.2          <= dhcpd-3.0.1rc11-1.2.0    >= dhcpd-3.0.1rc11-1.2.1
OpenPKG 1.1          <= dhcpd-3.0.1rc9-1.1.1     >= dhcpd-3.0.1rc9-1.1.2

Affected Releases:   Dependent Packages: none

Description:
  Florian Lohoff discovered a bug [0] in dhcrelay which is part of the
  ISC DHCP Distribution [1]. The bug is causing the relay agent to
  send a continuing packet storm towards the configured DHCP server(s)
  in case of a malicious BOOTP packet. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2003-0039 [2] to the
  problem.

  Our update does not ultimately fix the root cause of the problem.
  However, it improves dhcrelay's compliance with RFC 1542 [10] by
  rigorously enforcing the requirements listed in section "4.1.1
  BOOTREQUEST Messages", thus limiting the havoc wreaked on the network:

  "The relay agent MUST silently discard BOOTREQUEST messages whose
  'hops' field exceeds the value 16. A configuration option SHOULD be
  provided to set this threshold to a smaller value if desired by the
  network manager. The default setting for a configurable threshold
  SHOULD be 4."

  The added configuration option is named "-c". Its default value is 4
  and the allowed range of the value is 0 to 16.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q dhcpd". If you have the "dhcpd" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get dhcpd-3.0.1rc11-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig dhcpd-3.0.1rc11-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild dhcpd-3.0.1rc11-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/dhcpd-3.0.1rc11-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=104310927813830&w=2
  [1] http://www.isc.org/products/DHCP/dhcp-v3.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0039
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/dhcpd-3.0.1rc9-1.1.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/dhcpd-3.0.1rc11-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
  [10] ftp://ftp.rfc-editor.org/in-notes/rfc1542.txt
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+U5MDgHWT4GPEy58RAu2qAKDMZ71rpxv4YgazQQw2fSi2mlfTIACfflr6
OF+yy6uSaCRuw/RlzUVzhic=
=kWcV
-----END PGP SIGNATURE-----
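
The RFC 1542 hop-count rule that OpenPKG-SA-2003.012 above relies on can
be shown on a packet. The following is an added example, not ISC dhcrelay
code and not part of the advisory: it packs a constructed BOOTREQUEST,
applies a relay's forwarding decision (BOOTREQUEST only, hops threshold,
hops incremented, giaddr set only when still zero) and then feeds the
relay its own output to show how the threshold bounds a forwarding loop.
The xid, hardware address and relay address are made up. The RFC says a
message "whose 'hops' field exceeds the value" is discarded, so the check
below uses a strict greater-than; whether the OpenPKG patch compares with
> or >= is not stated in the advisory and is an assumption here.

```python
"""Hop-count handling for a BOOTP/DHCP relay agent (RFC 1542, section 4.1.1)."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)       # 236 bytes; the vendor/options area follows
RFC1542_HARD_LIMIT = 16


def make_bootrequest(hops=0, xid=0x3903F326, chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed client broadcast as a relay on the client's LAN sees it."""
    return struct.pack(HDR, BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def relay_to_server(packet, relay_addr, max_hops=4):
    """Forwarding decision for a packet received on a client-facing
    interface: ("forward", packet_to_send) or ("drop", reason).

    max_hops mirrors the advisory's "-c" option: default 4, range 0..16
    (assumed strict greater-than comparison, per the RFC wording)."""
    if not 0 <= max_hops <= RFC1542_HARD_LIMIT:
        raise ValueError("hop threshold must be between 0 and 16")
    if len(packet) < HDR_LEN:
        return "drop", "short packet"
    (op, _htype, _hlen, hops, _xid, _secs, _flags,
     _ciaddr, _yiaddr, _siaddr, giaddr) = struct.unpack_from("!BBBBIHH4s4s4s4s", packet)
    if op != BOOTREQUEST:
        return "drop", "not a BOOTREQUEST"
    if hops > max_hops:
        return "drop", "hops %d exceeds threshold %d" % (hops, max_hops)
    out = bytearray(packet)
    out[3] = hops + 1                    # MUST increment hops before forwarding
    if giaddr == b"\0\0\0\0":
        out[24:28] = relay_addr          # MUST NOT overwrite a non-zero giaddr
    return "forward", bytes(out)


def forwards_before_drop(packet, relay_addr, max_hops=4):
    """Feed the relay its own output, as a forwarding loop would, and count
    how many copies leave before the hop threshold stops the packet."""
    count = 0
    while True:
        verdict, payload = relay_to_server(packet, relay_addr, max_hops)
        if verdict == "drop":
            return count
        count += 1
        packet = payload


if __name__ == "__main__":
    relay = b"\x0a\x00\x00\x01"
    for threshold in (0, 4, 16):
        print("threshold %2d: %2d forwards before drop"
              % (threshold, forwards_before_drop(make_bootrequest(), relay, threshold)))
```

Without any threshold the hops byte would wrap at 255 and a looping
packet would circulate indefinitely; with the default of 4 it leaves the
relay five times and is then silently discarded.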

From openpkg-announce-owner@openpkg.org  Wed Feb 19 19:09:51 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 31147277AF0; Wed, 19 Feb 2003 19:09:51 +0100 (CET)
Date: Wed, 19 Feb 2003 19:09:51 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)
Message-ID: <20030219180950.GA20102@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.013                                          19-Feb-2003
________________________________________________________________________

Package:             openssl
Vulnerability:       obtain plaintext of SSL/TLS communication
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7-20030111 >= openssl-0.9.7a-20030219
OpenPKG 1.2          <= openssl-0.9.7-1.2.0    >= openssl-0.9.7-1.2.1
OpenPKG 1.1          <= openssl-0.9.6g-1.1.0   >= openssl-0.9.6g-1.1.1

Affected Releases:   Dependent Packages:

OpenPKG CURRENT      apache cadaver cpu curl dsniff easysoap ethereal
                     exim fetchmail imap imapd inn linc links lynx mico
                     mixmaster mozilla mutt nail neon openldap openvpn
                     perl-ssl postfix postgresql qpopper samba sendmail
                     siege sio sitecopy socat stunnel subversion sysmon
                     w3m wget

OpenPKG 1.2          apache cpu curl ethereal fetchmail imap inn
                     links lynx mico mutt nail neon openldap perl-ssl
                     postfix postgresql qpopper samba sendmail siege
                     sitecopy socat stunnel sysmon w3m wget

OpenPKG 1.1          apache curl fetchmail inn links lynx mutt neon
                     openldap perl-ssl postfix postgresql qpopper samba
                     siege sitecopy socat stunnel sysmon w3m

Description:
  In an upcoming CRYPTO 2003 paper, Brice Canvel (EPFL), Alain
  Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL,
  Ilion) describe and demonstrate a timing-based attack on SSL/TLS
  with CBC ciphersuites. According to an OpenSSL security advisory
  [0], the OpenSSL implementation is vulnerable to this attack. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0078 [2] to the problem.

  The attack assumes that multiple SSL/TLS connections involve a common
  fixed plaintext block, such as a password. An active attacker can
  substitute specifically made-up ciphertext blocks for blocks sent
  by legitimate SSL/TLS parties and measure the time until a response
  arrives. SSL/TLS includes data authentication to ensure that such
  modified ciphertext blocks will be rejected by the peer (and the
  connection aborted), but the attacker may be able to use timing
  observations to distinguish between two different error cases, namely
  block cipher padding errors and MAC verification errors.

  This is sufficient for an adaptive attack that can finally obtain the
  complete plaintext block, although it cannot be easily exploited,
  because the attack requires the ability to be a man-in-the-middle,
  repeated communications that have a common plaintext block, decoding
  failures not signaling problems on the client and server side, and
  a network between the attacker and the server that allows timing
  differences to be reasonably observed.

  OpenSSL versions since 0.9.6c supposedly treat block cipher padding
  errors like MAC verification errors during record decryption [1], but
  MAC verification was still skipped after detection of a padding error,
  which allowed the timing attack.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get openssl-0.9.7-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssl-0.9.7-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.7-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7-1.2.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________

References:
  [0] http://www.openssl.org/news/secadv_20030219.txt
  [1] http://www.openssl.org/~bodo/tls-cbc.txt
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/openssl-0.9.6g-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+U68fgHWT4GPEy58RAgFGAKDFc5Uqd/Vywgo/hIVc7XfUY7dg2ACeMBjK
a46TdeF9PpJpy44I21Mpo8A=
=AI7g
-----END PGP SIGNATURE-----
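
The padding-versus-MAC timing difference described in OpenPKG-SA-2003.013
above, as an added example that is not part of the advisory or of OpenSSL's
code. It models only the post-decryption check on a CBC record laid out as
data || MAC || padding || padlen, under these assumptions: 8-byte blocks, a
4-byte FNV-based toy checksum in place of the real HMAC, and a call counter
(mac_calls) standing in for the response time an attacker would measure.
check_record_leaky() returns on a padding error before computing the MAC,
which is the behaviour the advisory says allowed the attack;
check_record_uniform() always computes the MAC and folds both verdicts into
one result. All function and variable names are this example's own.

```c
/* Added example (not OpenSSL's or OpenPKG's code): the record check that
 * OpenPKG-SA-2003.013 describes.  After CBC decryption a record looks like
 *   data || MAC(data) || pad bytes || padlen
 * and the receiver must verify both the padding and the MAC.  Assumptions:
 * 8-byte blocks, a 4-byte toy keyed checksum instead of the real HMAC, and
 * a call counter standing in for the response time an attacker measures. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 8
#define MAC_LEN   4

int mac_calls;   /* how often the (expensive) MAC ran: the "timing" an attacker sees */

/* Toy keyed checksum (FNV-1a over key || data).  A stand-in only, not a MAC. */
static void toy_mac(const uint8_t key[4], const uint8_t *data, size_t len,
                    uint8_t out[MAC_LEN])
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < 4; i++)       { h ^= key[i];  h *= 16777619u; }
    for (size_t i = 0; i < len; i++)     { h ^= data[i]; h *= 16777619u; }
    for (size_t i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
    mac_calls++;
}

/* Builds data || MAC || pad || padlen as a multiple of BLOCK_LEN.
 * Returns the record length, or 0 if it does not fit into out[]. */
size_t build_record(const uint8_t key[4], const uint8_t *data, size_t datalen,
                    uint8_t *out, size_t cap)
{
    size_t body   = datalen + MAC_LEN;
    size_t padlen = BLOCK_LEN - 1 - (body % BLOCK_LEN);   /* 0..7 */
    size_t total  = body + padlen + 1;
    if (total > cap) return 0;
    memcpy(out, data, datalen);
    toy_mac(key, data, datalen, out + datalen);
    memset(out + body, (int)padlen, padlen + 1);          /* pad bytes and the length byte */
    return total;
}

/* Vulnerable pattern: a padding error returns before the MAC is computed,
 * so "bad padding" is answered measurably faster than "bad MAC".
 * Returns 0 on success, -1 on any failure. */
int check_record_leaky(const uint8_t key[4], const uint8_t *rec, size_t len)
{
    if (len == 0 || len % BLOCK_LEN) return -1;
    size_t padlen = rec[len - 1];
    if (padlen + 1 + MAC_LEN > len) return -1;             /* early exit, no MAC */
    for (size_t i = 0; i < padlen; i++)
        if (rec[len - 2 - i] != padlen) return -1;          /* early exit, no MAC */
    size_t datalen = len - padlen - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(key, rec, datalen, mac);
    return memcmp(mac, rec + datalen, MAC_LEN) == 0 ? 0 : -1;
}

/* Corrected pattern: remember the padding verdict, run the MAC anyway (over
 * the length a zero-byte pad would imply when the pad is invalid) and fold
 * both verdicts into one result, so both failures cost the same MAC work. */
int check_record_uniform(const uint8_t key[4], const uint8_t *rec, size_t len)
{
    if (len == 0 || len % BLOCK_LEN) return -1;
    size_t padlen = rec[len - 1];
    int bad = 0;
    if (padlen + 1 + MAC_LEN > len) { bad = 1; padlen = 0; }
    for (size_t i = 0; i < padlen; i++)
        bad |= (rec[len - 2 - i] != padlen);
    size_t datalen = len - padlen - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(key, rec, datalen, mac);
    bad |= (memcmp(mac, rec + datalen, MAC_LEN) != 0);     /* memcmp itself is not constant-time */
    return bad ? -1 : 0;
}

int main(void)
{
    uint8_t key[4] = {1, 2, 3, 4}, rec[64];
    size_t n = build_record(key, (const uint8_t *)"hello", 5, rec, sizeof rec);
    rec[n - 1] = 0xff;                                     /* impossible pad length */
    mac_calls = 0; int a = check_record_leaky(key, rec, n);   int ca = mac_calls;
    mac_calls = 0; int b = check_record_uniform(key, rec, n); int cb = mac_calls;
    printf("leaky:   rc=%d mac_calls=%d\n", a, ca);
    printf("uniform: rc=%d mac_calls=%d\n", b, cb);
    return 0;
}
```

Feeding a record whose last byte is 0xff (an impossible pad length) shows the
difference: the leaky check never runs the MAC, the uniform one always does.
The uniform variant only removes the gross difference the advisory is about;
the remaining data-dependent work (the padding loop, memcmp) would still need
constant-time treatment in production code.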

From openpkg-announce-owner@openpkg.org  Tue Mar  4 12:03:58 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id B6A4E277A18; Tue,  4 Mar 2003 12:03:57 +0100 (CET)
Date: Tue, 4 Mar 2003 12:03:56 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.014] OpenPKG Security Advisory (tcpdump)
Message-ID: <20030304110356.GA94210@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.014                                          04-Mar-2003
________________________________________________________________________

Package:             tcpdump
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= tcpdump-3.7.1-20020822 >= tcpdump-3.7.2-20030227
OpenPKG 1.2          <= tcpdump-3.7.1-1.2.0    >= tcpdump-3.7.1-1.2.1
OpenPKG 1.1          <= tcpdump-3.7.1-1.1.0    >= tcpdump-3.7.1-1.1.1

Dependent Packages:  none

Description:
  Andrew Griffiths and iDEFENSE Labs discovered [1] a vulnerability in
  tcpdump [0] which can result in a Denial of Service (DoS) attack due
  to an endless processing loop consuming CPU resources when parsing
  malformed ISAKMP packets (UDP, port 500). The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0108 [2] to the
  problem.
  
  Similarly, another DoS attack is possible because tcpdump also enters
  an endless processing loop consuming CPU resources when parsing
  malformed BGP packets (TCP, port 179). Finally, a buffer overflow is
  possible when parsing malformed NFS packets (UDP, port 2049).

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  tcpdump". If you have the "tcpdump" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it (see
  Solution) and its dependent packages (see above), if any, too. [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get tcpdump-3.7.1-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig tcpdump-3.7.1-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild tcpdump-3.7.1-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/tcpdump-3.7.1-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.tcpdump.org/
  [1] http://www.idefense.com/advisory/02.27.03.txt
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/tcpdump-3.7.1-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/tcpdump-3.7.1-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+ZIEOgHWT4GPEy58RArsmAKCJSLg7vWFHOJFsXG/Xq/wbtSazNgCgq8zg
MOen3HEaFOKBcfB471+2kJk=
=NyPy
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar  4 17:47:35 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 9E95B277A00; Tue,  4 Mar 2003 17:47:34 +0100 (CET)
Date: Tue, 4 Mar 2003 17:47:34 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.015] OpenPKG Security Advisory (zlib)
Message-ID: <20030304164734.GA8673@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.015                                          04-Mar-2003
________________________________________________________________________

Package:             zlib
Vulnerability:       denial of service, code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:      Corrected Packages:
OpenPKG CURRENT      <= zlib-1.1.4-20020312  >= zlib-1.1.4-20030227
OpenPKG 1.2          <= zlib-1.1.4-1.2.0     >= zlib-1.1.4-1.2.1
OpenPKG 1.1          <= zlib-1.1.4-1.1.0     >= zlib-1.1.4-1.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      none (see NOTICE 2 below)
OpenPKG 1.2          none (see NOTICE 2 below)
OpenPKG 1.1          none (see NOTICE 2 below)

Description:
  The zlib [0] compression library provides an API function gzprintf()
  which is a convenient printf(3) style formatted output function based on
  zlib's raw output function gzwrite(). Richard Kettlewell discovered [1] 
  that the implementation of gzprintf() by default uses the portable
  but insecure vsprintf(3) and sprintf(3) functions (subject to buffer
  overflows), although optionally one was able to use the secure
  vsnprintf(3) and snprintf(3) functions. Unfortunately, even the
  optional use of vsnprintf(3) and snprintf(3) did not take the function
  return value (number of characters which were written or which would
  have been written in case a truncation took place) into account.
  
  As a result, gzprintf() will smash the run-time stack if called with
  arguments that expand to more than Z_PRINTF_BUFSIZE (= 4096 by
  default) bytes. This allows attackers to cause a Denial of Service
  (DoS) or possibly execute arbitrary code. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0107 [2] to the
  problem.

  The OpenPKG zlib packages were fixed by adding the necessary configure
  script checks to always use the secure vsnprintf(3) and snprintf(3)
  functions. Additionally, the code was adjusted to correctly take
  into account the return value of vsnprintf(3) and snprintf(3) and
  especially makes sure that truncated writes are not performed (which
  in turn can lead to new security issues).
  
  NOTICE 1: Keep in mind that our particular code changes fix the
  problems on our six officially supported Unix platforms only (FreeBSD
  4/5, Debian 2.2/3.0 and Solaris 8/9). It is not a general solution
  applicable to arbitrary Unix platforms where OpenPKG might also work.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution) [3][4].

  NOTICE 2: OpenPKG CURRENT currently has 49 packages depending on
  the "zlib" package and 7 packages which have a local copy of zlib
  embedded. Fortunately, none of those 56 packages use the affected
  gzprintf() function -- neither directly nor indirectly.

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get zlib-1.1.4-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig zlib-1.1.4-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild zlib-1.1.4-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.4-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.gzip.org/zlib/
  [1] http://online.securityfocus.com/archive/1/312869
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/zlib-1.1.4-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/zlib-1.1.4-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+ZNXUgHWT4GPEy58RAorLAJ42kiOkr5DK4LNMJpBQi77vrIBjkwCdHqKz
mgzAuVVj36YHDmRp95U2uFc=
=eLZA
-----END PGP SIGNATURE-----
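
The gzprintf() return-value problem described in OpenPKG-SA-2003.015 above,
as an added example that is not zlib's or OpenPKG's code. The names sink_t,
fmt_write_truncating(), fmt_write_checked() and the demo_* helpers are this
example's own; a memory sink stands in for gzwrite(), and the buffer size
follows the Z_PRINTF_BUFSIZE default of 4096 quoted in the advisory. The
original vsprintf()-based default is not executed here, since it would
corrupt the stack; the two functions contrast the "vsnprintf() but ignore
its result" variant the advisory mentions with one that honours the return
value and refuses truncated writes.

```c
/* Added example (not zlib's code): the gzprintf() pitfall described in
 * OpenPKG-SA-2003.015.  A memory "sink" stands in for gzwrite(); the
 * format buffer size follows the advisory's Z_PRINTF_BUFSIZE default.
 * The vsprintf() variant zlib used by default is deliberately not coded
 * here: with no bound at all, an expansion longer than the buffer runs
 * off the end of the stack array.  The two variants below both use the
 * bounded vsnprintf() and differ only in whether its result is checked. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define Z_PRINTF_BUFSIZE 4096

typedef struct { char data[2 * Z_PRINTF_BUFSIZE]; size_t len; } sink_t;

/* Appends n bytes to the sink (stand-in for gzwrite()); 1 on success, 0 if full. */
static int sink_write(sink_t *s, const char *buf, size_t n)
{
    if (s->len + n > sizeof s->data) return 0;
    memcpy(s->data + s->len, buf, n);
    s->len += n;
    return 1;
}

/* Flawed "optional" pattern from the advisory: vsnprintf() is bounded, but
 * its return value is ignored, so an over-long expansion is silently cut
 * at Z_PRINTF_BUFSIZE-1 bytes and the fragment is written as if complete. */
int fmt_write_truncating(sink_t *s, const char *fmt, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list ap;
    va_start(ap, fmt);
    (void)vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    size_t len = strlen(buf);               /* never exceeds sizeof buf - 1 */
    return sink_write(s, buf, len) ? (int)len : -1;
}

/* Corrected pattern: honour the return value.  vsnprintf() reports the
 * length the complete output would have had; a value >= sizeof buf means
 * the output was cut, a negative value is an encoding error.  Write
 * nothing in either case instead of emitting a partial record. */
int fmt_write_checked(sink_t *s, const char *fmt, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;
    return sink_write(s, buf, (size_t)n) ? n : -1;
}

/* Formats a constructed run of n 'A' bytes through one variant; returns its
 * result and stores in *written how many bytes actually reached the sink. */
static int run_variant(int checked, size_t n, size_t *written)
{
    char *big = malloc(n + 1);
    if (big == NULL) return -1;
    memset(big, 'A', n);
    big[n] = '\0';
    sink_t s;
    memset(&s, 0, sizeof s);
    int rc = checked ? fmt_write_checked(&s, "%s", big)
                     : fmt_write_truncating(&s, "%s", big);
    free(big);
    if (written) *written = s.len;
    return rc;
}
int demo_truncating(size_t n, size_t *written) { return run_variant(0, n, written); }
int demo_checked(size_t n, size_t *written)    { return run_variant(1, n, written); }

int main(void)
{
    size_t w;
    int rc = demo_truncating(5000, &w);
    printf("ignore result: rc=%d, %zu bytes written (silently truncated)\n", rc, w);
    rc = demo_checked(5000, &w);
    printf("check result:  rc=%d, %zu bytes written (refused)\n", rc, w);
    return 0;
}
```

With a 5000-byte argument the unchecked variant reports success and emits
4095 bytes of a record it never completed, which is the "truncated write"
the advisory warns can lead to new issues; the checked variant returns -1
and writes nothing. At exactly 4095 bytes the output still fits and both
agree; at 4096 only the checked variant notices the cut.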

From openpkg-announce-owner@openpkg.org  Tue Mar  4 17:48:33 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id E92F1277A00; Tue,  4 Mar 2003 17:48:32 +0100 (CET)
Date: Tue, 4 Mar 2003 17:48:32 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.016] OpenPKG Security Advisory (sendmail)
Message-ID: <20030304164832.GA9687@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.016                                          04-Mar-2003
________________________________________________________________________

Package:             sendmail
Vulnerability:       code execution, root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= sendmail-8.12.7-20030205 >= sendmail-8.12.8-20030304
OpenPKG 1.2          <= sendmail-8.12.7-1.2.0    >= sendmail-8.12.7-1.2.1
OpenPKG 1.1          none                        N.A.

Dependent Packages:  none

Description:
  According to an ISS X-Force advisory [1], a buffer overflow
  vulnerability exists in all versions from 5.79 to 8.12.7 of the
  Sendmail MTA [0]. Attackers may remotely exploit this vulnerability to
  gain "root" or superuser control of any vulnerable Sendmail server.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2002-1337 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q sendmail". If you have the "sendmail" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the current release OpenPKG 1.2, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get sendmail-8.12.7-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig sendmail-8.12.7-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild sendmail-8.12.7-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.7-1.2.1.*.rpm

________________________________________________________________________

References:
  [0] http://www.sendmail.org/
  [1] http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+ZMGBgHWT4GPEy58RAtQGAKDkUV6WstyfpRq9s0OB8fEA6HwAgACfTWpo
waJlboSvEDpzn/L1VhRSVDI=
=D3I1
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar  4 17:49:52 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 6FE98277AF1; Tue,  4 Mar 2003 17:49:52 +0100 (CET)
Date: Tue, 4 Mar 2003 17:49:52 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.017] OpenPKG Security Advisory (file)
Message-ID: <20030304164952.GA10221@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.017                                          04-Mar-2003
________________________________________________________________________

Package:             file
Vulnerability:       memory allocation problem, stack overflow
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= file-3.40-20030209       >= file-3.41-20030228
OpenPKG 1.2          <= file-3.39-1.2.0          >= file-3.39-1.2.1
OpenPKG 1.1          <= file-3.39-1.1.1          >= file-3.39-1.1.2

Dependent Packages:  none                        N.A.

Description:
  Jeff Johnson found a memory allocation problem and David Endler found
  a stack overflow corruption problem in the file [1] "Automatic File
  Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved
  ELF section and program header handling in file [1] version 3.40. We
  believe that file versions without those modifications are vulnerable
  to memory allocation and stack overflow problems which put security at
  risk. We have backported the security relevant pieces of the 3.41 and
  3.40 vendor changes into OpenPKG releases using vendor version 3.39.
  
  Please check whether you are affected by running "<prefix>/bin/rpm
  -q file". If you have the "file" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the
  binary RPM [3]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get file-3.39-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig file-3.39-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild file-3.39-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/file-3.39-1.2.1.*.rpm

________________________________________________________________________

References:
  [1] ftp://ftp.astron.com/pub/file/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/file-3.39-1.1.2.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/file-3.39-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+ZNa8gHWT4GPEy58RAv/sAJ9Jq+8xFwUuLlDs1HmzfLmao3WouQCgnyMH
rWtiA32e/FZ17nwKHRAuiL0=
=ec0v
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Mar 14 22:29:46 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id E32CB277A0B; Fri, 14 Mar 2003 22:29:45 +0100 (CET)
Date: Fri, 14 Mar 2003 22:29:45 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.018] OpenPKG Security Advisory (qpopper)
Message-ID: <20030314212945.GA5674@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.018                                          14-Mar-2003
________________________________________________________________________

Package:             qpopper
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= qpopper-4.0.4-20030226   >= qpopper-4.0.5-20030313
OpenPKG 1.2          <= qpopper-4.0.4-1.2.0      >= qpopper-4.0.4-1.2.1
OpenPKG 1.1          <= qpopper-4.0.4-1.1.1      >= qpopper-4.0.4-1.1.2

Dependent Packages:  none

Description:
  According to Florian Heinz [0] a remote code execution vulnerability
  exists in the QPopper POP3 server [1]. Attackers may remotely exploit
  this vulnerability to execute arbitrary code under the user id of a
  mailbox owner and the "mail" group id.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  qpopper". If you have the "qpopper" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the
  binary RPM [3]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get qpopper-4.0.4-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig qpopper-4.0.4-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild qpopper-4.0.4-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/qpopper-4.0.4-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/314643/2003-03-04/2003-03-10/0
  [1] http://www.eudora.com/qpopper/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/qpopper-4.0.4-1.1.2.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/qpopper-4.0.4-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+ckkwgHWT4GPEy58RAosEAJ9ROxlBdCptZ096uBg1KF9eaFw6oQCgy7gT
uzDTkM+4oxfNfMVrF0U+kcA=
=NNhb
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar 18 11:19:25 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id EA12A277A00; Tue, 18 Mar 2003 11:19:24 +0100 (CET)
Date: Tue, 18 Mar 2003 11:19:24 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.019] OpenPKG Security Advisory (openssl)
Message-ID: <20030318101924.GA13205@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.019                                          18-Mar-2003
________________________________________________________________________

Package:             openssl
Vulnerability:       local and remote extraction of RSA private key
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7a-20030219 >= openssl-0.9.7a-20030317
OpenPKG 1.2          <= openssl-0.9.7-1.2.1     >= openssl-0.9.7-1.2.2
OpenPKG 1.1          <= openssl-0.9.6g-1.1.1    >= openssl-0.9.6g-1.1.2

Affected Releases:   Dependent Packages:

OpenPKG CURRENT      apache cadaver cpu curl dsniff easysoap ethereal
                     exim fetchmail imap imapd inn linc links lynx mico
                     mixmaster mozilla mutt nail neon openldap openvpn
                     perl-ssl postfix postgresql qpopper samba sendmail
                     siege sio sitecopy socat stunnel subversion sysmon
                     w3m wget

OpenPKG 1.2          apache cpu curl ethereal fetchmail imap inn
                     links lynx mico mutt nail neon openldap perl-ssl
                     postfix postgresql qpopper samba sendmail siege
                     sitecopy socat stunnel sysmon w3m wget

OpenPKG 1.1          apache curl fetchmail inn links lynx mutt neon
                     openldap perl-ssl postfix postgresql qpopper samba
                     siege sitecopy socat stunnel sysmon w3m

Description:
  David Brumley and Dan Boneh of Stanford University have researched
  and documented a timing attack on OpenSSL which allows local and
  remote attackers to extract the RSA private key of a server. [0] The
  OpenSSL [1] RSA implementation is generally vulnerable to this type
  of attack unless RSA blinding has been turned on [2].
  
  Typically, RSA blinding is not enabled by OpenSSL based applications,
  mainly because it is not obvious how to do so when using OpenSSL to
  provide SSL/TLS. This problem affects almost all applications using
  OpenSSL: they have to be rebuilt against the fixed OpenSSL version
  (where RSA blinding is now enabled by default) or have to enable RSA
  blinding explicitly on their own.
  
  The performance impact of RSA blinding appears to be small (a few
  percent only) and the RSA functionality is still fully compatible. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0147 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the binary
  RPM [5]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get openssl-0.9.7-1.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssl-0.9.7-1.2.2.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.7-1.2.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7-1.2.2.*.rpm

  Additionally, you have to rebuild and reinstall all dependent
  packages (see above), too. [4][5]
________________________________________________________________________

References:
  [0] http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
  [1] http://www.openssl.org/
  [2] http://www.openssl.org/news/secadv_20030317.txt
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/openssl-0.9.6g-1.1.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.2.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+dvGTgHWT4GPEy58RAlXaAJ90QOgj+C9+Lwe7NLu/FTt8e2XV8ACfZfyf
C3hwua723fCPNbHTCyi5Zcw=
=hEKo
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar 18 16:31:38 2003
Date: Tue, 18 Mar 2003 16:31:37 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.020] OpenPKG Security Advisory (modssl)
Message-ID: <20030318153137.GA67448@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.020                                          18-Mar-2003
________________________________________________________________________

Package:             apache (option "with_mod_ssl" only)
Vulnerability:       local and remote extraction of RSA private key
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.27-20030305 >= apache-1.3.27-20030318
OpenPKG 1.2          <= apache-1.3.27-1.2.1    >= apache-1.3.27-1.2.2
OpenPKG 1.1          <= apache-1.3.26-1.1.3    >= apache-1.3.26-1.1.4

Dependent Packages:  none

Description:
  David Brumley and Dan Boneh of Stanford University have researched and
  documented a timing attack on OpenSSL which allows local and remote
  attackers to extract the RSA private key of an SSL/TLS server like
  Apache/mod_ssl. [0] The OpenSSL [1] RSA implementation is generally
  vulnerable to this type of attack unless RSA blinding has been
  turned on [2].
  
  RSA blinding previously was not explicitly enabled by mod_ssl. If
  Apache/mod_ssl is linked against the already fixed OpenSSL versions
  (see security advisory OpenPKG-SA-2003.019 [3]), the problem is
  already implicitly fixed inside OpenSSL. Nevertheless, mod_ssl 2.8.13
  now explicitly enables RSA blinding for RSA private keys. For older
  versions, OpenPKG includes this preventive change as well.
  
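  Both this advisory and OpenPKG-SA-2003.019 turn on RSA blinding without showing what it does to the private-key operation. The following is an added example (not OpenSSL, mod_ssl or OpenPKG code) that implements the blinding arithmetic in Python on a constructed toy key; the BlindedRSAKey class, its refresh interval and the sample values are the example's own assumptions, loosely modelled on how OpenSSL's BN_BLINDING squares the blinding factor between uses and regenerates it periodically.

```python
"""RSA blinding against the Brumley/Boneh timing attack (CAN-2003-0147).

Added example, not code from OpenSSL, mod_ssl or OpenPKG.  The private-key
exponentiation is run on r^e * c for a secret random r instead of on the
peer-supplied ciphertext c, and r is divided out afterwards; the timing of
the exponentiation then no longer depends on a value the peer controls.
The toy key below is constructed inline and is far too small for real use.
"""
import math
import secrets

# Constructed toy key from two Mersenne primes (illustration only).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent: E*D == 1 (mod PHI)


def rsa_public(m: int) -> int:
    """Public operation m^e mod n (encryption / signature verification)."""
    return pow(m, E, N)


def rsa_private_unblinded(c: int) -> int:
    """Private operation c^d mod n as a plain modular exponentiation.

    The work done inside this exponentiation depends on d and on c, and c is
    chosen by the remote peer; that data dependence is what the timing attack
    described in the advisory measures.
    """
    return pow(c, D, N)


class BlindedRSAKey:
    """Private operation with blinding, loosely modelled on OpenSSL's
    BN_BLINDING: keep r^e and r^-1, square both after each use (cheap, and
    (r^2)^e / r^-2 is again a valid pair) and draw a fresh r every `refresh`
    uses.  The class and the refresh interval are this example's own."""

    def __init__(self, refresh: int = 32):
        self.refresh = refresh
        self.uses = 0
        self._new_factor()

    def _new_factor(self) -> None:
        # r must be invertible mod n; a non-coprime r is astronomically rare
        # for a real key, but the check costs nothing.
        while True:
            r = secrets.randbelow(N)
            if r > 1 and math.gcd(r, N) == 1:
                break
        self.r_e = pow(r, E, N)        # blinding multiplier r^e
        self.r_inv = pow(r, -1, N)     # unblinding multiplier r^-1
        self.uses = 0

    def _update_factor(self) -> None:
        self.uses += 1
        if self.uses >= self.refresh:
            self._new_factor()
        else:
            self.r_e = (self.r_e * self.r_e) % N
            self.r_inv = (self.r_inv * self.r_inv) % N

    def private(self, c: int) -> int:
        """Compute c^d mod n without exponentiating the caller's c directly."""
        blinded_c = (c * self.r_e) % N         # r^e * c
        blinded_m = pow(blinded_c, D, N)       # (r^e * c)^d = r * c^d (mod n)
        m = (blinded_m * self.r_inv) % N       # strip the factor r
        self._update_factor()
        return m


def all_roundtrips_ok(count: int, refresh: int = 32) -> bool:
    """Encrypt `count` constructed messages and check that the blinded and the
    unblinded private operations both recover them; a `count` above `refresh`
    exercises the factor-regeneration path as well as the squaring path."""
    key = BlindedRSAKey(refresh=refresh)
    for i in range(count):
        m = i * 7919 + 12345                   # constructed sample plaintext
        c = rsa_public(m)
        if key.private(c) != m or rsa_private_unblinded(c) != m:
            return False
    return True


if __name__ == "__main__":
    assert (E * D) % PHI == 1
    print("blinded == unblinded:", all_roundtrips_ok(70))
```
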
  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_ssl". If you
  have the "apache" package with option "with_mod_ssl" installed and its
  version is affected (see above), we recommend that you immediately
  upgrade (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the binary
  RPM [5]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get apache-1.3.27-1.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig apache-1.3.27-1.2.2.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.27-1.2.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.27-1.2.2.*.rpm
________________________________________________________________________

References:
  [0] http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
  [1] http://www.openssl.org/
  [2] http://www.openssl.org/news/secadv_20030317.txt
  [3] http://www.openpkg.org/security/OpenPKG-SA-2003.019-openssl.html
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.4.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.2.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+dztWgHWT4GPEy58RApBVAJ9+50Nlwfhuu7ORHF3aPwRWyMrOdACcCJjf
Q+69FxYxCzvkPEwNeX+9sLU=
=/TMJ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar 18 16:46:16 2003
Date: Tue, 18 Mar 2003 16:46:16 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba)
Message-ID: <20030318154616.GA75254@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.021                                          18-Mar-2003
________________________________________________________________________

Package:             samba
Vulnerability:       remote root exploit / chown race condition
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= samba-2.2.7a-20030207    >= samba-2.2.8-20030316
OpenPKG 1.2          <= samba-2.2.7a-1.2.0       >= samba-2.2.7a-1.2.1
OpenPKG 1.1          <= samba-2.2.5-1.1.1        >= samba-2.2.5-1.1.2

Dependent Packages:  none

Description:
  Sebastian Krahmer, SuSE Security Team, [0] has alerted the Samba Team
  to two serious vulnerabilities in all versions of Samba [1] up to and
  including version 2.2.7a. We have backported the security relevant
  pieces of the 2.2.8 vendor changes into releases used by OpenPKG.

  If exploited correctly, it could lead to an anonymous user gaining
  root access on a system running Samba. All versions of Samba up to
  and including Samba 2.2.7a are vulnerable. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0085 [2] to the
  problem.

  In addition, he pointed out a chown(2) race condition which could
  allow overwriting of critical system files if exploited. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0086 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  samba". If you have the "samba" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary
  RPM from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get samba-2.2.7a-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig samba-2.2.7a-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild samba-2.2.7a-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-2.2.7a-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.suse.de/de/security/
  [1] http://www.samba.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/samba-2.2.5-1.1.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/samba-2.2.7a-1.2.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+dz6GgHWT4GPEy58RAsiNAKC+2Z6xASbe/P3fsqe6MZsCQHlSOQCg4Ds7
AQDR5amxuodObmeEmincdpM=
=hgQX
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar 18 16:57:13 2003
Date: Tue, 18 Mar 2003 16:57:13 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.022] OpenPKG Security Advisory (mysql)
Message-ID: <20030318155712.GA77967@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.022                                          18-Mar-2003
________________________________________________________________________

Package:             mysql
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mysql-3.23.55-20030211   >= mysql-3.23.56-20030318
OpenPKG 1.2          <= mysql-3.23.54a-1.2.1     >= mysql-3.23.54a-1.2.2
OpenPKG 1.1          <= mysql-3.23.52-1.1.2      >= mysql-3.23.52-1.1.3

Dependent Packages:  none

Description:
  According to a report on BugTraq [0], a remote root exploit
  vulnerability exists in version 3.23.55 and earlier versions of the
  MySQL server [1]. If the MySQL server is launched by root, as is
  often done by system startup scripts, any database user with the
  "FILE" privilege can write a configuration file (usually my.cnf) that
  causes the MySQL server to run under an arbitrary user id, including
  the user id of the super-user, on the next restart.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  mysql". If you have the "mysql" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the
  binary RPM [3]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get mysql-3.23.54a-1.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig mysql-3.23.54a-1.2.2.src.rpm
  $ <prefix>/bin/rpm --rebuild mysql-3.23.54a-1.2.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mysql-3.23.54a-1.2.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/314391/2003-03-04/2003-03-10/0
  [1] http://www.mysql.com/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/mysql-3.23.52-1.1.3.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/mysql-3.23.54a-1.2.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+d0EdgHWT4GPEy58RAhGxAKDAaLrjSbB4V2ItfrOCjj8nB13+/ACgqfW9
unh+dQiYexu1PGIWMLA9F+U=
=415D
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Mar 19 15:52:23 2003
Date: Wed, 19 Mar 2003 15:52:23 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.023] OpenPKG Security Advisory (delegate)
Message-ID: <20030319145223.GA17902@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.023                                          19-Mar-2003
________________________________________________________________________

Package:             delegate
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= delegate-8.3.4-20030222  >= delegate-8.5.0-20030306
OpenPKG 1.2          <= delegate-8.3.3-1.2.0     >= delegate-8.3.3-1.2.1
OpenPKG 1.1          <= delegate-7.9.11-1.1.0    >= delegate-7.9.11-1.1.1

Dependent Packages:  none

Description:
  According to an SNS security advisory [0], a remote code execution
  vulnerability exists in the application level gateway DeleGate [1]
  version 8.4.0 and earlier. Fetching a large robots.txt file through
  the DeleGate HTTP proxy could result in a buffer overflow.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q delegate". If you have the "delegate" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the
  binary RPM [3]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get delegate-8.3.3-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig delegate-8.3.3-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild delegate-8.3.3-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/delegate-8.3.3-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.lac.co.jp/security/english/snsadv_e/63_e.html
  [1] http://www.delegate.org/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/delegate-7.9.11-1.1.1.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/delegate-8.3.3-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+eIPogHWT4GPEy58RAjk9AKCpX55H/+HUu2cpdmtM/SNdDNeA+ACgvMTE
Dh1C6hKWEKzhXj+k89E8CpI=
=6xux
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Mar 19 16:03:23 2003
Date: Wed, 19 Mar 2003 16:03:22 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.024] OpenPKG Security Advisory (ircii)
Message-ID: <20030319150322.GA26278@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.024                                          19-Mar-2003
________________________________________________________________________

Package:             ircii
Vulnerability:       buffer overflow vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= ircii-20030314-20030315  >= ircii-20030315-20030316
OpenPKG 1.2          <= ircii-20021103-1.2.0     >= ircii-20021103-1.2.1
OpenPKG 1.1          <= ircii-20020403-1.1.0     >= ircii-20020403-1.1.1

Dependent Packages:  none

Description:
  Timo Sirainen audited ircII-based clients [1] and found some buffer
  overflow vulnerabilities in ircii-20020912 [2]. According to his
  report, these problems were fixed in ircii-20030313. We have backported
  the security relevant pieces of the more recent ircii-20030315 vendor
  changes into releases used by OpenPKG.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  ircii". If you have the "ircii" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get ircii-20021103-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig ircii-20021103-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild ircii-20021103-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/ircii-20021103-1.2.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.securityfocus.com/archive/1/315057
  [2] http://www.irchelp.org/irchelp/ircii/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/ircii-20020403-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/ircii-20021103-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+eIZngHWT4GPEy58RAleYAJ4xmlL78sJFnmZ48XONR3NCTcxOTwCgrShv
PO52bUXnK9qzPMon2U9TXvo=
=Vnet
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Mar 20 17:38:51 2003
Date: Thu, 20 Mar 2003 17:38:51 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.025] OpenPKG Security Advisory (mutt)
Message-ID: <20030320163851.GA29825@en4.engelschall.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.025                                          20-Mar-2003
________________________________________________________________________

Package:             mutt
Vulnerability:       buffer overflow in IMAP client
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= mutt-1.4i-20030103     >= mutt-1.4.1i-20030320
OpenPKG 1.2          <= mutt-1.4i-1.2.0        >= mutt-1.4i-1.2.1
OpenPKG 1.1          <= mutt-1.4i-1.1.0        >= mutt-1.4i-1.1.1

Dependent Packages:  none

Description:
  According to a posting on Bugtraq [0], Edmund Grimley Evans fixed a
  buffer overflow which exists in the IMAP client code of the mail user
  agent Mutt [1]. The bug was found by Core Security Technologies [2].

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  mutt". If you have the "mutt" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get mutt-1.4i-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig mutt-1.4i-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild mutt-1.4i-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mutt-1.4i-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/315679
  [1] http://www.mutt.org/
  [2] http://www.corest.com/common/showdoc.php?idx=310&idxseccion=10
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/mutt-1.4i-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/mutt-1.4i-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+eeyKgHWT4GPEy58RArpCAKDcaOeLoSA5Z9OvQ0U/vT38ZXi4wwCg1ZNF
M+mSz6l/Oi9I43eNw8wB4s4=
=r1SF
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Mar 20 21:27:48 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 5961F277A00; Thu, 20 Mar 2003 21:27:48 +0100 (CET)
Date: Thu, 20 Mar 2003 21:27:48 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl)
Message-ID: <20030320202748.GA76625@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.026                                          20-Mar-2003
________________________________________________________________________

Package:             openssl
Vulnerability:       information leakage
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7a-20030317 >= openssl-0.9.7a-20030320
OpenPKG 1.2          <= openssl-0.9.7-1.2.2     >= openssl-0.9.7-1.2.3
OpenPKG 1.1          <= openssl-0.9.6g-1.1.2    >= openssl-0.9.6g-1.1.3

Affected Releases:   Dependent Packages:

OpenPKG CURRENT      apache cadaver cpu curl dsniff easysoap ethereal
                     exim fetchmail imap imapd inn linc links lynx mico
                     mixmaster mozilla mutt nail neon openldap openvpn
                     perl-ssl postfix postgresql qpopper samba sendmail
                     siege sio sitecopy socat stunnel subversion sysmon
                     w3m wget

OpenPKG 1.2          apache cpu curl ethereal fetchmail imap inn
                     links lynx mico mutt nail neon openldap perl-ssl
                     postfix postgresql qpopper samba sendmail siege
                     sitecopy socat stunnel sysmon w3m wget

OpenPKG 1.1          apache curl fetchmail inn links lynx mutt neon
                     openldap perl-ssl postfix postgresql qpopper samba
                     siege sitecopy socat stunnel sysmon w3m

Description:
  According to an OpenSSL [0] security advisory [1], Czech cryptologists
  Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an
  extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5
  padding as used in SSL 3.0 and TLS 1.0. The attack was documented
  in their report "Attacking RSA-based Sessions in SSL/TLS" [2]. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0147 [3] to the problem.

  Their attack requires the attacker to open millions of SSL/TLS
  connections to the server under attack. The server's behaviour when
  faced with specially made-up RSA ciphertexts can reveal information
  that in effect allows the attacker to perform a single RSA private key
  operation on a ciphertext of its choice using the server's RSA key.
  Note that the server's RSA key is not compromised in this attack.
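  The countermeasure the OpenSSL fix relies on, shown here as an added C
  example that is neither part of this advisory nor OpenSSL's own code:
  after the RSA decryption the server parses the PKCS #1 v1.5 type-2 block
  and, whenever any check fails, silently substitutes a premaster secret
  it generated at random before the decryption. The handshake then runs
  identically in both cases and only fails later, at the Finished message,
  so the client gets no per-connection verdict on its ciphertext. The
  function names, the 128-byte block (a 1024-bit modulus) and the sample
  bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48   /* RSA premaster secret: 2 version bytes + 46 random bytes */

/*
 * Recover the premaster secret from an RSA-decrypted PKCS#1 v1.5 block.
 * em/emlen: decrypted block, as long as the RSA modulus
 * fallback: PMS_LEN random bytes the server generated BEFORE decrypting
 * version:  the client_version expected in the first two message bytes
 * out:      always receives PMS_LEN bytes
 * Whenever any check fails, 'fallback' is delivered instead of an error, so
 * the handshake continues identically and fails later, uniformly, at the
 * Finished message. The return value (1 = padding and version were valid)
 * exists for tests and post-handshake auditing; it must not change what the
 * server sends on the wire.
 */
static int rsa_premaster_unpad(const uint8_t *em, size_t emlen,
                               const uint8_t fallback[PMS_LEN],
                               uint16_t version, uint8_t out[PMS_LEN])
{
    int ok = 1;
    size_t i, sep = 0, found = 0;

    ok &= (emlen >= 2 + 8 + 1 + PMS_LEN);              /* 00 02 PS(>=8) 00 M */
    ok &= (emlen >= 2 && em[0] == 0x00 && em[1] == 0x02);

    /* Locate the first 0x00 after the header by scanning the whole block,
     * never stopping early, so the work done does not depend on its place. */
    for (i = 2; i < emlen; i++) {
        size_t hit = (em[i] == 0x00) & (found == 0);
        sep = hit ? i : sep;
        found |= hit;
    }
    ok &= (int)found;
    ok &= (sep >= 2 + 8);                               /* padding string >= 8 bytes */
    ok &= (found && emlen - sep - 1 == PMS_LEN);        /* message is exactly 48 bytes */

    const uint8_t *msg = ok ? em + sep + 1 : fallback;
    ok &= (msg[0] == (uint8_t)(version >> 8)) & (msg[1] == (uint8_t)version);

    /* Byte-wise select between message and fallback so that the copy itself
     * does not branch on the verdict. */
    uint8_t mask = (uint8_t)(0u - (unsigned)ok);        /* 0xff if ok, else 0x00 */
    for (i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((msg[i] & mask) | (fallback[i] & (uint8_t)~mask));
    return ok;
}

/* Self-check on a constructed 128-byte block (what a 1024-bit RSA decryption
 * yields; not data from a real handshake). variant 0: well-formed; 1: wrong
 * block type byte; 2: wrong client version. Returns 1 when the function did
 * the right thing for that variant. */
static int demo_case(int variant)
{
    uint8_t em[128], fallback[PMS_LEN], pms[PMS_LEN], out[PMS_LEN];
    size_t i, sep = sizeof em - PMS_LEN - 1;

    for (i = 0; i < PMS_LEN; i++) {
        fallback[i] = (uint8_t)(0xA0 + i);
        pms[i] = (uint8_t)(0x10 + i);
    }
    pms[0] = 0x03; pms[1] = 0x01;                       /* client_version = TLS 1.0 */
    em[0] = 0x00; em[1] = 0x02;
    for (i = 2; i < sep; i++)
        em[i] = (uint8_t)(0x11 + i % 7);                /* non-zero padding string */
    em[sep] = 0x00;
    memcpy(em + sep + 1, pms, PMS_LEN);
    if (variant == 1) em[1] = 0x01;
    if (variant == 2) em[sep + 2] = 0x00;               /* version 0x0300 instead of 0x0301 */

    int ok = rsa_premaster_unpad(em, sizeof em, fallback, 0x0301, out);
    if (variant == 0)
        return ok == 1 && memcmp(out, pms, PMS_LEN) == 0;
    return ok == 0 && memcmp(out, fallback, PMS_LEN) == 0;
}

int main(void)
{
    printf("valid: %d, bad type: %d, bad version: %d\n",
           demo_case(0), demo_case(1), demo_case(2));
    return 0;
}
```

  This illustrates the protocol-level countermeasure only: a production
  implementation must in addition keep the RSA decryption itself and its
  error reporting free of timing and message differences, which plain C of
  this kind does not guarantee on its own.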

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the binary
  RPM [5]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get openssl-0.9.7-1.2.3.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssl-0.9.7-1.2.3.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.7-1.2.3.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7-1.2.3.*.rpm

  Additionally, you have to rebuild and reinstall all dependent
  packages (see above), too. [4][5]
________________________________________________________________________

References:
  [0] http://www.openssl.org/
  [1] http://www.openssl.org/news/secadv_20030319.txt
  [2] http://eprint.iacr.org/2003/052/
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/openssl-0.9.6g-1.1.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.3.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+eiKhgHWT4GPEy58RAqHmAKCc3shS04jp9yf7nidbRICYwPCjlACgwD0B
MS3AX0PNpAWSRzlTmGr6nDg=
=6fnm
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Sun Mar 30 14:42:53 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 02731277B04; Sun, 30 Mar 2003 14:42:52 +0200 (CEST)
Date: Sun, 30 Mar 2003 14:42:52 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.027] OpenPKG Security Advisory (sendmail)
Message-ID: <20030330124252.GA72105@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.027                                          30-Mar-2003
________________________________________________________________________

Package:             sendmail
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= sendmail-8.12.8-20030328 >= sendmail-8.12.9-20030329
OpenPKG 1.2          <= sendmail-8.12.7-1.2.1    >= sendmail-8.12.7-1.2.2
OpenPKG 1.1          none                        N.A.

Dependent Packages:  none

Description:
  Michal Zalewski discovered [1] a confirmed [2] buffer overflow
  vulnerability in all versions of the Sendmail [0] MTA earlier than
  8.12.9. The mail address parser performs insufficient bounds checking
  in certain conditions due to a "char" to "int" data type conversion,
  making it possible for an attacker to take control of the application.
  Attackers may remotely exploit this vulnerability to gain "root"
  access of any vulnerable Sendmail server. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0161 [3] to the
  problem.
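  The conversion defect the advisory names, as an added C example that is
  not Sendmail's code: a parser that uses the negative value NOCHAR as an
  in-band sentinel and reads its input through plain char (signed on x86)
  cannot tell an input byte 0xFF from the sentinel, so that byte takes a
  code path meant only for "no data" and the parser's accounting of what
  it consumed and what it stored drifts apart. The fix is to widen through
  unsigned char. The function names, the sentinel value and the sample
  input are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define NOCHAR (-1)   /* in-band sentinel meaning "no character available" */

/* Defective reader: plain char is signed on x86, so the input byte 0xFF is
 * sign-extended to -1 and collides with NOCHAR. signed char is spelled out
 * here so the behaviour is the same on platforms where char is unsigned. */
static int next_byte_signed(const char *p)
{
    return *(const signed char *)p;
}

/* Corrected reader: widen through unsigned char; 0xFF becomes 255 and can
 * never equal a negative sentinel. */
static int next_byte_unsigned(const char *p)
{
    return *(const unsigned char *)p;
}

/* Copy up to inlen input bytes into out[outlen] with a bounds check before
 * every store. A NOCHAR result takes the "nothing to store" path, which is
 * only meant for the reader's end-of-data condition; with the defective
 * reader real data bytes end up there, bypassing the store and its check.
 * Returns the number of bytes stored, or -1 if out would overflow. */
static int copy_bytes(const char *in, size_t inlen, char *out, size_t outlen,
                      int (*next)(const char *))
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < inlen; i++) {
        int c = next(&in[i]);
        if (c == NOCHAR)
            continue;
        if (n + 1 >= outlen)            /* keep room for the terminating NUL */
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: five bytes of an address fragment, two of them 0xFF.
 * Returns how many bytes the selected reader lets copy_bytes() store. */
static int demo_stored(int use_unsigned)
{
    static const char sample[] = "a\xff" "b\xff" "c";
    char out[16];
    return copy_bytes(sample, 5, out, sizeof out,
                      use_unsigned ? next_byte_unsigned : next_byte_signed);
}

/* The bounds check on the normal path: six bytes into a four-byte buffer
 * is refused with -1 rather than written past the end. */
static int demo_overflow(void)
{
    char out[4];
    return copy_bytes("abcdef", 6, out, sizeof out, next_byte_unsigned);
}

int main(void)
{
    printf("signed reader stores %d of 5 bytes, unsigned reader stores %d of 5\n",
           demo_stored(0), demo_stored(1));
    printf("oversized input result: %d\n", demo_overflow());
    return 0;
}
```

  The signed reader silently drops both 0xFF bytes (3 of 5 stored) while
  the unsigned reader stores all five; in a real parser the same collision
  lets data bytes reach logic that was written on the assumption that only
  the end-of-data condition can get there.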

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q sendmail". If you have the "sendmail" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6], fetch it from the OpenPKG FTP service [7] or a mirror location,
  verify its integrity [8], build a corresponding binary RPM from it [4]
  and update your OpenPKG installation by applying the binary RPM [5].
  For the current release OpenPKG 1.2, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get sendmail-8.12.7-1.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig sendmail-8.12.7-1.2.2.src.rpm
  $ <prefix>/bin/rpm --rebuild sendmail-8.12.7-1.2.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.7-1.2.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.sendmail.org/
  [1] http://lists.netsys.com/pipermail/full-disclosure/2003-March/008973.html
  [2] http://www.securityfocus.com/archive/1/316760/2003-03-26/2003-04-01/0
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+huYSgHWT4GPEy58RAhdpAKDGqKOKSGwfuxVT5imK+1H0LBDcPACgu1nq
cia1t2PI8lNReMIeza3KLKI=
=38Sm
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Mar 31 17:30:48 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 7D61D277A18; Mon, 31 Mar 2003 17:30:48 +0200 (CEST)
Date: Mon, 31 Mar 2003 17:30:48 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: Now available: OpenPKG in a box!
Message-ID: <20030331153048.GA42238@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 31-Mar-2003

    OpenPKG commercially available.

  http://www.openpkg.com/ -- Munich, DE -- March 31, 2003 -- The OpenPKG
  project is proud to announce the commercial availability of version
  1.2 of its OpenPKG software product. A flexible and powerful software
  packaging facility, OpenPKG eases the cross-platform installation and
  administration of Unix software.

  After two years of strong Open Source development, OpenPKG is now
  available as a commercial closed-source product, too. You can choose
  between three carefully selected product licenses: Personal Edition,
  Server Edition and Enterprise Edition. Each designed to maximize your
  particular business revenue through lowest possible total cost of
  ownership.
  
  Get even more out of OpenPKG with our additional offerings. Upgrade
  Protection for steadily decreasing budgets, Care Pack for ultimate
  security, annual subscription to our --rebuild magazine for expert
  information, plus numerous brand new merchandising articles for your
  daily Unix administration experience.
  
  Shipping of "OpenPKG in a box" starts tomorrow. Visit now the new
  online store under http://www.openpkg.com/ and be one of the first
  already ordering this exciting product.

  HIGHLIGHTS OF OPENPKG

  * Entirely based on Open Source Software technology.
  * Portable across mostly all major Unix platforms.
  * Official support for FreeBSD 4/5, Debian 2/3 and Solaris 8/9.
  * Minimum operating system intrusion.
  * Minimum overhead in software packaging.
  * Easy installation, updating and deinstallation of packages.
  * Over 500 carefully selected and released packages available.
  * Bundled with useful package preconfigurations.
  * Support for multiple system instances.
  * Support for proxy packages.
  * Support for build-time variations of packages.
  * Abstracted run-command facility.

  MORE INFORMATION

  The OpenPKG Project
  http://www.openpkg.com/
  0800-1STAPRIL


From openpkg-announce-owner@openpkg.org  Mon Apr  7 18:05:07 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id A5371277A0B; Mon,  7 Apr 2003 18:05:07 +0200 (CEST)
Date: Mon, 7 Apr 2003 18:05:07 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.028] OpenPKG Security Advisory (samba)
Message-ID: <20030407160507.GA25445@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.028                                          07-Apr-2003
________________________________________________________________________

Package:             samba
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= samba-2.2.8-20030405     >= samba-2.2.8a-20030407
OpenPKG 1.2          <= samba-2.2.7a-1.2.1       >= samba-2.2.7a-1.2.2
OpenPKG 1.1          <= samba-2.2.5-1.1.2        >= samba-2.2.5-1.1.3

Dependent Packages:  none

Description:
  Digital Defense Inc. has discovered [1] a buffer overflow
  vulnerability in the Samba SMB/CIFS server [0]. An intruder
  exploiting this vulnerability could gain root access on the affected
  host system. An active exploit is publicly available [2]. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0201 [3] to the problem.

  Additional buffer overflows were detected by an internal code
  audit by the Samba team in response to the original report. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0196 [4] to these additional problems.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  samba". If you have the "samba" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [5][6]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary RPM
  from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get samba-2.2.7a-1.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig samba-2.2.7a-1.2.2.src.rpm
  $ <prefix>/bin/rpm --rebuild samba-2.2.7a-1.2.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-2.2.7a-1.2.2.*.rpm
________________________________________________________________________

References:
  [0]  http://www.samba.org/
  [1]  http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
  [2]  http://www.digitaldefense.net/labs/tools/trans2root.pl
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196
  [5]  http://www.openpkg.org/tutorial.html#regular-source
  [6]  http://www.openpkg.org/tutorial.html#regular-binary
  [7]  ftp://ftp.openpkg.org/release/1.1/UPD/samba-2.2.5-1.1.3.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.2/UPD/samba-2.2.7a-1.2.2.src.rpm
  [9]  ftp://ftp.openpkg.org/release/1.1/UPD/
  [10] ftp://ftp.openpkg.org/release/1.2/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+kaEtgHWT4GPEy58RAiOoAKCVvWMPRzUqm9z4toFnmBTRzWIa+wCgkmAL
NMckFEnCJ6J9IvDj7GnPDBk=
=9+Gp
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri May 16 11:41:39 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 8B906277AC2; Fri, 16 May 2003 11:41:39 +0200 (CEST)
Date: Fri, 16 May 2003 11:41:39 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg)
Message-ID: <20030516094139.GA34526@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.029                                          16-May-2003
________________________________________________________________________

Package:             gnupg
Vulnerability:       incorrect key validation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= gnupg-1.2.1-20030408     >= gnupg-1.2.2-20030501
OpenPKG 1.2          <= gnupg-1.2.1-1.2.0        >= gnupg-1.2.1-1.2.1
OpenPKG 1.1          <= gnupg-1.0.7-1.1.0        >= gnupg-1.0.7-1.1.1

Dependent Packages:  none

Description:
  The GNU Privacy Guard (GnuPG) [0] development team discovered [1]
  that the key validation code in GnuPG 1.2.1 and older versions does
  not properly determine the validity of keys with multiple user IDs:
  it assigns every user ID the validity of the most valid one, which
  prevents GnuPG from warning the encrypting user when the selected
  user ID does not have a trusted path. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2003-0255 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  gnupg". If you have the "gnupg" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get gnupg-1.2.1-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig gnupg-1.2.1-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild gnupg-1.2.1-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/gnupg-1.2.1-1.2.1.*.rpm
________________________________________________________________________

References:
  [0]  http://www.gnupg.org/
  [1]  http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000268.html
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0255
  [3]  http://www.openpkg.org/tutorial.html#regular-source
  [4]  http://www.openpkg.org/tutorial.html#regular-binary
  [5]  ftp://ftp.openpkg.org/release/1.2/UPD/gnupg-1.2.1-1.2.1.src.rpm
  [6]  ftp://ftp.openpkg.org/release/1.1/UPD/gnupg-1.0.7-1.1.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/1.2/UPD/
  [8]  ftp://ftp.openpkg.org/release/1.1/UPD/
  [9]  http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+xLGPgHWT4GPEy58RAoFQAKDxdRNPzG9PB8F0YX33WpOSmPG+IACeJGx4
YY3l/yqBcbWF9S4RM72IM7I=
=IkHZ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jun  3 15:47:32 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 353B5277A18; Tue,  3 Jun 2003 15:47:32 +0200 (CEST)
Date: Tue, 3 Jun 2003 15:47:32 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.030] OpenPKG Security Advisory (ghostscript)
Message-ID: <20030603134731.GA10194@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.030                                          03-Jun-2003
________________________________________________________________________

Package:           ghostscript
Vulnerability:     execute arbitrary commands
OpenPKG Specific:  no

Affected Releases: Affected Packages:           Corrected Packages:
OpenPKG CURRENT    <= ghostscript-7.04-20021013 >= ghostscript-8.00-20021122
OpenPKG 1.2        none                         N.A.
OpenPKG 1.1        <= ghostscript-7.04-1.1.0    >= ghostscript-7.04-1.1.1

Dependent Packages:  none

Description:
  According to a Red Hat security advisory [0], a flaw in versions of
  Ghostscript [1] before 7.07 allows malicious Postscript files to
  execute arbitrary commands even with command line option -dSAFER
  enabled. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2003-0354 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  ghostscript". If you have the "ghostscript" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the affected release OpenPKG 1.1, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get ghostscript-7.04-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig ghostscript-7.04-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild ghostscript-7.04-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/ghostscript-7.04-1.1.1.*.rpm
________________________________________________________________________

References:
  [0]  http://rhn.redhat.com/errata/RHSA-2003-181.html
  [1]  http://www.ghostscript.com/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0354
  [3]  http://www.openpkg.org/tutorial.html#regular-source
  [4]  http://www.openpkg.org/tutorial.html#regular-binary
  [5]  ftp://ftp.openpkg.org/release/1.1/UPD/ghostscript-7.04-1.1.1.src.rpm
  [6]  ftp://ftp.openpkg.org/release/1.1/UPD/
  [7]  http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+3KXxgHWT4GPEy58RArfyAKCKyv2LwPP8USQ0cJ3pWrMim6YsjwCg9WVC
xg22arGdd28YhSOM8TRoHNE=
=sLls
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Jun 11 13:06:06 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 2AA0D277A13; Wed, 11 Jun 2003 13:06:06 +0200 (CEST)
Date: Wed, 11 Jun 2003 13:06:06 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.031] OpenPKG Security Advisory (gzip)
Message-ID: <20030611110606.GA24065@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.031                                          11-Jun-2003
________________________________________________________________________

Package:             gzip
Vulnerability:       insecure creation of temporary files
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= gzip-1.3.5-20030409      >= gzip-1.3.5-20030610
OpenPKG 1.2          <= gzip-1.3.5-1.2.0         >= gzip-1.3.5-1.2.1
OpenPKG 1.1          <= gzip-1.3.3-1.1.0         >= gzip-1.3.3-1.1.1

Dependent Packages:  none

Description:
  According to a Debian security advisory [0], based on hints from Paul
  Szabo, a vulnerability exists in the creation of temporary files in
  the znew(1) utility contained in GNU Zip (gzip) [1]. The GNU Bash
  based znew(1) shell script tried to prevent itself from overwriting
  existing files on shell redirection by using the POSIX "noclobber"
  shell option, but failed to check the result of the redirection and
  to stop further processing when the target file already existed.
  This allowed a classical "symlink" attack. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0367 [2] to the
  problem.
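  The same failure pattern and its correction, as an added C example that
  is not the znew script (which is written in shell): open(2) with
  O_CREAT|O_EXCL is the C counterpart of the shell's noclobber option and
  refuses both an existing file and a symlink planted at the path, but it
  only protects anything if the caller checks the result and stops. The
  function names, the /tmp directory template and the sample data are
  constructed for this example; the shell equivalent is to test the exit
  status of the redirection under "set -C" before doing anything else with
  the file.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp(3) and symlink(2) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create 'path' exclusively: with O_EXCL, open(2) fails with EEXIST when
 * anything already exists at the path, and it does not follow a symlink
 * placed there, so a link planted by another user is refused rather than
 * followed. Returns the descriptor, or -1 with errno set. */
static int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Write 'data' into a freshly created file. The decisive line is the check
 * of the creation result: znew set noclobber but carried on regardless,
 * which is what made the symlink attack possible. Returns 0 on success,
 * -1 when processing was (correctly) aborted. */
static int write_output(const char *path, const char *data)
{
    int fd = create_exclusive(path);
    if (fd < 0)
        return -1;                       /* stop here; do not touch the path */
    ssize_t len = (ssize_t)strlen(data);
    ssize_t w = write(fd, data, (size_t)len);
    close(fd);
    return w == len ? 0 : -1;
}

/* Self-check in a private temporary directory (constructed sample, nothing
 * outside the directory is touched): the first creation succeeds, a second
 * one at the same path is refused with EEXIST, and a dangling symlink at a
 * path is refused as well. Returns 1 if all three hold. */
static int demo_exclusive_create(void)
{
    char dir[] = "/tmp/znew-demo-XXXXXX";
    char path[256], lnk[256];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/out.gz", dir);
    snprintf(lnk, sizeof lnk, "%s/victim.gz", dir);

    int first = write_output(path, "data");
    int second = write_output(path, "data");
    int second_errno = errno;
    int linked = symlink("/nonexistent/target", lnk);
    int third = write_output(lnk, "data");

    unlink(lnk);
    unlink(path);
    rmdir(dir);
    return first == 0 && second == -1 && second_errno == EEXIST
        && linked == 0 && third == -1;
}

int main(void)
{
    printf("exclusive creation behaves as intended: %d\n",
           demo_exclusive_create());
    return 0;
}
```

  The third case is the one the advisory describes: a symlink pointing at
  a file the attacker cannot write is placed where the script will create
  its output, and a writer that ignores the failed exclusive creation and
  proceeds ends up writing through the link.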

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q gzip". If you have the "gzip" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get gzip-1.3.5-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig gzip-1.3.5-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild gzip-1.3.5-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/gzip-1.3.5-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.debian.org/security/2003/dsa-308
  [1] http://www.gzip.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0367
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/gzip-1.3.3-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/gzip-1.3.5-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+5wxwgHWT4GPEy58RAo7HAJ9wSKcl4OYE8REbyFh78RLVdUrgkwCggtov
FVTXv08CamBk5CgoW3mYDWM=
=ClM5
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Jul  7 16:27:23 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id C664C277A18; Mon,  7 Jul 2003 16:27:23 +0200 (CEST)
Date: Mon, 7 Jul 2003 16:27:23 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)
Message-ID: <20030707142723.GA17885@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.032                                          07-Jul-2003
________________________________________________________________________

Package:             php, apache
Vulnerability:       XSS; bypass safe mode
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= php-4.3.1-20030516       >= php-4.3.2-20030529
                     <= apache-1.3.27-20030516   >= apache-1.3.27-20030529
OpenPKG 1.2          none                        N.A.
OpenPKG 1.1          <= php-4.2.2-1.1.1          >= php-4.2.2-1.1.2
                     <= apache-1.3.26-1.1.4      >= apache-1.3.26-1.1.5

Dependent Packages:  none

Description:
  A security advisory [3] states that in PHP [1] version 4.3.1 (but
  we at OpenPKG believe 4.2.x) and earlier, when transparent session
  ID support is enabled using the "session.use_trans_sid" option,
  the session ID is not escaped before use, which allows remote
  attackers to insert arbitrary script via the PHPSESSID parameter. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0442 [6] to this problem.

  Additionally, Wojciech Purczynski some time ago found out [2] that
  it is possible to allow remote attackers to bypass "safe mode"
  restrictions in PHP [1] 4.x to 4.2.2 and modify command line arguments
  to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA
  behavior and possibly executing commands. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2002-0985 [4] to this
  problem.
  
  Wojciech Purczynski also reported [2] that the mail function in
  PHP [1] 4.x to 4.2.2 does not filter ASCII control characters from
  its arguments, which could allow remote attackers to modify mail
  message content, including mail headers, and possibly use PHP as a
  "spam proxy." The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-0986 [5] to this problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q php". If you have the "php" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution).

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [9], fetch it from the OpenPKG FTP service [10] or a mirror location,
  verify its integrity [11], build a corresponding binary RPM from
  it [7] and update your OpenPKG installation by applying the binary
  RPM [8]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get php-4.2.2-1.1.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig php-4.2.2-1.1.2.src.rpm
  $ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.2.*.rpm
________________________________________________________________________

References:
  [1]  http://www.php.net/
  [2]  http://isec.pl/vulnerabilities/0005.txt
  [3]  http://shh.thathost.com/secadv/2003-05-11-php.txt
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
  [7]  http://www.openpkg.org/tutorial.html#regular-source
  [8]  http://www.openpkg.org/tutorial.html#regular-binary
  [9]  ftp://ftp.openpkg.org/release/1.1/UPD/php-4.2.2-1.1.2.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.1/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/CYL2gHWT4GPEy58RAnF0AKDY5SbvJIffi3gXHt26g8BUA0AjHACgubJR
VIB2rswM6mLBz8FN6ooXf0o=
=Cp7d
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul 10 14:05:31 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 41894277A1D; Thu, 10 Jul 2003 14:05:31 +0200 (CEST)
Date: Thu, 10 Jul 2003 14:05:31 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.033] OpenPKG Security Advisory (infozip)
Message-ID: <20030710120530.GA69356@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.033                                          10-Jul-2003
________________________________________________________________________

Package:             infozip
Vulnerability:       overwrite arbitrary files
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= infozip-20030306-20030708 >= infozip-20030710-20030710
OpenPKG 1.2          <= infozip-1.2.0-1.2.0       >= infozip-1.2.0-1.2.1
OpenPKG 1.1          <= infozip-1.1.0-1.1.0       >= infozip-1.1.0-1.1.1

Dependent Packages:  none

Description:
  A directory traversal vulnerability in UnZip 5.50 allows attackers
  to overwrite arbitrary files via invalid characters between two "."
  (dot) characters, which are filtered and result in a ".." sequence.
  The corrected packages include a patch taken from RedHat [1] ensuring
  that non-printable characters do not make it possible for a malicious
  .zip file to write to parent directories unless the "-:" command line
  parameter is specified. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CAN-2003-0282 [2] to the problem.
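  A member-name check for the class of bug described above, as an added
  example that is neither Info-ZIP code nor the RedHat patch; the archive
  member names it is tried on are constructed.

```sh
#!/bin/sh
# Added example, not Info-ZIP code. UnZip 5.50 dropped non-printable
# characters from a member name and then extracted it, so a name with
# an invalid byte between two dots turned into ".." only after the
# filter and escaped the target directory. The lesson: judge the name
# in the form that will actually be used on disk (after filtering),
# never only the raw form, and refuse control characters outright.

# zip_member_is_safe NAME
# Returns 0 if NAME may be extracted below the target directory, 1
# otherwise. Rejects any control character, absolute paths, and any
# ".." path component in the filtered form of the name.
zip_member_is_safe() {
    raw=$1
    # The canonical form: what an extractor that strips non-printables
    # (as UnZip 5.50 did) would really create on disk.
    clean=$(printf '%s' "$raw" | tr -d '\000-\037\177')
    # Control characters have no place in a member name; refuse them
    # instead of silently rewriting the name into something else.
    [ "$clean" = "$raw" ] || return 1
    case "$clean" in
        /*) return 1 ;;                  # absolute path
    esac
    case "/$clean/" in
        */../*) return 1 ;;              # parent-directory component
    esac
    return 0
}
```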

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  infozip". If you have the "infozip" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get infozip-1.2.0-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig infozip-1.2.0-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild infozip-1.2.0-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/infozip-1.2.0-1.2.1.*.rpm
________________________________________________________________________

References:
  [1] http://rhn.redhat.com/errata/RHSA-2003-199.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/infozip-1.1.0-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/infozip-1.2.0-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/DVYpgHWT4GPEy58RAisWAKCfTyhAL0ZEt7XAUArYbNLES/QQkwCghv5N
AvflUCxv94iCNmCRHbk6L4g=
=Ki6S
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul 10 16:52:51 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 0AE8B277A1D; Thu, 10 Jul 2003 16:52:51 +0200 (CEST)
Date: Thu, 10 Jul 2003 16:52:50 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.034] OpenPKG Security Advisory (imagemagick)
Message-ID: <20030710145250.GA19985@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.034                                          10-Jul-2003
________________________________________________________________________

Package:             imagemagick
Vulnerability:       create or overwrite files
OpenPKG Specific:    no

Affected Releases:   Affected Packages:              Corrected Packages:
OpenPKG CURRENT      <= imagemagick-5.5.6.0-20030409 >= imagemagick-5.5.7.0-20030512
OpenPKG 1.2          <= imagemagick-5.5.3.2-1.2.0    >= imagemagick-5.5.3.2-1.2.1
OpenPKG 1.1          <= imagemagick-5.4.8.2-1.1.0    >= imagemagick-5.4.8.2-1.1.1

Dependent Packages:  none

Description:
  According to a Debian security advisory [0] ImageMagick's [1]
  libmagick library, under certain circumstances, creates temporary
  files without taking appropriate security precautions. This
  vulnerability could be exploited by a local user to create or
  overwrite files with the privileges of another user who is invoking a
  program using this library. Research has shown that all versions of
  ImageMagick before 5.5.7.0 are affected on the officially supported
  OpenPKG platforms. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CAN-2003-0455 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  imagemagick". If you have the "imagemagick" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get imagemagick-5.5.3.2-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig imagemagick-5.5.3.2-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild imagemagick-5.5.3.2-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/imagemagick-5.5.3.2-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.debian.org/security/2003/dsa-331
  [1] http://www.imagemagick.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0455
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/imagemagick-5.4.8.2-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/imagemagick-5.5.3.2-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/DX14gHWT4GPEy58RAlUoAJ4kSBB5Lm7pfM+n8xcjhPclOh7EYQCg4uAR
zkHx7KjUZ5Uajob90z+PAIE=
=xh5h
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Aug  4 10:40:43 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id F3D72277A00; Mon,  4 Aug 2003 10:40:42 +0200 (CEST)
Date: Mon, 4 Aug 2003 10:40:42 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-dev@openpkg.org,
	openpkg-users@openpkg.org
Subject: [ANNOUNCE] OpenPKG 1.3 released
Message-ID: <20030804084042.GA4421@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 04-Aug-2003

    The OpenPKG project releases version 1.3 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- August 04, 2003 -- The
  OpenPKG project is proud to announce version 1.3 of its OpenPKG
  software. Well known by vigilant Unix system administrators, OpenPKG
  is the world leading instrument for deployment and maintenance of Open
  Source software when administration crosses Unix platform boundaries.
  The unique OpenPKG architecture leverages proven technologies like
  Red Hat Package Manager (RPM) to establish a unified administration
  environment, independent of the underlying operating system.

  NEW IN VERSION 1.3

  OpenPKG 1.3 now fully supports FreeBSD 4.8 and 5.1, Debian GNU/Linux
  2.2 and 3.0, Red Hat Linux 9, SuSE Linux 8.2, and Sun Solaris 8 and 9.
  Thanks to its portable nature, other platforms with partial support
  include NetBSD, OpenBSD, Gentoo Linux, HP Tru64, SCO UnixWare and QNX.

  Since the previous release a half year ago, the OpenPKG package
  repository has again grown by 25%. A subset of 400 packages were
  carefully selected for inclusion into the OpenPKG 1.3 release,
  including proven versions of popular Open Source Unix software like
  Apache, BIND, GCC, INN, MySQL, OpenSSH, PostgreSQL, Samba, Squid,
  and Vim. All packages were tuned to work with the latest GNU C/C++
  compiler.

  Package quality was enhanced by the rigorous application of fully
  automated package input and output checking ("linting"). This was
  achieved by applying programmatic constraints on style, syntax and
  semantics of package specifications.

  The run-command (RC) facility was improved and now provides consistent
  log file rotation and allows smarter package upgrade/erase procedures.
  Over 40 daemon packages were enabled for logging via either the more
  flexible OSSP fsl or the native syslog(3) facility.

  Finally, the essential bootstrapping package was functionally
  enhanced, reduced in distribution size, made more robust and its
  system requirements were relaxed even further.

  HIGHLIGHTS OF OPENPKG

  * Portable across major Unix platforms.
  * Supports FreeBSD 4/5, Debian 2/3, RedHat 9, SuSE 8.2 and Solaris 8/9.
  * Entirely based on Open Source Software technology.
  * Minimum operating system intrusion and dependency.
  * Minimum overhead in software packaging.
  * Provides 400 carefully selected packages.
  * Easy installation, updating and deinstallation of packages.
  * Bundled with useful and secure package preconfigurations.
  * Includes an abstracted and powerful run-command facility.
  * Virtual hosting through multiple instances on a single system.
  * Proxy packages for reusing packages across instances.
  * Build-time package variations for maximum flexibility.
  * Foundation to build encapsulated and self-contained environments.

  HISTORY OF THE OPENPKG PROJECT

  The OpenPKG project was founded in 2000 by Cable & Wireless, who first
  released it as Open Source software in January 2002. Today OpenPKG is
  a mature technology in production use, and is further maintained
  and improved by its original developers and volunteer contributors.

  OpenPKG is the brainchild of Ralf S. Engelschall, principal author of
  numerous other popular Open Source Software technologies like Apache
  SSL/TLS Engine (mod_ssl), Apache URL Rewriting Engine (mod_rewrite),
  GNU Portable Threads (Pth), GNU Portable Shell Tool (Shtool), Website
  META Language (WML) and more.

  MORE INFORMATION

  The OpenPKG Project
  openpkg@openpkg.org
  +49-89-92699-251 (CET)
  +49-172-8986801  (CET)


From openpkg-announce-owner@openpkg.org  Mon Aug  4 15:36:27 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 5B56D277B00; Mon,  4 Aug 2003 15:36:27 +0200 (CEST)
Date: Mon, 4 Aug 2003 15:36:27 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: OpenPKG Security Engineering now covering 1.2 and 1.3 only
Message-ID: <20030804133627.GA55790@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

Starting with today's release of OpenPKG 1.3 (see press release
http://www.openpkg.org/press/PR-004-openpkg-1.3.html for more details)
the (one year old) OpenPKG 1.1 release becomes deprecated.

Following our community commitment to provide security updates for the
last two releases, the OpenPKG Security Team now officially abandons the
support of OpenPKG 1.1 and from now on provides security updates for
the OpenPKG releases 1.2 and 1.3. If you're still having OpenPKG 1.1
(or even older) instances installed on your machines, please consider
upgrading to OpenPKG 1.3 or at least OpenPKG 1.2 now.

                                       The OpenPKG Project
                                       openpkg@openpkg.org
                                       www.openpkg.org

From openpkg-announce-owner@openpkg.org  Wed Aug  6 15:39:25 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id D2783277A00; Wed,  6 Aug 2003 15:39:24 +0200 (CEST)
Date: Wed, 6 Aug 2003 15:39:24 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)
Message-ID: <20030806133924.GA8524@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.035                                          06-Aug-2003
________________________________________________________________________

Package:             openssh
Vulnerability:       information leakage
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= openssh-3.6.1p1-20030423 >= openssh-3.6.1p2-20030429
OpenPKG 1.3          none                        N.A.
OpenPKG 1.2          <= openssh-3.5p1-1.2.1      >= openssh-3.5p1-1.2.2

Dependent Packages:  none

Description:
  According to a Mediaservice.net security advisory [0], an information
  leakage exists in OpenSSH [1] 3.6.1p1 and earlier if PAM support
  is enabled. When a user does not exist, an error message is sent
  immediately (without any delays) which allows remote attackers to
  determine valid usernames via a timing attack. OpenPKG installations
  are only affected if the package was built with option "with_pam"
  set to "yes" -- which is not the default. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0190 [2] to the
  problem.
  
  We could only reproduce the problem on Linux. FreeBSD and Solaris are
  not vulnerable; the patch does not affect their behaviour. However,
  the problem is related to the PAM configuration, not the operating
  system. Using a non-default configuration might leak information on
  other operating systems, too. On Linux systems, a valid workaround is
  to add a "nodelay" option to the pam_unix.so auth.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution).

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the current release OpenPKG 1.2, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get openssh-3.5p1-1.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssh-3.5p1-1.2.2.src.rpm
  $ <prefix>/bin/rpm --rebuild openssh-3.5p1-1.2.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.5p1-1.2.2.*.rpm
________________________________________________________________________

References:
  [0] http://lab.mediaservice.net/advisory/2003-01-openssh.txt
  [1] http://www.openssh.com/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.5p1-1.2.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/MQR9gHWT4GPEy58RAiKkAKCpACytbxQN0ERLBbqNfmbZYYc59wCg6V33
XFH1dFEVD0jBbdBvvdIdIZM=
=GtfK
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Aug  6 17:54:58 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id AE5C1277D09; Wed,  6 Aug 2003 17:54:58 +0200 (CEST)
Date: Wed, 6 Aug 2003 17:54:58 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.036] OpenPKG Security Advisory (perl-www)
Message-ID: <20030806155458.GA92774@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.036                                          06-Aug-2003
________________________________________________________________________

Package:             perl-www (CGI.pm)
Vulnerability:       cross site scripting
OpenPKG Specific:    no

Affected Releases:   Affected Packages:            Corrected Packages:
OpenPKG CURRENT      <= perl-www-20030726-20030726 >= perl-www-20030802-20030802
OpenPKG 1.3          <= perl-www-1.3.0-1.3.0       >= perl-www-1.3.1-1.3.1
OpenPKG 1.2          <= perl-www-1.2.0-1.2.0       >= perl-www-1.2.1-1.2.1

Dependent Packages:  none

Description:
  According to a security advisory [0] from obscure@eyeonsecurity.org a
  cross site scripting vulnerability exists in the start_form() function
  from CGI.pm [1]. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CAN-2003-0615 [2] to the problem.

  Note that beginning with perl-www-20030609-20030609 and
  perl-www-1.3.0-1.3.0 a preliminary vendor patch was already included
  which fixes the specific issue discussed in the original advisory. Our
  corrected packages now include the more generalized patch the author
  uses in his latest version.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q perl-www". If you have the "perl-www" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]
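  The "check whether you are affected" step that every advisory in this
  archive repeats, automated as an added example that is not OpenPKG's
  own tooling: it compares the package name reported by "rpm -q" against
  the affected ceiling from the advisory table. The sample names are
  taken from the tables above; the comparison rules are an approximation
  of rpm's, stated in the comments.

```sh
#!/bin/sh
# Added example, not OpenPKG's own tooling. An OpenPKG package name has
# the form NAME-VERSION-RELEASE, where NAME may itself contain hyphens
# (perl-www-1.3.1-1.3.1), so the name is split from the right. VERSION
# and then RELEASE are compared segment by segment: runs of digits
# numerically, runs of letters as strings, much like rpm's comparison
# (ordering of a digit run against a letter run is an approximation).

# sed program turning "3.6.1p2" into the token list "3 6 1 p 2"
TOKENIZE='s/[^0-9A-Za-z]/ /g; s/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g; s/  */ /g; s/^ //; s/ $//'

# pkg_split NEVR -> prints "NAME VERSION RELEASE"
pkg_split() {
    rel=${1##*-}
    rest=${1%-*}
    printf '%s %s %s\n' "${rest%-*}" "${rest##*-}" "$rel"
}

# cmp_tok A B -> prints -1, 0 or 1; a missing token sorts first
cmp_tok() {
    if [ -z "$1" ] && [ -z "$2" ]; then printf '%s\n' 0; return; fi
    if [ -z "$1" ]; then printf '%s\n' -1; return; fi
    if [ -z "$2" ]; then printf '%s\n' 1; return; fi
    case "$1$2" in
        *[!0-9]*)   # at least one side has letters: plain string order
            if [ "$1" = "$2" ]; then printf '%s\n' 0
            elif [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]; then printf '%s\n' -1
            else printf '%s\n' 1; fi ;;
        *)          # both sides numeric
            if [ "$1" -lt "$2" ]; then printf '%s\n' -1
            elif [ "$1" -gt "$2" ]; then printf '%s\n' 1
            else printf '%s\n' 0; fi ;;
    esac
}

# vercmp A B -> prints -1, 0 or 1 for strings like 1.3.5 or 3.6.1p1
vercmp() {
    a=$(printf '%s\n' "$1" | sed "$TOKENIZE")
    b=$(printf '%s\n' "$2" | sed "$TOKENIZE")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; if [ "$a" = "$x" ]; then a=; else a=${a#* }; fi
        y=${b%% *}; if [ "$b" = "$y" ]; then b=; else b=${b#* }; fi
        c=$(cmp_tok "$x" "$y")
        if [ "$c" != 0 ]; then printf '%s\n' "$c"; return; fi
    done
    printf '%s\n' 0
}

# pkg_cmp A B -> prints -1, 0 or 1 comparing VERSION, then RELEASE;
# returns 2 (and prints nothing) if the two package names differ
pkg_cmp() {
    set -- $(pkg_split "$1") $(pkg_split "$2")
    if [ "$1" != "$4" ]; then
        printf '%s\n' "package names differ: $1 vs $4" >&2
        return 2
    fi
    c=$(vercmp "$2" "$5")
    if [ "$c" = 0 ]; then c=$(vercmp "$3" "$6"); fi
    printf '%s\n' "$c"
}

# pkg_is_affected INSTALLED CEILING -> true when INSTALLED <= CEILING,
# i.e. the installed package falls inside the advisory's affected range
pkg_is_affected() {
    c=$(pkg_cmp "$1" "$2") || return 2
    [ "$c" -le 0 ]
}

# From the table above: perl-www-1.3.0-1.3.0 is at the affected ceiling
# for OpenPKG 1.3 and therefore has to be upgraded.
if pkg_is_affected perl-www-1.3.0-1.3.0 perl-www-1.3.0-1.3.0; then
    printf '%s\n' "perl-www-1.3.0-1.3.0: affected, upgrade to >= perl-www-1.3.1-1.3.1"
fi
```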

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get perl-www-1.3.1-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig perl-www-1.3.1-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild perl-www-1.3.1-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/perl-www-1.3.1-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://eyeonsecurity.org/advisories/CGI.pm/adv.html
  [1] http://stein.cshl.org/WWW/software/CGI/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/perl-www-1.2.1-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/perl-www-1.3.1-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/MSSjgHWT4GPEy58RAlaqAJ49iP6zlG2gSZlgtXxcLs+zQ+GTmwCfdqlN
qp8sAC7Ygzpz7bMP3nk6aL4=
=YeNJ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Aug 28 10:40:08 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 19C18277B00; Thu, 28 Aug 2003 10:40:08 +0200 (CEST)
Date: Thu, 28 Aug 2003 10:40:08 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.037] OpenPKG Security Advisory (sendmail)
Message-ID: <20030828084007.GA19936@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.037                                          28-Aug-2003
________________________________________________________________________

Package:             sendmail
Vulnerability:       Denial of Service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      none                      N.A.
OpenPKG 1.3          none                      N.A.
OpenPKG 1.2          <= sendmail-8.12.7-1.2.2  >= sendmail-8.12.7-1.2.3

Dependent Packages:  none

Description:
  Oleg Bulyzhin reported to FreeBSD [1] a confirmed [2] Denial of
  Service (DoS) vulnerability in all versions of the Sendmail MTA [0]
  earlier than 8.12.9. Due to a wrong initialization of an internal
  structure, if Sendmail gets a bad DNS reply (with an actual reply size
  not equal to the announced reply size), it later calls free() on a
  random address. This usually causes Sendmail to crash.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q sendmail". If you have the "sendmail" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the affected release OpenPKG 1.2, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get sendmail-8.12.7-1.2.3.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig sendmail-8.12.7-1.2.3.src.rpm
  $ <prefix>/bin/rpm --rebuild sendmail-8.12.7-1.2.3.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.7-1.2.3.*.rpm
________________________________________________________________________

References:
  [0] http://www.sendmail.org/
  [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/54367
  [2] http://www.sendmail.org/dnsmap1.html
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.3.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/Tb+ZgHWT4GPEy58RAsYCAJ9ZCxyvh1cHAc3yodParNpttFQlCQCg3Esl
aNgXgF5F2UNtdcjd8JUblII=
=Yd9K
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Sep 15 13:48:25 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 7BA5B277ACD; Mon, 15 Sep 2003 13:48:25 +0200 (CEST)
Date: Mon, 15 Sep 2003 13:48:25 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.038] OpenPKG Security Advisory (mysql)
Message-ID: <20030915114825.GA22658@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.038                                          15-Sep-2003
________________________________________________________________________

Package:             mysql
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mysql-4.0.14-20030904    >= mysql-4.0.15-20030910
OpenPKG 1.3          <= mysql-4.0.14-1.3.1       >= mysql-4.0.14-1.3.2
OpenPKG 1.2          <= mysql-3.23.54a-1.2.3     >= mysql-3.23.54a-1.2.4

Dependent Packages:  none

Description:
  Frank Denis reported a vulnerability [0] in MySQL [1] affecting MySQL3
  versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier.
  Passwords of MySQL users are stored in the "Password" field of the
  "User" table, part of the "mysql" database. The passwords are hashed
  and stored as a 16 character long hexadecimal value. Unfortunately, a
  function involved in password checking lacks correct bounds checking.
  By filling a "Password" field with a value wider than 16 characters, a
  buffer overflow will occur. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0780 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  mysql". If you have the "mysql" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get mysql-4.0.14-1.3.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig mysql-4.0.14-1.3.2.src.rpm
  $ <prefix>/bin/rpm --rebuild mysql-4.0.14-1.3.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mysql-4.0.14-1.3.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/337012/2003-09-05/2003-09-11/0
  [1] http://www.mysql.com/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0780
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/mysql-3.23.54a-1.2.4.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/mysql-4.0.14-1.3.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/ZabegHWT4GPEy58RAm2UAKDodjxqqZjLVRCxGaVAMURybF7ATwCdGM/p
6rOU5UPeEUK6fynl5TrS0l4=
=jZfi
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Sep 15 17:02:32 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 06442277ACD; Mon, 15 Sep 2003 17:02:31 +0200 (CEST)
Date: Mon, 15 Sep 2003 17:02:31 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.039] OpenPKG Security Advisory (perl)
Message-ID: <20030915150231.GA61881@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.039                                          15-Sep-2003
________________________________________________________________________

Package:             perl (CGI.pm)
Vulnerability:       cross site scripting
OpenPKG Specific:    yes

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= perl-5.8.0-20030903    >= perl-5.8.0-20030915
OpenPKG 1.3          <= perl-5.8.0-1.3.0       >= perl-5.8.0-1.3.1
OpenPKG 1.2          <= perl-5.8.0-1.2.0       >= perl-5.8.0-1.2.1

Dependent Packages:  none

Description:
  This message is a continuation of OpenPKG-SA-2003.036-perl-www [0].
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  id CAN-2003-0615 [1] to the problem described. This document also
  outlines an important problem regarding the native load order of
  Perl modules.

  The CGI.pm module not only comes with the "perl-www" package but an
  ancient version 2.81 is also embedded into the "perl" package. The
  corrected packages mentioned above have the official fix backported to
  the embedded version.

  Be aware that all releases of OpenPKG up to and including 1.3 use
  Perl's native load order for modules where embedded modules are
  preferred over additional modules. This means that the CGI.pm
  embedded into the "perl" package is loaded before the sibling from
  the additional "perl-www" package is found. This inhibits the use and
  correction of additional modules with the same name as embedded ones.

  It should be noted that beginning with perl-5.8.0-20030903 the load
  order is adjusted to prefer additional modules over embedded ones [2].
  There are no plans to modify the module load order of the "perl"
  package in existing releases. Although more intuitive, it would change
  existing behaviour and is likely to break existing installations.
  During the support lifecycle, security advisories and corrected
  packages will be issued for both embedded and additional packages.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  perl". If you have the "perl" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get perl-5.8.0-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig perl-5.8.0-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild perl-5.8.0-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/perl-5.8.0-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.openpkg.org/security/OpenPKG-SA-2003.036-perl-www.html
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
  [2] http://cvs.openpkg.org/chngview?cn=11997
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/perl-5.8.0-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/perl-5.8.0-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/ZdREgHWT4GPEy58RAkkGAKCRUtKz9JKDcvN/arW5+jrL+0UqIgCgw7U9
98GlCzZqIAZilnkwX39/jNs=
=Sb5R
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Sep 17 10:31:37 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 85656277AFA; Wed, 17 Sep 2003 10:31:37 +0200 (CEST)
Date: Wed, 17 Sep 2003 10:31:37 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.040] OpenPKG Security Advisory (openssh)
Message-ID: <20030917083137.GA410@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.040                                          17-Sep-2003
________________________________________________________________________

Package:             openssh
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= openssh-3.7p1-20030916 >= openssh-3.7.1p1-20030917
OpenPKG 1.3          <= openssh-3.6.1p2-1.3.1  >= openssh-3.6.1p2-1.3.2
OpenPKG 1.2          <= openssh-3.5p1-1.2.3    >= openssh-3.5p1-1.2.4

Dependent Packages:  none

Description:
  According to an OpenSSH [1] Security Advisory [0], 2nd revision, all
  versions of OpenSSH's sshd(8) prior to version 3.7.1 contain buffer
  management errors. The discovery of additional similar errors by
  Solar Designer shows that version 3.7.1 is affected, too. Those errors
  may allow remote attackers to execute arbitrary code by causing an
  incorrect amount of memory to be cleared and corrupting the heap on
  fatal cleanups.

  The Common Vulnerabilities and Exposures (CVE) project assigned
  the id CAN-2003-0693 [2] to the problem, as initially explained
  in the 1st revision of the OpenSSH Security Advisory [0]. In the
  current 2nd revision, similar problems were described and fixed, too.
  Additionally, Solar Designer found 4 more problematic instances
  of similar memory management errors. The corrected OpenPKG packages
  (see versions above) contain the collected bug fixes for all of those
  errors.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

  Notice that the previous package versions openssh-3.7p1-20030916,
  openssh-3.6.1p2-1.3.1 and openssh-3.5p1-1.2.3 contain the bug fixes
  from the OpenSSH Security Advisory [0], 1st revision, only. You are
  strongly advised to upgrade to the latest package versions because of
  the contained additional bug fixes.

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get openssh-3.6.1p2-1.3.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssh-3.6.1p2-1.3.2.src.rpm
  $ <prefix>/bin/rpm --rebuild openssh-3.6.1p2-1.3.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.6.1p2-1.3.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.openssh.com/txt/buffer.adv
  [1] http://www.openssh.com/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/openssh-3.6.1p2-1.3.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.5p1-1.2.4.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/aBsSgHWT4GPEy58RAuzEAJ9nHSDAWuei8cKha78J96d80capfgCgk+o7
4tYQRFxKe/DU86lAynKHRpo=
=i3sR
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Sep 19 10:13:31 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 5F79C277AEC; Fri, 19 Sep 2003 10:13:31 +0200 (CEST)
Date: Fri, 19 Sep 2003 10:13:31 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.041] OpenPKG Security Advisory (sendmail)
Message-ID: <20030919081331.GA57344@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.041                                          19-Sep-2003
________________________________________________________________________

Package:             sendmail
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= sendmail-8.12.9-20030801 >= sendmail-8.12.10-20030917
OpenPKG 1.3          <= sendmail-8.12.9-1.3.0    >= sendmail-8.12.9-1.3.1
OpenPKG 1.2          <= sendmail-8.12.7-1.2.3    >= sendmail-8.12.7-1.2.4

Dependent Packages:  none

Description:
  According to a confirmed [1] security advisory from Michal Zalewski
  [2], a remotely exploitable vulnerability exists in all versions
  prior to 8.12.10 of the Sendmail [0] MTA. An error in its prescan()
  function could allow an attacker to write past the end of a buffer,
  corrupting memory structures. Depending on platform and operating
  system architecture, the attacker may be able to execute arbitrary
  code with a specially crafted email message.
  The email attack vector is message-oriented as opposed to
  connection-oriented. This means that the vulnerability is triggered
  by the contents of a specially crafted email message rather than by
  lower-level network traffic. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0694 [3] to the problem.

  Additionally, we have included a fix for a potential buffer overflow
  in Sendmail's ruleset parsing. This problem is not exploitable in the
  default Sendmail configuration; it is exploitable only if non-standard
  rulesets recipient (2), final (4), or mailer-specific envelope
  recipients rulesets are used. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0681 [4] to this problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q sendmail". If you have the "sendmail" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [5][6]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary
  RPM from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get sendmail-8.12.9-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig sendmail-8.12.9-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild sendmail-8.12.9-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.9-1.3.1.*.rpm
________________________________________________________________________

References:
  [0]  http://www.sendmail.org/
  [1]  http://www.sendmail.org/8.12.10.html
  [2]  http://www.securityfocus.com/archive/1/337839/2003-09-16/2003-09-22/0
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681
  [5]  http://www.openpkg.org/tutorial.html#regular-source
  [6]  http://www.openpkg.org/tutorial.html#regular-binary
  [7]  ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.4.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/sendmail-8.12.9-1.3.1.src.rpm
  [9]  ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD4DBQE/arnPgHWT4GPEy58RAsmLAJiH9OqLxetLP4nGrjxpt0+ChXRRAJ9n0IqN
c/jaIaEn3EpRDeHv5p5gAQ==
=xfNO
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Sep 24 13:27:51 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 173A1277AD1; Wed, 24 Sep 2003 13:27:51 +0200 (CEST)
Date: Wed, 24 Sep 2003 13:27:50 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh)
Message-ID: <20030924112750.GA93973@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.042                                          24-Sep-2003
________________________________________________________________________

Package:             openssh
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= openssh-3.7.1p1-20030917 >= openssh-3.7.1p2-20030923
OpenPKG 1.3          none                        N.A.
OpenPKG 1.2          none                        N.A.

Dependent Packages:  none

Description:
  According to an OpenSSH Security Advisory [0], versions 3.7p1 and
  3.7.1p1 of OpenSSH [1] contain multiple vulnerabilities in its
  Pluggable Authentication Modules (PAM) related code. At least one
  of these bugs is remotely exploitable if Privilege Separation is
  disabled and PAM support is enabled. Older versions of OpenSSH are not
  vulnerable. OpenPKG installations are only affected if the package was
  built with option "with_pam" set to "yes" -- which is not the default.

  The Common Vulnerabilities and Exposures (CVE) project assigned
  the id CAN-2003-0786 [2] to the problem where SSH1 PAM challenge
  response authentication ignored the result of the authentication with
  Privilege Separation off. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0787 [3] to the problem where
  the PAM conversation function trashed the stack.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [4][5]
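  A check for the two conditions this advisory names, as an added shell
  example that is not from OpenPKG or OpenSSH: whether the installed
  sshd was built with PAM at all (it then links against libpam, which
  ldd shows), and whether sshd_config combines "UsePAM yes" with
  "UsePrivilegeSeparation no". Assumed: a dynamically linked sshd, ldd
  on PATH, and the whitespace "Keyword value" spelling of sshd_config.
  The configuration it runs against at the end is constructed for
  illustration, not taken from a real host.

```shell
#!/bin/sh
# Added example (not OpenPKG's or OpenSSH's code): tell whether an sshd
# is in the exposed configuration from OpenPKG-SA-2003.042.

# sshd_built_with_pam SSHD: true if the sshd binary links against libpam,
# i.e. the package was built with PAM support ("with_pam" in OpenPKG
# terms). Assumes a dynamically linked sshd and an ldd that lists it.
sshd_built_with_pam() {
    ldd "$1" 2>/dev/null | grep -q 'libpam\.so'
}

# sshd_pam_privsep_check CONFIG: inspect an sshd_config for the
# combination the advisory names. Keywords are case-insensitive and, as
# in sshd, the first occurrence of a keyword wins. Prints
# "pam=<yes|no|unset> privsep=<yes|no|unset>" and returns 1 for the
# exposed combination, 0 otherwise. An unset UsePrivilegeSeparation is
# sshd's default "yes", so it is safe; an unset UsePAM depends on the
# build default, so it is reported for a human to decide.
sshd_pam_privsep_check() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    {
        key = tolower($1); val = tolower($2)
        if (key == "usepam" && pam == "") pam = val
        if (key == "useprivilegeseparation" && privsep == "") privsep = val
    }
    END {
        if (pam == "") pam = "unset"
        if (privsep == "") privsep = "unset"
        printf "pam=%s privsep=%s\n", pam, privsep
        exit ((pam == "yes" && privsep == "no") ? 1 : 0)
    }' "$1"
}

# Demo on a constructed sshd_config (not a real host's file).
demo=$(mktemp)
printf 'Port 22\nUsePAM yes\nUsePrivilegeSeparation no\n' > "$demo"
sshd_pam_privsep_check "$demo" || echo "exposed: fix sshd_config or upgrade"
rm -f "$demo"
```

  A host is only at risk when both functions say so: an sshd that does
  not link libpam was built without "with_pam" and is unaffected
  whatever the configuration says, while a PAM build is safe again as
  soon as Privilege Separation is left at its default of "yes".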

Solution:
  Select the updated source RPM appropriate for OpenPKG CURRENT [6]
  (or any later version), fetch it from the OpenPKG FTP service [7]
  or a mirror location, build a corresponding binary RPM from it [4]
  and update your OpenPKG installation by applying the binary RPM [5].
  Perform the following operations to permanently fix the security
  problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd current/SRC
  ftp> get openssh-3.7.1p2-20030923.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --rebuild openssh-3.7.1p2-20030923.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.7.1p2-20030923.*.rpm
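  The Solution steps of this and the preceding advisories, together with
  the "rpm -q" check each of them asks for, as one added shell example
  that is not part of the OpenPKG advisories or tools. It assumes the
  OpenPKG OpenPGP key is already known to <prefix>/bin/rpm (otherwise
  --checksig cannot verify anything), an ftp client that accepts scripted
  commands on stdin with -n, and that package versions compare by the
  classic rpm segment rules (digit runs compare numerically and beat
  letter runs, more segments win), version before release, with no
  epochs. It goes beyond the text in one way: the comparison works for
  any of the package strings in the tables above, not only the single
  release each advisory walks through, and the package strings used at
  the end are taken from those tables.

```shell
#!/bin/sh
# Added example (not OpenPKG's own code): script the advisories'
# affected-check and update procedure instead of typing it per host.

# vercmp A B: print -1, 0 or 1 following the classic rpmvercmp segment
# rules. Assumption: no epochs or tildes, which OpenPKG 1.x packages
# do not use.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,    n) {
        n = 0
        while (match(s, /[0-9]+|[A-Za-z]+/)) {   # maximal digit or letter runs
            arr[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    BEGIN {
        split("", A); split("", B)
        na = segs(a, A); nb = segs(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            da = (A[i] ~ /^[0-9]+$/); db = (B[i] ~ /^[0-9]+$/)
            if (da != db) { r = da ? 1 : -1; print r; exit }   # numeric beats alpha
            if (da) { if (A[i] + 0 != B[i] + 0) { r = (A[i] + 0 > B[i] + 0) ? 1 : -1; print r; exit } }
            else    { if (A[i] != B[i])         { r = (A[i] > B[i]) ? 1 : -1; print r; exit } }
        }
        r = (na == nb) ? 0 : (na > nb ? 1 : -1)                # more segments wins
        print r
    }'
}

# pkg_is_affected INSTALLED CORRECTED: true when INSTALLED (the output of
# "rpm -q NAME") sorts below CORRECTED (the "Corrected Packages" entry
# for the same name). Version is compared first, release only on a tie,
# as rpm does.
pkg_is_affected() {
    name1=${1%-*-*}; vr1=${1#"$name1-"}      # perl-www-1.3.0-1.3.0 -> 1.3.0-1.3.0
    name2=${2%-*-*}; vr2=${2#"$name2-"}
    c=$(vercmp "${vr1%-*}" "${vr2%-*}")
    if [ "$c" -eq 0 ]; then c=$(vercmp "${vr1##*-}" "${vr2##*-}"); fi
    [ "$c" -lt 0 ]
}

# openpkg_update PREFIX RELEASE SRPM: the Solution procedure without the
# interactive ftp session. RELEASE is "1.2", "1.3" or "CURRENT". Builds
# as the calling (unprivileged) user and applies the result as root.
openpkg_update() {
    prefix=$1 release=$2 srpm=$3
    case $release in
        CURRENT) dir=current/SRC ;;
        *)       dir=release/$release/UPD ;;
    esac
    ftp -n ftp.openpkg.org <<EOF
user anonymous openpkg-update@
binary
cd $dir
get $srpm
bye
EOF
    # Refuse to build anything whose OpenPGP signature does not verify.
    # rpm exits non-zero on a bad or unverifiable signature, so the exit
    # status is the gate, not the "gpg OK" text it prints.
    "$prefix/bin/rpm" -v --checksig "$srpm" || {
        echo "signature check FAILED for $srpm, not building" >&2; return 1; }
    "$prefix/bin/rpm" --rebuild "$srpm" || return 1
    # -F (freshen) upgrades only packages that are already installed, so a
    # host that never had the package is left alone.
    su - root -c "$prefix/bin/rpm -Fvh $prefix/RPM/PKG/${srpm%.src.rpm}.*.rpm"
}

# Demo with package strings from the advisory tables (no network, no rpm).
for pair in "perl-www-1.3.0-1.3.0 perl-www-1.3.1-1.3.1" \
            "sendmail-8.12.10-20030917 sendmail-8.12.9-20030801"; do
    set -- $pair
    if pkg_is_affected "$1" "$2"; then echo "$1: affected, upgrade to >= $2"
    else echo "$1: not affected"; fi
done
```

  Typical use on a host, with the installed string coming from rpm
  itself: pkg_is_affected "$(<prefix>/bin/rpm -q openssh)"
  openssh-3.6.1p2-1.3.2 && openpkg_update <prefix> 1.3
  openssh-3.6.1p2-1.3.2.src.rpm. Keeping the --checksig step between
  fetch and rebuild matters more than the automation: the source RPM
  travels over plain FTP, and the OpenPGP signature is the only thing
  that ties it to the OpenPKG project.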
________________________________________________________________________

References:
  [0] http://www.openssh.com/txt/sshpam.adv
  [1] http://www.openssh.com/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0787
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/current/SRC/openssh-3.7.1p2-20030923.src.rpm
  [7] ftp://ftp.openpkg.org/current/SRC/
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Thu Sep 25 09:50:02 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 82F8F277AD1; Thu, 25 Sep 2003 09:50:02 +0200 (CEST)
Date: Thu, 25 Sep 2003 09:50:02 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
Message-ID: <20030925075002.GA93566@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.043                                          25-Sep-2003
________________________________________________________________________

Package:             proftpd
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= proftpd-1.2.9rc2-20030911 >= proftpd-1.2.9rc2-20030923
OpenPKG 1.3          <= proftpd-1.2.8-1.3.0       >= proftpd-1.2.8-1.3.1
OpenPKG 1.2          <= proftpd-1.2.7-1.2.0       >= proftpd-1.2.7-1.2.1

Dependent Packages:  none

Description:
  According to an ISS X-Force security advisory [0], a vulnerability
  exists in the ProFTPD FTP server [1], versions between 1.2.7 and
  1.2.9rc2 (both inclusive). It can be triggered by remote attackers
  when transferring files from the FTP server in ASCII mode.

  To trigger the vulnerability, the attacker must have the ability to
  first upload a file to the server (not necessarily via FTP), and then
  attempt to download the same file via FTP. During ASCII transfer, file
  data is examined in 1024-byte chunks to check for newline characters.
  The translation of these newline characters is not handled correctly,
  and a buffer overflow can manifest if ProFTPD parses a specially
  crafted file. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2003-0831 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  proftpd". If you have the "proftpd" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get proftpd-1.2.8-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig proftpd-1.2.8-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild proftpd-1.2.8-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/proftpd-1.2.8-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://xforce.iss.net/xforce/alerts/id/154
  [1] http://www.proftpd.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0831
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/proftpd-1.2.7-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/proftpd-1.2.8-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Fri Sep 26 10:37:35 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 292F9277AD1; Fri, 26 Sep 2003 10:37:35 +0200 (CEST)
Date: Fri, 26 Sep 2003 10:37:35 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-dev@openpkg.org,
	openpkg-users@openpkg.org
Subject: OpenPKG Community Feedback
Message-ID: <20030926083735.GA41209@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

Feedback from our community is very important to us. So, if you want
to support our project, please take 5 minutes and fill out the little
feedback form we have established for you under

    http://www.openpkg.org/feedback.html

Your feedback will allow us to better understand our community and
especially to develop the OpenPKG project towards your requirements and
wishes. The feedback form content is directly sent to the OpenPKG team
for manual consideration and treated confidentially. Feel free to leave
out whatever question you don't want to answer and answer just those
you like (almost all answers are optional). We appreciate any amount of
feedback. And please do not hesitate to criticize us if appropriate.

Please also note that we have included the possibility for you to
voluntarily give a "Public Advocacy Statement" about our project
in case you like it. We would appreciate receiving your personal
quotable point of view expressed here in one or two sentences. It
might be added to a possibly forthcoming Community Advocacy page
(http://www.openpkg.org/advocacy.html). This would especially allow
new members of our community to get a better impression of our
project and activity from (more objective) third-party points of view.

Thanks for being a member of the steadily growing OpenPKG community!

                                       Ralf S. Engelschall
                                       The OpenPKG Project
                                       openpkg@openpkg.org

From openpkg-announce-owner@openpkg.org  Tue Sep 30 14:58:37 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id F2D1B277AD1; Tue, 30 Sep 2003 14:58:36 +0200 (CEST)
Date: Tue, 30 Sep 2003 14:58:36 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.044] OpenPKG Security Advisory (openssl)
Message-ID: <20030930125836.GA93915@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.044                                          30-Sep-2003
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service, possibly arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7b-20030806 >= openssl-0.9.7b-20030930
OpenPKG 1.3          <= openssl-0.9.7b-1.3.1    >= openssl-0.9.7b-1.3.2
OpenPKG 1.2          <= openssl-0.9.7-1.2.3     >= openssl-0.9.7-1.2.4

Affected Releases:   Dependent Packages:

OpenPKG CURRENT      apache* bind blender cadaver cfengine cpu cups curl
                     distcache dsniff easysoap ethereal* exim fetchmail
                     imap imapd imaputils inn jabberd kde-base kde-libs
                     linc links lynx mailsync meta-core mico* mixmaster
                     monit* mozilla mutt mutt15 nail neon nessus-libs
                     nmap openldap openssh openvpn perl-ssl pgadmin php*
                     pine* postfix* postgresql pound proftpd* qpopper
                     rdesktop samba samba3 sasl scanssh sendmail* siege
                     sio* sitecopy snmp socat squid* stunnel subversion
                     suck sysmon tcpdump tinyca w3m wget xmlsec

OpenPKG 1.3          apache* bind cfengine cpu curl ethereal* fetchmail
                     imap imapd inn links lynx mico* mutt nail neon
                     openldap openssh perl-ssl php* postfix* postgresql
                     proftpd* qpopper rdesktop samba sasl scanssh
                     sendmail* siege sio* sitecopy snmp socat squid*
                     stunnel suck sysmon tcpdump tinyca w3m wget xmlsec

OpenPKG 1.2          apache* bind cpu curl ethereal* fetchmail imap inn
                     links lynx mico* mutt nail neon openldap openssh
                     perl-ssl postfix* postgresql qpopper rdesktop samba
                     sasl scanssh sendmail* siege sitecopy snmp socat
                     stunnel sysmon tcpdump tinyca w3m wget

                 (*) marked packages are only affected if certain build
                     options ("with_xxx") were used at build time. See
                     Appendix below for details.

Description:
  According to an OpenSSL [0] security advisory [1], multiple
  vulnerabilities exist in OpenSSL versions up to and including 0.9.6j
  and 0.9.7b:

  1. Certain ASN.1 encodings that are rejected as invalid by the ASN.1
     parser can trigger a bug in the deallocation of the corresponding
     data structure, corrupting the stack.

  2. Unusual ASN.1 tag values can cause an out of bounds read under
     certain circumstances.

  3. A malformed public key in a certificate will crash the verify code
     if it is set to ignore public key decoding errors (which is usually
     not the case, except for debugging purposes).

  4. Due to an error in the SSL/TLS protocol handling, a server will
     parse a client certificate when one is not specifically requested.
     This means that all OpenSSL based SSL/TLS servers can be attacked
     using vulnerabilities 1, 2 and 3 even if they don't enable client
     authentication.

  The Common Vulnerabilities and Exposures (CVE) project assigned the
  ids CAN-2003-0543 [2], CAN-2003-0544 [3] and CAN-2003-0545 [4] to the
  problems.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), too. [5][6]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary
  RPM from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get openssl-0.9.7b-1.3.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssl-0.9.7b-1.3.2.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.7b-1.3.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7b-1.3.2.*.rpm

  Additionally, you have to rebuild and reinstall all dependent
  packages (see above), too. [5][6]
________________________________________________________________________

Appendix:
  Some packages are only affected if certain package options
  ("with_xxx") were used at build time. Please check whether you are
  affected by running "<prefix>/bin/rpm -qi <package>". The table below
  lists all those packages, their options and values that make up the
  difference regarding this advisory for OpenPKG CURRENT, 1.3 and 1.2.
  Packages or options that were not available in a particular release
  are marked "=".

  package    option "with_"     CUR 1.3 1.2
  -----------------------------------------
  apache     mod_ssl            yes yes yes
   :         mod_php_pgsql      yes yes  =
   :         mod_php_openssl    yes yes yes
   :         mod_php_openldap   yes yes yes
   :         mod_php_imap       yes yes  =
   :         mod_php3_openssl   yes yes yes
   :         mod_auth_ldap      yes yes yes
  ethereal   openssl            yes yes yes
  mico       ssl                yes yes yes
  monit      ssl                yes  =   =
  php        openssl            yes yes  =
   :         imap               yes yes  =
  pine       ssl                yes  =   =
  postfix    tls                yes yes yes
   :         ldap               yes yes  =
  proftpd    pgsql              yes yes  =
   :         ldap               yes yes  =
  sendmail   tls                yes yes yes
   :         sasl               yes yes yes
   :         ldap               yes yes yes
  sio        bio                yes yes  =
  squid      ssl                yes yes  =
________________________________________________________________________

References:
  [0]  http://www.openssl.org/
  [1]  http://www.openssl.org/news/secadv_20030930.txt
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
  [5]  http://www.openpkg.org/tutorial.html#regular-source
  [6]  http://www.openpkg.org/tutorial.html#regular-binary
  [7]  ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.4.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.2.src.rpm
  [9]  ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

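The advisories above all ask the administrator to run "<prefix>/bin/rpm -q <package>" and compare the printed name-version-release against the "Affected Packages" column. The following script is an added example, not OpenPKG project code: it parses an advisory table of that shape and decides whether an installed package falls inside the affected range, using an rpm-style version ordering (a Python port of rpm's rpmvercmp segment rules). The embedded table is a constructed copy of the openssl table from OpenPKG-SA-2003.044, and the installed NVR is assumed to be exactly what rpm -q printed.

```python
"""Decide whether an installed OpenPKG package is inside an advisory's
"Affected Packages" range (added example, not OpenPKG project code).

Assumptions: the table layout used in the OpenPKG advisories (one row per
release, "<= name-version-release" as the affected bound, "N.A." / "none"
when the package does not exist for that release), and an installed NVR
string as printed by "<prefix>/bin/rpm -q <package>"."""
import re

# Constructed copy of the "Affected Releases" table from OpenPKG-SA-2003.044.
OPENSSL_TABLE = """\
Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7b-20030806 >= openssl-0.9.7b-20030930
OpenPKG 1.3          <= openssl-0.9.7b-1.3.1    >= openssl-0.9.7b-1.3.2
OpenPKG 1.2          <= openssl-0.9.7-1.2.3     >= openssl-0.9.7-1.2.4
"""

ROW_RE = re.compile(
    r"^(OpenPKG \S+)\s+(?:<=\s+(\S+)|N\.A\.)\s+(?:>=\s+(\S+)|none)\s*$")


def parse_table(text):
    """Map each release to (affected_bound, corrected_bound); a bound is
    None where the advisory prints N.A. or none."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows


def split_nvr(nvr):
    """'openssl-0.9.7b-1.3.1' -> ('openssl', '0.9.7b', '1.3.1'): in RPM
    naming the release is the last '-' field, the version the one before."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def _segment(s, i, pred):
    """Return the run of characters satisfying pred starting at s[i]."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j], j


def rpmvercmp(a, b):
    """Order two version (or release) strings like rpm's rpmvercmp():
    separators are ignored, numeric segments compare as integers, alpha
    segments lexically, and a numeric segment sorts after an alphabetic
    one. Returns -1, 0 or 1. (The '~' and '^' rules of newer rpm versions
    are omitted; 2003-era OpenPKG package versions do not use them.)"""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, i = _segment(a, i, pred)
        sb, j = _segment(b, j, pred)
        if not sb:                      # one side numeric, the other alpha
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # the longer number is the larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # leftover segments mean "newer"


def compare_nvr(nvr_a, nvr_b):
    """Order two NVRs of the same package: version first, then release."""
    name_a, ver_a, rel_a = split_nvr(nvr_a)
    name_b, ver_b, rel_b = split_nvr(nvr_b)
    if name_a != name_b:
        raise ValueError("different packages: %s vs %s" % (name_a, name_b))
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def is_affected(installed_nvr, release, table=OPENSSL_TABLE):
    """True if the installed package is <= the advisory's affected bound for
    the given release, False if it is newer, None when the row says N.A."""
    bound, _corrected = parse_table(table)[release]
    if bound is None:
        return None
    return compare_nvr(installed_nvr, bound) <= 0


if __name__ == "__main__":
    # Sample inputs an admin would feed in from "rpm -q openssl" on 1.3 hosts.
    for nvr in ("openssl-0.9.7b-1.3.1", "openssl-0.9.7b-1.3.2"):
        state = "affected" if is_affected(nvr, "OpenPKG 1.3") else "fixed"
        print(nvr, state)
```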

From openpkg-announce-owner@openpkg.org  Sun Oct 19 09:45:10 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id E6AC8277A02; Sun, 19 Oct 2003 09:45:09 +0200 (CEST)
Date: Sun, 19 Oct 2003 09:45:09 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.045] OpenPKG Security Advisory (ircd)
Message-ID: <20031019074509.GA43902@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.045                                          19-Oct-2003
________________________________________________________________________

Package:             ircd
Vulnerability:       remote denial of service vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= ircd-2.10.3p3-20030725   >= ircd-2.10.3p4-20031012
OpenPKG 1.3          <= ircd-2.10.3p3-1.3.0      >= ircd-2.10.3p3-1.3.1
OpenPKG 1.2          <= ircd-2.10.3p3-1.2.0      >= ircd-2.10.3p3-1.2.1

Dependent Packages:  none

Description:
  According to a report from Piotr Kucharski [0] a buffer overflow
  vulnerability exists in ircd [1] that allows a remote attacker to
  crash the ircd server, thus causing a denial of service condition.

  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0864 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  ircd". If you have the "ircd" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.3, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get ircd-2.10.3p3-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig ircd-2.10.3p3-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild ircd-2.10.3p3-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/ircd-2.10.3p3-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/341099
  [1] http://www.irc.org/servers.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0864
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/ircd-2.10.3p3-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/ircd-2.10.3p3-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Tue Oct 28 16:15:52 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 76334277A03; Tue, 28 Oct 2003 16:15:51 +0100 (CET)
Date: Tue, 28 Oct 2003 16:15:51 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.046] OpenPKG Security Advisory (apache)
Message-ID: <20031028151550.GA81124@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.046                                          28-Oct-2003
________________________________________________________________________

Package:             apache
Vulnerability:       local buffer overflow
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.28-20031009 >= apache-1.3.29-20031028
OpenPKG 1.3          <= apache-1.3.28-1.3.0    >= apache-1.3.28-1.3.1
OpenPKG 1.2          <= apache-1.3.27-1.2.2    >= apache-1.3.27-1.2.3

Dependent Packages:  none

Description:
  André Malo discovered buffer overflows [0] in the mod_alias and
  mod_rewrite modules of the Apache [1] webserver. These occurred if
  a regular expression with more than 9 capturing parentheses was
  configured. To exploit this, an attacker would need to be able to
  locally create a carefully crafted configuration file (.htaccess or
  httpd.conf). The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2003-0542 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache". If you have the "apache" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get apache-1.3.28-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig apache-1.3.28-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.28-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.28-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=apache-cvs&m=106701190026083
  [1] http://httpd.apache.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.3.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Thu Oct 30 11:49:28 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 1AD7B277A03; Thu, 30 Oct 2003 11:49:28 +0100 (CET)
Date: Thu, 30 Oct 2003 11:49:28 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.047] OpenPKG Security Advisory (postgresql)
Message-ID: <20031030104927.GA74266@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.047                                          30-Oct-2003
________________________________________________________________________

Package:             postgresql
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= postgresql-7.3.3-20030723 >= postgresql-7.3.4-20030725
OpenPKG 1.3          N.A.                         none
OpenPKG 1.2          <= postgresql-7.3.1-1.2.2    >= postgresql-7.3.1-1.2.3

Dependent Packages:  none

Description:
  Two bugs leading to a buffer overflow in the PostgreSQL [0] RDBMS,
  versions 7.2.x and 7.3.x prior to 7.3.4, were discovered. The
  vulnerability exists in the PostgreSQL abstract data type (ADT) to
  ASCII conversion functions.
  
  It has been conjectured that excessive data passed to the involved
  to_ascii_xxx() functions may overrun the bounds of an insufficient
  buffer reserved in heap memory, resulting in the corruption of heap
  based memory management structures that are adjacent to it. It is
  currently believed that under the correct circumstances an attacker
  may use this to execute arbitrary instructions in the context of the
  PostgreSQL server.
  
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0901 [1] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  postgresql". If you have the "postgresql" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for the OpenPKG release
  [4], fetch it from the OpenPKG FTP service [5] or a mirror location,
  verify its integrity [6], build a corresponding binary RPM from it
  [2] and update your OpenPKG installation by applying the binary RPM
  [3]. For the release OpenPKG 1.2, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get postgresql-7.3.1-1.2.3.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig postgresql-7.3.1-1.2.3.src.rpm
  $ <prefix>/bin/rpm --rebuild postgresql-7.3.1-1.2.3.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/postgresql-7.3.1-1.2.3.*.rpm
________________________________________________________________________

References:
  [0] http://www.postgresql.org/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0901
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.2/UPD/postgresql-7.3.1-1.2.3.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/
  [6] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Tue Nov 11 21:08:56 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 56012277A15; Tue, 11 Nov 2003 21:08:56 +0100 (CET)
Date: Tue, 11 Nov 2003 21:08:56 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.048] OpenPKG Security Advisory (postgresql)
Message-ID: <20031111200856.GA29281@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.048                                          11-Nov-2003
________________________________________________________________________

Package:             postgresql
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= postgresql-7.3.3-20030723 >= postgresql-7.3.4-20030725
OpenPKG 1.3          N.A.                         none
OpenPKG 1.2          <= postgresql-7.3.1-1.2.3    >= postgresql-7.3.1-1.2.4

Dependent Packages:  none

Notice:
  This is an update for the OpenPKG security advisory
  OpenPKG-SA-2003.047 [7], released on 30-Oct-2003. Unfortunately, the
  package postgresql-7.3.1-1.2.3 (for OpenPKG 1.2 only) accompanying the
  original security advisory was broken because the created security
  patch was accidentally not included into the resulting source RPM
  package. Thanks to Andreas from Conectiva for discovering this
  packaging bug. The package postgresql-7.3.1-1.2.4 accompanying this
  updated security advisory is now fixed by correctly including the
  necessary security patch.

Description:
  Two bugs leading to a buffer overflow in the PostgreSQL [0] RDBMS,
  versions 7.2.x and 7.3.x prior to 7.3.4, were discovered. The
  vulnerability exists in the PostgreSQL abstract data type (ADT) to
  ASCII conversion functions.

  It has been conjectured that excessive data passed to the involved
  to_ascii_xxx() functions may overrun the bounds of an insufficient
  buffer reserved in heap memory, resulting in the corruption of heap
  based memory management structures that are adjacent to it. It is
  currently believed that under the correct circumstances an attacker
  may use this to execute arbitrary instructions in the context of the
  PostgreSQL server.

  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0901 [1] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  postgresql". If you have the "postgresql" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for the OpenPKG release
  [4], fetch it from the OpenPKG FTP service [5] or a mirror location,
  verify its integrity [6], build a corresponding binary RPM from it
  [2] and update your OpenPKG installation by applying the binary RPM
  [3]. For the release OpenPKG 1.2, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get postgresql-7.3.1-1.2.4.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig postgresql-7.3.1-1.2.4.src.rpm
  $ <prefix>/bin/rpm --rebuild postgresql-7.3.1-1.2.4.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/postgresql-7.3.1-1.2.4.*.rpm
________________________________________________________________________

References:
  [0] http://www.postgresql.org/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0901
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/1.2/UPD/postgresql-7.3.1-1.2.4.src.rpm
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/
  [6] http://www.openpkg.org/security.html#signature
  [7] http://www.openpkg.org/security/OpenPKG-SA-2003.047-postgresql.html
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/sUFYgHWT4GPEy58RApsCAJ0Z5dkfQ1Leat0onVjQ1Nxj65EttgCeMUHk
dz0qNGVmCWV+frfjVaMqxbg=
=H1WA
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Nov 25 14:57:38 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 84E46277A00; Tue, 25 Nov 2003 14:57:38 +0100 (CET)
Date: Tue, 25 Nov 2003 14:57:38 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.049] OpenPKG Security Advisory (zebra)
Message-ID: <20031125135738.GA62686@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.049                                          25-Nov-2003
________________________________________________________________________

Package:             zebra
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= zebra-0.93b-20031001     >= zebra-0.93b-20031113
OpenPKG 1.3          <= zebra-0.93b-1.3.0        >= zebra-0.93b-1.3.1
OpenPKG 1.2          <= zebra-0.93b-1.2.0        >= zebra-0.93b-1.2.1

Dependent Packages:  none

Description:
  Jonny Robertson reported [0] that Zebra can be remotely crashed if a
  remote attacker can connect to the Zebra telnet management ports. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0795 [1] to the problem.

  Herbert Xu reported [2] that Zebra can accept spoofed messages sent
  on the kernel netlink interface by other users on the local machine.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0858 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  zebra". If you have the "zebra" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary
  RPM from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get zebra-0.93b-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig zebra-0.93b-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild zebra-0.93b-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zebra-0.93b-1.3.1.*.rpm
________________________________________________________________________

References:
  [0]  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140
  [1]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0795
  [2]  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=108571
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0858
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/1.2/UPD/zebra-0.93b-1.2.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/1.3/UPD/zebra-0.93b-1.3.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.2/UPD/
  [9]  ftp://ftp.openpkg.org/release/1.3/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/w17bgHWT4GPEy58RArU6AKC9fZylkM+kJnqfANvAjE8xdmUv8QCg7P7C
gNbfNm/Qb8T/EAoGPLzpGUo=
=D/VD
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Nov 28 13:21:13 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 13AEE2FEAFA; Fri, 28 Nov 2003 13:21:13 +0100 (CET)
Date: Fri, 28 Nov 2003 13:21:12 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.050] OpenPKG Security Advisory (screen)
Message-ID: <20031128122112.GA1810@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.050                                          28-Nov-2003
________________________________________________________________________

Package:             screen
Vulnerability:       privilege escalation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= screen-4.0.1-20031009    >= screen-4.0.1-20031127
OpenPKG 1.3          <= screen-3.9.15-1.3.0      >= screen-3.9.15-1.3.1
OpenPKG 1.2          <= screen-3.9.13-1.2.0      >= screen-3.9.13-1.2.1

Dependent Packages:  none

Description:
  Timo Sirainen reported and fixed [1] a buffer overflow bug which
  allows privilege escalation in the Virtual Screen Manager GNU screen
  [2], whose executable is installed setuid-root. The bug also gives an
  attacker some potential to gain control of another user's screen
  session. Transferring approximately two gigabytes of data is required
  to exploit this vulnerability.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  screen". If you have the "screen" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get screen-3.9.15-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig screen-3.9.15-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild screen-3.9.15-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/screen-3.9.15-1.3.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.securityfocus.com/archive/1/345844/2003-11-24/2003-11-30/0
  [2] http://www.gnu.org/software/screen/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/screen-3.9.13-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/screen-3.9.15-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/xzdegHWT4GPEy58RAsiFAJ9SdpiGcqdkGM7N3CAs7DcXz1XKnQCePeyh
gVxYO/LqYBpzsrGNEkY3omc=
=Yp8p
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Dec  4 17:04:17 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 2C4FA3012F7; Thu,  4 Dec 2003 17:04:17 +0100 (CET)
Date: Thu, 4 Dec 2003 17:04:17 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.051] OpenPKG Security Advisory (rsync)
Message-ID: <20031204160417.GA71555@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.051                                          04-Dec-2003
________________________________________________________________________

Package:             rsync
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= rsync-2.5.6-20030807     >= rsync-2.5.7-20031204
OpenPKG 1.3          <= rsync-2.5.6-1.3.0        >= rsync-2.5.6-1.3.1
OpenPKG 1.2          <= rsync-2.5.5-1.2.0        >= rsync-2.5.5-1.2.1

Dependent Packages:  none

Description:
  According to an rsync security advisory [0], a heap overflow
  vulnerability exists in rsync [1] version 2.5.6 and earlier when used
  as an rsync server, which typically listens on TCP port 873. An exploit
  is already known. A successful attack can lead to arbitrary code
  execution in the run-time environment of the rsync server process. The
  attack is known to be considerably easier when the "use chroot = no"
  option is set in rsync.conf, which is not the default in OpenPKG. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0962 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  rsync". If you have the "rsync" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.3, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get rsync-2.5.6-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig rsync-2.5.6-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild rsync-2.5.6-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/rsync-2.5.6-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=rsync-announce&m=107051741303720
  [1] http://rsync.samba.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/rsync-2.5.5-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/rsync-2.5.6-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/z1qTgHWT4GPEy58RAlxXAKCch/r7WEGUK7Mhb1097usmXCAgfgCg6+MS
LxFw05CYw9iXSegnHARtuuc=
=YPfZ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Dec 17 13:01:18 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 005B12FEBD6; Wed, 17 Dec 2003 13:01:16 +0100 (CET)
Date: Wed, 17 Dec 2003 13:01:14 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.052] OpenPKG Security Advisory (cvs)
Message-ID: <20031217120114.GA89067@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.052                                          17-Dec-2003
________________________________________________________________________

Package:             cvs
Vulnerability:       filesystem intrusion
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= cvs-1.12.2-20031027    >= cvs-1.12.3-20031205
OpenPKG 1.3          <= cvs-1.12.1-1.3.0       >= cvs-1.12.1-1.3.1
OpenPKG 1.2          <= cvs-1.11.5-1.2.2       >= cvs-1.11.5-1.2.3

Dependent Packages:  none

Description:
  According to a CVS [0] security update [1], a malformed module
  request can cause the CVS server to attempt to create directories
  and possibly files at the root of the filesystem holding the CVS
  repository. Even though filesystem permissions usually prevent the
  creation of these misplaced directories, the corrected OpenPKG
  packages include a CVS server which rejects such malformed requests.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0977 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q cvs". If the "cvs" package is indeed installed and its version
  is affected (see above), please upgrade it immediately according to
  OpenPKG recommendations (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get cvs-1.12.1-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig cvs-1.12.1-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild cvs-1.12.1-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/cvs-1.12.1-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.cvshome.org/
  [1] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=85
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/cvs-1.11.5-1.2.3.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/4ESigHWT4GPEy58RAqlHAKDWNcptxAw/fBrCZlCt9EB3oOZYHQCg4/yJ
2L2AHtnVJFxsDz7DosQUeeI=
=NJuM
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Dec 17 13:02:55 2003
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 94AA62FEBD6; Wed, 17 Dec 2003 13:02:55 +0100 (CET)
Date: Wed, 17 Dec 2003 13:02:55 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2003.053] OpenPKG Security Advisory (lftp)
Message-ID: <20031217120255.GA93589@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.053                                          17-Dec-2003
________________________________________________________________________

Package:             lftp
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= lftp-2.6.9-20031120      >= lftp-2.6.10-20031211
OpenPKG 1.3          <= lftp-2.6.6-1.3.0         >= lftp-2.6.6-1.3.1
OpenPKG 1.2          <= lftp-2.6.4-1.2.0         >= lftp-2.6.4-1.2.1

Dependent Packages:  none

Description:
  According to a security advisory from Ulf Härnhammar [0], a buffer
  overflow bug exists in the FTP/HTTP/HTTPS client LFTP [1] in versions
  up to and including 2.6.9. An attacker could create a carefully
  crafted directory on a website such that, if a user connects to that
  directory using the LFTP client and subsequently issues a "ls" or
  "rels" command, the attacker could execute arbitrary code on the
  user's machine. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2003-0963 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  lftp". If you have the "lftp" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.3, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get lftp-2.6.6-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig lftp-2.6.6-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild lftp-2.6.6-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/lftp-2.6.6-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/347587/2003-12-13/2003-12-19/0
  [1] http://lftp.yar.ru/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0963
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.2/UPD/lftp-2.6.4-1.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/lftp-2.6.6-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/4ES3gHWT4GPEy58RAhWvAJ0XtJea7vqBrAx9OfsWiUNlLBVn0QCgub7I
eKC4m/yFGSRs+3syLFg26U0=
=5dTH
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jan  8 16:39:14 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 44997302A15; Thu,  8 Jan 2004 16:39:14 +0100 (CET)
Date: Thu, 8 Jan 2004 16:39:14 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.001] OpenPKG Security Advisory (inn)
Message-ID: <OpenPKG-SA-2004.001@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.001                                          08-Jan-2004
________________________________________________________________________

Package:             inn
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= inn-2.4.0-20031111       >= inn-2.4.0-20040108
OpenPKG 1.3          <= inn-2.4.0-1.3.0          >= inn-2.4.0-1.3.1
OpenPKG 1.2          none                        N.A.

Description:
  According to INN [0] announcement postings from Russ Allbery [1][2],
  Dan Riley discovered a buffer overflow in a portion of the control
  message handling code, first introduced in INN 2.4.0. It is fairly
  likely that this overflow is remotely exploitable to gain access and
  execute code under the user innd(8) runs as. INN 2.3.x and earlier
  versions are not affected.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q inn". If you have the "inn" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]
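
  The same check ("<prefix>/bin/rpm -q <package>" compared against the
  Affected/Corrected table) appears in every advisory above; the Python
  below is an added example, not OpenPKG tooling. It ports RPM's
  rpmvercmp() ordering, parses a table as printed here (this advisory's
  inn table is embedded as sample input) and classifies an installed
  package string; mapping release tags to table rows (1.2.x, 1.3.x,
  YYYYMMDD for CURRENT) is an assumption taken from the tables themselves.

```python
import re

DIGITS = set("0123456789")
ALNUM = DIGITS | set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Sample input, copied from the table of this advisory (OpenPKG-SA-2004.001).
INN_TABLE = """\
Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= inn-2.4.0-20031111       >= inn-2.4.0-20040108
OpenPKG 1.3          <= inn-2.4.0-1.3.0          >= inn-2.4.0-1.3.1
OpenPKG 1.2          none                        N.A.
"""


def rpmvercmp(a, b):
    """Order two version/release strings like RPM's rpmvercmp(): 1 if a is
    newer, -1 if b is newer, 0 if equal. Digit runs compare numerically,
    letter runs as strings, numeric beats alphabetic, '~' sorts lowest."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in ALNUM and a[i] != "~":
            i += 1  # skip separator characters
        while j < len(b) and b[j] not in ALNUM and b[j] != "~":
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take a run of digits or of letters, whichever a starts with
        isnum = a[i] in DIGITS
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pat, a[i:]).group(0)
        m_b = re.match(pat, b[j:])
        if m_b is None:
            return 1 if isnum else -1  # segment types differ
        seg_b = m_b.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # leftover characters win the tie


def split_nvr(nvr):
    """'postgresql-7.3.1-1.2.3' -> ('postgresql', '7.3.1', '1.2.3')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def nvr_cmp(a, b):
    """Compare two NVR strings of the same package: version, then release."""
    name_a, ver_a, rel_a = split_nvr(a)
    name_b, ver_b, rel_b = split_nvr(b)
    if name_a != name_b:
        raise ValueError("cannot compare %s with %s" % (name_a, name_b))
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def branch_of(release):
    """Assumed: eight-digit date -> CURRENT, else leading 'major.minor'."""
    if re.fullmatch(r"[0-9]{8}", release):
        return "CURRENT"
    return ".".join(release.split(".")[:2])


OPS = {"<=": lambda c: c <= 0, "<": lambda c: c < 0,
       ">=": lambda c: c >= 0, ">": lambda c: c > 0}


def parse_table(text):
    """Row label -> (operator, affected NVR), or None for 'N.A.'/'none'."""
    rows = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "OpenPKG":
            rows[tok[1]] = None if tok[2] in ("N.A.", "none") else (tok[2], tok[3])
    return rows


def check(installed, table):
    """Classify the output of 'rpm -q <package>' against a parsed table."""
    branch = branch_of(split_nvr(installed)[2])
    if branch not in table:
        return "unknown"        # advisory has no row for this branch
    if table[branch] is None:
        return "not affected"   # branch never shipped a vulnerable build
    op, threshold = table[branch]
    return "affected" if OPS[op](nvr_cmp(installed, threshold)) else "fixed"


if __name__ == "__main__":
    table = parse_table(INN_TABLE)
    for pkg in ("inn-2.4.0-1.3.0", "inn-2.4.0-1.3.1", "inn-2.4.0-20040108"):
        print("%-20s %s" % (pkg, check(pkg, table)))
```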

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the current release OpenPKG 1.3, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get inn-2.4.0-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig inn-2.4.0-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild inn-2.4.0-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/inn-2.4.0-1.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.isc.org/products/INN/
  [1] http://lists.litech.org/pipermail/inn-workers/2004q1/002762.html
  [2] http://lists.litech.org/pipermail/inn-workers/2004q1/002763.html
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/inn-2.4.0-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE//XjOgHWT4GPEy58RAh2tAJ915Qugh7sdKr0LcBY8VtGlcCiWRACg7qQK
xtoMatcN5fTBUhVveS092Z4=
=KLDc
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Jan 16 14:09:43 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 492062FEA3B; Fri, 16 Jan 2004 14:09:43 +0100 (CET)
Date: Fri, 16 Jan 2004 14:09:43 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.002] OpenPKG Security Advisory (tcpdump)
Message-ID: <OpenPKG-SA-2004.002@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.002                                          16-Jan-2004
________________________________________________________________________

Package:             tcpdump
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= tcpdump-3.8.1-20040108   >= tcpdump-3.8.1-20040116
OpenPKG 1.3          <= tcpdump-3.7.2-1.3.0      >= tcpdump-3.7.2-1.3.1
OpenPKG 1.2          <= tcpdump-3.7.1-1.2.1      >= tcpdump-3.7.1-1.2.2

Dependent Packages:  none

Description:
  A bunch of vulnerabilities in tcpdump [0] were found and addressed
  in the past. All of them are in the area of packet decoding. Faulty
  decoder functions can result in denial of service attacks through
  infinite loops, memory starvation and application crashes. In the
  worst case arbitrary code execution is possible.

  This OpenPKG update resolves all issues currently known, as shown in
  the following table:

                  tcpdump   371 371 372 381
                  OpenPKG   120 121 130 20020822
                            --- --- --- ---
  CAN-2002-0380 [2] nfs      X   -   -   -   see past OpenPKG-SA [1]
  CAN-2002-1350 [3] bgp      X   -   -   -   see past OpenPKG-SA [1]
  CAN-2003-0108 [4] isakmp   X   -   -   -   see past OpenPKG-SA [1]
                    depth    X   X   X   -   (*)
  CAN-2003-0989 [5] isakmp   X   X   X   -   updates CAN-2003-0108-isakmp
  CAN-2003-1029 [6] l2tp     X   X   -   -
  CAN-2004-0055 [7] radius   X   X   X   X
  CAN-2004-0057 [8] isakmp   X   X   X   X

  (*) the vendor code fix for CAN-2003-0108 had two other unrelated code
      changes piggybacked. We removed the cosmetics (constify) and
      extracted an enhancement (depth).

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  tcpdump". If you have the "tcpdump" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [9][10]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror
  location, verify its integrity [15], build a corresponding binary RPM
  from it [9] and update your OpenPKG installation by applying the
  binary RPM [10]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get tcpdump-3.7.2-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig tcpdump-3.7.2-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild tcpdump-3.7.2-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/tcpdump-3.7.2-1.3.1.*.rpm
________________________________________________________________________

References:
  [0]  http://www.tcpdump.org/
  [1]  http://www.openpkg.org/security/OpenPKG-SA-2003.014-tcpdump.html
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0380
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1350
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0989
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1029
  [7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055
  [8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057
  [9]  http://www.openpkg.org/tutorial.html#regular-source
  [10] http://www.openpkg.org/tutorial.html#regular-binary
  [11] ftp://ftp.openpkg.org/release/1.2/UPD/tcpdump-3.7.1-1.2.2.src.rpm
  [12] ftp://ftp.openpkg.org/release/1.3/UPD/tcpdump-3.7.2-1.3.1.src.rpm
  [13] ftp://ftp.openpkg.org/release/1.2/UPD/
  [14] ftp://ftp.openpkg.org/release/1.3/UPD/
  [15] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAB+J2gHWT4GPEy58RAjtQAKDwMRrx2TaBI9mgyMVtAJIQ22ssqgCg202L
OiXM0uFoFr4W9k6JRCmZ4hY=
=T9PY
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Feb 25 14:49:45 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 6CCAE2FF6F7; Wed, 25 Feb 2004 14:49:45 +0100 (CET)
Date: Wed, 25 Feb 2004 14:49:45 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-users@openpkg.org,
	openpkg-dev@openpkg.org
Subject: [ANNOUNCE] OpenPKG 2.0
Message-ID: <20040225134945.GA60810@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 25-Feb-2004

    The OpenPKG project releases version 2.0 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- February 25, 2004 -- The
  OpenPKG project is proud to announce version 2.0 of its OpenPKG
  software, another evolutionary step after a series of four
  predecessors. Much valued by IT decision makers and beloved by Unix
  system administrators, OpenPKG is the world leading instrument for
  deployment and maintenance of Open Source software when administration
  crosses Unix platform boundaries. The unique OpenPKG architecture
  leverages proven technologies like Red Hat Package Manager (RPM) and
  OSSP and GNU components to establish a unified software administration
  environment, independent of the underlying operating system.

  NEW IN VERSION 2.0

  OpenPKG platform support has doubled and OpenPKG 2.0 is now available
  for 16 different Unix flavors. Most notably, it is supported on
  FreeBSD 4.9 and 5.2, Debian GNU/Linux 3.0, Red Hat Enterprise Linux
  3, Red Hat Fedora Core 1, SuSE Linux 9.0, and Sun Solaris 8 and 9.
  Additionally, all CORE and the vast majority of BASE class packages
  are already available for the tentative platforms Debian GNU/Linux
  3.1, Gentoo Linux 1.4.3, Sun Solaris 10 and still available for the
  obsoleted (end-of-life) platforms Debian GNU/Linux 2.2, Red Hat Linux
  9, SuSE Linux 8.2, and Sun Solaris 2.6.

  Since the previous release a half year ago, the OpenPKG package
  repository has again grown by 20%. A subset of 473 packages were
  carefully selected for inclusion into the OpenPKG 2.0 release,
  including latest versions of popular Open Source Unix software
  like Apache, Bash, BIND, GCC, INN, MySQL, OpenSSH, Perl, Postfix,
  PostgreSQL, Samba, Squid, and Vim.

  The major technical efforts for this release were spent on the
  RPM-based OpenPKG packaging framework. The most prominent change
  is the upgrade from RPM 4.0.2 to RPM 4.2.1 which contributes over
  three years of development, including support for concurrent package
  database operations and transactional safety. On top of this OpenPKG
  greatly enhanced RPM's portability and added tools for improved RPM
  database maintenance and troubleshooting.

  The complete packaging was revamped to use GNU shtool's new platform
  identification. This allows both product and technology recognition in
  order to enable unambiguous naming and more accurate packaging.

  Finally, OpenPKG extended the RPM capabilities by adding specification
  headers and sections to allow even more complete packaging, including
  package classification and automated vendor source tracking. To allow
  enterprise grade deployment and inventory integration, OpenPKG 2.0
  provides ISO/IEC 11578:1996 compliant Universally Unique Identifiers
  (UUID) for reasonable OpenPKG instance identification.

  VOICE OF THE COMMUNITY

  OpenPKG has been tremendously helpful in our efforts to make
  Open Source software available to the entire campus.
  -- Dennis McRitchie, Princeton University.

  Deployment of the OpenPKG infrastructure on a fleet of Sun
  Solaris machines has allowed our organization to migrate
  away from a convoluted, out-of-date, shared NFS directory
  to a cleanly managed and easily upgraded package system.
  This is light-years ahead of any vendor alternative from Sun.
  -- Matt Hoosier, Kansas State University.

  OpenPKG has proven itself time and time again as an excellent base
  for the Kolab E-mail server. Nowhere else can one deploy such a
  rich set of applications, so consistently, across so many different
  platforms. The ability to move between different Unix platforms and
  GNU/Linux distributions while maintaining a consistent, high quality,
  environment is an invaluable tool for any administrator. OpenPKG is
  a natural choice for any organization or Free Software project that
  needs to support various applications on a plethora of Unix systems.
  -- Stephan Buys, Code Fusion.

  I would like to see every Unix operating system make use of this
  approach so that installation and upgrade of software finally lose
  the aura of magic and adventure.
  -- Christian Reiber, Zeppelin.

  We are moving all our internal and customer's systems to OpenPKG
  which has simplified our development and support.
  -- Bill Campbell, Celestial Software.

  HIGHLIGHTS OF OPENPKG

  * Portable across major Unix flavors.
  * Available for the supported platforms:
    FreeBSD 4.9/5.2, Debian Linux 3.0, Red Hat Enterprise Linux 3,
    Red Hat Fedora Core 1, SuSE Linux 9.0 and Solaris 8 and 9.
  * Already available for the tentative platforms:
    Debian GNU/Linux 3.1, Gentoo Linux 1.4.3, Sun Solaris 10.
  * Still available for the obsoleted platforms:
    Debian GNU/Linux 2.2, Red Hat Linux 9, SuSE Linux 8.2,
    and Sun Solaris 2.6.
  * Entirely based on Open Source software technology.
  * Minimum operating system intrusion and dependency.
  * Minimum overhead in software packaging.
  * Sources of 473 CORE+BASE+PLUS packages released.
  * Binaries of CORE+BASE class packages provided for supported platforms.
  * Binaries of CORE class packages provided for all platforms.
  * Easy installation, updating and deinstallation of packages.
  * Bundled with useful and secure package preconfigurations.
  * Includes an abstracted and powerful run-command facility.
  * Virtual hosting through multiple instances on a single system.
  * Proxy packages for reusing packages across instances.
  * Build-time package variations for maximum flexibility.
  * Foundation to build encapsulated and self-contained environments.

  HISTORY OF THE OPENPKG PROJECT

  The OpenPKG project was founded in 2000 by Cable & Wireless, who first
  released it as Open Source software in January 2002. Today OpenPKG is
  a mature technology in production use, and is maintained and improved
  by its original developers and volunteer contributors.

  OpenPKG is the brainchild of Ralf S. Engelschall, principal author of
  numerous other popular Open Source Software technologies like OSSP
  components, Apache SSL/TLS Engine (mod_ssl), Apache URL Rewriting
  Engine (mod_rewrite), GNU Portable Threads (Pth), GNU Portable Shell
  Tool (Shtool), Website META Language (WML) and more.

  MORE INFORMATION

  The OpenPKG Project
  openpkg@openpkg.org
  +49-89-92699-251 (CET)
  +49-172-8986801  (CET)


From openpkg-announce-owner@openpkg.org  Fri Mar  5 18:35:10 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 7D05E2FF6FD; Fri,  5 Mar 2004 18:35:10 +0100 (CET)
Date: Fri, 5 Mar 2004 18:35:10 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml)
Message-ID: <OpenPKG-SA-2004.003@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.003                                          05-Mar-2004
________________________________________________________________________

Package:             libxml
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= libxml-2.6.5-20040126    >= libxml-2.6.6-20040212
OpenPKG 2.0          none                        N.A.
OpenPKG 1.3          <= libxml-2.5.8-1.3.0       >= libxml-2.5.8-1.3.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_dom perl-xml::with_libxml
                     php::with_dom php5::with_xml php5::with_dom cadaver
                     dia kde-libs libgdome libglade libwmf libxslt
                     neon pan ripe-dbase roadrunner scli scrollkeeper
                     sitecopy subversion wv xmlsec xmlstarlet xmlto xmms
OpenPKG 1.3          apache::with_mod_php_dom perl-xml::with_libxml
                     php::with_dom libgdome libwmf libxslt neon sitecopy
                     xmlsec

Description:
  A flaw in the HTTP and FTP client sub-library of libxml2 [0]
  found by Yuuichi Teranishi can be exploited to cause a buffer
  overflow if passed a very long URL [1]. This could be used by
  an attacker to execute arbitrary code on the host computer. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0110 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  libxml". If you have the "libxml" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and any dependent packages (see above). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the affected release OpenPKG 1.3, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get libxml-2.5.8-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig libxml-2.5.8-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild libxml-2.5.8-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/libxml-2.5.8-1.3.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________

References:
  [0] http://xmlsoft.org/
  [1] http://xmlsoft.org/news.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0110
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/libxml-2.5.8-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFASLo3gHWT4GPEy58RAr+bAKDII0jb/BQ94576qHt2KDt7akiqEwCg2aUT
IuYPKcQCRD4xwJbjDNj9QHs=
=zN3S
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Mar  8 15:32:55 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id C2A2730146E; Mon,  8 Mar 2004 15:32:54 +0100 (CET)
Date: Mon, 8 Mar 2004 15:32:54 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.004] OpenPKG Security Advisory (libtool)
Message-ID: <OpenPKG-SA-2004.004@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.004                                          08-Mar-2004
________________________________________________________________________

Package:             libtool
Vulnerability:       insecure creation of temporary directory
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= libtool-1.5.2-20040207   >= libtool-1.5.2-20040308
OpenPKG 2.0          <= libtool-1.5.2-2.0.0      >= libtool-1.5.2-2.0.1
OpenPKG 1.3          <= libtool-1.5-1.3.0        >= libtool-1.5-1.3.1

Dependent Packages:  none

Description:
  According to a posting on Bugtraq [0], an issue regarding the insecure
  creation of a temporary directory exists in GNU libtool [1] versions
  before 1.5.2. Use of mkdir(1) along with option "-p" makes libtool
  vulnerable to symlink attacks. Stefan Nordhausen committed a fix that
  removes the use of option "-p" in version 1.5.2. Discussion on Bugtraq
  further indicates that an additional race condition issue exists in
  the same context using chmod(1), reported by Joseph S. Myers back in
  March 2000 [2]. The updated OpenPKG versions of libtool contain fixes
  for both issues.
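  The two defects named above (a "create if missing" mkdir followed by a
  separate chmod, both of which follow a pre-placed symlink) are avoided by
  creating the scratch directory atomically with its final mode and by
  verifying it with lstat() before use. The following Python is an added
  example, not libtool's or OpenPKG's code; the helper names
  make_private_dir(), is_private_dir() and demo() are this example's own, and
  demo() builds its test tree in a throwaway directory constructed on the fly.

```python
"""Private scratch-directory creation without the mkdir -p / chmod race.
Added example (not libtool or OpenPKG code)."""
import os
import shutil
import stat
import tempfile


def make_private_dir(parent: str, prefix: str = "scratch-") -> str:
    """Create a fresh, unpredictably named directory with mode 0700 in one step.

    mkdtemp() calls mkdir(2) without mkdir -p's "reuse it if it already exists"
    behaviour, so an attacker-placed entry (directory or symlink) of the same
    name makes the call fail instead of being silently adopted. The mode is set
    at creation time, so no follow-up chmod is needed and there is no window in
    which a chmod could be redirected through a symlink.
    """
    return tempfile.mkdtemp(prefix=prefix, dir=parent)


def is_private_dir(path: str) -> bool:
    """Check that `path` is safe to use as private scratch space.

    Uses lstat() so a symlink is seen as a symlink rather than followed, then
    requires a real directory, owned by the calling user, with no group/other
    permission bits set.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return (st.st_mode & 0o077) == 0


def demo() -> dict:
    """Exercise both helpers on a constructed tree; returns the check results."""
    parent = tempfile.mkdtemp(prefix="demo-parent-")
    try:
        good = make_private_dir(parent)
        # A symlink with a plausible name that points at a real directory:
        # must be rejected even though its target would pass.
        link = os.path.join(parent, "scratch-link")
        os.symlink(good, link)
        # A directory left readable by others: also rejected.
        loose = os.path.join(parent, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o755)
        return {
            "fresh": is_private_dir(good),
            "symlink": is_private_dir(link),
            "world_readable": is_private_dir(loose),
            "missing": is_private_dir(os.path.join(parent, "does-not-exist")),
        }
    finally:
        shutil.rmtree(parent)


if __name__ == "__main__":
    print(demo())
```

  The check is worth running even on a directory the program created itself
  when the parent is shared (e.g. /tmp): it catches the case where a previous
  run's name was reused or a symlink was dropped in between creation and use.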

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  libtool". If you have the "libtool" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 2.0, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get libtool-1.5.2-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig libtool-1.5.2-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild libtool-1.5.2-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/libtool-1.5.2-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=107577516526919&w=4
  [1] http://www.gnu.org/software/libtool/
  [2] http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/libtool-1.5-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/libtool-1.5.2-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFATIP9gHWT4GPEy58RAo6FAKCnG7b3CxcdfRAKsUufQMg1YxcWAQCgjO5a
syMZ6CTgVMFNKv1D/eTbN/4=
=kQMN
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Mar  9 16:05:33 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 871AE300502; Tue,  9 Mar 2004 16:05:33 +0100 (CET)
Date: Tue, 9 Mar 2004 16:05:33 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt)
Message-ID: <OpenPKG-SA-2004.005@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.005                                          09-Mar-2004
________________________________________________________________________

Package:             mutt
Vulnerability:       buffer overflow in the index menu code
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mutt-1.4.1i-20040207     >= mutt-1.4.2.1i-20040214
OpenPKG 2.0          none                        N.A.
OpenPKG 1.3          <= mutt-1.4.1i-1.3.1        >= mutt-1.4.1i-1.3.2

Dependent Packages:  none

Description:
  According to a posting on Bugtraq [0], a buffer overflow exists in the
  mail user agent Mutt [1]. It can be triggered by incoming messages and
  there are reports about spam that has actually triggered this problem
  and crashed Mutt. The bug was reported to Red Hat by Niels Heinen. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0078 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  mutt". If you have the "mutt" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the affected release OpenPKG 1.3, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get mutt-1.4.1i-1.3.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig mutt-1.4.1i-1.3.2.src.rpm
  $ <prefix>/bin/rpm --rebuild mutt-1.4.1i-1.3.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mutt-1.4.1i-1.3.2.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=107651677817933
  [1] http://www.mutt.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/mutt-1.4.1i-1.3.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFATd0pgHWT4GPEy58RAteQAKC8DHDhGMWB7RzQLfF2NtI/m/CS5QCcCj30
PCeLKMvWr0g3HM4Dcsi9Mmw=
=S02K
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Mar 12 16:16:19 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 99398300F93; Fri, 12 Mar 2004 16:16:18 +0100 (CET)
Date: Fri, 12 Mar 2004 16:16:18 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.006] OpenPKG Security Advisory (uudeview)
Message-ID: <OpenPKG-SA-2004.006@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.006                                          12-Mar-2004
________________________________________________________________________

Package:             uudeview
Vulnerability:       insecure temp file handling, buffer overflow
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= uudeview-0.5.20-20040302 >= uudeview-0.5.20-20040312
OpenPKG 2.0          <= uudeview-0.5.19-2.0.0    >= uudeview-0.5.19-2.0.1
OpenPKG 1.3          <= uudeview-0.5.18-1.3.0    >= uudeview-0.5.18-1.3.1

Dependent Packages:  none

Description:
  Alerted by a posting on Bugtraq [1], we reviewed the UUDeview [2]
  package. It was found that 0.5.19 and later contain a bug which
  leads to failure retrieving the filename during decode. All versions
  suffered from insecure temporary file handling. Version 0.5.20
  contains bug fixes for the parsing of header lines, exact handling of
  maximum line length and fixes for two buffer overflows which needed
  backporting. The corrected packages listed above remedy all of these
  problems.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q uudeview". If you have the "uudeview" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get uudeview-0.5.19-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig uudeview-0.5.19-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild uudeview-0.5.19-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/uudeview-0.5.19-2.0.1.*.rpm
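  Every advisory above asks the administrator to run "rpm -q <package>"
  and compare the result by hand against the Affected/Corrected table.
  The following Python is an added example (not OpenPKG code) that
  automates that comparison for all of them: rpmvercmp() ports the
  segment-wise comparison rules of RPM's rpmvercmp() (without the newer
  tilde/caret handling), parse_advisory_table() reads a table in the
  advisories' own layout, and is_affected() applies the "<=" bound. The
  embedded tables are copied from the tcpdump and libxml advisories
  above; the installed name-version-release strings are constructed
  inputs standing in for "rpm -q" output, and all function names are this
  example's own.

```python
"""Decide whether an installed OpenPKG package falls inside an advisory's
"Affected Packages" range. Added example, not OpenPKG project code."""
import re
from typing import Dict, Optional, Tuple

# Alphanumeric segments; separators such as "." and "-" are ignored, as in RPM.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

# Row layout used by the advisories: "OpenPKG <rel>  <= pkg-V-R  >= pkg-V-R"
# or "OpenPKG <rel>  none  N.A." for an unaffected release.
_ROW = re.compile(
    r"^OpenPKG\s+(\S+)\s+(?:<=\s+(\S+)|none)\s+(?:>=\s+(\S+)|N\.A\.)\s*$"
)

# Tables copied from the tcpdump and libxml advisories above.
TCPDUMP_TABLE = """\
Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= tcpdump-3.8.1-20040108   >= tcpdump-3.8.1-20040116
OpenPKG 1.3          <= tcpdump-3.7.2-1.3.0      >= tcpdump-3.7.2-1.3.1
OpenPKG 1.2          <= tcpdump-3.7.1-1.2.1      >= tcpdump-3.7.1-1.2.2
"""
LIBXML_TABLE = """\
OpenPKG CURRENT      <= libxml-2.6.5-20040126    >= libxml-2.6.6-20040212
OpenPKG 2.0          none                        N.A.
OpenPKG 1.3          <= libxml-2.5.8-1.3.0       >= libxml-2.5.8-1.3.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """RPM-style comparison of two version or release strings: -1, 0 or 1.

    Numeric segments compare as integers (so 1.10 > 1.9), alphabetic segments
    compare as strings, a numeric segment outranks an alphabetic one, and when
    all shared segments match the string with segments left over is newer.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split "name-version-release" on its last two hyphens."""
    name_ver, _, rel = nvr.rpartition("-")
    name, _, ver = name_ver.rpartition("-")
    if not (name and ver and rel):
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return name, ver, rel


def cmp_nvr(a: str, b: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    na, va, ra = split_nvr(a)
    nb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError(f"package names differ: {na!r} vs {nb!r}")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_advisory_table(text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map OpenPKG release -> (highest affected NVR, first corrected NVR).

    Both entries are None for a release the advisory marks "none / N.A.".
    """
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            table[m.group(1)] = (m.group(2), m.group(3))
    return table


def is_affected(installed: str, release: str, table) -> Optional[bool]:
    """True if `installed` is <= the affected bound for `release`, False if it
    is newer or the release is marked unaffected, None if the advisory has no
    row for that release at all."""
    if release not in table:
        return None
    bound, _ = table[release]
    if bound is None:
        return False
    return cmp_nvr(installed, bound) <= 0


if __name__ == "__main__":
    # Constructed stand-ins for "rpm -q tcpdump" output on three releases.
    t = parse_advisory_table(TCPDUMP_TABLE)
    for rel, nvr in [("1.3", "tcpdump-3.7.2-1.3.0"), ("1.3", "tcpdump-3.7.2-1.3.1"),
                     ("1.2", "tcpdump-3.7.1-1.2.2")]:
        print(rel, nvr, "affected" if is_affected(nvr, rel, t) else "ok")
```

  Note that the comparison is per package name and does not consult the
  epoch field; OpenPKG advisories list plain name-version-release strings,
  so that is sufficient here, but a general tool should compare epochs
  first.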
________________________________________________________________________

References:
  [1] http://marc.theaimsgroup.com/?l=bugtraq&m=107789846720924
  [2] http://www.fpx.de/fp/Software/UUDeview/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/uudeview-0.5.18-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/uudeview-0.5.19-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Thu Mar 18 14:21:16 2004
Date: Thu, 18 Mar 2004 14:21:15 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.007] OpenPKG Security Advisory (openssl)
Message-ID: <OpenPKG-SA-2004.007@openpkg.org>

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.007                                          18-Mar-2004
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7c-20040207  >= openssl-0.9.7d-20040318
OpenPKG 2.0          <= openssl-0.9.7c-2.0.0     >= openssl-0.9.7c-2.0.1
OpenPKG 1.3          <= openssl-0.9.7b-1.3.2     >= openssl-0.9.7b-1.3.3

Affected Releases:   Dependent Packages: (*)

OpenPKG CURRENT      apache blender cadaver cpu cups curl distcache
                     dsniff easysoap ethereal ettercap exim fetchmail
                     firefox gq imap imapd imaputils inn jabberd
                     kde-base kde-libs ldapdiff ldapvi libnetdude linc
                     links lynx lyx mailsync mico mixmaster monit
                     mozilla mutt mutt15 mysqlcc nagios nail neon
                     nessus-libs nessus-tool netdude nmap openldap
                     openssh openvpn orbit2 perl-ldap perl-net perl-ssl
                     perl-www pgadmin php php3 php5 pine postfix
                     postgresql pound proftpd qpopper qt samba samba3
                     sasl scribus sendmail siege sio sitecopy snort
                     socat squid stunnel subversion suck tcpdump
                     tinyproxy vorbis-tools w3m wget xine-ui

OpenPKG 2.0          apache cadaver cpu curl distcache ethereal
                     fetchmail imap imapd imaputils inn ldapdiff
                     ldapvi links lynx mailsync mico mozilla mutt
                     nail neon nessus-libs nessus-tool nmap openldap
                     openssh perl-ldap perl-net perl-ssl perl-www php
                     pine postfix postgresql proftpd qpopper qt samba
                     sasl sendmail siege sio sitecopy snort socat
                     squid stunnel subversion suck tcpdump tinyproxy
                     vorbis-tools w3m wget

OpenPKG 1.3          apache cpu curl ethereal fetchmail imap imapd
                     inn links lynx mico mutt nail neon nmap openldap
                     openssh perl-ldap perl-net perl-ssl perl-www php
                     postfix postgresql proftpd qpopper samba sasl
                     sendmail siege sio sitecopy snort socat squid
                     stunnel suck tcpdump vorbis-tools w3m wget

                 (*) many packages are only affected if they (or their
                     underlying packages) used certain TLS/SSL related
                     options ("with_xxx") during build time. Above is
                     a worst case list. Packages known to only use
                     libcrypto without libssl are not affected and were
                     already omitted from the list.

Description:
  According to an OpenSSL [0] security advisory [1], denial of service
  vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive
  and versions 0.9.7a to 0.9.7c inclusive.

  Testing performed by the OpenSSL group uncovered a null-pointer
  assignment in the do_change_cipher_spec() function. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0079 [2] to the problem.

  Stephen Henson discovered a flaw in SSL/TLS handshaking code
  when using Kerberos ciphersuites. The OpenPKG packages make no
  use of this functionality but the patch was included anyway. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0112 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get openssl-0.9.7c-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig openssl-0.9.7c-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild openssl-0.9.7c-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7c-2.0.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [4][5]
________________________________________________________________________

References:
  [0] http://www.openssl.org/
  [1] http://www.openssl.org/news/secadv_20040317.txt
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Thu Apr  1 20:11:57 2004
Date: Thu, 1 Apr 2004 20:11:57 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid)
Message-ID: <OpenPKG-SA-2004.008@openpkg.org>

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.008                                          01-Apr-2004
________________________________________________________________________

Package:             squid
Vulnerability:       URL concealment
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= squid-2.5.4-20040116     >= squid-2.5.5-20040301
OpenPKG 2.0          <= squid-2.5.4-2.0.0        >= squid-2.5.4-2.0.1
OpenPKG 1.3          <= squid-2.5.3-1.3.0        >= squid-2.5.3-1.3.1

Dependent Packages:  none

Description:
  According to a security advisory [0] from the vendor, a vulnerability
  exists in the URL unescaping logic of the Squid Web Proxy Cache
  [1]. This bug could allow an attacker to bypass certain access
  controls by inserting a NUL character into decoded URLs. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0189 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q squid". If you have the "squid" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get squid-2.5.4-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig squid-2.5.4-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild squid-2.5.4-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/squid-2.5.4-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
  [1] http://www.squid-cache.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/squid-2.5.3-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/squid-2.5.4-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Mon Apr  5 16:08:34 2004
Date: Mon, 5 Apr 2004 16:08:34 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.009] OpenPKG Security Advisory (mc)
Message-ID: <OpenPKG-SA-2004.009@openpkg.org>

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.009                                          05-Apr-2004
________________________________________________________________________

Package:             mc
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mc-4.6.0-20040207        >= mc-4.6.0-20040405
OpenPKG 2.0          <= mc-4.6.0-2.0.0           >= mc-4.6.0-2.0.1
OpenPKG 1.3          <= mc-4.6.0-1.3.0           >= mc-4.6.0-1.3.1

Dependent Packages:  none

Description:
  According to a message from Ilya Teterin posted on Bugtraq [0], the
  Midnight Commander application [1] uses an uninitialized buffer to
  handle symlinks in VFS. This allows attackers to execute arbitrary
  code during symlink conversion. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2003-1023 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q mc". If you have the "mc" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get mc-4.6.0-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig mc-4.6.0-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild mc-4.6.0-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/mc-4.6.0-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=106399528518704
  [1] http://www.ibiblio.org/mc/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/mc-4.6.0-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/mc-4.6.0-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Wed Apr  7 22:22:48 2004
Date: Wed, 7 Apr 2004 22:22:48 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.010] OpenPKG Security Advisory (tcpdump)
Message-ID: <OpenPKG-SA-2004.010@openpkg.org>

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.010                                          07-Apr-2004
________________________________________________________________________

Package:             tcpdump
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= tcpdump-3.8.1-20040207   >= tcpdump-3.8.2-20040330
OpenPKG 2.0          <= tcpdump-3.8.1-2.0.0      >= tcpdump-3.8.1-2.0.1
OpenPKG 1.3          <= tcpdump-3.7.2-1.3.1      >= tcpdump-3.7.2-1.3.2

Dependent Packages:  none

Description:
  According to a security advisory published by Rapid7 [0], two
  vulnerabilities exist in the ISAKMP packet display functions of
  tcpdump [1]. The Common Vulnerabilities and Exposures (CVE) project
  has reviewed both problems. CAN-2004-0183 [2] identifies an overflow
  when displaying ISAKMP delete payloads with a large number of SPIs,
  while CAN-2004-0184 [3] identifies an integer underflow when
  displaying an ISAKMP identification payload. These vulnerabilities
  appear only when verbose packet display is enabled by running tcpdump
  with the -v option.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q tcpdump". If you have the "tcpdump" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most current release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get tcpdump-3.8.1-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig tcpdump-3.8.1-2.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild tcpdump-3.8.1-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/tcpdump-3.8.1-2.0.1.*.rpm
________________________________________________________________________

References:
  [0]  http://www.rapid7.com/advisories/R7-0017.html
  [1]  http://www.tcpdump.org/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0183
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0184
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/1.3/UPD/tcpdump-3.7.2-1.3.2.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.0/UPD/tcpdump-3.8.1-2.0.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Wed Apr  7 22:24:13 2004
Date: Wed, 7 Apr 2004 22:24:13 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.011] OpenPKG Security Advisory (sharutils)
Message-ID: <OpenPKG-SA-2004.011@openpkg.org>

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.011                                          07-Apr-2004
________________________________________________________________________

Package:             sharutils
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= sharutils-4.2.1-20011201 >= sharutils-4.2.1-20040407
OpenPKG 2.0          <= sharutils-4.2.1-2.0.0    >= sharutils-4.2.1-2.0.1
OpenPKG 1.3          <= sharutils-4.2.1-1.3.0    >= sharutils-4.2.1-1.3.1

Dependent Packages:  none

Description:
  According to a posting on Bugtraq [1], Shaun Colley discovered and
  researched a stack-based buffer overflow vulnerability which exists in
  the GNU Sharutils [2] due to lack of bounds checking when handling the
  '-o' command-line option.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q sharutils". If you have the "sharutils" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get sharutils-4.2.1-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig sharutils-4.2.1-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild sharutils-4.2.1-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/sharutils-4.2.1-2.0.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.securityfocus.com/archive/1/359639
  [2] http://www.gnu.org/software/sharutils/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/sharutils-4.2.1-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/sharutils-4.2.1-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Thu Apr  8 17:21:07 2004
Date: Thu, 8 Apr 2004 17:21:07 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.012] OpenPKG Security Advisory (fetchmail)
Message-ID: <OpenPKG-SA-2004.012@openpkg.org>

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.012                                          08-Apr-2004
________________________________________________________________________

Package:             fetchmail
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= fetchmail-6.2.4-20031008 >= fetchmail-6.2.5-20031016
OpenPKG 1.3          <= fetchmail-6.2.3-1.3.0    >= fetchmail-6.2.3-1.3.1
OpenPKG 2.0          none                        N.A.

Dependent Packages:  none

Description:
  According to a Mandrake Linux security advisory [0], a denial of
  service (DoS) vulnerability exists in the header rewriting code of
  Fetchmail [1]. The code's intention is to hack message headers so
  replies work properly. However, logic in the reply_hack() function
  fails to allocate enough memory for long lines and may write past a
  memory boundary. This could allow an attacker to cause a denial of
  service by sending a specially crafted email and crashing fetchmail.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0792 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q fetchmail". If you have the "fetchmail" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it
  [3] and update your OpenPKG installation by applying the binary RPM
  [4]. For the OpenPKG 1.3 release, perform the following operations to
  permanently fix the security problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get fetchmail-6.2.3-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig fetchmail-6.2.3-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild fetchmail-6.2.3-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/fetchmail-6.2.3-1.3.1.*.rpm
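  The "Please check whether you are affected" step in this and the
  preceding advisories compares the "rpm -q" label against the
  Affected/Corrected table by hand. The following is an added example,
  not OpenPKG project code: it parses the openssl (SA-2004.007) and
  fetchmail (SA-2004.012) tables copied from this page and orders labels
  with a port of RPM's rpmvercmp(); the "rpm -q" output lines are constructed.

```python
"""Check 'rpm -q' output against an OpenPKG advisory's affected/corrected table.

Added example, not OpenPKG project code.  The two tables are copied from the
openssl and fetchmail advisories; the "rpm -q" outputs are constructed.
"""
import re
from typing import Dict, Optional, Tuple

OPENSSL_TABLE = """\
OpenPKG CURRENT      <= openssl-0.9.7c-20040207  >= openssl-0.9.7d-20040318
OpenPKG 2.0          <= openssl-0.9.7c-2.0.0     >= openssl-0.9.7c-2.0.1
OpenPKG 1.3          <= openssl-0.9.7b-1.3.2     >= openssl-0.9.7b-1.3.3
"""

FETCHMAIL_TABLE = """\
OpenPKG CURRENT      <= fetchmail-6.2.4-20031008 >= fetchmail-6.2.5-20031016
OpenPKG 1.3          <= fetchmail-6.2.3-1.3.0    >= fetchmail-6.2.3-1.3.1
OpenPKG 2.0          none                        N.A.
"""

# One table row: release, "<= affected" or "none", ">= corrected" or "N.A."
ROW_RE = re.compile(
    r"^OpenPKG\s+(?P<rel>\S+)\s+"
    r"(?:<=\s*(?P<affected>\S+)|none)\s+"
    r"(?:>=\s*(?P<corrected>\S+)|N\.A\.)\s*$"
)

Row = Tuple[Optional[str], Optional[str]]

def parse_table(text: str) -> Dict[str, Row]:
    """Map release -> (affected_nvr, corrected_nvr); (None, None) when not hit."""
    rows: Dict[str, Row] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group("rel")] = (m.group("affected"), m.group("corrected"))
    return rows

def rpmvercmp(a: str, b: str) -> int:
    """Port of RPM's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Strings are cut into runs of digits and runs of letters; other characters
    only separate.  Digit runs compare as integers, letter runs lexically, and
    a digit run ranks newer than a letter run.  RPM's "~"/"^" are not handled.
    """
    if a == b:
        return 0
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # longer digit run is the larger number
                return 1 if len(x) > len(y) else -1
        if x != y:                        # equal length: string order is numeric order
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):          # only the separators differed
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1   # leftover segments win

def split_nvr(label: str) -> Tuple[str, str, str]:
    """'openssl-0.9.7c-2.0.1' -> ('openssl', '0.9.7c', '2.0.1'); names may hold '-'."""
    name, version, release = label.rsplit("-", 2)
    return name, version, release

def nvr_cmp(a: str, b: str) -> int:
    """Order two labels of the same package as RPM does: version, then release."""
    name_a, ver_a, rel_a = split_nvr(a)
    name_b, ver_b, rel_b = split_nvr(b)
    if name_a != name_b:
        raise ValueError(f"different packages: {name_a!r} vs {name_b!r}")
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)

def status(release: str, rpm_q_output: str, table: Dict[str, Row]) -> str:
    """Classify one host's '<prefix>/bin/rpm -q <pkg>' output against the table.

    'affected'     installed label <= the advisory's affected package
    'fixed'        installed label >= the corrected package
    'not-affected' the release row reads "none" / "N.A."
    'unknown'      not installed, release not listed, or between the bounds
    """
    installed = rpm_q_output.strip()
    if installed.endswith("is not installed") or release not in table:
        return "unknown"
    affected, corrected = table[release]
    if affected is None:
        return "not-affected"
    if nvr_cmp(installed, affected) <= 0:
        return "affected"
    if corrected is not None and nvr_cmp(installed, corrected) >= 0:
        return "fixed"
    return "unknown"

if __name__ == "__main__":
    table = parse_table(OPENSSL_TABLE)
    # Constructed "rpm -q openssl" outputs from three OpenPKG 2.0 hosts.
    for out in ("openssl-0.9.7c-2.0.0", "openssl-0.9.7c-2.0.1",
                "package openssl is not installed"):
        print(f"{out:36s} -> {status('2.0', out, table)}")
```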
________________________________________________________________________

References:
  [0] http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:101
  [1] http://www.catb.org/~esr/fetchmail/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0792
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/fetchmail-6.2.3-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


From openpkg-announce-owner@openpkg.org  Wed Apr 14 20:35:49 2004
Date: Wed, 14 Apr 2004 20:35:49 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.013] OpenPKG Security Advisory (cvs)
Message-ID: <OpenPKG-SA-2004.013@openpkg.org>

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.013                                          14-Apr-2004
________________________________________________________________________

Package:             cvs
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= cvs-1.12.6-20040413      >= cvs-1.12.7-20040414
OpenPKG 2.0          <= cvs-1.12.5-2.0.0         >= cvs-1.12.5-2.0.1
OpenPKG 1.3          <= cvs-1.12.1-1.3.3         >= cvs-1.12.1-1.3.4

Dependent Packages:  none

Description:
  Sebastian Krahmer from the SuSE Security Team discovered [1] a flaw
  in Concurrent Versions System (CVS) [0] clients where RCS "diff
  files" can create files with absolute pathnames. An attacker could
  create a fake malicious CVS server that would cause arbitrary files
  to be created or overwritten when a victim connects to it. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0180 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q cvs". If you have the "cvs" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get cvs-1.12.5-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig cvs-1.12.5-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild cvs-1.12.5-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvs-1.12.5-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.cvshome.org/
  [1] http://www.suse.com/de/security/2004_08_cvs.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.4.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/cvs-1.12.5-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAfYRYgHWT4GPEy58RArpMAKDMgxz5dlP8Y6CsGehQdBSWslDPrACgmqwK
7Q7IuwFb556bhWZ7QD+LBbo=
=7pJi
-----END PGP SIGNATURE-----
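
Added example, not from the advisory, from CVS or from OpenPKG: the client-side check that CAN-2004-0180 comes down to. A CVS client must treat every pathname the server sends (in "Created"/"Updated" responses and in RCS diff output) as untrusted, and refuse anything absolute, containing "..", or otherwise leaving the working directory. The sandbox name "work" and the list of sample entries are constructed for illustration.

```python
import posixpath

# Constructed sample of pathnames as a CVS server might send them to a
# client; not taken from the advisory or from a real CVS session.
SAMPLE_SERVER_ENTRIES = [
    "src/main.c",                  # fine
    "./docs/README",               # fine after normalisation
    "/etc/passwd",                 # absolute: the CAN-2004-0180 pattern
    "../../.ssh/authorized_keys",  # traversal out of the checkout
    "a/../../b",                   # '..' hidden behind a normal component
    "",                            # empty name
    "lib\x00evil",                 # embedded NUL
]


def is_safe_server_path(name: str, sandbox: str = "work") -> bool:
    """Accept `name` only if it denotes a file strictly inside `sandbox`.

    Purely lexical: absolute names, NUL bytes, empty names and any '..'
    component are rejected outright, then the normalised join must still
    lie below the sandbox root.  Symlinks are not resolved here; the
    check runs before any file is created."""
    if not name or "\x00" in name or name.startswith("/"):
        return False
    if any(part == ".." for part in name.split("/")):
        return False
    root = posixpath.normpath(sandbox)
    joined = posixpath.normpath(posixpath.join(root, name))
    return joined.startswith(root + "/")


def filter_server_entries(entries):
    """Split server-supplied names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for entry in entries:
        (accepted if is_safe_server_path(entry) else rejected).append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_server_entries(SAMPLE_SERVER_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately conservative: "a/../../b" would normalise back inside the sandbox, but any ".." at all is refused because there is no legitimate reason for a server to send one.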

From openpkg-announce-owner@openpkg.org  Wed Apr 14 22:48:03 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 4F35B3020AE; Wed, 14 Apr 2004 22:48:03 +0200 (CEST)
Date: Wed, 14 Apr 2004 22:48:03 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql)
Message-ID: <OpenPKG-SA-2004.014@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.014                                          14-Apr-2004
________________________________________________________________________

Package:             mysql
Vulnerability:       insecure temporary file creation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= mysql-4.0.18-20040214  >= mysql-4.0.18-20040414
OpenPKG 2.0          <= mysql-4.0.18-2.0.0     >= mysql-4.0.18-2.0.1
OpenPKG 1.3          <= mysql-4.0.14-1.3.2     >= mysql-4.0.14-1.3.3

Dependent Packages:  none

Description:
  Shaun Colley discovered [1] that the scripts "mysqlbug" and
  "mysqld_multi" of the MySQL RDBMS [0] perform insecure creations of
  temporary files. An attacker could create symbolic links in /tmp to
  achieve the overwriting of files with the privileges of the user
  invoking the scripts. The RDBMS startup wrapper "mysqld_multi" is
  currently not used in OpenPKG, although it is contained in the
  "mysql" package. The "mysqlbug" script could be run manually by the
  administrator. The Common Vulnerabilities and Exposures (CVE) project
  assigned the ids CAN-2004-0381 [2] and CAN-2004-0388 [3] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  mysql". If you have the "mysql" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary
  RPM from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get mysql-4.0.18-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig mysql-4.0.18-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild mysql-4.0.18-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/mysql-4.0.18-2.0.1.*.rpm
________________________________________________________________________

References:
  [0]  http://www.mysql.com/
  [1]  http://www.nettwerked.co.uk/advisories/mysqlbug
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0381
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0388
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/1.3/UPD/mysql-4.0.14-1.3.3.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.0/UPD/mysql-4.0.18-2.0.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAfaNfgHWT4GPEy58RAgwEAKDpIRVD8RvfCSqKJI+ku38foCTpfQCfUAUM
rKbhklY4c7khNgWxkGxrBNo=
=Lk27
-----END PGP SIGNATURE-----
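
Added example, not the mysqlbug/mysqld_multi code and not part of the advisory: the temporary-file pattern the advisory describes, replayed in a throwaway directory standing in for /tmp, beside the two usual fixes. The attacker pre-plants a symlink at a guessable name in a directory shared with the victim; the victim's script opens that name for writing and so truncates and overwrites whatever the link points at, with the victim's privileges. mkstemp() (random name, O_CREAT|O_EXCL, mode 0600) is the preferred fix; O_CREAT|O_EXCL on a fixed name at least refuses to write through a planted link. The guessable name "mysqlbug-1234" and the file contents are constructed.

```python
import os
import tempfile


def write_report_unsafe(path: str, data: bytes) -> None:
    """The vulnerable pattern: a fixed, guessable name opened for writing.
    open() follows a symlink already sitting at `path`, so the victim's
    privileges are used to truncate and overwrite the link target."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_report_exclusive(path: str, data: bytes) -> bool:
    """Same fixed name, hardened: O_CREAT|O_EXCL makes the kernel refuse
    if anything (a symlink included) already exists at `path`.  Returns
    False instead of writing through a planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:          # EEXIST (or ELOOP) when a link was planted
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def write_report_safe(directory: str, data: bytes) -> str:
    """Preferred fix: mkstemp() picks an unpredictable name and creates it
    with O_CREAT|O_EXCL and mode 0600, so there is no name to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="mysqlbug.", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo(shared_dir: str = None) -> dict:
    """Replay the attack in a throwaway directory standing in for /tmp.

    The attacker plants `mysqlbug-1234` as a symlink to `victim.txt`;
    each writer is then run as the victim and the victim file inspected."""
    shared_dir = shared_dir or tempfile.mkdtemp(prefix="tmpfile-demo.")
    victim = os.path.join(shared_dir, "victim.txt")
    with open(victim, "wb") as fh:
        fh.write(b"original")
    planted = os.path.join(shared_dir, "mysqlbug-1234")  # constructed guessable name
    os.symlink(victim, planted)

    write_report_unsafe(planted, b"clobbered")
    with open(victim, "rb") as fh:
        after_unsafe = fh.read()

    with open(victim, "wb") as fh:           # restore, then try the fixes
        fh.write(b"original")
    refused = not write_report_exclusive(planted, b"report")
    report = write_report_safe(shared_dir, b"report")
    with open(victim, "rb") as fh:
        after_safe = fh.read()

    return {
        "victim_after_unsafe": after_unsafe,
        "exclusive_refused": refused,
        "victim_after_safe": after_safe,
        "report_is_symlink": os.path.islink(report),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the fixed-name variant only fails closed; if a script must use a fixed name it still needs a private directory (mode 0700) around it, because an attacker who can delete and recreate the link between check and use wins the race again.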

From openpkg-announce-owner@openpkg.org  Thu Apr 15 21:05:00 2004
Received: from visp.engelschall.com (visp.engelschall.com [195.27.176.148])
	by mail.openpkg.org (Postfix) with ESMTP id 200002FE9A1
	for <openpkg-announce@openpkg.org>; Thu, 15 Apr 2004 21:05:00 +0200 (CEST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 0A1B84CE70F; Thu, 15 Apr 2004 21:05:00 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id 761F62862B; Thu, 15 Apr 2004 21:04:46 +0200 (CEST)
Date: Thu, 15 Apr 2004 21:04:46 +0200
From: "Ralf S. Engelschall" <rse@engelschall.com>
To: openpkg-announce@openpkg.org
Subject: New OpenPKG slideset now available online!
Message-ID: <20040415190446.GA21069@engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

During the last weeks we've prepared a completely new official slideset
for OpenPKG which now replaces the old one. You can find it in both web
(HTML+PNG) and print (PDF 1.3) format under:

    http://www.openpkg.org/doc/slideset/openpkg/
    http://www.openpkg.org/doc/slideset/openpkg.pdf

This slideset is intentionally an all-in-one mega slideset, i.e., it
tries to summarize mostly all essentials from the OpenPKG world --
currently on 47 slides with even more to come. There are parts for IT
decision makers, for users and for developers.

Hence it is not intended to be presented as a whole in a speaker
session. Instead, it is a material set which makes all essential summary
information about OpenPKG available online -- in a concise and visually
pleasant format. It also allows us to more comfortably create individual
OpenPKG speaker sessions by sub-selecting slides for real presentations.
So, don't be confused by the increasing size of the whole slideset and
the partly not seamless semantical transition between some slides ;-)

Please review the slideset in detail and send your feedback to
either openpkg-dev@openpkg.org (if you want it to be public) or
openpkg-team@openpkg.org (if you want it to be private). And please do
not hesitate to drop us a message for both trivial errors (typos, etc)
and conceptional problems. Any feedback counts!

Now, enjoy the new slideset...
                                       Ralf S. Engelschall
                                       OpenPKG Project Leader
                                       rse@openpkg.org


From openpkg-announce-owner@openpkg.org  Fri Apr 16 17:52:24 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 762CF2FE9E6; Fri, 16 Apr 2004 17:52:24 +0200 (CEST)
Date: Fri, 16 Apr 2004 17:52:24 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal)
Message-ID: <OpenPKG-SA-2004.015@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.015                                          16-Apr-2004
________________________________________________________________________

Package:             ethereal
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= ethereal-0.10.2-20040329 >= ethereal-0.10.3-20040330
OpenPKG 2.0          <= ethereal-0.10.0a-2.0.0   >= ethereal-0.10.0a-2.0.1
OpenPKG 1.3          <= ethereal-0.9.14-1.3.0    >= ethereal-0.9.14-1.3.1

Dependent Packages:  none

Description:
  According to a vendor security advisory [0] based on hints from Stefan
  Esser and Jonathan Heusser, several vulnerabilities of various types
  exist in the Ethereal network protocol analyzer [1]. Namely, it may be
  possible to make Ethereal crash or run arbitrary code by injecting a
  purposefully malformed packet onto the wire, by convincing someone to
  read a malformed packet trace file, or by creating a malformed color
  filter file.

  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifiers CAN-2004-0176 [2] and CAN-2004-0365 [3] to the problems
  concerning protocol dissectors and RADIUS packets.

  The zero-length presentation protocol selector vulnerability named in
  the Ethereal vendor advisory does not affect OpenPKG though, because
  such presentation protocol selectors are not implemented in any
  Ethereal versions released by OpenPKG.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q ethereal". If you have the "ethereal" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary
  RPM from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get ethereal-0.10.0a-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig ethereal-0.10.0a-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild ethereal-0.10.0a-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/ethereal-0.10.0a-2.0.1.*.rpm
________________________________________________________________________

References:
  [0]  http://www.ethereal.com/appnotes/enpa-sa-00013.html
  [1]  http://www.ethereal.com/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0365
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/1.3/UPD/ethereal-0.9.14-1.3.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.0/UPD/ethereal-0.10.0a-2.0.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAgAEggHWT4GPEy58RAi9aAKDnBOkyWmBg0h7oUnW+7xu2C6gQRgCgj7lc
MG/GWc5NEXxBIA+9w+H21mg=
=VIHq
-----END PGP SIGNATURE-----
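
Added example, not from Ethereal and not part of the advisory: a bounds-checked parser for the RADIUS packet layout (code, identifier, 16-bit length, 16-byte authenticator, then type/length/value attributes whose length byte counts itself), the kind of input the advisory's RADIUS entry concerns. Each check is one a dissector must make before trusting a length field: an attribute length below 2 would otherwise make the loop fail to advance or compute a negative value length, and a length larger than the remaining buffer would read past it. The sample packets are constructed here, not taken from a real capture.

```python
import struct

RADIUS_HEADER_LEN = 20      # code(1) id(1) length(2) authenticator(16)
RADIUS_MAX_LEN = 4096       # upper bound on the Length field per RFC 2865


class MalformedPacket(ValueError):
    """Raised instead of reading outside the buffer or looping forever."""


def parse_radius(data: bytes) -> dict:
    """Parse a RADIUS packet, validating every length before using it."""
    if len(data) < RADIUS_HEADER_LEN:
        raise MalformedPacket("packet shorter than the fixed header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not RADIUS_HEADER_LEN <= length <= RADIUS_MAX_LEN:
        raise MalformedPacket(f"Length field {length} outside 20..4096")
    if length > len(data):
        raise MalformedPacket("Length field exceeds bytes actually received")
    authenticator = bytes(data[4:RADIUS_HEADER_LEN])

    attributes = []
    off = RADIUS_HEADER_LEN
    while off < length:
        if length - off < 2:
            raise MalformedPacket("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2:
            # A naive loop doing off += alen would never advance (alen == 0)
            # or compute a negative value length (alen == 1).
            raise MalformedPacket(f"attribute length {alen} below minimum 2")
        if off + alen > length:
            raise MalformedPacket("attribute value runs past end of packet")
        attributes.append((atype, bytes(data[off + 2:off + alen])))
        off += alen
    return {"code": code, "id": ident, "authenticator": authenticator,
            "attributes": attributes}


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True if parse_radius() accepts the packet."""
    try:
        parse_radius(data)
    except MalformedPacket:
        return False
    return True


def build_packet(code: int, ident: int, attrs,
                 authenticator: bytes = b"\x00" * 16) -> bytes:
    """Encode a packet from (type, value) pairs; used only to build samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body))
    return header + authenticator + body


def _header(length: int) -> bytes:
    """Fixed header claiming `length`, for hand-built malformed samples."""
    return struct.pack("!BBH", 1, 7, length) + b"\x00" * 16


# Constructed samples (not real captures): one valid Access-Request with
# User-Name and Service-Type, and five packets each breaking one check.
GOOD_PACKET = build_packet(1, 7, [(1, b"alice"), (6, b"\x00\x00\x00\x02")])
MALFORMED = {
    "zero_length_attr":       _header(22) + bytes([1, 0]),
    "attr_overrun":           _header(24) + bytes([1, 200, 0x41, 0x42]),
    "length_field_too_large": _header(100) + bytes([1, 2]),
    "length_field_too_small": _header(5) + bytes([1, 2]),
    "truncated_attr_header":  _header(21) + bytes([1]),
}

if __name__ == "__main__":
    print(parse_radius(GOOD_PACKET)["attributes"])
    for name, pkt in MALFORMED.items():
        print(name, "->", "accepted" if is_well_formed(pkt) else "rejected")
```

In a C dissector the same checks guard pointer arithmetic rather than slices; the point is that the declared length is compared against the bytes actually present before either the value is read or the offset advanced.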

From openpkg-announce-owner@openpkg.org  Fri Apr 16 18:50:36 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 984F12FE9EF; Fri, 16 Apr 2004 18:50:36 +0200 (CEST)
Date: Fri, 16 Apr 2004 18:50:36 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.016] OpenPKG Security Advisory (neon)
Message-ID: <OpenPKG-SA-2004.016@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.016                                          16-Apr-2004
________________________________________________________________________

Package:             neon, subversion, cadaver, sitecopy, tla
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= neon-0.24.4-20040207      >= neon-0.24.5-20040414
                     <= subversion-1.0.1-20040313 >= subversion-1.0.1-20040416
                     <= cadaver-0.22.0-20040207   >= cadaver-0.22.1-20040415
                     <= sitecopy-0.13.4-20040207  >= sitecopy-0.13.4-20040416
                     <= tla-1.2-20040227          >= tla-1.2-20040416
OpenPKG 2.0          <= neon-0.24.4-2.0.0         >= neon-0.24.4-2.0.1
                     <= subversion-1.0.0-2.0.0    >= subversion-1.0.0-2.0.1
                     <= cadaver-0.22.0-2.0.0      >= cadaver-0.22.0-2.0.1
                     <= sitecopy-0.13.4-2.0.0     >= sitecopy-0.13.4-2.0.1
OpenPKG 1.3          <= neon-0.24.0-1.3.0         >= neon-0.24.0-1.3.1
                     <= sitecopy-0.13.3-1.3.0     >= sitecopy-0.13.3-1.3.1

Dependent Packages:  none

Description:
  Greuff of VOID.AT discovered various format string vulnerabilities in
  the error output handling routines of the Neon HTTP and WebDAV client
  library [1]. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0179 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q neon" (respectively for "subversion", "cadaver", "sitecopy" and
  "tla"). If you have one of the packages installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6][7][8][9][10], fetch it from the OpenPKG FTP service [11][12] or
  a mirror location, verify its integrity [13], build a corresponding
  binary RPM from it [3] and update your OpenPKG installation by
  applying the binary RPM [4]. For the most recent release OpenPKG 2.0,
  perform the following operations to permanently fix the security
  problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get neon-0.24.4-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig neon-0.24.4-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild neon-0.24.4-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/neon-0.24.4-2.0.1.*.rpm

  Additionally, perform similar steps for the "subversion", "cadaver",
  "sitecopy" and "tla" packages.
________________________________________________________________________

References:
  [1]  http://www.webdav.org/neon/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0179
  [3]  http://www.openpkg.org/tutorial.html#regular-source
  [4]  http://www.openpkg.org/tutorial.html#regular-binary
  [5]  ftp://ftp.openpkg.org/release/1.3/UPD/neon-0.24.0-1.3.1.src.rpm
  [6]  ftp://ftp.openpkg.org/release/1.3/UPD/sitecopy-0.13.3-1.3.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.0/UPD/neon-0.24.4-2.0.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.0/UPD/subversion-1.0.0-2.0.1.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/cadaver-0.22.0-2.0.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/2.0/UPD/sitecopy-0.13.4-2.0.1.src.rpm
  [11] ftp://ftp.openpkg.org/release/1.3/UPD/
  [12] ftp://ftp.openpkg.org/release/2.0/UPD/
  [13] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAgA7GgHWT4GPEy58RAmFPAKD0v+UgdvryqEn8n1Jw/6LKeNUNOQCg119x
o9sy8KDOBDkKtT68XccSVrQ=
=7zcy
-----END PGP SIGNATURE-----
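
Added example, not neon's code and not from the advisory. A format string bug is a string from the other side of the connection being used as the template rather than as an argument; in C that is printf(msg) instead of printf("%s", msg). The Python str.format analogue below shows the same two consequences, disclosure of whatever the template can reach and a crash on a stray brace, next to the fixed template that avoids both. The session context, the secret and the hostile messages are constructed.

```python
# Constructed session context: what an error-reporting routine might have
# in scope when it formats a message.  Not from neon.
SESSION_CONTEXT = {"host": "dav.example.org", "auth_token": "s3cr3t-token"}


def format_error_unsafe(server_message: str, ctx: dict) -> str:
    """Bug pattern: text received from the server becomes the template.
    Everything the template language can reach (here every key of ctx)
    becomes readable by the remote side, and a stray brace raises."""
    return ("request failed: " + server_message).format(**ctx)


def format_error_safe(server_message: str, ctx: dict) -> str:
    """Fix: the template is a literal; server text is only ever an argument."""
    return "request failed: {msg} (host {host})".format(
        msg=server_message, host=ctx["host"])


def outcome(fn, server_message: str, ctx: dict = SESSION_CONTEXT):
    """Run a formatter on hostile input and report ('ok', text) or
    ('error', exception class name) instead of propagating the crash."""
    try:
        return ("ok", fn(server_message, ctx))
    except (KeyError, IndexError, ValueError, AttributeError) as exc:
        return ("error", type(exc).__name__)


# Two hostile messages a malicious or compromised server might send.
LEAK_MESSAGE = "token={auth_token}"       # reads a value out of the context
CRASH_MESSAGE = "50% done {"              # unbalanced brace aborts formatting

if __name__ == "__main__":
    for fn in (format_error_unsafe, format_error_safe):
        for msg in (LEAK_MESSAGE, CRASH_MESSAGE):
            print(fn.__name__, repr(msg), "->", outcome(fn, msg))
```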

From openpkg-announce-owner@openpkg.org  Thu Apr 29 22:37:24 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 90195302105; Thu, 29 Apr 2004 22:37:24 +0200 (CEST)
Date: Thu, 29 Apr 2004 22:37:24 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png)
Message-ID: <OpenPKG-SA-2004.017@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.017                                          29-Apr-2004
________________________________________________________________________

Package:             png
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= abiword-2.1.1-20040406    >= abiword-2.1.2-20040429
                     <= analog-5.32-20040207      >= analog-5.32-20040429
                     <= doxygen-1.3.6-20040212    >= doxygen-1.3.6-20040429
                     <= firefox-0.8-20040210      >= firefox-0.8-20040429
                     <= ghostscript-8.14-20040220 >= ghostscript-8.14-20040429
                     <= kde-3.2.3-20040406        >= kde-qt-3.2.3-20040429
                     <= mozilla-1.7rc1-20040423   >= mozilla-1.7rc1-20040429
                     <= pdflib-5.0.3-20040212     >= pdflib-5.0.3-20040429
                     <= perl-tk-5.8.4-20040422    >= perl-tk-5.8.4-20040429
                     <= png-1.2.5-20040207        >= png-1.2.5-20040429
                     <= qt-3.3.2-20040428         >= qt-3.3.2-20040429
                     <= rrdtool-1.0.48-20040407   >= rrdtool-1.0.48-20040429
                     <= tetex-2.0.2-20040207      >= tetex-2.0.2-20040429
                     <= wx-2.4.2-20040425         >= wx-2.4.2-20040429

OpenPKG 2.0          <= analog-5.32-2.0.0         >= analog-5.32-2.0.1
                     <= doxygen-1.3.6-2.0.0       >= doxygen-1.3.6-2.0.1
                     <= ghostscript-8.13-2.0.0    >= ghostscript-8.13-2.0.1
                     <= mozilla-1.6-2.0.0         >= mozilla-1.6-2.0.1
                     <= pdflib-5.0.3-2.0.0        >= pdflib-5.0.3-2.0.1
                     <= perl-tk-5.8.3-2.0.0       >= perl-tk-5.8.3-2.0.1
                     <= png-1.2.5-2.0.0           >= png-1.2.5-2.0.1
                     <= qt-3.2.3-2.0.0            >= qt-3.2.3-2.0.1
                     <= rrdtool-1.0.46-2.0.0      >= rrdtool-1.0.46-2.0.1
                     <= tetex-2.0.2-2.0.0         >= tetex-2.0.2-2.0.1

OpenPKG 1.3          <= analog-5.32-1.3.0         >= analog-5.32-1.3.1
                     <= doxygen-1.3.3-1.3.0       >= doxygen-1.3.3-1.3.1
                     <= ghostscript-8.10-1.3.0    >= ghostscript-8.10-1.3.1
                     <= pdflib-5.0.1-1.3.0        >= pdflib-5.0.1-1.3.1
                     <= perl-tk-1.3.0-1.3.0       >= perl-tk-1.3.0-1.3.1
                     <= png-1.2.5-1.3.0           >= png-1.2.5-1.3.1
                     <= rrdtool-1.0.45-1.3.0      >= rrdtool-1.0.45-1.3.1
                     <= tetex-2.0.2-1.3.0         >= tetex-2.0.2-1.3.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache autotrace blender cups emacs gd gdk-pixbuf
                     gif2png gimp gnuplot gqview graphviz gtk2
                     imagemagick imlib latex2html lbreakout libwmf
                     mplayer mrtg nagios netpbm perl-gd php php3 php5
                     povray pstoedit scribus transfig webalizer wml wv
                     xemacs xfig xine-ui xplanet xv zimg

OpenPKG 2.0          apache autotrace emacs gd gdk-pixbuf ghostscript
                     gif2png gimp gnuplot graphviz gtk2 imagemagick
                     imlib latex2html libwmf mozilla netpbm perl-gd
                     perl-tk php png pstoedit qt transfig webalizer wml
                     xfig xv

OpenPKG 1.3          apache autotrace emacs gd gdk-pixbuf gif2png gimp
                     gnuplot graphviz gtk2 imagemagick imlib latex2html
                     libwmf netpbm perl-gd php pstoedit webalizer wml xv

Description:
  Steve Grubb discovered that the Portable Network Graphics (PNG)
  library libpng [1] accesses memory that is out of bounds when creating
  an error message. Depending on machine architecture, bounds checking
  and other protective measures, this problem could cause the program
  to crash if a defective or intentionally prepared PNG image file is
  handled by libpng. This can even lead to a Denial of Service (DoS)
  situation. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0421 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q png" (and similarly for the other affected packages which have
  PNG included). If you have the "png" package (or one of the others)
  installed and its version is affected (see above), we recommend that
  you immediately upgrade it (see Solution) and its dependent packages
  (see above), if any, too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get png-1.2.5-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig png-1.2.5-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild png-1.2.5-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/png-1.2.5-2.0.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
________________________________________________________________________

References:
  [1] http://www.libpng.org/pub/png/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/png-1.2.5-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/png-1.2.5-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAkWdagHWT4GPEy58RAhUzAJ91BK7ra6vUQfzOxYR0tF6OJKD9ZACcDu9K
bQeFjP+LBoyEg6ikl+zNOf4=
=EMRS
-----END PGP SIGNATURE-----
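
Added example, not an OpenPKG tool: the "check whether you are affected" step done for a whole advisory table at once, which matters here because the png fix touches ten packages in OpenPKG 2.0 alone. It implements RPM's version comparison rules (split into digit and letter runs, digit runs compared as integers, a digit run beats a letter run in the same position, the side with segments left over is newer; the tilde and caret rules of later RPM releases are left out), splits name-version-release from rpm output, and compares against the OpenPKG 2.0 column of the table above. The sample rpm -qa output is constructed.

```python
import re
import sys

# Maximum affected version-release per package, copied from the OpenPKG 2.0
# column of the table in SA-2004.017.
MAX_AFFECTED_OPENPKG_2_0 = {
    "analog": "5.32-2.0.0",
    "doxygen": "1.3.6-2.0.0",
    "ghostscript": "8.13-2.0.0",
    "mozilla": "1.6-2.0.0",
    "pdflib": "5.0.3-2.0.0",
    "perl-tk": "5.8.3-2.0.0",
    "png": "1.2.5-2.0.0",
    "qt": "3.2.3-2.0.0",
    "rrdtool": "1.0.46-2.0.0",
    "tetex": "2.0.2-2.0.0",
}

# Constructed `rpm -qa` output for a hypothetical OpenPKG 2.0 host.
SAMPLE_RPM_QA = """\
png-1.2.5-2.0.0
perl-tk-5.8.3-2.0.1
openpkg-2.0.0-2.0.0
ghostscript-8.13-2.0.0
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """RPM version/release comparison: 1 if a is newer, -1 if older, 0 equal.

    Separators are ignored; digit runs compare as integers, letter runs
    lexically, a digit run beats a letter run in the same position, and if
    one side runs out of segments the longer one is newer.  Tilde/caret
    handling of newer RPM versions is intentionally not implemented."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nvr(nvr: str):
    """Split 'name-version-release'; the name may itself contain dashes,
    version and release never do, so splitting from the right is safe."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_affected(nvr: str, table=MAX_AFFECTED_OPENPKG_2_0):
    """True/False for packages in the table, None if the package is not listed."""
    name, version, release = parse_nvr(nvr)
    if name not in table:
        return None
    max_version, max_release = table[name].rsplit("-", 1)
    order = rpmvercmp(version, max_version) or rpmvercmp(release, max_release)
    return order <= 0          # "<= max affected" means still vulnerable


def check_installed(rpm_qa_output: str, table=MAX_AFFECTED_OPENPKG_2_0) -> dict:
    """Map each installed NVR to True (affected), False (fixed) or None."""
    return {nvr: is_affected(nvr, table) for nvr in rpm_qa_output.split()}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    for nvr, state in sorted(check_installed(text).items()):
        if state:
            print("AFFECTED", nvr)
```

Feed it the real package list with "<prefix>/bin/rpm -qa | python3 checkaffected.py" (the script name is arbitrary); rebuild the table from the column matching your release before trusting the result, since the 1.3 and CURRENT thresholds differ.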

From openpkg-announce-owner@openpkg.org  Fri Apr 30 13:50:45 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 7F968302D28; Fri, 30 Apr 2004 13:50:45 +0200 (CEST)
Date: Fri, 30 Apr 2004 13:50:45 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.018] OpenPKG Security Advisory (proftpd)
Message-ID: <OpenPKG-SA-2004.018@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.018                                          30-Apr-2004
________________________________________________________________________

Package:             proftpd
Vulnerability:       privilege escalation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= proftpd-1.2.9-20040207 >= proftpd-1.2.10rc1-20040429
OpenPKG 2.0          <= proftpd-1.2.9-2.0.0    >= proftpd-1.2.9-2.0.1
OpenPKG 1.3          N.A.                      none

Dependent Packages:  none

Description:
  A portability workaround applied in version 1.2.9 of the FTP server
  ProFTPD [1] has an unintended side-effect: CIDR-based
  (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act
  like an "AllowAll" directive, so FTP clients are granted access to
  files and directories even where the server configuration explicitly
  denies it [2].
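  Before upgrading, an administrator wants to know whether the running
  configuration relies on CIDR entries at all, and what an affected
  server does with them. The following is an added example, not ProFTPD
  code and not part of the advisory: it parses the Allow/Deny lines of a
  constructed proftpd.conf fragment, reports every CIDR entry, and
  contrasts the intended meaning of an entry with the behaviour the
  advisory describes (a CIDR entry in either directive granting every
  client). The config fragment, addresses and function names are
  assumptions made for the example.

```python
import ipaddress
import re

# Constructed proftpd.conf fragment (not from the page) that mixes a plain
# host entry with CIDR entries in <Limit> Allow/Deny directives.
SAMPLE_CONF = """\
<Limit LOGIN>
  Order allow,deny
  Allow from 192.168.1.10
  Allow from 10.0.0.0/8
  Deny from all
</Limit>
<Directory /srv/ftp/private>
  <Limit READ WRITE>
    Order deny,allow
    Deny from 203.0.113.0/24
    Allow from all
  </Limit>
</Directory>
"""

# "Allow from a, b" / "Deny b" lines; AllowAll, AllowUser etc. do not match
# because a space must follow the directive name.
ACL_RE = re.compile(r"^\s*(Allow|Deny)\s+(?:from\s+)?(\S.*?)\s*$", re.IGNORECASE)


def parse_acl(conf_text):
    """(lineno, 'allow'|'deny', entry) for every entry of every Allow/Deny line."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = ACL_RE.match(line)
        if not m:
            continue
        for entry in re.split(r"[\s,]+", m.group(2)):
            if entry:
                found.append((lineno, m.group(1).lower(), entry))
    return found


def cidr_entries(conf_text):
    """Entries written as aaa.bbb.ccc.ddd/NN: the ones an affected ProFTPD
    1.2.9 treats like AllowAll according to the advisory."""
    return [e for e in parse_acl(conf_text) if "/" in e[2]]


def entry_matches(entry, client_ip):
    """Intended meaning of one entry: 'all', a single address or a CIDR block."""
    if entry.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)


def effect_intended(directive, entry, client_ip):
    """'allow', 'deny' or None when the entry does not apply to this client."""
    return directive if entry_matches(entry, client_ip) else None


def effect_affected(directive, entry, client_ip):
    """Model of the bug as the advisory describes it (not ProFTPD's code):
    a CIDR entry in either directive behaves like AllowAll and grants every
    client; all other entries keep their intended meaning."""
    if "/" in entry:
        return "allow"
    return effect_intended(directive, entry, client_ip)


def audit(conf_text):
    """Findings for a configuration that relies on CIDR entries."""
    return [f"line {ln}: '{d.capitalize()} from {e}' is a CIDR entry; an affected "
            f"proftpd grants every client access through it"
            for ln, d, e in cidr_entries(conf_text)]
```

  Run audit() over the real proftpd.conf (and any included files) of a
  host that cannot be upgraded immediately; any finding means the
  deny rule it names is not in force on an affected build.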

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  proftpd". If you have the "proftpd" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it
  [3] and update your OpenPKG installation by applying the binary RPM
  [4]. For the most recent release OpenPKG 2.0, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get proftpd-1.2.9-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig proftpd-1.2.9-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild proftpd-1.2.9-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/proftpd-1.2.9-2.0.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.proftpd.org/
  [2] http://bugs.proftpd.org/show_bug.cgi?id=2267
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.0/UPD/proftpd-1.2.9-2.0.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAkj15gHWT4GPEy58RAqZSAJ92m41X9yTMz5SVG1uKyjdnBxZrJwCgn7U/
3BHlVabxWM1RDqtmSv6OqMI=
=WZLY
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed May  5 16:25:56 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 61D62302685; Wed,  5 May 2004 16:25:56 +0200 (CEST)
Date: Wed, 5 May 2004 16:25:56 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.019] OpenPKG Security Advisory (kolab)
Message-ID: <OpenPKG-SA-2004.019@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.019                                          05-May-2004
________________________________________________________________________

Package:             kolab
Vulnerability:       information leakage, privilege escalation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= kolab-20040426-20040426   >= kolab-20040503-20040503
                     <= perl-kolab-5.8.4-20040503 >= perl-kolab-5.8.4-20040505
OpenPKG 2.0          <= kolab-20040217-2.0.1      >= kolab-20040217-2.0.2
                     <= perl-kolab-5.8.3-2.0.1    >= perl-kolab-5.8.3-2.0.2
OpenPKG 1.3          none                         N.A.

Dependent Packages:  none

Description:
  Luca Villani reported [1] the disclosure of critical configuration
  information within Kolab [2], the KDE Groupware server. The affected
  versions store OpenLDAP passwords in plain text. The heart of Kolab
  is an engine written in Perl that rewrites the configuration of
  certain applications based on templates. OpenPKG packages ship both
  the genuine engine and a modular replacement engine, and both create
  wrong permissions. The genuine engine is part of the "kolab" package;
  the replacement engine is a module in the "perl-kolab" package. The
  build() function in both engines left slapd.conf world-readable,
  exposing the OpenLDAP "rootpw".

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  kolab". If you have the "kolab" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it
  [3] and update your OpenPKG installation by applying the binary RPM
  [4]. For the most recent release OpenPKG 2.0, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get kolab-20040217-2.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig kolab-20040217-2.0.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild kolab-20040217-2.0.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/kolab-20040217-2.0.2.*.rpm
________________________________________________________________________

References:
  [1] http://www.kolab.org/pipermail/kolab-users/2004-April/000215.html
  [2] http://www.kolab.org/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.0/UPD/kolab-20040217-2.0.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAmPlfgHWT4GPEy58RAmh1AJ0UgFibDQE9uk64FmjgUe9o86goMgCgxtby
xBmfRHC1CpRnUPaZJntQMpg=
=1G7c
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri May  7 22:01:55 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 412023030F0; Fri,  7 May 2004 22:01:54 +0200 (CEST)
Date: Fri, 7 May 2004 22:01:54 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.020] OpenPKG Security Advisory (ssmtp)
Message-ID: <OpenPKG-SA-2004.020@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.020                                          07-May-2004
________________________________________________________________________

Package:             ssmtp
Vulnerability:       denial of service, code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:      Corrected Packages:
OpenPKG CURRENT      <= ssmtp-2.48-20040207  >= ssmtp-2.60.8-20040507
OpenPKG 2.0          <= ssmtp-2.48-2.0.0     >= ssmtp-2.48-2.0.1
OpenPKG 1.3          <= ssmtp-2.48-1.3.0     >= ssmtp-2.48-1.3.1

Dependent Packages:  none

Description:
  Two format string bugs were discovered in sSMTP [1], a simple
  sending-only Mail Transport Agent (MTA). Untrusted values in the
  functions die() and log_event() were passed to printf(3)-like
  functions as format strings. These vulnerabilities could potentially
  allow remote mail relays to cause a Denial of Service (DoS) and
  possibly execute arbitrary code. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0156 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  ssmtp". If you have the "ssmtp" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get ssmtp-2.48-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig ssmtp-2.48-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild ssmtp-2.48-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/ssmtp-2.48-2.0.1.*.rpm
________________________________________________________________________

References:
  [1] ftp://ftp.debian.org/debian/pool/main/s/ssmtp/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0156
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/ssmtp-2.48-1.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/ssmtp-2.48-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAm+sHgHWT4GPEy58RAoFBAKC9kbFPY0qTlByig5Wn1Ap0SLzGegCdGsJM
/GRUxOM0aISYf8fbvxpPqlc=
=JXhQ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed May 12 14:56:04 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id C42D5300928; Wed, 12 May 2004 14:56:03 +0200 (CEST)
Date: Wed, 12 May 2004 14:56:03 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
Message-ID: <OpenPKG-SA-2004.021@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.021                                          12-May-2004
________________________________________________________________________

Package:             apache
Vulnerability:       privilege escalation, denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.29-20040421 >= apache-1.3.31-20040511
OpenPKG 2.0          <= apache-1.3.29-2.0.0    >= apache-1.3.29-2.0.1
OpenPKG 1.3          <= apache-1.3.28-1.3.2    >= apache-1.3.28-1.3.3

Dependent Packages:  none

Description:
  With the release of the Apache HTTP Server [0] version 1.3.31, four
  security issues were fixed [1]:

  1. Access Control List (ACL) Handling:
     mod_access in Apache 1.3 before 1.3.30, when running on big-endian
     64-bit platforms, did not properly parse Allow/Deny rules using IP
     addresses without a netmask. This could allow remote attackers to
     bypass intended access restrictions. The Common Vulnerabilities and
     Exposures (CVE) project assigned the id CAN-2003-0993 [2] to the
     problem.

  2. Error Log Escape Sequence Filtering:
     Apache 1.3 before 1.3.30 did not filter terminal escape sequences
     from its error logs. This could make it easier for attackers
     to insert those sequences into the terminal emulators (of
     administrators viewing the error logs) containing vulnerabilities
     related to escape sequence handling. The Common Vulnerabilities and
     Exposures (CVE) project assigned the id CAN-2003-0020 [3] to the
     problem.

  3. Nonce Verification in Digest Authentication:
     mod_digest in Apache 1.3 before 1.3.31 did not verify that the
     nonce in a client response had actually been issued by the server.
     Apache now checks the nonce returned in the client response against
     an "AuthDigestRealmSeed" secret, exposed as an MD5 checksum, to
     confirm that it issued the nonce itself. The Common Vulnerabilities
     and Exposures (CVE) project assigned the id CAN-2003-0987 [4] to the
     problem.

  4. Starvation Issue in Serialized accept(2) Handling:
     Apache 1.3 before 1.3.30, when using multiple listening sockets
     on certain platforms, allows remote attackers to cause a Denial
     of Service (blocked new connections) via a short-lived connection
     on a rarely-accessed listening socket. This starvation situation
     caused a child to hold the accept(2) mutual exclusion lock and
     block out new connections (on any socket) until another connection
     arrives on that rarely-accessed listening socket. The source of
     the problem seems to be that under some Unix platforms accept(2)
     unexpectedly blocks after select(2) flagged a socket as readable.
     The Common Vulnerabilities and Exposures (CVE) project assigned the
     id CAN-2004-0174 [5] to the problem.
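  Item 2 above matters to anyone who reads error logs in a terminal:
  untrusted request data must be escaped before it is written, and logs
  written by an unfixed server should be scanned before they are
  displayed. The following is an added example, not Apache's code: it
  flags terminal escape sequences in constructed error_log lines and
  shows the escaping a logger should apply (control bytes become \xNN,
  a few get C-style names, backslash is doubled). The sample lines and
  function names are assumptions made for the example.

```python
import re

# Constructed error_log lines (not from the page). The second one carries
# terminal control sequences smuggled in through a requested path: clear
# screen, set window title, coloured fake prompt, reset.
SAMPLE_LINES = [
    "[Wed May 12 14:56:03 2004] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/htdocs/favicon.ico",
    "[Wed May 12 14:56:04 2004] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/htdocs/\x1b[2J\x1b]0;pwned\x07"
    "\x1b[1;31mroot@www:~# \x1b[0m",
]

# ESC followed by a CSI sequence (ESC [ params intermediates final), an OSC
# string (ESC ] ... BEL or ESC \) or a single Fe byte.
ESC_SEQ = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-Z\\-_])")

_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\\": "\\\\"}


def find_sequences(line):
    """Escape sequences present in an already written, unfiltered log line."""
    return ESC_SEQ.findall(line)


def scan_log(lines):
    """(line index, sequences) for every line that would drive a terminal."""
    return [(i, seqs) for i, line in enumerate(lines)
            if (seqs := find_sequences(line))]


def escape_logitem(item):
    """Make one untrusted log item safe to write: C0 controls, DEL and C1
    controls become \\xNN; newline, CR, tab and backslash get C-style names
    so the encoding stays unambiguous. Printable text passes through."""
    out = []
    for ch in item:
        code = ord(ch)
        if ch in _NAMED:
            out.append(_NAMED[ch])
        elif code < 0x20 or 0x7f <= code <= 0x9f:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)
```

  scan_log() is the check to run over logs of an unfixed server before
  opening them with cat or tail; escape_logitem() is what any logger
  that records attacker-controlled strings should do on the way in.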

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache". If you have the "apache" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [6][7].
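  Item 3 above is easiest to understand from both sides of the exchange.
  The following is an added example, not Apache's mod_digest code: the
  server mints a nonce from a timestamp and a keyed hash over a
  per-server secret (the role "AuthDigestRealmSeed" plays; HMAC-SHA256
  is used here in place of Apache's MD5 construction), the client
  computes an RFC 2617 digest response, and the server verifies the
  nonce is its own and fresh before doing the MD5 work. A flag models
  the pre-1.3.31 behaviour, where any client-supplied nonce is trusted
  and a captured response therefore stays valid. The realm, secret, user
  record and function names are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed values (not from the page): a realm, a per-server secret, and
# one user stored as HA1 = MD5(user:realm:password), as RFC 2617 allows.
REALM = "restricted@example.org"
SERVER_SECRET = b"constructed-secret-replace-with-random-bytes"
HA1_DB = {
    ("alice", REALM): hashlib.md5(f"alice:{REALM}:s3cret".encode()).hexdigest(),
}


def _tag(ts, realm, secret):
    # Keyed hash over issue time and realm: only the holder of the secret can
    # mint a nonce that verifies, so a client cannot choose its own.
    return hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()[:32]


def make_nonce(realm, secret, now=None):
    ts = int(time.time() if now is None else now)
    return f"{ts:08x}:{_tag(ts, realm, secret)}"


def nonce_is_ours(nonce, realm, secret, now=None, max_age=300):
    """True only for a nonce this server minted for this realm within max_age s."""
    try:
        ts_hex, tag = nonce.split(":", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _tag(ts, realm, secret)):
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= max_age


def client_response(username, password, realm, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def check_authorization(fields, secret, now=None, verify_nonce=True):
    """Server side. verify_nonce=False models the pre-1.3.31 behaviour the
    advisory describes: whatever nonce the client sends is used as-is."""
    if verify_nonce and not nonce_is_ours(fields["nonce"], fields["realm"], secret, now):
        return False
    ha1 = HA1_DB.get((fields["username"], fields["realm"]))
    if ha1 is None:
        return False
    ha2 = hashlib.md5(f"{fields['method']}:{fields['uri']}".encode()).hexdigest()
    expected = hashlib.md5(f"{ha1}:{fields['nonce']}:{ha2}".encode()).hexdigest()
    return hmac.compare_digest(expected, fields["response"])


def demo(now=1084370163):
    """One fresh exchange, one replay with an attacker-chosen nonce, one stale."""
    nonce = make_nonce(REALM, SERVER_SECRET, now)
    good = {"username": "alice", "realm": REALM, "method": "GET", "uri": "/private/",
            "nonce": nonce,
            "response": client_response("alice", "s3cret", REALM, "GET", "/private/", nonce)}
    # A (nonce, response) pair captured from an earlier exchange against a
    # nonce the server never issued; the password is used here only to
    # construct the sample, the attacker replaying it does not know it.
    old_nonce = "0000abcd:cafe"
    replay = dict(good, nonce=old_nonce,
                  response=client_response("alice", "s3cret", REALM, "GET", "/private/", old_nonce))
    return {
        "fresh": check_authorization(good, SERVER_SECRET, now),
        "replay_verified": check_authorization(replay, SERVER_SECRET, now),
        "replay_unverified": check_authorization(replay, SERVER_SECRET, now, verify_nonce=False),
        "stale": check_authorization(good, SERVER_SECRET, now + 3600),
    }
```

  Note the ordering in check_authorization(): the nonce check comes
  first, so a foreign or expired nonce is rejected before any password
  material is touched, and the max_age window bounds how long a captured
  response can be replayed even against a correct nonce.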

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [8][9], fetch it from the OpenPKG FTP service [10][11] or a mirror
  location, verify its integrity [12], build a corresponding binary
  RPM from it [6] and update your OpenPKG installation by applying the
  binary RPM [7]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get apache-1.3.29-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.29-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild apache-1.3.29-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.29-2.0.1.*.rpm
________________________________________________________________________

References:
  [0]  http://httpd.apache.org/
  [1]  http://www.apache.org/dist/httpd/CHANGES_1.3
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
  [6]  http://www.openpkg.org/tutorial.html#regular-source
  [7]  http://www.openpkg.org/tutorial.html#regular-binary
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.3.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] ftp://ftp.openpkg.org/release/2.0/UPD/
  [12] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAoh68gHWT4GPEy58RAj8AAKDAS62t6ZsSCS7TpVD8P96QboDy9gCfTea5
X7ToXybIkgWSavmLEQUwoBg=
=wAmy
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed May 19 21:50:16 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 237413000CC; Wed, 19 May 2004 21:50:16 +0200 (CEST)
Date: Wed, 19 May 2004 21:50:15 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs)
Message-ID: <OpenPKG-SA-2004.022@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.022                                          19-May-2004
________________________________________________________________________

Package:             cvs
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= cvs-1.12.7-20040414      >= cvs-1.12.8-20040519
OpenPKG 2.0          <= cvs-1.12.5-2.0.1         >= cvs-1.12.5-2.0.2
OpenPKG 1.3          <= cvs-1.12.1-1.3.4         >= cvs-1.12.1-1.3.5

Dependent Packages:  none

Description:
  Stefan Esser discovered [1] a remote vulnerability in Concurrent
  Versions System (CVS) [0] servers. CVS up to version 1.12.7 contains
  a flaw when deciding if a CVS entry line should get a modified or
  unchanged flag attached. This results in a heap overflow which can
  be exploited to execute arbitrary code on the CVS server. This
  could allow a repository compromise. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0396 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q cvs". If you have the "cvs" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get cvs-1.12.5-2.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig cvs-1.12.5-2.0.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild cvs-1.12.5-2.0.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvs-1.12.5-2.0.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.cvshome.org/
  [1] http://security.e-matters.de/advisories/072004.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.5.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/cvs-1.12.5-2.0.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAq7pegHWT4GPEy58RAmOdAJ9oEXtVcEjwX81JNeQwKmxEQ1yWwgCfQ52r
9a3G06r8K+fX+2o0t6D32Gc=
=ZobV
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed May 19 21:51:17 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 431E13000F8; Wed, 19 May 2004 21:51:17 +0200 (CEST)
Date: Wed, 19 May 2004 21:51:17 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.023] OpenPKG Security Advisory (subversion)
Message-ID: <OpenPKG-SA-2004.023@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.023                                          19-May-2004
________________________________________________________________________

Package:             subversion
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= subversion-1.0.2-20040518 >= subversion-1.0.3-20040519
OpenPKG 2.0          <= subversion-1.0.0-2.0.1    >= subversion-1.0.0-2.0.2
OpenPKG 1.3          N.A.                         N.A.

Dependent Packages:  none

Description:
  Stefan Esser discovered [1] a remote vulnerability in the Subversion
  [0] version control system. Subversion versions up to 1.0.2 are
  vulnerable to a date parsing vulnerability which can be abused to
  allow remote code execution on Subversion servers and therefore
  could lead to a repository compromise. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2004-0397 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  subversion". If you have the "subversion" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it
  [3] and update your OpenPKG installation by applying the binary RPM
  [4]. For the most recent release OpenPKG 2.0, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get subversion-1.0.0-2.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig subversion-1.0.0-2.0.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild subversion-1.0.0-2.0.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/subversion-1.0.0-2.0.2.*.rpm
________________________________________________________________________

References:
  [0] http://subversion.tigris.org/
  [1] http://security.e-matters.de/advisories/082004.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0397
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.0/UPD/subversion-1.0.0-2.0.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAq7p9gHWT4GPEy58RAnO9AJ9PZdFHZ4fiEQ32YnmKLpv5DwkgpACg+mmd
dK8h2s2C+EXUjQnRvQCEevg=
=iBLp
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed May 19 22:55:33 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id E5FEB2FED41; Wed, 19 May 2004 22:55:32 +0200 (CEST)
Date: Wed, 19 May 2004 22:55:32 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.024] OpenPKG Security Advisory (neon)
Message-ID: <OpenPKG-SA-2004.024@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.024                                          19-May-2004
________________________________________________________________________

Package:             neon, subversion, cadaver, sitecopy, tla
Vulnerability:       remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= neon-0.24.5-20040414      >= neon-0.24.6-20040519
                     <= subversion-1.0.2-20040518 >= subversion-1.0.3-20040519
                     <= cadaver-0.22.1-20040415   >= cadaver-0.22.2-20040519
                     <= sitecopy-0.13.4-20040416  >= sitecopy-0.13.4-20040519
                     <= tla-1.2-20040416          >= tla-1.2-20040519
OpenPKG 2.0          <= neon-0.24.4-2.0.1         >= neon-0.24.4-2.0.2
                     <= subversion-1.0.0-2.0.1    >= subversion-1.0.0-2.0.2
                     <= cadaver-0.22.0-2.0.1      >= cadaver-0.22.0-2.0.2
                     <= sitecopy-0.13.4-2.0.1     >= sitecopy-0.13.4-2.0.2
OpenPKG 1.3          <= neon-0.24.0-1.3.1         >= neon-0.24.0-1.3.2
                     <= sitecopy-0.13.3-1.3.1     >= sitecopy-0.13.3-1.3.2

Dependent Packages:  none

Description:
  Stefan Esser discovered [1] a vulnerability within a date parsing
  function in the Neon HTTP and WebDAV client library [0]. If a
  specially crafted date string is passed to the ne_rfc1036_parse()
  function it may trigger an sscanf() string overflow into static heap
  variables. Exploitability heavily depends on the application linked
  against Neon, but is considered trivial in cases where an
  out-of-memory condition can be triggered, because the overflowing
  variable is placed in front of the Neon out-of-memory callback
  function pointer. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CAN-2004-0398 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q neon" (respectively for "subversion", "cadaver", "sitecopy" and
  "tla"). If you have one of the packages installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].
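  Every advisory on this page asks the reader to compare the output of
  "<prefix>/bin/rpm -q <package>" against an "Affected Packages" column
  by hand, and this one lists five packages across three releases. The
  following is an added example, not OpenPKG code, that serves all of
  those "Please check whether you are affected" paragraphs: it
  re-implements RPM's version ordering (rpmvercmp), splits the
  name-version-release strings rpm -q prints, and decides for each
  installed package whether it falls at or below the affected version or
  already at or above the corrected one. The table is transcribed from
  this advisory; the rpm -q output is constructed, and the function
  names are assumptions made for the example.

```python
# Transcribed from the OpenPKG-SA-2004.024 table above, keyed by OpenPKG
# release: (highest affected package, lowest corrected package).
SA_2004_024 = {
    "2.0": [
        ("neon-0.24.4-2.0.1", "neon-0.24.4-2.0.2"),
        ("subversion-1.0.0-2.0.1", "subversion-1.0.0-2.0.2"),
        ("cadaver-0.22.0-2.0.1", "cadaver-0.22.0-2.0.2"),
        ("sitecopy-0.13.4-2.0.1", "sitecopy-0.13.4-2.0.2"),
    ],
    "1.3": [
        ("neon-0.24.0-1.3.1", "neon-0.24.0-1.3.2"),
        ("sitecopy-0.13.3-1.3.1", "sitecopy-0.13.3-1.3.2"),
    ],
}

# Constructed `rpm -q neon subversion cadaver sitecopy` output, not from the page.
SAMPLE_RPM_Q = """\
neon-0.24.4-2.0.1
subversion-1.0.0-2.0.2
package cadaver is not installed
sitecopy-0.13.4-2.0.1
"""


def _segment(s, k, pred):
    start = k
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k


def rpmvercmp(a, b):
    """RPM's version-string ordering, re-implemented: a string is a sequence
    of segments, each a run of digits or a run of letters, everything else
    being a separator. Digit runs compare numerically (leading zeros
    ignored), letter runs lexically, a digit run is newer than a letter run,
    and whichever side has segments left over is newer. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pred = str.isdigit if numeric else str.isalpha
        sa, i2 = _segment(a, i, pred)
        sb, j2 = _segment(b, j, pred)
        if not sb:                       # segment types differ: digits win
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i2, j2
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1


def split_nvr(nvr):
    """'neon-0.24.4-2.0.1' -> ('neon', '0.24.4', '2.0.1'): the last two
    dash-separated fields are version and release, as rpm -q prints them."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vr_cmp(a, b):
    """Order (version, release) pairs the way rpm orders packages."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def is_affected(installed, table):
    """True/False for a package the table names; None if it is not listed."""
    name, v, r = split_nvr(installed)
    for affected, corrected in table:
        aname, av, ar = split_nvr(affected)
        if aname != name:
            continue
        if vr_cmp((v, r), (av, ar)) <= 0:
            return True
        _, cv, cr = split_nvr(corrected)
        return vr_cmp((v, r), (cv, cr)) < 0   # between the two: not yet corrected
    return None


def check_rpm_q(output, table):
    """Verdict per line of `<prefix>/bin/rpm -q pkg...`; 'package X is not
    installed' lines are skipped."""
    verdicts = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        verdicts[line] = is_affected(line, table)
    return verdicts
```

  Pick the table for the OpenPKG release actually installed: the same
  package name carries different version numbers in 2.0 and 1.3, and a
  1.3 package compared against the 2.0 row would be misjudged.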

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6][7][8][9][10], fetch it from the OpenPKG FTP service [11][12]
  or a mirror location, verify its integrity [13], build a corresponding
  binary RPM from it [3] and update your OpenPKG installation by
  applying the binary RPM [4]. For the most recent release OpenPKG 2.0,
  perform the following operations to permanently fix the security
  problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get neon-0.24.4-2.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig neon-0.24.4-2.0.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild neon-0.24.4-2.0.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/neon-0.24.4-2.0.2.*.rpm

  Additionally, perform similar steps for the "subversion", "cadaver",
  "sitecopy" and "tla" packages.
________________________________________________________________________

References:
  [0]  http://www.webdav.org/neon/
  [1]  http://security.e-matters.de/advisories/062004.html
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398
  [3]  http://www.openpkg.org/tutorial.html#regular-source
  [4]  http://www.openpkg.org/tutorial.html#regular-binary
  [5]  ftp://ftp.openpkg.org/release/1.3/UPD/neon-0.24.0-1.3.2.src.rpm
  [6]  ftp://ftp.openpkg.org/release/1.3/UPD/sitecopy-0.13.3-1.3.2.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.0/UPD/neon-0.24.4-2.0.2.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.0/UPD/subversion-1.0.0-2.0.2.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/cadaver-0.22.0-2.0.2.src.rpm
  [10] ftp://ftp.openpkg.org/release/2.0/UPD/sitecopy-0.13.4-2.0.2.src.rpm
  [11] ftp://ftp.openpkg.org/release/1.3/UPD/
  [12] ftp://ftp.openpkg.org/release/2.0/UPD/
  [13] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAq8mzgHWT4GPEy58RAt4UAJ9Rmkb2p8hUofMJK4D9WdDOvBnUegCgknv5
lfvBQWamox0hDjNA4Wa/uB8=
=fVnD
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri May 21 18:20:22 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id DD31C30010A; Fri, 21 May 2004 18:20:21 +0200 (CEST)
Date: Fri, 21 May 2004 18:20:21 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.025] OpenPKG Security Advisory (rsync)
Message-ID: <OpenPKG-SA-2004.025@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.025                                          21-May-2004
________________________________________________________________________

Package:             rsync
Vulnerability:       filesystem intrusion
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= rsync-2.6.0-20040324     >= rsync-2.6.1-20040428
OpenPKG 2.0          <= rsync-2.6.0-2.0.0        >= rsync-2.6.0-2.0.1
OpenPKG 1.3          <= rsync-2.5.6-1.3.1        >= rsync-2.5.6-1.3.2

Dependent Packages:  none

Description:
  According to a Rsync [0] security advisory [1], versions before
  2.6.1 do not properly sanitize paths when running as a read/write
  daemon without using chroot(2). This allows remote attackers to write
  files outside of the module's path. The OpenPKG default is to run
  a read-only daemon using chroot(2). The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0426 [2] to the
  problem.
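
  The missing check the advisory describes, module-path containment for
  a daemon that runs without chroot(2), as an added Python illustration
  that is not rsync's own code. Module layout, probe paths and the
  function names are constructed for the example.

```python
"""Added example, not rsync's own code: the module-root containment
check that CAN-2004-0426 describes as missing from a read/write rsync
daemon running without chroot(2)."""
import os
import tempfile
from typing import Dict


class PathEscapesModule(ValueError):
    """Raised when a client-supplied path would leave the module root."""


def resolve_in_module(module_root: str, client_path: str) -> str:
    """Map a client-supplied path onto the module root and return the
    absolute filesystem path, or raise PathEscapesModule.

    Two independent checks, both required:
      1. lexical: once normalised, the path must not begin with '..', so
         'docs/../../etc/passwd' is refused before the filesystem is
         touched;
      2. physical: after symlinks are resolved the real path must still
         lie under the real module root, so a symlink inside the module
         that points outside it cannot be used as an exit.
    chroot(2) makes escape impossible regardless; this check is what a
    daemon needs when it cannot chroot.
    """
    root = os.path.realpath(module_root)
    # A leading '/' is module-relative in rsync's protocol, not the host root.
    rel = os.path.normpath(client_path.lstrip("/"))
    if rel == ".." or rel.startswith(".." + os.sep) or os.path.isabs(rel):
        raise PathEscapesModule(client_path)
    real = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, real]) != root:
        raise PathEscapesModule(client_path)
    return real


def demo() -> Dict[str, str]:
    """Exercise the check against a constructed module directory holding
    one legitimate subdirectory and one symlink that escapes the module."""
    probes = [
        "docs/readme.txt",          # ordinary file inside the module
        "/docs/readme.txt",         # module-relative absolute path
        "docs/../../outside/x",     # lexical traversal
        "../outside/x",             # plain traversal
        "escape/x",                 # traversal through an in-module symlink
    ]
    verdict: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as base:
        module = os.path.join(base, "module")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(module, "docs"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(module, "escape"))
        for p in probes:
            try:
                resolve_in_module(module, p)
                verdict[p] = "allowed"
            except PathEscapesModule:
                verdict[p] = "rejected"
    return verdict


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:8s} {path}")
```

  The physical check is still racy: a client who can create a symlink
  between the check and the later open() can win the race, which is why
  the OpenPKG default of a read-only daemon inside chroot(2) is the
  stronger posture and this check only complements it.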

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  rsync". If you have the "rsync" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get rsync-2.6.0-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig rsync-2.6.0-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild rsync-2.6.0-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/rsync-2.6.0-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://rsync.samba.org/
  [1] http://rsync.samba.org/index.html#security_apr04
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/rsync-2.5.6-1.3.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/rsync-2.6.0-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFArivtgHWT4GPEy58RAnEFAJ44zlK748Yrc6UT/1a1iIESRxJJ+wCePQFs
NmRw90v1Pry2EhTfrDO2D+U=
=zbta
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu May 27 15:55:09 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 773A9300726; Thu, 27 May 2004 15:55:09 +0200 (CEST)
Date: Thu, 27 May 2004 15:55:09 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.026] OpenPKG Security Advisory (apache)
Message-ID: <OpenPKG-SA-2004.026@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.026                                          27-May-2004
________________________________________________________________________

Package:             apache (option "with_mod_ssl" only)
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.31-20040524 >= apache-1.3.31-20040527
OpenPKG 2.0          <= apache-1.3.29-2.0.1    >= apache-1.3.29-2.0.2
OpenPKG 1.3          <= apache-1.3.28-1.3.3    >= apache-1.3.28-1.3.4

Dependent Packages:  none

Description:
  Georgi Guninski discovered [1] a stack-based buffer overflow in
  the "SSLOptions +FakeBasicAuth" implementation of Apache's SSL/TLS
  extension module mod_ssl [0]. The overflow can occur if the Subject-DN
  in the client certificate exceeds 6KB in length and mod_ssl is
  configured to trust the issuing CA. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0488 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_ssl". If you
  have the "apache" package with option "with_mod_ssl" installed and its
  version is affected (see above), we recommend that you immediately
  upgrade (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get apache-1.3.29-2.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.29-2.0.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild --with mod_ssl apache-1.3.29-2.0.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.29-2.0.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.modssl.org/
  [1] http://lists.netsys.com/pipermail/full-disclosure/2004-May/021610.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.4.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAtfL+gHWT4GPEy58RAiHXAJ9sFlOogbuUgnwzcLAam4kLK2jo/ACffjv6
giSMaA/9esxIATuQipW17rg=
=agtL
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Jun 11 11:02:46 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 80D8C301437; Fri, 11 Jun 2004 11:02:45 +0200 (CEST)
Date: Fri, 11 Jun 2004 11:02:45 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)
Message-ID: <OpenPKG-SA-2004.027@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.027                                          11-Jun-2004
________________________________________________________________________

Package:             cvs
Vulnerability:       multiple remote compromises
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= cvs-1.12.8-20040607      >= cvs-1.12.9-20040609
OpenPKG 2.0          <= cvs-1.12.5-2.0.2         >= cvs-1.12.5-2.0.3
OpenPKG 1.3          <= cvs-1.12.1-1.3.5         >= cvs-1.12.1-1.3.6

Dependent Packages:  none

Description:
  According to an e-matters Security Advisory [0] multiple
  vulnerabilities exist in the Concurrent Versions System (CVS) [1].
  Derek Price, Stefan Esser and Sebastian Krahmer discovered and fixed
  several security issues. The Common Vulnerabilities and Exposures
  (CVE) project assigned the ids CAN-2004-0414 [2], CAN-2004-0416 [3],
  CAN-2004-0417 [4] and CAN-2004-0418 [5] to the problems.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  cvs". If you have the "cvs" package installed and its version is
  affected (see above), we recommend that you immediately upgrade
  it (see Solution) [6][7].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [8][9], fetch it from the OpenPKG FTP service [10][11] or a mirror
  location, verify its integrity [12], build a corresponding binary RPM
  from it [6] and update your OpenPKG installation by applying the
  binary RPM [7]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get cvs-1.12.5-2.0.3.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig cvs-1.12.5-2.0.3.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild cvs-1.12.5-2.0.3.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvs-1.12.5-2.0.3.*.rpm
________________________________________________________________________

References:
  [0] http://security.e-matters.de/advisories/092004.html
  [1] http://www.cvshome.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0414
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0416
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417
  [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0418
  [6] http://www.openpkg.org/tutorial.html#regular-source
  [7] http://www.openpkg.org/tutorial.html#regular-binary
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.6.src.rpm
  [9] ftp://ftp.openpkg.org/release/2.0/UPD/cvs-1.12.5-2.0.3.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] ftp://ftp.openpkg.org/release/2.0/UPD/
  [12] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAyXTYgHWT4GPEy58RAp93AKDKea45fXYm6b4bGo/vtaYptkHKcQCfT2Be
iPAfGSx6YEXwHXw6gQXa2Lg=
=5PbF
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Jun 11 14:29:13 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 56C40301410; Fri, 11 Jun 2004 14:29:12 +0200 (CEST)
Date: Fri, 11 Jun 2004 14:29:12 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.028] OpenPKG Security Advisory (subversion)
Message-ID: <OpenPKG-SA-2004.028@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.028                                          11-Jun-2004
________________________________________________________________________

Package:             subversion
Vulnerability:       denial of service, arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= subversion-1.0.4-20040522 >= subversion-1.0.5-20040611
OpenPKG 2.0          <= subversion-1.0.0-2.0.2    >= subversion-1.0.0-2.0.3
OpenPKG 1.3          N.A.                         N.A.

Dependent Packages:  none

Description:
  Subversion [1] versions up to and including 1.0.4 have a potential
  Denial of Service and Heap Overflow issue related to the parsing of
  strings in the 'svn://' family of access protocols. This affects only
  sites running svnserve. It does not affect 'http://' access. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0413 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  subversion". If you have the "subversion" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it
  [3] and update your OpenPKG installation by applying the binary RPM
  [4]. For the most recent release OpenPKG 2.0, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get subversion-1.0.0-2.0.3.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig subversion-1.0.0-2.0.3.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild subversion-1.0.0-2.0.3.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/subversion-1.0.0-2.0.3.*.rpm
________________________________________________________________________

References:
  [1] http://subversion.tigris.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0413
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.0/UPD/subversion-1.0.0-2.0.3.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAyaV0gHWT4GPEy58RAgICAJ9aE/y35rI+nJBtOXl0up9CYr/XagCg+NLz
WMWzhtR+N3/aOkX4UJBOYCw=
=4sHV
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Jun 11 17:19:48 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id A76193013EE; Fri, 11 Jun 2004 17:19:47 +0200 (CEST)
Date: Fri, 11 Jun 2004 17:19:47 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.029] OpenPKG Security Advisory (apache)
Message-ID: <OpenPKG-SA-2004.029@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.029                                          11-Jun-2004
________________________________________________________________________

Package:             apache
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.31-20040608   >= apache-1.3.31-20040611
OpenPKG 2.0          <= apache-1.3.29-2.0.2      >= apache-1.3.29-2.0.3
OpenPKG 1.3          <= apache-1.3.28-1.3.4      >= apache-1.3.28-1.3.5

Dependent Packages:  none

Description:
  According to a security advisory from Georgi Guninski [0] there
  is a buffer overflow in Apache's [1] mod_proxy module. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0492 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache". If you have the "apache" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get apache-1.3.29-2.0.3.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.29-2.0.3.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild apache-1.3.29-2.0.3.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.29-2.0.3.*.rpm
________________________________________________________________________

References:
  [0] http://www.guninski.com/modproxy1.html
  [1] http://httpd.apache.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.5.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFAyc1YgHWT4GPEy58RAtZ/AKCsMInghsXLgfoIrxW7UdIrNnRkVQCgpY9a
gVYdb52x4NXvU6axD7fLKMQ=
=vBGf
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jul  6 16:12:43 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 6D8B5300B15; Tue,  6 Jul 2004 16:12:42 +0200 (CEST)
Date: Tue, 6 Jul 2004 16:12:42 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.030] OpenPKG Security Advisory (png)
Message-ID: <OpenPKG-SA-2004.030@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.030                                          06-Jul-2004
________________________________________________________________________

Package:             png
Vulnerability:       buffer overflow vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= png-1.2.5-20040527        >= png-1.2.5-20040629
                     <= doxygen-1.3.7-20040507    >= doxygen-1.3.7-20040630
                     <= ghostscript-8.14-20040604 >= ghostscript-8.14-20040630
                     <= kde-qt-3.2.3-20040429     >= kde-qt-3.2.3-20040702
                     <= pdflib-5.0.3-20040625     >= pdflib-5.0.3-20040701
                     <= perl-tk-5.8.4-20040622    >= perl-tk-5.8.4-20040701
                     <= qt-3.3.2-20040615         >= qt-3.3.2-20040702
                     <= rrdtool-1.0.48-20040513   >= rrdtool-1.0.48-20040702
                     <= tetex-2.0.2-20040429      >= tetex-2.0.2-20040702
                     <= wx-2.4.2-20040425         >= wx-2.4.2-20040702

OpenPKG 2.0          <= png-1.2.5-2.0.1           >= png-1.2.5-2.0.2
                     <= doxygen-1.3.6-2.0.1       >= doxygen-1.3.6-2.0.2
                     <= ghostscript-8.13-2.0.1    >= ghostscript-8.13-2.0.2
                     <= pdflib-5.0.3-2.0.1        >= pdflib-5.0.3-2.0.2
                     <= perl-tk-5.8.3-2.0.1       >= perl-tk-5.8.3-2.0.2
                     <= qt-3.2.3-2.0.1            >= qt-3.2.3-2.0.2
                     <= rrdtool-1.0.46-2.0.1      >= rrdtool-1.0.46-2.0.2
                     <= tetex-2.0.2-2.0.1         >= tetex-2.0.2-2.0.2

OpenPKG 1.3          <= png-1.2.5-1.3.1           >= png-1.2.5-1.3.2
                     <= doxygen-1.3.3-1.3.1       >= doxygen-1.3.3-1.3.2
                     <= ghostscript-8.10-1.3.1    >= ghostscript-8.10-1.3.2
                     <= pdflib-5.0.1-1.3.1        >= pdflib-5.0.1-1.3.2
                     <= perl-tk-1.3.0-1.3.1       >= perl-tk-1.3.0-1.3.2
                     <= rrdtool-1.0.45-1.3.1      >= rrdtool-1.0.45-1.3.2
                     <= tetex-2.0.2-1.3.1         >= tetex-2.0.2-1.3.2

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache autotrace blender cups emacs gd gdk-pixbuf
                     gif2png gimp gnuplot gqview graphviz gtk2
                     imagemagick imlib latex2html lbreakout libwmf
                     mplayer mrtg nagios netpbm perl-gd php php3 php5
                     povray pstoedit scribus transfig webalizer wml wv
                     xemacs xfig xine-ui xplanet xv zimg

OpenPKG 2.0          apache autotrace emacs gd gdk-pixbuf ghostscript
                     gif2png gimp gnuplot graphviz gtk2 imagemagick
                     imlib latex2html libwmf mozilla netpbm perl-gd
                     perl-tk php png pstoedit qt transfig webalizer wml
                     xfig xv

OpenPKG 1.3          apache autotrace emacs gd gdk-pixbuf gif2png gimp
                     gnuplot graphviz gtk2 imagemagick imlib latex2html
                     libwmf netpbm perl-gd php pstoedit webalizer wml xv

Description:
  In a previous OpenPKG security advisory [0], a buffer overflow
  vulnerability was addressed in the Portable Network Graphics (PNG)
  library libpng [1] in connection with 16-bit samples. The starting
  offsets for the loops are calculated incorrectly which may cause
  a buffer overrun beyond the beginning of the row buffer. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2002-1363 [2] to the problem. During an audit of Red Hat Linux
  updates, the Fedora Legacy team found another occurrence of this
  buffer overflow related to grayscale images. This OpenPKG update
  addresses the additional problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q png" (and similarly for the other affected packages which have
  PNG included). If you have the "png" package (or one of the others)
  installed and its version is affected (see above), we recommend that
  you immediately upgrade it (see Solution) and its dependent packages
  (see above), if any, too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get png-1.2.5-2.0.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig png-1.2.5-2.0.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild png-1.2.5-2.0.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/png-1.2.5-2.0.2.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
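
  Every advisory in this archive asks you to compare the output of
  "<prefix>/bin/rpm -q <package>" with its Affected/Corrected table. As
  an added example that is not OpenPKG's own tooling, the following
  Python re-implements rpm's version comparison (the rpmvercmp(3)
  algorithm: digit runs compared numerically, letter runs lexically, a
  number sorting after letters) and applies it to the OpenPKG 2.0 rows of
  the png table above. The "rpm -q" output is constructed; the function
  names are the example's own.

```python
"""Added example: decide whether an installed OpenPKG package falls into an
advisory's "Affected Packages" range. Not OpenPKG's own tooling; the
version comparison re-implements the rpmvercmp(3) algorithm in Python."""
import re
from typing import Dict, Tuple

# An RPM version/release string is compared as a sequence of segments:
# runs of digits or runs of letters; every other character is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm does.

    Segment by segment: numeric segments compare numerically (leading
    zeros ignored), alphabetic ones lexically, and a numeric segment sorts
    after an alphabetic one. When one string runs out of segments the
    longer one is newer. Returns -1, 0 or 1 (the ~ and ^ extensions of
    modern rpm are not implemented; the 2004 advisories never use them).
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:          # number vs. letters: number is newer
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):    # longer digit string is the larger number
                return 1 if len(x) > len(y) else -1
        if x != y:                  # same length: plain string order decides
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'neon-0.24.4-2.0.2' -> ('neon', '0.24.4', '2.0.2'). The release is
    the last dash-separated field and the version the one before it, so
    names containing dashes (perl-tk, kde-qt) are handled."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(a: str, b: str) -> int:
    """Order two N-V-R strings of the same package: version first, then
    release (the advisories carry no epoch)."""
    name_a, ver_a, rel_a = split_nvr(a)
    name_b, ver_b, rel_b = split_nvr(b)
    if name_a != name_b:
        raise ValueError(f"package names differ: {name_a} vs {name_b}")
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


# OpenPKG 2.0 rows copied from the png advisory table above
# (OpenPKG-SA-2004.030): name -> (affected upper bound, corrected lower bound).
ADVISORY_2_0: Dict[str, Tuple[str, str]] = {
    "png":         ("png-1.2.5-2.0.1",        "png-1.2.5-2.0.2"),
    "ghostscript": ("ghostscript-8.13-2.0.1", "ghostscript-8.13-2.0.2"),
    "pdflib":      ("pdflib-5.0.3-2.0.1",     "pdflib-5.0.3-2.0.2"),
    "perl-tk":     ("perl-tk-5.8.3-2.0.1",    "perl-tk-5.8.3-2.0.2"),
}


def audit(rpm_q_output: str, table: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Classify each installed package from 'rpm -q' output (one N-V-R per
    line) as 'affected', 'fixed' or, for a release between the two bounds
    (e.g. a local rebuild), 'unknown'. Packages outside the table and
    'package X is not installed' lines are skipped."""
    verdict: Dict[str, str] = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):
            continue
        name = split_nvr(line)[0]
        if name not in table:
            continue
        affected_max, corrected_min = table[name]
        if compare_nvr(line, affected_max) <= 0:
            verdict[name] = "affected"
        elif compare_nvr(line, corrected_min) >= 0:
            verdict[name] = "fixed"
        else:
            verdict[name] = "unknown"
    return verdict


# Constructed sample output of
#   <prefix>/bin/rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' png ghostscript pdflib perl-tk
SAMPLE_RPM_Q = """\
png-1.2.5-2.0.1
ghostscript-8.13-2.0.2
package pdflib is not installed
perl-tk-5.8.3-2.0.1
"""

if __name__ == "__main__":
    for pkg, state in sorted(audit(SAMPLE_RPM_Q, ADVISORY_2_0).items()):
        print(f"{pkg:12s} {state}")
```

  Query with an explicit --qf format as in the sample so that the output
  is exactly name-version-release; newer rpm releases append the
  architecture to plain "rpm -q" output, which would end up in the
  release field.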
________________________________________________________________________

References:
  [0] http://www.openpkg.org/security/OpenPKG-SA-2003.001-png.html
  [1] http://www.libpng.org/pub/png/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/png-1.2.5-1.3.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/png-1.2.5-2.0.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFA6rMXgHWT4GPEy58RAhg6AJ0e+JlFr6f+DeQ4O6jqWcwK/J2o4gCcDftH
FtWb78lAsCODyiZ/A3tXS8E=
=wWJs
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul  8 21:38:32 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 503DE30126F; Thu,  8 Jul 2004 21:38:32 +0200 (CEST)
Date: Thu, 8 Jul 2004 21:38:32 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)
Message-ID: <OpenPKG-SA-2004.031@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.031                                          08-Jul-2004
________________________________________________________________________

Package:             dhcpd
Vulnerability:       denial of service, arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= dhcpd-3.0.1rc13-20040524 >= dhcpd-3.0.1rc14-20040623
OpenPKG 2.0          <= dhcpd-3.0.1rc13-2.0.0    >= dhcpd-3.0.1rc13-2.0.1
OpenPKG 1.3          <= dhcpd-3.0.1rc11-1.3.0    >= dhcpd-3.0.1rc11-1.3.1

Affected Releases:   Dependent Packages: none

Description:
  As reported by US-CERT [0], Gregory Duchemin discovered several
  vulnerabilities in the ISC DHCP Distribution [1].

  Several buffer overflows in the logging of excessively long hostnames
  supplied by clients were closed. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0460 [2] to the
  problem.

  Another issue was evident on some specific platforms where the dhcpd
  build mechanism ignored the existence of the [v]snprintf(3) functions
  and used the weaker [v]sprintf(3), which lack bounds checking. The
  RELEASE updates enforce use of the bounded functions after it was
  verified that they exist on all platforms supported by OpenPKG. The
  CURRENT update contains a vendor fix explicitly providing a suitable
  function. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0461 [3] to the problem.
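
  The following is an added example, not dhcpd or OpenPKG code, of the
  difference the update enforces: a logging helper that formats a
  client-supplied hostname into a fixed buffer with vsnprintf(3),
  detects truncation, and therefore cannot overrun the buffer the way
  [v]sprintf(3) would. The buffer size, the log message text and the
  helper names are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size log line buffer, the kind of static buffer a daemon formats
 * client-supplied strings into. Size constructed for this example. */
#define LOGBUF 256

/* Bounded formatting. vsnprintf(3) never writes more than buflen bytes
 * (terminating NUL included) and returns the length the complete message
 * would have needed, so truncation is detected instead of silently
 * overrunning the buffer as [v]sprintf(3) would. Returns 1 if the line
 * fit, 0 if it was cut to buflen-1 characters, -1 on a formatting error
 * or an unusable buffer. */
int log_bounded(char *buf, size_t buflen, const char *fmt, ...) {
    va_list ap;
    int n;

    if (buf == NULL || buflen == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= buflen ? 0 : 1;
}

/* Format a request log line for a client hostname. The hostname is
 * untrusted data, so it is passed as the %s argument and never spliced
 * into the format string itself. Hypothetical message text. */
int log_request(char *buf, size_t buflen, const char *hostname) {
    return log_bounded(buf, buflen, "DHCPREQUEST from %s", hostname);
}

/* Log a constructed hostname of `hostlen` 'A' characters into a LOGBUF
 * buffer; store the resulting line length and return the status. */
static int build_and_log(size_t hostlen, size_t *len_out) {
    char buf[LOGBUF];
    char *name = malloc(hostlen + 1);
    int status;

    if (name == NULL) return -1;
    memset(name, 'A', hostlen);
    name[hostlen] = '\0';
    status = log_request(buf, sizeof buf, name);
    *len_out = strlen(buf);
    free(name);
    return status;
}

/* Line length produced for a hostname of hostlen characters; never
 * exceeds LOGBUF-1 however long the hostname is. (size_t)-1 on failure. */
size_t logged_len(size_t hostlen) {
    size_t len = 0;
    if (build_and_log(hostlen, &len) < 0) return (size_t)-1;
    return len;
}

/* Status for the same input: 1 fit, 0 truncated, -1 error. */
int logged_status(size_t hostlen) {
    size_t len;
    return build_and_log(hostlen, &len);
}

int main(void) {
    printf("10-char hostname:  len=%zu status=%d\n",
           logged_len(10), logged_status(10));
    printf("600-char hostname: len=%zu status=%d\n",
           logged_len(600), logged_status(600));
    return 0;
}
```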

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q dhcpd". If you have the "dhcpd" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get dhcpd-3.0.1rc13-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig dhcpd-3.0.1rc13-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild dhcpd-3.0.1rc13-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/dhcpd-3.0.1rc13-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.us-cert.gov/cas/techalerts/TA04-174A.html
  [1] http://www.isc.org/products/DHCP/dhcp-v3.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0460
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0461
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/dhcpd-3.0.1rc11-1.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.0/UPD/dhcpd-3.0.1rc13-2.0.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFA7aKWgHWT4GPEy58RAs1iAJ9Uz3GmUXo0npwUKIQ2sWXeFO03tACgk6D4
Nh1gkVYtUUa0/diFjixbv7s=
=NUn4
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Jul 16 20:47:41 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 1BCD3300FB9; Fri, 16 Jul 2004 20:47:41 +0200 (CEST)
Date: Fri, 16 Jul 2004 20:47:40 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache)
Message-ID: <OpenPKG-SA-2004.032@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.032                                          16-Jul-2004
________________________________________________________________________

Package:             apache [with_mod_ssl=yes]
Vulnerability:       format string vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.31-20040714   >= apache-1.3.31-20040716
OpenPKG 2.1          <= apache-1.3.31-2.1.0      >= apache-1.3.31-2.1.1
OpenPKG 2.0          <= apache-1.3.29-2.0.3      >= apache-1.3.29-2.0.4
OpenPKG 1.3          <= apache-1.3.28-1.3.5      >= apache-1.3.28-1.3.6

Dependent Packages:  none

Description:
  Triggered by a report to Packet Storm [1] from Virulent, a format
  string vulnerability was found in mod_ssl [2], the Apache SSL/TLS
  interface to OpenSSL, in versions up to and including 2.8.18 for
  Apache 1.3. The mod_ssl in Apache 2.x is not affected. The
  vulnerability could be exploitable if Apache is used as a proxy for
  HTTPS URLs and the attacker has established their own specially
  prepared DNS and origin server environment.
  
  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_ssl". If you
  have the "apache" package with option "with_mod_ssl" installed and its
  version is affected (see above), we recommend that you immediately
  upgrade (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get apache-1.3.29-2.0.4.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.29-2.0.4.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild --with mod_ssl apache-1.3.29-2.0.4.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.29-2.0.4.*.rpm
________________________________________________________________________

References:
  [1] http://packetstormsecurity.org/
  [2] http://www.modssl.org/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.6.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.4.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFA+CKjgHWT4GPEy58RAg8QAKCT6T+qmU7ho784mS6SKxGJr/QeVgCeNzuK
Z+jhcuoQT+jRZx9j57TXd4c=
=XGfa
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jul 20 10:27:10 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 73B132FDAA4; Tue, 20 Jul 2004 10:27:10 +0200 (CEST)
Date: Tue, 20 Jul 2004 10:27:10 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Cc: openpkg-users@openpkg.org, openpkg-dev@openpkg.org
Subject: [ANNOUNCE] OpenPKG 2.1
Message-ID: <20040720082710.GA6473@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 20-Jul-2004

    The OpenPKG project releases version 2.1 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- July 20, 2004 -- The
  OpenPKG project is proud to announce version 2.1 of its OpenPKG
  software, another evolutionary step after a series of five
  predecessors within three years.

  Much valued by IT decision makers and beloved by Unix system
  administrators, OpenPKG is the world leading instrument for deployment
  and maintenance of Open Source Unix software when administration
  crosses platform boundaries. The unique OpenPKG architecture leverages
  proven technologies like Red Hat Package Manager (RPM) and OSSP
  and GNU components to establish a unified software administration
  environment, independent of the underlying Unix operating system.

  NEW IN VERSION 2.1

  OpenPKG platform support has increased again and OpenPKG 2.1 is now
  available for 21 different Unix flavors. Most notably, it is supported
  on FreeBSD 4.10 and 5.2, Debian GNU/Linux 3.0, Red Hat Enterprise
  Linux 3, Red Hat Fedora Core 2, SuSE Linux 9.1, and Sun Solaris 8 and
  9. Additionally, all CORE and the vast majority of BASE class packages
  are already available for the tentative platforms NetBSD 1.6.2, Debian
  GNU/Linux 3.1, Gentoo Linux 1.4.16, Mandrake Linux 10.0, Sun Solaris
  10 and HP HP-UX 11.11 and they are still available for the obsoleted
  platforms Red Hat Linux 9, SuSE Linux 9.0, and Sun Solaris 2.6.

  Since the previous release four months ago, the OpenPKG package
  repository has again grown by 10%. A subset of 495 packages were
  carefully selected for inclusion into the OpenPKG 2.1 release,
  including latest versions of popular Open Source Unix software like
  Apache, Bash, BIND, GCC, INN, Mozilla, MySQL, OpenSSH, Perl, Postfix,
  PostgreSQL, Samba, Squid, teTeX and Vim.

  The major technical efforts for this release were spent on the porting
  of all packages to five additional Unix platforms and the necessary
  adjustments to packages required by GCC 3.4.

  Another key target of OpenPKG 2.1 is the availability of the
  consolidated and packaged tool chain to the community. It consists of
  all packaging tools used by the OpenPKG team, including their official
  OpenPKG development shell ("openpkg dev"). This now enables everyone
  to establish a local OpenPKG development environment, allowing the
  creation of private packages, the modification of existing packages
  and the maintenance of local changes.

  VOICE OF THE SPONSOR

  "The base of Unix server installations, which my datacenter services
  team is responsible for, has been increased by a factor of 250%
  during the last six months. Thanks to our continuous deployment of
  OpenPKG, we were able to cope with this administration challenge
  while retaining the high service quality with the existing number
  of engineers."
                                      Hennie van den Berg,
                                      Director IT Services Europe,
                                      Cable & Wireless

  HIGHLIGHTS OF OPENPKG

  * Portable across major Unix flavors.
  * Available for the supported platforms:
    FreeBSD 4.10/5.2, Debian Linux 3.0, Red Hat Enterprise Linux 3,
    Red Hat Fedora Core 2, SuSE Linux 9.1 and Solaris 8 and 9.
  * Already available for the tentative platforms:
    NetBSD 1.6.2, Debian GNU/Linux 3.1, Gentoo Linux 1.4.16,
    Mandrake Linux 10.0, Sun Solaris 10 and HP HP-UX 11.11.
  * Still available for the obsoleted platforms:
    Red Hat Linux 9, SuSE Linux 9.0, and Sun Solaris 2.6.
  * Entirely based on Open Source software technology.
  * Minimum operating system intrusion and dependency.
  * Minimum overhead in software packaging.
  * All packages up-to-date with vendor versions as of 14-Jul-2004.
  * Sources of 495 CORE+BASE+PLUS packages released.
  * Binaries of CORE+BASE class packages provided for supported platforms.
  * Binaries of CORE class packages provided for all platforms.
  * Easy installation, updating and deinstallation of packages.
  * Bundled with useful and secure package pre-configurations.
  * Includes an abstracted and powerful run-command facility.
  * Virtual hosting through multiple instances on a single system.
  * Proxy packages for reusing packages across instances.
  * Build-time package variations for maximum flexibility.
  * Foundation to build encapsulated and self-contained environments.

  HISTORY OF THE OPENPKG PROJECT

  The OpenPKG project was founded in 2000 by Ralf S. Engelschall and
  the sponsor Cable & Wireless. It was first released as Open Source
  software in January 2002. Today OpenPKG is a mature technology in
  production use, and is maintained and improved by its original
  developers and volunteer contributors.

  OpenPKG is the brainchild of Ralf S. Engelschall, principal author of
  numerous other popular Open Source Software technologies like OSSP
  components, Apache SSL/TLS Engine (mod_ssl), Apache URL Rewriting
  Engine (mod_rewrite), GNU Portable Threads (Pth), GNU Portable Shell
  Tool (Shtool), Website META Language (WML) and many more.

  MORE INFORMATION

  The OpenPKG Project
  openpkg@openpkg.org
  +49-89-92699-251 (CET)
  +49-172-8986801  (CET)


From openpkg-announce-owner@openpkg.org  Thu Jul 22 10:23:09 2004
Received: from visp.engelschall.com (visp.engelschall.com [195.27.176.148])
	by mail.openpkg.org (Postfix) with ESMTP id BD2E72FF73E;
	Thu, 22 Jul 2004 10:23:08 +0200 (CEST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id A29964CE56B; Thu, 22 Jul 2004 10:23:08 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id 8039A287F6; Thu, 22 Jul 2004 10:22:51 +0200 (CEST)
Date: Thu, 22 Jul 2004 10:22:51 +0200
From: "Ralf S. Engelschall" <rse@engelschall.com>
To: openpkg-announce@openpkg.org, openpkg-users@openpkg.org,
	openpkg-dev@openpkg.org
Subject: Security Engineering: OpenPKG 2.0 and 2.1 now supported
Message-ID: <20040722082251.GA58177@engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

The OpenPKG project provides security advisories and updated SRPMs
for packages of CORE and BASE class that belong to either

  - the most recent official release of OpenPKG and
  - the immediate predecessor of the most recent release

Following this policy, security advisories and updated SRPMs are now
being issued for

  - OpenPKG 2.1 CORE+BASE class packages and
  - OpenPKG 2.0 CORE+BASE class packages

Older releases (OpenPKG 1.0, 1.1, 1.2 and 1.3) are now no longer
maintained and you are strongly encouraged to finally upgrade to
one of the supported releases mentioned above. Thanks.

Yours,
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com


From openpkg-announce-owner@openpkg.org  Thu Jul 22 11:39:35 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 794F230159D; Thu, 22 Jul 2004 11:39:35 +0200 (CEST)
Date: Thu, 22 Jul 2004 11:39:35 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba)
Message-ID: <OpenPKG-SA-2004.033@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.033                                          22-Jul-2004
________________________________________________________________________

Package:             samba
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= samba-3.0.4-20040722     >= samba-3.0.5-20040722
OpenPKG 2.1          <= samba-3.0.4-2.1.0        >= samba-3.0.4-2.1.1
OpenPKG 2.0          <= samba-2.2.8a-2.0.0       >= samba-2.2.8a-2.0.1

Dependent Packages:  none

Description:
  Evgeny Demidov discovered that the Samba SMB/CIFS server [1] has a
  buffer overflow bug in the Samba Web Administration Tool (SWAT) when
  decoding Base64 data during HTTP Basic Authentication. Samba versions
  3.0.2 through 3.0.4 are affected. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0600 [2] to the
  problem.
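
  As an added illustration, not Samba or SWAT code, the following
  bounded Base64 decoder and Basic Authentication header parser show the
  kind of bounds check whose absence turns the decoding of a long
  Authorization header into a buffer overflow: every decoded byte is
  tested against the output buffer before it is written, so an over-long
  credential string is rejected instead of written past the end.
  CRED_MAX, the buffer sizes and the function names are constructed for
  this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a decoded user name or password; constructed for this
 * example, not a Samba value. */
#define CRED_MAX 128

/* Map one Base64 alphabet character to its 6-bit value, or -1. */
static int b64_value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode Base64 text into out[outlen]. Every output byte is checked
 * against the remaining capacity (keeping one byte for a terminating
 * NUL) before it is written, so an over-long header value yields -1
 * rather than a write past the buffer. Returns the decoded length, or
 * -1 on bad characters, bad padding or insufficient space. */
int b64_decode_bounded(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;

    if (out == NULL || outlen == 0) return -1;
    for (; *in != '\0' && *in != '='; in++) {
        int v = b64_value((unsigned char)*in);
        if (v < 0) return -1;                 /* not in the alphabet */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;   /* no room for byte plus NUL */
            out[n++] = (char)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;          /* keep only the unused low bits */
        }
    }
    while (*in == '=') in++;                  /* padding, then nothing else */
    if (*in != '\0' || bits >= 6) return -1;  /* lone trailing sextet is invalid */
    out[n] = '\0';
    return (int)n;
}

/* Split an "Authorization: Basic <b64>" header value into user and
 * password. Decoded bytes may legitimately contain NUL, so the ':'
 * separator is located with memchr over the decoded length, not with
 * strchr. Returns 0 on success, -1 on malformed, rejected or over-long
 * input. */
int parse_basic_auth(const char *value, char *user, size_t ulen,
                     char *pass, size_t plen) {
    char decoded[2 * CRED_MAX];
    const char *colon;
    size_t ul, pl;
    int n;

    if (strncmp(value, "Basic ", 6) != 0) return -1;
    value += 6;
    while (*value == ' ') value++;
    n = b64_decode_bounded(value, decoded, sizeof decoded);
    if (n < 0) return -1;
    colon = memchr(decoded, ':', (size_t)n);
    if (colon == NULL) return -1;
    ul = (size_t)(colon - decoded);
    pl = (size_t)n - ul - 1;
    if (ul >= ulen || pl >= plen) return -1;  /* too long for the callers' buffers */
    memcpy(user, decoded, ul); user[ul] = '\0';
    memcpy(pass, colon + 1, pl); pass[pl] = '\0';
    return 0;
}

/* Decoded length of a Base64 string into a 256-byte buffer, or -1. */
int decoded_len(const char *b64) {
    char out[256];
    return b64_decode_bounded(b64, out, sizeof out);
}

/* 1 if the RFC 2617 example header decodes to Aladdin / open sesame. */
int check_rfc2617_example(void) {
    char user[CRED_MAX], pass[CRED_MAX];
    if (parse_basic_auth("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
                         user, sizeof user, pass, sizeof pass) != 0)
        return 0;
    return strcmp(user, "Aladdin") == 0 && strcmp(pass, "open sesame") == 0;
}

/* 1 if a constructed 400-character Base64 value (300 decoded bytes, more
 * than the 256-byte decode buffer) is rejected instead of overflowing. */
int check_overlong_rejected(void) {
    char header[6 + 400 + 1];
    char user[CRED_MAX], pass[CRED_MAX];
    memcpy(header, "Basic ", 6);
    memset(header + 6, 'A', 400);
    header[406] = '\0';
    return parse_basic_auth(header, user, sizeof user,
                            pass, sizeof pass) == -1;
}

int main(void) {
    printf("rfc2617 example ok: %d\n", check_rfc2617_example());
    printf("over-long value rejected: %d\n", check_overlong_rejected());
    return 0;
}
```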

  Another buffer overflow bug has been located in the Samba code
  used to support the "mangling method = hash" functionality. The
  default setting for this parameter is "mangling method = hash2"
  and therefore Samba is not vulnerable by default. Samba versions
  2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0686 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  samba". If you have the "samba" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary
  RPM from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the current release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get samba-3.0.4-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig samba-3.0.4-2.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild samba-3.0.4-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-3.0.4-2.1.1.*.rpm
________________________________________________________________________

References:
  [1]  http://www.samba.org/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/2.1/UPD/samba-3.0.4-2.1.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.0/UPD/samba-2.2.8a-2.0.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.1/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFA/4tEgHWT4GPEy58RAmUiAKCIn5+KO6CQKob3Ic8zw58zZGYrIwCgvhsM
J3K6l6DoQK8EK/Z7BaWzH/I=
=WOpx
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul 22 16:46:36 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 5F0C33015A7; Thu, 22 Jul 2004 16:46:36 +0200 (CEST)
Date: Thu, 22 Jul 2004 16:46:36 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php)
Message-ID: <OpenPKG-SA-2004.034@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.034                                          22-Jul-2004
________________________________________________________________________

Package:             php, apache [with_mod_php=yes]
Vulnerability:       cross-site scripting, remote code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= php-4.3.7-20040611     >= php-4.3.8-20040714
                     <= apache-1.3.31-20040713 >= apache-1.3.31-20040714
OpenPKG 2.1          none                      N.A.
OpenPKG 2.0          <= php-4.3.4-2.0.0        >= php-4.3.4-2.0.1
                     <= apache-1.3.29-2.0.4    >= apache-1.3.29-2.0.5

Dependent Packages:  none

Description:
  According to a PHP [0] security advisory [1] from Stefan Esser, the
  commonly used "memory_limit" functionality in PHP 4.x up to 4.3.7
  under certain conditions allows remote attackers to execute arbitrary
  code by triggering a "memory_limit" abort during execution of the
  zend_hash_init() function. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2004-0594 [2] to the problem.

  According to another security advisory [3] from Stefan Esser, the
  strip_tags() function in PHP 4.x up to 4.3.7 does not filter NUL
  characters within tag names, allowing dangerous tags to be processed
  by certain web browsers and facilitating the exploitation of
  cross-site scripting (XSS) vulnerabilities. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2004-0595 [4] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q php". If you have the "php" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) [5][6].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7], fetch it from the OpenPKG FTP service [8] or a mirror location,
  verify its integrity [9], build a corresponding binary RPM from it [5]
  and update your OpenPKG installation by applying the binary RPM [6].
  For the affected release OpenPKG 2.0, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get php-4.3.4-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig php-4.3.4-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild php-4.3.4-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/php-4.3.4-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.php.net/
  [1] http://security.e-matters.de/advisories/112004.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
  [3] http://security.e-matters.de/advisories/122004.html
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/2.0/UPD/php-4.3.4-2.0.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFA/9MggHWT4GPEy58RAjUxAJ46ZgHCdPAijcOSW3DYaDXVM1E0ZACgg4oR
cX6Hz0LmxJcVgoHQNvF+SBY=
=uJ3k
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Aug  4 17:12:21 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id C0082303BA5; Wed,  4 Aug 2004 17:12:20 +0200 (CEST)
Date: Wed, 4 Aug 2004 17:12:20 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png)
Message-ID: <OpenPKG-SA-2004.035@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.035                                          04-Aug-2004
________________________________________________________________________

Package:             png
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= png-1.2.5-20040629        >= png-1.2.5-20040804
                     <= doxygen-1.3.8-20040725    >= doxygen-1.3.8-20040804
                     <= ghostscript-8.14-20040630 >= ghostscript-8.14-20040804
                     <= kde-qt-3.2.3-20040702     >= kde-qt-3.2.3-20040804
                     <= pdflib-6.0.0p1-20040713   >= pdflib-6.0.0p1-20040804
                     <= perl-tk-5.8.5-20040720    >= perl-tk-5.8.5-20040804
                     <= qt-3.3.2-20040702         >= qt-3.3.2-20040804

OpenPKG 2.1          <= png-1.2.5-2.1.0           >= png-1.2.5-2.1.1
                     <= doxygen-1.3.7-2.1.0       >= doxygen-1.3.7-2.1.1
                     <= ghostscript-8.14-2.1.0    >= ghostscript-8.14-2.1.1
                     <= pdflib-6.0.0-2.1.0        >= pdflib-6.0.0-2.1.1
                     <= perl-tk-5.8.4-2.1.0       >= perl-tk-5.8.4-2.1.1
                     <= qt-3.3.2-2.1.0            >= qt-3.3.2-2.1.1

OpenPKG 2.0          <= png-1.2.5-2.0.2           >= png-1.2.5-2.0.3
                     <= doxygen-1.3.6-2.0.2       >= doxygen-1.3.6-2.0.3
                     <= ghostscript-8.13-2.0.2    >= ghostscript-8.13-2.0.3
                     <= pdflib-5.0.3-2.0.2        >= pdflib-5.0.3-2.0.3
                     <= perl-tk-5.8.3-2.0.2       >= perl-tk-5.8.3-2.0.3
                     <= qt-3.2.3-2.0.2            >= qt-3.2.3-2.0.3
                     <= rrdtool-1.0.46-2.0.2      >= rrdtool-1.0.46-2.0.3
                     <= tetex-2.0.2-2.0.2         >= tetex-2.0.2-2.0.3

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      abiword analog apache autotrace blender cups emacs
                     firefox gd gdk-pixbuf ghostscript-esp gif2png gimp
                     gnuplot gqview graphviz gtk2 imagemagick imlib
                     latex2html lbreakout libwmf mozilla mplayer mrtg
                     nagios netpbm perl-tk php php3 php5 povray pstoedit
                     rrdtool scribus tetex transfig webalizer wml wv wx
                     xemacs xfig xine-ui xplanet xv zimg

OpenPKG 2.1          analog apache autotrace emacs gd gdk-pixbuf gif2png
                     gimp gnuplot gqview graphviz gtk2 imagemagick
                     imlib latex2html libwmf mozilla netpbm perl-tk php
                     pstoedit rrdtool tetex transfig webalizer wml xfig
                     xv

OpenPKG 2.0          apache emacs gd gdk-pixbuf gif2png gimp gnuplot
                     graphviz gtk2 imagemagick imlib latex2html libwmf
                     netpbm perl-tk php pstoedit transfig autotrace
                     webalizer wml xfig xv

Description:
  During a source code audit, Chris Evans discovered several problems in
  the Portable Network Graphics (PNG) library libpng [1], some of which
  are security relevant. This OpenPKG update fixes all known issues.

  A stack-based buffer overflow in libpng which can be triggered to run
  arbitrary code by a malicious png file. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2004-0597 [2] to the
  problem.

  A NULL-pointer crash in libpng which can be triggered by a malicious
  png file. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0598 [3] to the problem.

  Various possible integer overflows in libpng which may have security
  consequences. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0599 [4] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q png". If you have the "png" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too
  [5][6].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary
  RPM from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get png-1.2.5-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig png-1.2.5-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild png-1.2.5-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/png-1.2.5-2.1.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [5][6].
________________________________________________________________________

References:
  [1] http://www.libpng.org/pub/png/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/png-1.2.5-2.1.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/png-1.2.5-2.0.3.src.rpm
  [9] ftp://ftp.openpkg.org/release/2.1/UPD/
  [10] ftp://ftp.openpkg.org/release/2.0/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBEPzJgHWT4GPEy58RAqObAJ9P2rR/N8nfXDmOQEBb5rcUdMvUNwCfTaY3
vHQGjayhxr3KyVQ5PqVgG7A=
=svpv
-----END PGP SIGNATURE-----
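
An added check, not part of the advisory or of the OpenPKG tools, that automates the "is my installed version affected" comparison prescribed above for the OpenPKG 2.1 rows of the table: it splits an `openpkg rpm -q` label into name, version and release, orders versions with a simplified reimplementation of rpm's version comparison (an assumption: rpm's own rpmvercmp has further rules this does not cover), and reports the corrected package to upgrade to.

```python
import re
import sys

# OpenPKG 2.1 rows of the "Affected Packages / Corrected Packages" table of
# OpenPKG-SA-2004.035, as (last affected label, first corrected label).
ADVISORY_ROWS = [
    ("png-1.2.5-2.1.0", "png-1.2.5-2.1.1"),
    ("doxygen-1.3.7-2.1.0", "doxygen-1.3.7-2.1.1"),
    ("ghostscript-8.14-2.1.0", "ghostscript-8.14-2.1.1"),
    ("pdflib-6.0.0-2.1.0", "pdflib-6.0.0-2.1.1"),
    ("perl-tk-5.8.4-2.1.0", "perl-tk-5.8.4-2.1.1"),
    ("qt-3.3.2-2.1.0", "qt-3.3.2-2.1.1"),
]

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm version ordering (assumption: not the full rpmvercmp).
    Strings are split into numeric and alphabetic segments; numeric segments
    compare as integers, alphabetic ones lexically, a numeric segment ranks
    above an alphabetic one, and the string with segments left over ranks
    higher. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(label):
    """'perl-tk-5.8.4-2.1.0' -> ('perl-tk', '5.8.4', '2.1.0').
    Package names may contain dashes, so split from the right."""
    name, version, release = label.rsplit("-", 2)
    return name, version, release


def compare_packages(a, b):
    """Order two name-version-release labels of the same package."""
    na, va, ra = split_nvr(a)
    nb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError("different packages: %s vs %s" % (na, nb))
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(installed, rows=ADVISORY_ROWS):
    """Return the corrected label to upgrade to, or None when the package is
    not listed in the advisory or is already at/after the corrected version."""
    name = split_nvr(installed)[0]
    for affected_max, corrected_min in rows:
        if split_nvr(affected_max)[0] != name:
            continue
        if compare_packages(installed, affected_max) <= 0:
            return corrected_min
        return None
    return None


def check_rpm_q_output(lines, rows=ADVISORY_ROWS):
    """Take the lines printed by '<prefix>/bin/openpkg rpm -q <pkg>' (or -qa)
    and return {installed label: corrected label} for affected packages."""
    result = {}
    for line in lines:
        label = line.strip()
        # rpm prints "package foo is not installed" for missing packages
        if not label or label.startswith("package ") or label.count("-") < 2:
            continue
        target = is_affected(label, rows)
        if target:
            result[label] = target
    return result


if __name__ == "__main__":
    # e.g.  <prefix>/bin/openpkg rpm -qa | python3 check_sa_2004_035.py
    for installed, target in check_rpm_q_output(sys.stdin).items():
        print("%s is affected, upgrade to %s" % (installed, target))
```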

From openpkg-announce-owner@openpkg.org  Fri Aug  6 18:02:37 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 85748303FFB; Fri,  6 Aug 2004 18:02:35 +0200 (CEST)
Date: Fri, 6 Aug 2004 18:02:35 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.036] OpenPKG Security Advisory (cvstrac)
Message-ID: <OpenPKG-SA-2004.036@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.036                                          06-Aug-2004
________________________________________________________________________

Package:             cvstrac
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= cvstrac-1.1.3-20040505    >= cvstrac-1.1.3-20040806
OpenPKG 2.1          <= cvstrac-1.1.3-2.1.0       >= cvstrac-1.1.3-2.1.1
OpenPKG 2.0          <= cvstrac-1.1.2-2.0.0       >= cvstrac-1.1.2-2.0.1

Dependent Packages:  none

Description:
  As reported on BugTraq [1], Richard Ngo discovered a vulnerability
  in the CVS repository web browsing tool CVSTrac [2]. If properly
  exploited, an attacker can execute arbitrary code on the CVSTrac host
  with the privileges of the associated web server.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q cvstrac". If you have the "cvstrac" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6] and fetch it from the OpenPKG FTP service [7][8] or a mirror
  location. Verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get cvstrac-1.1.3-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig cvstrac-1.1.3-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild cvstrac-1.1.3-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvstrac-1.1.3-2.1.1.*.rpm

Addendum:
  Although simply upgrading the affected CVSTrac installation
  does remove the vulnerability in question, the existing CVSTrac
  configuration should be corrected on the underlying SQLite level as
  well. Repeat the following for all project databases:

  $ <prefix>/bin/sqlite <prefix>/var/cvstrac/<project>.db
  sqlite> select value from config where name="filediff";
  rcsdiff -q -r%V1 -r%V2 -u '%F'
  sqlite> select value from config where name="filelist";
  co -q -p%V '%F' | diff -c /dev/null -
  sqlite> .exit

  Any commands using version or file replacements (%V, %V1, %V2, %F) but
  lacking single quotes (') around them should be corrected:

  $ <prefix>/bin/sqlite <prefix>/var/cvstrac/<project>.db
  sqlite> update config
     ...> set value="rcsdiff -q -r'%V1' -r'%V2' -u '%F'"
     ...> where name="filediff";
  sqlite> update config
     ...> set value="co -q -p '%V' '%F' | diff -c /dev/null -"
     ...> where name="filelist";
  sqlite> .exit

  An identical result can be achieved by logging in to the CVSTrac
  project pages as the user 'setup'. Select 'Diff Programs' from the
  'Setup Menu', and then review both HTML input fields for missing
  single quotes as shown.
________________________________________________________________________

References:
  [1] http://www.securityfocus.com/archive/1/370955/2004-08-03/2004-08-09/0
  [2] http://www.cvstrac.org/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/cvstrac-1.1.3-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/cvstrac-1.1.2-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBE6uFgHWT4GPEy58RAg55AKCzGm4IZ0TfWKuqoaAEvk/qeKM0yQCgwZuL
aPzhupWq4Zo+33VhZPl9fAY=
=42L4
-----END PGP SIGNATURE-----
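
An added audit script, not part of the advisory or of CVSTrac, for the addendum above: it scans the config table of a project database for commands that use the %V, %V1, %V2 or %F replacements outside single quotes and rewrites them quoted. It assumes the config table has name and value columns, as the sqlite session above shows; a database path on the command line is optional, and a constructed in-memory copy with the two unquoted commands from the advisory is used otherwise.

```python
import sqlite3
import sys

# Replacement tokens CVSTrac substitutes into the configured shell commands.
# Longest first so that %V1 and %V2 are recognised before %V.
PLACEHOLDERS = ("%V1", "%V2", "%V", "%F")


def scan_command(cmd):
    """Return (unquoted placeholders found, command with them single-quoted).
    A placeholder that already sits inside single quotes is left untouched."""
    found, out = [], []
    in_quote = False
    i = 0
    while i < len(cmd):
        ph = None
        if not in_quote:
            ph = next((p for p in PLACEHOLDERS if cmd.startswith(p, i)), None)
        if ph is not None:
            found.append(ph)
            out.append("'" + ph + "'")
            i += len(ph)
            continue
        if cmd[i] == "'":
            in_quote = not in_quote
        out.append(cmd[i])
        i += 1
    return found, "".join(out)


def audit_project_db(conn):
    """Return {config name: (current value, corrected value)} for every
    config row whose command uses a replacement outside single quotes."""
    findings = {}
    for name, value in conn.execute("select name, value from config"):
        if not isinstance(value, str):
            continue
        found, fixed = scan_command(value)
        if found:
            findings[name] = (value, fixed)
    return findings


def fix_project_db(conn):
    """Apply the corrected values in place, like the 'update config' statements
    in the addendum, and return what was changed."""
    findings = audit_project_db(conn)
    for name, (_, fixed) in findings.items():
        conn.execute("update config set value = ? where name = ?", (fixed, name))
    conn.commit()
    return findings


def constructed_db():
    """Constructed sample: the two unquoted commands shown in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table config(name text primary key, value text)")
    conn.executemany("insert into config values(?, ?)", [
        ("filediff", "rcsdiff -q -r%V1 -r%V2 -u '%F'"),
        ("filelist", "co -q -p%V '%F' | diff -c /dev/null -"),
        ("project", "demo"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # e.g.  python3 cvstrac_quote_audit.py <prefix>/var/cvstrac/<project>.db
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else constructed_db()
    for name, (old, new) in audit_project_db(db).items():
        print("%s needs quoting:\n  current:   %s\n  corrected: %s" % (name, old, new))
```

The automated rewrite keeps the attached form -p'%V' rather than the -p '%V' the addendum types by hand; both leave the replacement inside single quotes.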

From openpkg-announce-owner@openpkg.org  Sun Aug 15 12:17:39 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 92A6B304BD7; Sun, 15 Aug 2004 12:17:38 +0200 (CEST)
Date: Sun, 15 Aug 2004 12:17:38 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.037] OpenPKG Security Advisory (rsync)
Message-ID: <OpenPKG-SA-2004.037@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.037                                          15-Aug-2004
________________________________________________________________________

Package:             rsync
Vulnerability:       filesystem path determination
OpenPKG Specific:    no

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG CURRENT      <= rsync-2.6.2-20040706  >= rsync-2.6.2-20040815
OpenPKG 2.1          <= rsync-2.6.2-2.1.0     >= rsync-2.6.2-2.1.1
OpenPKG 2.0          <= rsync-2.6.0-2.0.1     >= rsync-2.6.0-2.0.2

Dependent Packages:  none

Description:
  According to a security notice [1] by the vendor, a path-sanitizing
  bug exists in the filesystem synchronization utility RSYNC [2]. The
  bug affects daemon mode in all RSYNC versions up to and including
  2.6.2 if option "use chroot" is disabled (not the case in the default
  configuration in OpenPKG). It does not affect the normal send/receive
  filenames that specify what files should be transferred, but it does
  affect certain option paths that cause auxiliary files to be read or
  written.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q rsync". If you have the "rsync" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above), if
  any, too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get rsync-2.6.2-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig rsync-2.6.2-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild rsync-2.6.2-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/rsync-2.6.2-2.1.1.*.rpm
________________________________________________________________________

References:
  [1] http://samba.org/rsync/#security_aug04
  [2] http://samba.org/rsync/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/rsync-2.6.2-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/rsync-2.6.0-2.0.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBHzgxgHWT4GPEy58RAlwUAKDtW9fyxZqfN+uCB/egu5RTSCn3DwCfUuNE
8fth6K4zemMCmK1EPvWgAOw=
=Z7z1
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Aug 25 21:53:39 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 92A8B304B84; Wed, 25 Aug 2004 21:53:39 +0200 (CEST)
Date: Wed, 25 Aug 2004 21:53:39 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.038] OpenPKG Security Advisory (zlib)
Message-ID: <OpenPKG-SA-2004.038@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.038                                          25-Aug-2004
________________________________________________________________________

Package:             zlib
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= zlib-1.2.1-20040207       >= zlib-1.2.1-20040825
                     <= ghostscript-8.14-20040816 >= ghostscript-8.14-20040825
                     <= openpkg-20040811-20040811 >= openpkg-20040825-20040825
OpenPKG 2.1          <= zlib-1.2.1-2.1.0          >= zlib-1.2.1-2.1.1
                     <= ghostscript-8.14-2.1.1    >= ghostscript-8.14-2.1.2
                     <= openpkg-2.1.1-2.1.1       >= openpkg-2.1.2-2.1.2
OpenPKG 2.0          <= zlib-1.2.1-2.0.0          >= zlib-1.2.1-2.0.1
                     <= ghostscript-8.13-2.0.3    >= ghostscript-8.13-2.0.4
                     <= openpkg-2.0.3-2.0.3       >= openpkg-2.0.4-2.0.4

Dependent Packages:  abiword aegis aide analog apache apache2 autotrace
                     blender bsdtar cadaver citadel clamav cups curl
                     cvs cvsps cvsync dia doxygen emacs ethereal expat
                     file firefox gd geoip gif2png gift-gnutella
                     gift-openft gimp gmime gnome-vfs gnupg gnuplot
                     htdig imagemagick ircd jitterbug kcd lbreakout lcms
                     libarchive libwmf libxml lout lynx mixmaster mng
                     mozilla mplayer mrtg mysql mysql3 mysql41 mysqlcc
                     nagios neon netpbm opencdk openpkg openssh pdflib
                     perl-comp perl-gd perl-tk pgpdump php php3 php5 png
                     postgresql pstoedit python qt ripe-dbase rrdtool
                     scribus sio subversion tardy tetex tiff tightvnc
                     transfig ttmkfdir w3m webalizer wml wv xdelta
                     xemacs xfig xmame xplanet xv zimg

Description:
  Triggered by a Debian bug report [1], a denial of service vulnerability
  was found in the ZLib compression library [0] versions 1.2.x
  (older versions are not affected). The problem arises from incorrect
  error handling in the inflate() and inflateBack() functions. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0797 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above) as well [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get zlib-1.2.1-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig zlib-1.2.1-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild zlib-1.2.1-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/zlib-1.2.1-2.1.1.*.rpm

  Additionally, rebuild and reinstall any other dependent packages (see
  above) already installed in your OpenPKG instance. Only updating the
  "zlib" package is NOT sufficient because of the statically linked old
  "libz.a" code residing in the executables of other dependent packages.

  Due to transitive dependencies and because "zlib" is used by so many
  other libraries and programs, the convenient way to upgrade "zlib" and
  all affected packages is to use the "openpkg-tools" package:

  $ su -
  # <prefix>/bin/openpkg build -Ua | sh
________________________________________________________________________

References:
  [0] http://www.gzip.org/zlib/
  [1] http://bugs.debian.org/252253
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/zlib-1.2.1-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/zlib-1.2.1-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBLO4cgHWT4GPEy58RAkjgAKC948i4v38A8FX513o85Zbqq3aBOACff8Ce
9M2/cv/zac1hHD2/oqzCgUY=
=sbmZ
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Sep 13 15:35:33 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 1B04A302139; Mon, 13 Sep 2004 15:35:31 +0200 (CEST)
Date: Mon, 13 Sep 2004 15:35:31 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)
Message-ID: <OpenPKG-SA-2004.039@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.039                                          13-Sep-2004
________________________________________________________________________

Package:             kerberos
Vulnerability:       arbitrary code execution, denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= kerberos-1.3.4-20040730 >= kerberos-1.3.4-20040901
OpenPKG 2.1          <= kerberos-1.3.4-2.1.0    >= kerberos-1.3.4-2.1.1
OpenPKG 2.0          <= kerberos-1.3.1-2.0.1    >= kerberos-1.3.1-2.0.2

Dependent Packages:  none

Description:
  According to two vendor security advisories [1][2], multiple
  vulnerabilities exist in the Kerberos [0] network authentication
  system. The first set of problems consists of double-free issues in the
  KDC and libraries. The second problem is a denial-of-service vulnerability
  in the ASN.1 decoder. The Common Vulnerabilities and Exposures (CVE)
  project assigned the ids CAN-2004-0642 [3], CAN-2004-0643 [4],
  CAN-2004-0644 [5] and CAN-2004-0772 [6] to the problems.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q kerberos". If you have the "kerberos" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [7][8].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [9][10], fetch it from the OpenPKG FTP service [11][12] or a mirror
  location, verify its integrity [13], build a corresponding binary
  RPM from it [7] and update your OpenPKG installation by applying the
  binary RPM [8]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get kerberos-1.3.4-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig kerberos-1.3.4-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild kerberos-1.3.4-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/kerberos-1.3.4-2.1.1.*.rpm
________________________________________________________________________

References:
  [0]  http://web.mit.edu/kerberos/
  [1]  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
  [2]  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772
  [7]  http://www.openpkg.org/tutorial.html#regular-source
  [8]  http://www.openpkg.org/tutorial.html#regular-binary
  [9]  ftp://ftp.openpkg.org/release/2.1/UPD/kerberos-1.3.4-2.1.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/2.0/UPD/kerberos-1.3.1-2.0.2.src.rpm
  [11] ftp://ftp.openpkg.org/release/2.1/UPD/
  [12] ftp://ftp.openpkg.org/release/2.0/UPD/
  [13] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBRaIBgHWT4GPEy58RAv1AAKC105VNKMYuaRvSZ51SKGuBimb4dACfQyn5
oN2jEZVt4WeeexbfQpH29ec=
=DpcF
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Sep 15 14:25:42 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 3C1893022FE; Wed, 15 Sep 2004 14:25:42 +0200 (CEST)
Date: Wed, 15 Sep 2004 14:25:41 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba)
Message-ID: <OpenPKG-SA-2004.040@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.040                                          15-Sep-2004
________________________________________________________________________

Package:             samba
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG CURRENT      <= samba-3.0.6-20040820  >= samba-3.0.7-20040913
OpenPKG 2.1          <= samba-3.0.4-2.1.1     >= samba-3.0.4-2.1.2
OpenPKG 2.0          N.A.                     N.A.

Dependent Packages:  none

Description:
  According to a security advisory [1] from the Samba team and two
  corresponding security advisories [2][3] from iDEFENSE, two Denial of
  Service (DoS) vulnerabilities exist in the Samba SMB/CIFS server [0].
  The first DoS bug is in smbd(8) and may allow an unauthenticated user
  to cause smbd(8) to spawn new processes, each one entering an infinite
  loop. After sending a sufficient amount of packets it is possible to
  exhaust the memory resources on the server. The second DoS bug in
  nmbd(8) may allow an attacker to remotely crash the nmbd(8) daemon.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  ids CAN-2004-0807 [4] and CAN-2004-0808 [5] to the problems.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q samba". If you have the "samba" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [6][7].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [8], fetch it from the OpenPKG FTP service [9] or a mirror location,
  verify its integrity [10], build a corresponding binary RPM from it
  [6] and update your OpenPKG installation by applying the binary RPM
  [7]. For the most recent release OpenPKG 2.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get samba-3.0.4-2.1.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig samba-3.0.4-2.1.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild samba-3.0.4-2.1.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/samba-3.0.4-2.1.2.*.rpm
________________________________________________________________________

References:
  [0]  http://www.samba.org/
  [1]  http://us3.samba.org/samba/history/3.0_DOS_sept04_announce.txt
  [2]  http://www.idefense.com/application/poi/display?id=138
  [3]  http://www.idefense.com/application/poi/display?id=139
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808
  [6]  http://www.openpkg.org/tutorial.html#regular-source
  [7]  http://www.openpkg.org/tutorial.html#regular-binary
  [8]  ftp://ftp.openpkg.org/release/2.1/UPD/samba-3.0.4-2.1.2.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.1/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBSDSngHWT4GPEy58RAo/gAJ9KAwEpj5Wo1yFnAyw91rNojZQjFgCfQVUJ
B3L6lz23T8ZxdT9vR+FmlnI=
=sqJA
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Sep 15 14:53:37 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id BEF4330223B; Wed, 15 Sep 2004 14:53:36 +0200 (CEST)
Date: Wed, 15 Sep 2004 14:53:36 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.041] OpenPKG Security Advisory (spamassassin)
Message-ID: <OpenPKG-SA-2004.041@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.041                                          15-Sep-2004
________________________________________________________________________

Package:             spamassassin
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      N.A.                       N.A.
OpenPKG 2.1          N.A.                       N.A.
OpenPKG 2.0          <= spamassassin-2.63-2.0.0 >= spamassassin-2.63-2.0.1

Dependent Packages:  none

Description:
  According to a vendor announcement [1], a Denial of Service (DoS)
  vulnerability exists in the email spam filter SpamAssassin [0]
  versions 2.5x and 2.6x. The problem can be triggered by sending
  certain malformed email messages. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0796 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q spamassassin". If you have the "spamassassin" package installed
  and its version is affected (see above), we recommend that you
  immediately upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the affected release OpenPKG 2.0, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get spamassassin-2.63-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig spamassassin-2.63-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild spamassassin-2.63-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/spamassassin-2.63-2.0.1.*.rpm
________________________________________________________________________

References:
  [0] http://spamassassin.apache.org/
  [1] http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767&w=2
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.0/UPD/spamassassin-2.63-2.0.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBSDs+gHWT4GPEy58RApiaAKCJLv2k4qC7zcE1X9TvZWb+t0ULmwCgnenT
N945JfRoySa6YT3b/9UHsI8=
=P0A8
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Sep 15 15:39:44 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 8AD52302616; Wed, 15 Sep 2004 15:39:44 +0200 (CEST)
Date: Wed, 15 Sep 2004 15:39:44 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.042] OpenPKG Security Advisory (aspell)
Message-ID: <OpenPKG-SA-2004.042@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.042                                          15-Sep-2004
________________________________________________________________________

Package:             aspell
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= aspell-0.50.5-20040310 >= aspell-0.60-20040827
OpenPKG 2.1          <= aspell-0.50.5-2.1.0    >= aspell-0.50.5-2.1.1
OpenPKG 2.0          <= aspell-0.50.5-2.0.0    >= aspell-0.50.5-2.0.1

Dependent Packages:  none

Description:
  According to a security advisory from shaun2k2 [0], multiple
  stack-based buffer overflows exist in the "word-list-compress"
  utility from the spell-checker GNU Aspell [1]. By providing a
  specially crafted word list containing an overly long entry (more
  than 256 bytes), an attacker can overflow a stack buffer and thereby
  execute arbitrary code. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2004-0548 [2] to the problem.
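  The following C program is an added illustration written for this
  advisory; it is not code from GNU Aspell or word-list-compress, and
  apart from the 256-byte buffer size mentioned above every name and the
  sample word list are constructed. It shows a length-checked entry copy
  (the unchecked strcpy form is described in a comment) run over a word
  list that contains one 300-byte entry of the kind the advisory describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in CAN-2004-0548. It is not
 * code from GNU Aspell or word-list-compress; the names below are made up. */

#define WORD_MAX 256   /* the fixed buffer size the advisory refers to */

/* The unsafe form is a plain strcpy(word, entry) into a char word[WORD_MAX]
 * on the stack with no length check: an entry of more than 255 bytes runs
 * past the buffer and over whatever the compiler placed after it. */

/* Safe counterpart: reject, rather than silently truncate, any entry that
 * would not fit together with its terminating NUL. On rejection `word` is
 * left untouched so the caller cannot mistake it for a valid entry. */
static bool copy_entry_checked(const char *entry, size_t entry_len,
                               char word[WORD_MAX])
{
    if (entry_len >= WORD_MAX)
        return false;
    memcpy(word, entry, entry_len);
    word[entry_len] = '\0';
    return true;
}

struct wl_stats { int accepted; int rejected; };

/* Walk a newline-separated word list held in memory the way a
 * word-list-compress-style tool reads its input, one entry at a time, and
 * count entries that fit against entries rejected as overlong. */
static struct wl_stats scan_word_list(const char *list)
{
    struct wl_stats st = { 0, 0 };
    const char *p = list;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char word[WORD_MAX];
        if (copy_entry_checked(p, len, word))
            st.accepted++;
        else
            st.rejected++;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return st;
}

/* Build and scan a constructed word list: three ordinary words plus one
 * 300-byte entry of the kind the advisory describes. */
static struct wl_stats scan_sample_list(void)
{
    static char list[512];
    size_t n = 0;
    n += (size_t)snprintf(list + n, sizeof list - n, "apple\nbanana\n");
    memset(list + n, 'a', 300);
    n += 300;
    snprintf(list + n, sizeof list - n, "\ncherry\n");
    return scan_word_list(list);
}

int main(void)
{
    struct wl_stats st = scan_sample_list();
    printf("accepted=%d rejected=%d\n", st.accepted, st.rejected);
    return st.rejected == 1 ? 0 : 1;
}
```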

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q aspell". If you have the "aspell" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above), if
  any, too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get aspell-0.50.5-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig aspell-0.50.5-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild aspell-0.50.5-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/aspell-0.50.5-2.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://marc.theaimsgroup.com/?l=bugtraq&m=108675120224531&w=2
  [1] http://aspell.net/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0548
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/aspell-0.50.5-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/aspell-0.50.5-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBSEYSgHWT4GPEy58RAu8wAKCArhOXX3vLABA6bHHGfgry7LrnPgCfR6rb
TUJTe7vSbTjVNzh+61GyDAU=
=nytM
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Oct 14 19:58:00 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 690CA305084; Thu, 14 Oct 2004 19:58:00 +0200 (CEST)
Date: Thu, 14 Oct 2004 19:58:00 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.043] OpenPKG Security Advisory (tiff)
Message-ID: <OpenPKG-SA-2004.043@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.043                                          14-Oct-2004
________________________________________________________________________

Package:             tiff
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= tiff-3.6.1-20040714      >= tiff-3.6.1-20041013
OpenPKG 2.1          <= tiff-3.6.1-2.1.0         >= tiff-3.6.1-2.1.1
OpenPKG 2.0          <= tiff-3.6.1-2.0.0         >= tiff-3.6.1-2.0.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      cups emacs gdk-pixbuf gimp gtk2 imagemagick imlib
                     lcms lyx netpbm perl-tk povray scribus wx xemacs
                     xplanet xv

OpenPKG 2.1          emacs gdk-pixbuf gimp gtk2 imagemagick imlib lcms
                     netpbm perl-tk xv

OpenPKG 2.0          emacs gdk-pixbuf gimp gtk2 imagemagick imlib netpbm
                     perl-tk xv

Description:
  According to security advisory CESA-2004-006 from Chris Evans, the
  libtiff [0] image en-/decoder suffers from several heap-based buffer
  overflows. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0803 [1] to the problem.

  Other code reviewers found integer overflows which affect memory
  allocation. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0886 [2] to the problem.
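  The following C program is an added illustration written for this
  advisory; it is not libtiff's code, and the function names and header
  values are constructed. It shows the allocation-size calculation of an
  image strip first in the 32-bit form that wraps, then in a form that
  computes in size_t, refuses overflow and caps the result before malloc().

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the allocation-size overflow class behind
 * CAN-2004-0886. It is not libtiff's code; the function names are made up. */

/* Unchecked form: all three factors are 32-bit, so the product wraps modulo
 * 2^32. A header describing a huge image can therefore produce a small
 * allocation that the decoder later writes past. */
static uint32_t strip_size_unchecked(uint32_t width, uint32_t height,
                                     uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Checked form: compute in size_t and refuse any product that would wrap.
 * Returns false (leaving *out untouched) on overflow or a zero dimension. */
static bool strip_size_checked(uint32_t width, uint32_t height,
                               uint32_t bytes_per_pixel, size_t *out)
{
    size_t w = width, h = height, bpp = bytes_per_pixel;
    if (w == 0 || h == 0 || bpp == 0)
        return false;
    if (w > SIZE_MAX / h)            /* w * h would exceed SIZE_MAX */
        return false;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / bpp)     /* pixels * bpp would exceed SIZE_MAX */
        return false;
    *out = pixels * bpp;
    return true;
}

/* Allocate a strip buffer only after the size check passes, and cap the
 * size against a caller-chosen limit so that even a well-formed header
 * cannot demand an absurd allocation. Returns NULL on any failure. */
static unsigned char *alloc_strip(uint32_t width, uint32_t height,
                                  uint32_t bytes_per_pixel, size_t max_bytes)
{
    size_t need;
    if (!strip_size_checked(width, height, bytes_per_pixel, &need))
        return NULL;
    if (need > max_bytes)
        return NULL;
    return malloc(need);
}

int main(void)
{
    /* constructed header: a 65536 x 65536 image at one byte per pixel */
    size_t need = 0;
    printf("unchecked: %" PRIu32 " bytes (wrapped)\n",
           strip_size_unchecked(65536, 65536, 1));
    if (strip_size_checked(65536, 65536, 1, &need))
        printf("checked:   %zu bytes\n", need);
    else
        printf("checked:   overflow refused\n");
    unsigned char *buf = alloc_strip(65536, 65536, 1, (size_t)64 << 20);
    printf("alloc_strip with 64 MiB cap: %s\n", buf ? "allocated" : "refused");
    free(buf);
    return 0;
}
```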

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q tiff". If you have the "tiff" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too
  [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get tiff-3.6.1-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig tiff-3.6.1-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild tiff-3.6.1-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/tiff-3.6.1-2.1.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
________________________________________________________________________

References:
  [0] http://www.libtiff.org/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/tiff-3.6.1-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/tiff-3.6.1-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBbr4HgHWT4GPEy58RAgTwAJ9GpzRv/XTwaL7T8QqB/jQgaJIFdgCeOSsW
W5KM345KbfAHGBTX1lmBUh8=
=CatT
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Oct 15 17:47:17 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 6E4D8304EBC; Fri, 15 Oct 2004 17:47:17 +0200 (CEST)
Date: Fri, 15 Oct 2004 17:47:17 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.044] OpenPKG Security Advisory (modssl)
Message-ID: <OpenPKG-SA-2004.044@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.044                                          15-Oct-2004
________________________________________________________________________

Package:             apache (option "with_mod_ssl yes" only)
Vulnerability:       information disclosure
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.31-20041005 >= apache-1.3.31-20041015
OpenPKG 2.1          <= apache-1.3.31-2.1.4    >= apache-1.3.31-2.1.5
OpenPKG 2.0          <= apache-1.3.29-2.0.5    >= apache-1.3.29-2.0.6

Dependent Packages:  none

Description:
  Hartmut Keil discovered [0] an information disclosure vulnerability
  in mod_ssl [1], the SSL/TLS module of the Apache [2] webserver. After
  a renegotiation, affected versions of mod_ssl fail to ensure that the
  requested cipher suite is actually negotiated. In some configurations
  a client may be able to retrieve content using a cipher suite the
  server does not consider strong enough. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2004-0885 [3] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_ssl". If you
  have the "apache" package with option "with_mod_ssl" installed and its
  version is affected (see above), we recommend that you immediately
  upgrade (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the binary
  RPM [5]. For the current release OpenPKG 2.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get apache-1.3.31-2.1.5.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig apache-1.3.31-2.1.5.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.31-2.1.5.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.31-2.1.5.*.rpm
________________________________________________________________________

References:
  [0]  http://issues.apache.org/bugzilla/show_bug.cgi?id=31505
  [1]  http://www.modssl.org/
  [2]  http://www.apache.org/
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/2.1/UPD/apache-1.3.31-2.1.5.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.6.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.1/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBb/DzgHWT4GPEy58RAiuVAJ9aZSEzvz21fIUlxa7Wc7TyQ9U7egCfXqz8
laFy+rt1jxLscb9qokgm49o=
=Git7
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Oct 20 11:44:19 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 22EA1300E09; Wed, 20 Oct 2004 11:44:19 +0200 (CEST)
Date: Wed, 20 Oct 2004 11:44:18 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-users@openpkg.org,
	openpkg-dev@openpkg.org
Subject: [ANNOUNCE] OpenPKG 2.2
Message-ID: <20041020094418.GA27344@en4.engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org


  FOR IMMEDIATE RELEASE - 20-Oct-2004

    The OpenPKG project releases version 2.2 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- October 20, 2004 -- The
  OpenPKG project is proud to announce version 2.2 of its OpenPKG
  software, another evolutionary step after a series of six
  predecessors within three years.

  Much valued by IT decision makers and beloved by Unix system
  administrators, OpenPKG is the world-leading instrument for deployment
  and maintenance of Open Source Unix software when administration
  crosses platform boundaries. The unique OpenPKG architecture leverages
  proven technologies like Red Hat Package Manager (RPM) and OSSP
  and GNU components to establish a unified software administration
  environment, independent of the underlying Unix operating system.

  NEW IN VERSION 2.2

  OpenPKG 2.2 is available for 18 different Unix flavors. Most notably,
  it is supported on FreeBSD 4.10 and 5.3, Debian GNU/Linux 3.0, Red Hat
  Enterprise Linux 3, Fedora Core 2, SuSE Linux 9.1, and Sun Solaris
  8 and 9. Additionally, all CORE and the vast majority of BASE class
  packages are already available for the tentative platforms NetBSD
  1.6.2, Debian GNU/Linux 3.1, Gentoo Linux 1.5.3, Mandrake Linux 10.0,
  Sun Solaris 10 and HP HP-UX 11.11. Packages are even still available
  for the obsoleted platforms SuSE Linux 9.0 and Sun Solaris 2.6.

  Since the previous release four months ago, the OpenPKG package
  repository has grown by 10%. A subset of 528 packages were carefully
  selected for inclusion into the OpenPKG 2.2 release, including the
  latest versions of popular Open Source Unix software like Apache,
  Bash, BIND, GCC, INN, Mozilla, MySQL, OpenSSH, Perl, Postfix,
  PostgreSQL, Samba, Squid, teTeX and Vim.

  Focusing on portability and isolation, OpenPKG 2.2 places greater
  emphasis on reducing underlying Unix system requirements. Effort was
  expended to offer a smooth upgrade path from the previous release,
  which should reassure administrators of high availability systems.

  HIGHLIGHTS OF OPENPKG

  * Portable across major Unix flavors.
  * Available for the supported platforms:
    FreeBSD 4.10/5.3, Debian Linux 3.0, Red Hat Enterprise Linux 3,
    Fedora Core 2, SuSE Linux 9.1 and Solaris 8 and 9.
  * Already available for the tentative platforms:
    NetBSD 1.6.2, Debian GNU/Linux 3.1, Gentoo Linux 1.5.3,
    Mandrake Linux 10.0, Sun Solaris 10 and HP HP-UX 11.11.
  * Still available for the obsoleted platforms:
    SuSE Linux 9.0, and Sun Solaris 2.6.
  * Entirely based on Open Source software technology.
  * Minimum operating system intrusion and dependency.
  * Minimum overhead in software packaging.
  * All packages up to date with vendor versions as of 12-Oct-2004.
  * Sources of 528 CORE+BASE+PLUS packages released.
  * Binaries of CORE+BASE class packages provided for supported platforms.
  * Binaries of CORE class packages provided for all platforms.
  * Easy installation, updating and deinstallation of packages.
  * Bundled with useful and secure package preconfigurations.
  * Includes an abstracted and powerful run-command facility.
  * Virtual hosting through multiple instances on a single system.
  * Proxy packages for reusing packages across instances.
  * Build-time package variations for maximum flexibility.
  * Foundation to build encapsulated and self-contained environments.

  HISTORY OF THE OPENPKG PROJECT

  The OpenPKG project was founded in 2000 by Ralf S. Engelschall and
  the sponsor Cable & Wireless. It was first released as Open Source
  software in January 2002. Today OpenPKG is a mature technology in
  production use, and is maintained and improved by its original
  developers and volunteer contributors.

  Ralf S. Engelschall is the principal author of numerous other popular
  Open Source Software technologies as well. His accomplishments include
  releases of OSSP components, Apache SSL/TLS Engine (mod_ssl), Apache
  URL Rewriting Engine (mod_rewrite), GNU Portable Threads (Pth), GNU
  Portable Shell Tool (Shtool), Website META Language (WML) and more.

  MORE INFORMATION

  The OpenPKG Project
  openpkg@openpkg.org
  +49-89-92699-251 (CET)
  +49-172-8986801  (CET)


From openpkg-announce-owner@openpkg.org  Fri Oct 22 17:34:51 2004
Received: from visp.engelschall.com (visp.engelschall.com [195.27.176.148])
	by mail.openpkg.org (Postfix) with ESMTP id 5EA962FF7CE
	for <openpkg-announce@openpkg.org>; Fri, 22 Oct 2004 17:34:51 +0200 (CEST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 468904CE549; Fri, 22 Oct 2004 17:34:51 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id E5263A17A1; Fri, 22 Oct 2004 17:34:41 +0200 (CEST)
Date: Fri, 22 Oct 2004 17:34:41 +0200
From: "Ralf S. Engelschall" <rse@engelschall.com>
To: openpkg-announce@openpkg.org
Subject: Official OpenPKG slideset updated and extended
Message-ID: <20041022153441.GA41147@engelschall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

After our OpenPKG 2.2 release we've spent some time and both updated and
extended the official OpenPKG slideset -- our primer on OpenPKG.

All examples, numbers and images were updated to reflect the status quo
as of October 2004 and a few additional slides were added about Security
Engineering, Release Engineering and Source vs. Binary Packaging, etc.

The updated slideset is available again in on-line, print and source
format:

 http://www.openpkg.org/doc/slideset/openpkg/    (HTML/PNG)
 http://www.openpkg.org/doc/slideset/openpkg.pdf (PDF 1.3)
 http://www.openpkg.org/doc/slideset/openpkg.ppt (Powerpoint 2003)

Yours,
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       rse@openpkg.org


From openpkg-announce-owner@openpkg.org  Fri Oct 29 16:23:54 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 36AA930401D; Fri, 29 Oct 2004 16:23:53 +0200 (CEST)
Date: Fri, 29 Oct 2004 16:23:53 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.046] OpenPKG Security Advisory (postgresql)
Message-ID: <OpenPKG-SA-2004.046@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.046                                          29-Oct-2004
________________________________________________________________________

Package:             postgresql
Vulnerability:       insecure temporary file generation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= postgresql-7.4.5-20041028 >= postgresql-7.4.6-20041028
OpenPKG 2.2          <= postgresql-7.4.5-2.2.0    >= postgresql-7.4.5-2.2.1
OpenPKG 2.1          <= postgresql-7.4.3-2.1.0    >= postgresql-7.4.3-2.1.1

Dependent Packages:  none

Description:
  According to a vendor announcement [0], a vulnerability exists in
  the generation of temporary files in the PostgreSQL RDBMS [1]. The
  issue exists in the "make_oidjoins_check" script creating temporary
  files insecurely and possibly allowing a malicious user to overwrite
  another user's files via a symlink attack. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2004-0977 [2] to the
  problem.
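  The following C program is an added illustration written for this
  advisory; it is not PostgreSQL's code, and the file name pattern and
  function names are constructed. It shows the safe way to create the kind
  of temporary file the advisory describes (mkstemp() plus an fstat() check
  on the open descriptor), with the predictable-name pattern that enables
  the symlink attack described in a comment.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed illustration of the temporary-file problem class behind
 * CAN-2004-0977. It is not PostgreSQL's code; the names are made up. */

/* The unsafe pattern is a predictable path such as /tmp/oidjoins.<pid>
 * opened for writing with plain fopen()/creat(): a local user who places a
 * symlink at that path beforehand makes the writer follow it and clobber
 * whatever file the link points to, with the writer's privileges. */

/* Safe creation: mkstemp() chooses an unpredictable name and opens it with
 * O_CREAT|O_EXCL and mode 0600, so a pre-placed symlink makes the open fail
 * instead of being followed. fstat() on the descriptor we hold (never a
 * second stat() by name) then confirms it is our own regular file with a
 * single link. Returns the descriptor or -1; on success path_out holds the
 * name and the caller is responsible for unlink(). */
static int open_private_tempfile(const char *dir, char *path_out, size_t path_sz)
{
    int n = snprintf(path_out, path_sz, "%s/oidjoins.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_sz)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid() || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Round trip used by main and the checks: create the file, write through
 * the descriptor, verify the name lies under dir, clean up. Returns the
 * permission bits of the created file (0600 on success) or -1. */
static int tempfile_selftest(const char *dir)
{
    char path[4096];
    int fd = open_private_tempfile(dir, path, sizeof path);
    if (fd < 0)
        return -1;
    struct stat st;
    int mode = (fstat(fd, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    if (write(fd, "oid join check\n", 15) != 15)
        mode = -1;
    if (strncmp(path, dir, strlen(dir)) != 0)
        mode = -1;
    close(fd);
    unlink(path);
    return mode;
}

int main(void)
{
    int mode = tempfile_selftest("/tmp");
    printf("private temp file mode: %o\n", mode);
    return mode == 0600 ? 0 : 1;
}
```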

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q postgresql". If you have the "postgresql" package installed and
  its version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get postgresql-7.4.5-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig postgresql-7.4.5-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild postgresql-7.4.5-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/postgresql-7.4.5-2.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.postgresql.org/news/234.html
  [1] http://www.postgresql.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0977
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/postgresql-7.4.5-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/postgresql-7.4.3-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBglJmgHWT4GPEy58RAueIAKDP33ovouI34vd+CuiwPpaeTGPCCwCeOGZG
YdiADsf3fii2vRM4yl3mF1g=
=bMr1
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Oct 29 16:39:47 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id EBC7C304105; Fri, 29 Oct 2004 16:39:46 +0200 (CEST)
Date: Fri, 29 Oct 2004 16:39:46 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.047] OpenPKG Security Advisory (apache)
Message-ID: <OpenPKG-SA-2004.047@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.047                                          29-Oct-2004
________________________________________________________________________

Package:             apache
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.32-20041028 >= apache-1.3.33-20041029
OpenPKG 2.2          <= apache-1.3.31-2.2.0    >= apache-1.3.31-2.2.1
OpenPKG 2.1          <= apache-1.3.31-2.1.5    >= apache-1.3.31-2.1.6
OpenPKG 2.0          <= apache-1.3.29-2.0.6    >= apache-1.3.29-2.0.7 (*)
                     (*) actually already end-of-life

Dependent Packages:  none

Description:
  According to a vendor announcement [1], a vulnerability exists in
  the Apache HTTP server [0], version 1.3. The problem is a potential
  buffer overflow in the "get_tag" function of Apache's SSI module
  "mod_include". It allows local users who can create SSI documents
  to execute arbitrary code as the Apache run-time user via SSI
  documents that trigger a content length calculation error. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0940 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q apache". If you have the "apache" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get apache-1.3.31-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.31-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild apache-1.3.31-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.31-2.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://httpd.apache.org/
  [1] http://www.apache.org/dist/httpd/Announcement.html
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/apache-1.3.31-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/apache-1.3.31-2.1.6.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBglYagHWT4GPEy58RAiWOAJ4grmkr9HqULrFBv8xnXEbrn4jp4ACeOQfq
pmAzG6r/HxkJho1rVnAcBxU=
=bBiA
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Oct 29 16:53:20 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id BFF50301A87; Fri, 29 Oct 2004 16:53:19 +0200 (CEST)
Date: Fri, 29 Oct 2004 16:53:19 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.048] OpenPKG Security Advisory (squid)
Message-ID: <OpenPKG-SA-2004.048@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.048                                          29-Oct-2004
________________________________________________________________________

Package:             squid (option "with_snmp yes" only)
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:      Corrected Packages:
OpenPKG CURRENT      <= squid-2.5.6-20040913 >= squid-2.5.7-20041012
OpenPKG 2.2          none                    N.A.
OpenPKG 2.1          <= squid-2.5.6-2.1.0    >= squid-2.5.6-2.1.1

Dependent Packages:  none

Description:
  According to an iDEFENSE security advisory [0], a denial of service
  (DoS) vulnerability exists in the Squid web caching proxy [1]. The
  "asn_parse_header" function in the SNMP module of Squid before
  version 2.4.STABLE7 allows remote attackers to cause a denial of
  service (server restart) via certain SNMP packets with negative
  length fields that cause a memory allocation error. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0918 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  squid" and "<prefix>/bin/rpm -qi squid | grep with_snmp". If you have
  the "squid" package with option "with_snmp" installed and its version
  is affected (see above), we recommend that you immediately upgrade
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the previous release OpenPKG 2.1, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get squid-2.5.6-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig squid-2.5.6-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild squid-2.5.6-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/squid-2.5.6-2.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.idefense.com/application/poi/display?id=152
  [1] http://www.squid-cache.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0918
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/squid-2.5.6-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBgllNgHWT4GPEy58RAuOuAJ0aemAHXPo9pTKgOh8OtW/J/xihYwCfdW01
zpDwYACYJT+WD2p+gJDCwmY=
=GmCs
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Sat Oct 30 13:49:00 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id E9F43304563; Sat, 30 Oct 2004 13:48:59 +0200 (CEST)
Date: Sat, 30 Oct 2004 13:48:59 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.045] OpenPKG Security Advisory (mysql)
Message-ID: <OpenPKG-SA-2004.045@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.045                                          30-Oct-2004
________________________________________________________________________

Package:             mysql
Vulnerability:       multiple vulnerabilities
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= mysql-4.0.20-20040910  >= mysql-4.0.21-20040910
OpenPKG 2.2          none                      N.A.
OpenPKG 2.1          <= mysql-4.0.20-2.1.0     >= mysql-4.0.20-2.1.1

Affected Releases:   Dependent Packages:

OpenPKG CURRENT      apache:with_mod_php_mysql apache:with_mod_auth_mysql
                     bind:with_dlz_mysql cacti exim:with_mysql
                     jabberd:with_mysql libgda:with_mysql myodbc mysqlcc
                     perl-dbi:with_dbd_mysql php:with_mysql
                     php3:with_mysql php5:with_mysql postfix:with_mysql
                     powerdns:with_mysql proftpd:with_mysql
                     pureftpd:with_mysql qt:with_mysql rekall:with_mysql
                     ripe-dbase rt:with_db_mysql sasl:with_mysql
                     sendmail:with_mysql snort:with_mysql tacacs:with_mysql

OpenPKG 2.2          N.A.

OpenPKG 2.1          apache:with_mod_php_mysql apache:with_mod_auth_mysql
                     bind:with_dlz_mysql cacti exim:with_mysql
                     perl-dbi:with_dbd_mysql php:with_mysql
                     postfix:with_mysql proftpd:with_mysql
                     pureftpd:with_mysql qt:with_mysql sasl:with_mysql
                     sendmail:with_mysql snort:with_mysql

Description:
  Several vulnerabilities including privilege abuse, Denial of Service,
  and potentially remote arbitrary code execution have been discovered
  in the MySQL RDBMS [1].
  
  Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect
  function. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0836 [2] to this problem.

  Dean Ellis noticed that multiple threads ALTERing the same (or
  different) MERGE tables to change the UNION can cause the server to
  crash or stall. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0837 [3] to this problem.

  A crash can occur with "MATCH..AGAINST", resulting in a denial of
  service (MySQL bugs 3870 and 2708). A privilege escalation can occur
  with "GRANT" (MySQL bug 3933).

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  mysql". If you have the "mysql" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages. [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6], fetch it from the OpenPKG FTP service [7] or a mirror location,
  verify its integrity [8], build a corresponding binary RPM from it
  [4] and update your OpenPKG installation by applying the binary RPM
  [5]. For the previous release OpenPKG 2.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get mysql-4.0.20-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig mysql-4.0.20-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild mysql-4.0.20-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/mysql-4.0.20-2.1.1.*.rpm

  Additionally, it is recommended that you rebuild and reinstall
  all dependent packages (see above) as well [4][5].
________________________________________________________________________

References:
  [1]  http://www.mysql.com/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/2.1/UPD/mysql-4.0.20-2.1.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.1/UPD/
  [8]  http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBg3+SgHWT4GPEy58RApPAAJ9zJUGoZWc2O/gzZU+QsEBx112GewCfeCze
ISdurW/oYeVVZe+vKZIKmYg=
=FgxI
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Sat Oct 30 13:50:29 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id A6D3E30465E; Sat, 30 Oct 2004 13:50:28 +0200 (CEST)
Date: Sat, 30 Oct 2004 13:50:28 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.049] OpenPKG Security Advisory (gd)
Message-ID: <OpenPKG-SA-2004.049@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.049                                          30-Oct-2004
________________________________________________________________________

Package:             gd
Vulnerability:       denial of service, arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG CURRENT      <= gd-2.0.28-20041001    >= gd-2.0.29-20041030
OpenPKG 2.2          <= gd-2.0.28-2.2.0       >= gd-2.0.28-2.2.1
OpenPKG 2.1          <= gd-2.0.27-2.1.1       >= gd-2.0.27-2.1.2

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      analog, apache::with_mod_php_gd, libwmf, mrtg,
                     nagios, perl-gd, php::with_gd, php3::with_gd,
                     php5::with_gd, webalizer, zimg
OpenPKG 2.2          analog, apache::with_mod_php_gd, libwmf, mrtg,
                     perl-gd, php::with_gd, webalizer
OpenPKG 2.1          analog, apache::with_mod_php_gd, libwmf,
                     perl-gd, php::with_gd, webalizer

Description:
  In a BUGTRAQ posting [0], a vulnerability was reported for the
  graphics library GD [1]. There can be an integer overflow when
  allocating memory in the routine that handles loading of PNG image
  files. This later leads to heap data structures being overwritten. If
  an attacker tricked a user into loading a malicious PNG image, they
  could leverage this into executing arbitrary code in the context of
  the user opening the image. Similar integer overflow possibilities
  also exist in other code parts of GD. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0990 [2] to the
  problem.
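  The Squid SNMP bug above (a negative length field reaching memory
  allocation) and this GD PNG bug (an integer overflow while computing an
  allocation size) are the same class of defect: an attacker-supplied size
  is handed to the allocator before anyone checks it. The C below is an
  added illustration of that class written for this page; it is not code
  from Squid, GD or OpenPKG. The BER packet bytes, the 32-bit size type,
  the 64 MiB limit and the image dimensions are assumptions chosen to make
  the failure visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Part 1: a BER length field, as an SNMP parser decodes it for every element. */

/* Unsafe pattern: accumulate into a signed int and trust the result. The
 * long-form encoding 84 ff ff ff ff decodes to -1, and a following
 * malloc(len) or memcpy(dst, src, len) receives (size_t)-1. */
int ber_length_unchecked(const unsigned char *p, size_t n, int *len_out)
{
    if (n < 1)
        return -1;
    if (p[0] < 0x80) {                     /* short form: one byte */
        *len_out = p[0];
        return 1;
    }
    size_t nbytes = p[0] & 0x7f;           /* long form: nbytes follow */
    if (nbytes + 1 > n)
        return -1;
    uint32_t acc = 0;
    for (size_t i = 0; i < nbytes; i++)
        acc = (acc << 8) | p[1 + i];
    *len_out = (int)acc;                   /* 0xffffffff becomes -1 */
    return (int)(1 + nbytes);
}

/* Checked: unsigned arithmetic, no indefinite (0x80) or oversized length
 * encodings, and the decoded length must fit in the bytes that remain. */
int ber_length_checked(const unsigned char *p, size_t n, size_t *len_out)
{
    if (n < 1)
        return -1;
    if (p[0] < 0x80) {
        if (p[0] > n - 1)
            return -1;
        *len_out = p[0];
        return 1;
    }
    size_t nbytes = p[0] & 0x7f;
    if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes + 1 > n)
        return -1;
    size_t len = 0;
    for (size_t i = 0; i < nbytes; i++)
        len = (len << 8) | p[1 + i];
    if (len > n - 1 - nbytes)              /* would run past the packet */
        return -1;
    *len_out = len;
    return (int)(1 + nbytes);
}

/* Part 2: the pixel buffer for a w x h image with bpp bytes per pixel. */

/* Unsafe pattern: the product wraps in 32-bit arithmetic, so a header
 * claiming 65536 x 65536 x 4 yields a 0-byte allocation that the row
 * decoding loop then overruns. */
uint32_t image_bytes_unchecked(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Checked: refuse zero dimensions and any product above `limit`, tested
 * with division so the multiplication itself can never wrap. */
int image_bytes_checked(uint32_t w, uint32_t h, uint32_t bpp,
                        size_t limit, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0 || w > limit / bpp)
        return -1;
    size_t row = (size_t)w * bpp;
    if (h > limit / row)
        return -1;
    *out = row * h;
    return 0;
}

int main(void)
{
    /* constructed: a length field claiming 0xffffffff bytes, then 2 bytes */
    const unsigned char pkt[] = { 0x84, 0xff, 0xff, 0xff, 0xff, 0x30, 0x00 };
    int slen = 0;
    size_t ulen = 0, bytes = 0;
    int rc = ber_length_unchecked(pkt, sizeof pkt, &slen);
    printf("unchecked BER: consumed %d, length %d\n", rc, slen);
    printf("checked BER:   rc %d\n", ber_length_checked(pkt, sizeof pkt, &ulen));
    printf("unchecked image bytes (65536x65536x4): %u\n",
           (unsigned)image_bytes_unchecked(65536, 65536, 4));
    printf("checked image: rc %d\n",
           image_bytes_checked(65536, 65536, 4, (size_t)64 << 20, &bytes));
    return 0;
}
```

  The checked variants reject rather than clamp: a parser that silently
  shrinks a bad length keeps parsing attacker-chosen garbage, and an image
  loader that clamps dimensions still has a header that disagrees with its
  buffer.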

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q gd". If you have the "gd" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it (see
  Solution) and its dependent packages (see above), if any, too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get gd-2.0.28-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig gd-2.0.28-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild gd-2.0.28-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/gd-2.0.28-2.2.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/379382 
  [1] http://www.boutell.com/gd/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0990
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/gd-2.0.28-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/gd-2.0.27-2.1.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBg3/lgHWT4GPEy58RAkZ2AKCYEWtrb9gxDdQUHp4V40xcC3aoGgCeLAKa
NjSlMU1Xi905AyVUaoiG298=
=nlRU
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Sun Oct 31 10:31:57 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id F003D3047C1; Sun, 31 Oct 2004 10:31:56 +0100 (CET)
Date: Sun, 31 Oct 2004 10:31:56 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.050] OpenPKG Security Advisory (libxml)
Message-ID: <OpenPKG-SA-2004.050@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.050                                          31-Oct-2004
________________________________________________________________________

Package:             libxml
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= libxml-2.6.14-20041022 >= libxml-2.6.15-20041028
OpenPKG 2.2          <= libxml-2.6.14-2.2.0    >= libxml-2.6.14-2.2.1
OpenPKG 2.1          <= libxml-2.6.11-2.1.0    >= libxml-2.6.11-2.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_dom, cadaver, dia, gconf,
                     gift-gnutella, gq, heartbeat, imagemagick, kde-libs, 
                     libgda, libgdome, libglade, librsvg, libwmf, libxslt,
                     neon, pan, papyrus, perl-xml, php::with_dom,
                     php5::with_xml, php5::with_dom, ripe-dbase, roadrunner,
                     scli, sitecopy, snownews, subversion, wv, xmlsec,
                     xmlstarlet, xmlto, xmms
OpenPKG 2.2          apache::with_mod_php_dom, cadaver, gconf, gift-gnutella,
                     imagemagick, libgdome, libwmf, libxslt, neon, perl-xml,
                     php::with_dom, scli, sitecopy, subversion, xmlsec
OpenPKG 2.1          apache::with_mod_php_dom, cadaver, gift-gnutella,
                     imagemagick, libgdome, libwmf, libxslt, neon, perl-xml,
                     php::with_dom, scli, sitecopy, subversion, xmlsec

Description:
  According to a BUGTRAQ posting [0], multiple vulnerabilities exist in
  the XML parsing library libxml [1]. Multiple buffer overflows may
  allow remote attackers to execute arbitrary code via a long FTP URL
  that is not properly handled by the "xmlNanoFTPScanURL" function,
  a long proxy URL containing FTP data that is not properly handled
  by the "xmlNanoFTPScanProxy" function, and other overflows related
  to the manipulation of DNS length values in "xmlNanoFTPConnect"
  and "xmlNanoHTTPConnectHost". The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0989 [2] to the
  problems.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q libxml". If you have the "libxml" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above), if
  any, too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get libxml-2.6.14-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig libxml-2.6.14-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild libxml-2.6.14-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/libxml-2.6.14-2.2.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
________________________________________________________________________

References:
  [0] http://www.securityfocus.com/archive/1/379383/2004-10-24/2004-10-30/0 
  [1] http://xmlsoft.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0989
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/libxml-2.6.14-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/libxml-2.6.11-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBhLD2gHWT4GPEy58RAgg4AJ9C+Di2wpvm/g/rd4T2OLbJADa0wgCdE7Em
T79dOmoQ9aCayM9BCNMBsog=
=Oh/e
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Nov 29 17:23:15 2004
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 9632F30069E; Mon, 29 Nov 2004 17:23:14 +0100 (CET)
Date: Mon, 29 Nov 2004 17:23:14 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.051] OpenPKG Security Advisory (imapd)
Message-ID: <OpenPKG-SA-2004.051@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.051                                          29-Nov-2004
________________________________________________________________________

Package:             imapd
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= imapd-2.2.9-20041123     >= imapd-2.2.10-20041124
OpenPKG 2.2          <= imapd-2.2.8-2.2.0        >= imapd-2.2.8-2.2.1
OpenPKG 2.1          <= imapd-2.2.6-2.1.0        >= imapd-2.2.6-2.1.1

Affected Releases:   Dependent Packages: none

Description:
  According to a security advisory from Stefan Esser [0], several
  vulnerabilities exist in Cyrus imapd [1]. The updated OpenPKG packages
  fix all these problems.

  When the option "IMAPMAGICPLUS" is activated on a server, the
  "PROXY" and "LOGIN" commands suffer a standard stack overflow,
  because the username is not checked against a maximum length. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-1011 [2] to the problem.

  Due to a bug within the argument parser of the "PARTIAL" command
  buffer positions outside the allocated memory buffer may be accessed.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-1012 [3] to the problem.

  The argument parser of the "FETCH" command suffers a similar bug. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-1013 [4] to the problem.

  Under memory allocation failure conditions the "cmd_append" handler
  supporting "MULTIAPPENDS" may enter code paths doing post increments
  whose behavior is undefined in ANSI C. The same function also suffers
  from an integer wrap. No CVE id.
  
  Another "IMAPMAGICPLUS" overflow was later discovered by Thomas
  Klaeger in proxyd.c "proxyd_canon_user" function. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-1015 [5] to the problem.
  
  Sebastian Krahmer mentioned a missing NUL-termination in global.c and
  provided a patch. No CVE id.
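  The unchecked username length behind CAN-2004-1011, the missing
  NUL-termination in global.c, and the long FTP URL handled by
  "xmlNanoFTPScanURL" in the libxml advisory above share one root cause:
  an attacker-controlled string is copied into a fixed-size buffer without
  a length check, or with a routine that does not guarantee termination.
  The C below is an added illustration for this page, not the Cyrus,
  libxml or OpenPKG code. The URL grammar, the 64-byte host buffer and the
  sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* assumed size of the fixed host buffer */

/* Unsafe pattern: the host part of "ftp://host[:port][/path]" is copied
 * into a fixed buffer with no length check. A host longer than HOST_MAX-1
 * bytes writes past the end of `host`, which in the real parsers lived on
 * the stack. Shown for contrast; only ever call it with trusted input. */
void scan_ftp_host_unchecked(const char *url, char host[HOST_MAX])
{
    const char *p = url + strlen("ftp://");
    size_t n = strcspn(p, ":/");
    memcpy(host, p, n);                 /* n is attacker-controlled */
    host[n] = '\0';
}

/* Checked: verify the scheme, require a non-empty host, bound its length
 * against the caller's buffer, and always leave `host` NUL-terminated.
 * Over-long input is rejected rather than truncated, because a truncated
 * host name silently names a different host. Returns 0 or -1. */
int scan_ftp_host_checked(const char *url, char *host, size_t hostsz)
{
    if (hostsz == 0)
        return -1;
    host[0] = '\0';
    if (strncmp(url, "ftp://", 6) != 0)
        return -1;
    const char *p = url + 6;
    size_t n = strcspn(p, ":/");
    if (n == 0 || n >= hostsz)
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* The other half of the problem: strncpy() does not terminate `dst` when
 * `src` has dstsz or more bytes, so the next strlen()/printf() reads on
 * past the buffer. `dst` is poisoned first so the result is observable.
 * Returns 1 if `dst` is terminated afterwards, 0 if not. */
int strncpy_terminates(const char *src, char *dst, size_t dstsz)
{
    memset(dst, 'X', dstsz);
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Bounded copy that always terminates and reports when the string did
 * not fit, leaving `dst` empty in that case. Returns 0 or -1. */
int copy_terminated(const char *src, char *dst, size_t dstsz)
{
    if (dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed input: an FTP URL whose host is 100 bytes of 'a'. */
const char *long_host_url(void)
{
    static char url[128];
    memset(url, 'a', sizeof url);
    memcpy(url, "ftp://", 6);
    url[6 + 100] = '/';
    url[6 + 101] = '\0';
    return url;
}

int main(void)
{
    char host[HOST_MAX], buf[8];
    int rc = scan_ftp_host_checked("ftp://ftp.openpkg.org/release/2.2/UPD/",
                                   host, sizeof host);
    printf("rc %d host \"%s\"\n", rc, host);
    rc = scan_ftp_host_checked(long_host_url(), host, sizeof host);
    printf("rc %d for a 100-byte host (buffer is %u bytes)\n", rc, HOST_MAX);
    printf("strncpy terminated: %d\n", strncpy_terminates("abcdefgh", buf, sizeof buf));
    printf("copy_terminated rc: %d\n", copy_terminated("abcdefgh", buf, sizeof buf));
    return 0;
}
```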
  
  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q imapd". If you have the "imapd" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it [6][7].
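  Every advisory above asks the reader to compare the output of
  "<prefix>/bin/openpkg rpm -q <package>" (a "name-version-release"
  string) against the "Corrected Packages" column. The C program below is
  an added example for this page, not an OpenPKG tool, that performs that
  comparison mechanically with the segment-wise rules of RPM's own
  rpmvercmp(). The "~" and "^" rules of later RPM releases are omitted,
  the package strings are taken from the tables above, and is_affected()
  assumes the caller picks the corrected package of the same OpenPKG
  release as the installed one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Segment-wise comparison modelled on RPM's rpmvercmp(): cut both strings
 * into runs of digits or of letters (anything else separates) and compare
 * run by run. Numeric runs compare by value, alphabetic runs lexically,
 * and a numeric run sorts as newer than an alphabetic one. Returns -1, 0, 1. */
int vercmp(const char *a, const char *b)
{
    const char *one = a, *two = b;

    if (strcmp(a, b) == 0)
        return 0;
    while (*one || *two) {
        while (*one && !isalnum((unsigned char)*one)) one++;
        while (*two && !isalnum((unsigned char)*two)) two++;
        if (!(*one && *two))
            break;
        const char *e1 = one, *e2 = two;
        int isnum = isdigit((unsigned char)*one) != 0;
        if (isnum) {
            while (isdigit((unsigned char)*e1)) e1++;
            while (isdigit((unsigned char)*e2)) e2++;
        } else {
            while (isalpha((unsigned char)*e1)) e1++;
            while (isalpha((unsigned char)*e2)) e2++;
        }
        if (e2 == two)                        /* run types differ */
            return isnum ? 1 : -1;
        if (isnum) {                          /* drop leading zeros */
            while (one < e1 && *one == '0') one++;
            while (two < e2 && *two == '0') two++;
        }
        size_t l1 = (size_t)(e1 - one), l2 = (size_t)(e2 - two);
        if (isnum && l1 != l2)                /* more digits: larger */
            return l1 > l2 ? 1 : -1;
        int rc = memcmp(one, two, l1 < l2 ? l1 : l2);
        if (rc != 0)
            return rc < 0 ? -1 : 1;
        if (l1 != l2)
            return l1 < l2 ? -1 : 1;
        one = e1;
        two = e2;
    }
    if (!*one && !*two)
        return 0;
    return !*one ? -1 : 1;
}

/* Split "name-version-release" at its last two hyphens, so names that
 * themselves contain hyphens (perl-dbi) survive. Returns 0 or -1. */
static int split_nvr(const char *nvr, char *name, size_t nsz,
                     char *ver, size_t vsz, char *rel, size_t rsz)
{
    const char *r = strrchr(nvr, '-'), *v = NULL;
    if (!r || r == nvr)
        return -1;
    for (const char *p = r - 1; p > nvr; p--)
        if (*p == '-') { v = p; break; }
    if (!v)
        return -1;
    size_t nl = (size_t)(v - nvr), vl = (size_t)(r - v - 1), rl = strlen(r + 1);
    if (nl == 0 || vl == 0 || rl == 0 || nl >= nsz || vl >= vsz || rl >= rsz)
        return -1;
    memcpy(name, nvr, nl); name[nl] = '\0';
    memcpy(ver, v + 1, vl); ver[vl] = '\0';
    memcpy(rel, r + 1, rl); rel[rl] = '\0';
    return 0;
}

/* 1: `installed` is older than `corrected` (still affected); 0: at least
 * the corrected package; -1: malformed input or package name mismatch. */
int is_affected(const char *installed, const char *corrected)
{
    char n1[64], v1[64], r1[64], n2[64], v2[64], r2[64];
    if (split_nvr(installed, n1, sizeof n1, v1, sizeof v1, r1, sizeof r1) != 0)
        return -1;
    if (split_nvr(corrected, n2, sizeof n2, v2, sizeof v2, r2, sizeof r2) != 0)
        return -1;
    if (strcmp(n1, n2) != 0)
        return -1;
    int rc = vercmp(v1, v2);
    if (rc == 0)
        rc = vercmp(r1, r2);
    return rc < 0 ? 1 : 0;
}

int main(void)
{
    /* constructed: what "openpkg rpm -q apache" might print on an OpenPKG
       2.2 host, against the corrected package from the apache table */
    const char *installed = "apache-1.3.31-2.2.0";
    const char *corrected = "apache-1.3.31-2.2.1";
    int rc = is_affected(installed, corrected);
    printf("%s vs %s: %s\n", installed, corrected,
           rc == 1 ? "affected, upgrade" : rc == 0 ? "not affected" : "cannot compare");
    return 0;
}
```

  Note the RPM quirk the test below records: a version such as
  "2.5.STABLE7" sorts before "2.5.6", because an alphabetic run loses to a
  numeric one, which is why comparing against the exact package string from
  the table matters more than reading the upstream version number.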

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [8][9], fetch it from the OpenPKG FTP service [10][11] or a mirror
  location, verify its integrity [12], build a corresponding binary RPM
  from it [6] and update your OpenPKG installation by applying the
  binary RPM [7]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get imapd-2.2.8-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig imapd-2.2.8-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild imapd-2.2.8-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/imapd-2.2.8-2.2.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [6][7].
________________________________________________________________________

References:
  [0] http://security.e-matters.de/advisories/152004.html 
  [1] http://asg.web.cmu.edu/cyrus/imapd/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
  [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
  [6] http://www.openpkg.org/tutorial.html#regular-source
  [7] http://www.openpkg.org/tutorial.html#regular-binary
  [8] ftp://ftp.openpkg.org/release/2.2/UPD/imapd-2.2.8-2.2.1.src.rpm
  [9] ftp://ftp.openpkg.org/release/2.1/UPD/imapd-2.2.6-2.1.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/2.2/UPD/
  [11] ftp://ftp.openpkg.org/release/2.1/UPD/
  [12] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBq0xYgHWT4GPEy58RAmf8AKCfU689XYrzG8sZyX2yarquUKE0VgCfSk/c
lMGiX8Fe/lKwjvTkwffV/Xg=
=DeKk
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Dec 15 18:17:02 2004
Date: Wed, 15 Dec 2004 18:17:02 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.052] OpenPKG Security Advisory (vim)
Message-ID: <OpenPKG-SA-2004.052@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.052                                          15-Dec-2004
________________________________________________________________________

Package:             vim
Vulnerability:       source arbitrary scripts
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= vim-6.3.44-20041209      >= vim-6.3.45-20041210 
OpenPKG 2.2          <= vim-6.3.30-2.2.0         >= vim-6.3.30-2.2.1    
OpenPKG 2.1          <= vim-6.3.11-2.1.0         >= vim-6.3.11-2.1.1    

Dependent Packages:  none

Description:
  The Gentoo Vim maintainer Ciaran McCreesh found several
  "modeline"-related vulnerabilities in the Vim editor [1] and reported
  them to the vendor. Bram Moolenaar created patch 6.3.045, which fixes
  the reported vulnerabilities and applies more conservative "modeline"
  rights. The Common Vulnerabilities and Exposures (CVE) project assigned
  the id CAN-2004-1138 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q vim". If you have the "vim" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get vim-6.3.30-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig vim-6.3.30-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild vim-6.3.30-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/vim-6.3.30-2.2.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.vim.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1138
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/vim-6.3.30-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/vim-6.3.11-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBwHFvgHWT4GPEy58RAtzMAKCkcrNyH3kuhcnt5zo2ni0/LSA96gCg54Cl
lLn+VG19loTfrU4iy66ZdlA=
=tSIj
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Dec 16 22:23:13 2004
Date: Thu, 16 Dec 2004 22:23:13 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.053] OpenPKG Security Advisory (php)
Message-ID: <OpenPKG-SA-2004.053@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.053                                          16-Dec-2004
________________________________________________________________________

Package:             php
Vulnerability:       local and remote execution of arbitrary code
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= php-4.3.9-20041130     >= php-4.3.10-20041215
                     <= apache-1.3.33-20041215 >= apache-1.3.33-20041215  
OpenPKG 2.2          <= php-4.3.9-2.2.0        >= php-4.3.9-2.2.2
                     <= apache-1.3.31-2.2.1    >= apache-1.3.31-2.2.3    
OpenPKG 2.1          <= php-4.3.8-2.1.2        >= php-4.3.8-2.1.4
                     <= apache-1.3.31-2.1.6    >= apache-1.3.31-2.1.8

Dependent Packages:  none

Description:
  According to a PHP [0] vendor release announcement [1] and a security
  advisory [2] from Stefan Esser of the Hardened-PHP project, several
  very serious security issues were fixed in the 4.3.10 maintenance
  release. The OpenPKG project extracted and backported the fixes.

  An out-of-bounds memory write in shmop_write() and integer
  overflow/underflow in the pack() and unpack() functions. The Common
  Vulnerabilities and Exposures (CVE) project assigned the candidate id
  CAN-2004-1018 [3] to the problem and later rejected it because it was
  not considered to be a serious security issue.

  Possible information disclosure, double free and negative
  reference index array underflow in deserialization code. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-1019 [4] to the problem.

  The addslashes() function does not escape \0 correctly. The Common
  Vulnerabilities and Exposures (CVE) project assigned the candidate id
  CAN-2004-1020 [5] to the problem and later rejected it because it was
  not considered to be a serious security issue.

  Directory bypass in safe_mode execution. The Common Vulnerabilities
  and Exposures (CVE) project assigned the candidate id CAN-2004-1063
  [6] to the problem and later rejected it because it was not considered
  to be a serious security issue.

  Arbitrary file access through path truncation. The Common
  Vulnerabilities and Exposures (CVE) project assigned the candidate id
  CAN-2004-1064 [7] to the problem and later rejected it because it was
  not considered to be a serious security issue.

  The exif_read_data() function suffers from an overflow on a long
  section name. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-1065 [8] to the problem.

  The "magic_quotes_gpc" functionality could lead to a one-level
  directory traversal with file uploads. The Common Vulnerabilities and
  Exposures (CVE) project assigned no id to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q php". If you have the "php" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [9][10].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror
  location, verify its integrity [15], build a corresponding binary RPM
  from it [9] and update your OpenPKG installation by applying the
  binary RPM [10]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get php-4.3.9-2.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig php-4.3.9-2.2.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild php-4.3.9-2.2.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/php-4.3.9-2.2.2.*.rpm
________________________________________________________________________

References:
  [0]  http://www.php.net/
  [1]  http://www.php.net/release_4_3_10.php 
  [2]  http://www.hardened-php.net/advisories/012004.txt
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1018
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1019
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1020
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1063
  [7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1064
  [8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1065
  [9]  http://www.openpkg.org/tutorial.html#regular-source
  [10] http://www.openpkg.org/tutorial.html#regular-binary
  [11] ftp://ftp.openpkg.org/release/2.2/UPD/php-4.3.9-2.2.2.src.rpm
  [12] ftp://ftp.openpkg.org/release/2.1/UPD/php-4.3.8-2.1.4.src.rpm
  [13] ftp://ftp.openpkg.org/release/2.2/UPD/
  [14] ftp://ftp.openpkg.org/release/2.1/UPD/
  [15] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBwfyrgHWT4GPEy58RAl92AKCCyJtcajHH+offSqSYHCTd3EktFgCgq5Np
K7JUISp/AjmwMCN/Gz7og7M=
=2l65
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Dec 17 17:11:17 2004
Date: Fri, 17 Dec 2004 17:11:17 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.054] OpenPKG Security Advisory (samba)
Message-ID: <OpenPKG-SA-2004.054@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.054                                          17-Dec-2004
________________________________________________________________________

Package:             samba
Vulnerability:       denial of service, arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= samba-3.0.9-20041119     >= samba-3.0.10-20041216
OpenPKG 2.2          <= samba-3.0.7-2.2.0        >= samba-3.0.7-2.2.1
OpenPKG 2.1          <= samba-3.0.4-2.1.2        >= samba-3.0.4-2.1.3

Dependent Packages:  none

Description:
  Several vulnerabilities exist in the Samba SMB/CIFS server [1]. The
  OpenPKG team applied official patches where available and backported
  others to address all known issues.

  According to a security advisory [2] from Stefan Esser, a Unicode
  filename buffer overflow in the handling of "TRANSACT2_QFILEPATHINFO"
  replies was discovered that allows remote execution of arbitrary code.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0882 [4] to the problem.

  A problem in the ms_fnmatch() function allows remote authenticated
  users to consume excessive CPU horsepower and cause a denial of
  service via an SMB request that contains multiple asterisk characters.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0930 [5] to the problem.

  According to a security advisory [3] from the Samba team, an integer
  overflow vulnerability in the "smbd" daemon could allow an attacker
  to cause controllable heap corruption, leading to execution of
  arbitrary commands with root privileges. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2004-1154 [6] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q samba". If you have the "samba" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [7][8].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [9][10], fetch it from the OpenPKG FTP service [11][12] or a mirror
  location, verify its integrity [13], build a corresponding binary RPM
  from it [7] and update your OpenPKG installation by applying the
  binary RPM [8]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get samba-3.0.7-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig samba-3.0.7-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild samba-3.0.7-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/samba-3.0.7-2.2.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.samba.org/
  [2] http://security.e-matters.de/advisories/132004.html
  [3] http://us4.samba.org/samba/security/CAN-2004-1154.html
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
  [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0930
  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1154
  [7] http://www.openpkg.org/tutorial.html#regular-source
  [8] http://www.openpkg.org/tutorial.html#regular-binary
  [9] ftp://ftp.openpkg.org/release/2.2/UPD/samba-3.0.7-2.2.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/2.1/UPD/samba-3.0.4-2.1.3.src.rpm
  [11] ftp://ftp.openpkg.org/release/2.2/UPD/
  [12] ftp://ftp.openpkg.org/release/2.1/UPD/
  [13] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBwwUUgHWT4GPEy58RAjBiAKDNrWDjb2mM3ZqPLqo8M3ukvvs/sgCeMqYQ
WcM7fuYB9Qbixyinb8wlPXo=
=rNqz
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Dec 17 18:59:07 2004
Date: Fri, 17 Dec 2004 18:59:06 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.056] OpenPKG Security Advisory (cvstrac)
Message-ID: <OpenPKG-SA-2004.056@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.056                                          17-Dec-2004
________________________________________________________________________

Package:             cvstrac
Vulnerability:       cross-site scripting
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= cvstrac-1.1.4-20041109 >= cvstrac-1.1.5-20041217
OpenPKG 2.2          <= cvstrac-1.1.4-2.2.0    >= cvstrac-1.1.4-2.2.1
OpenPKG 2.1          <= cvstrac-1.1.3-2.1.2    >= cvstrac-1.1.3-2.1.3

Dependent Packages:  none

Description:
  Michael Krax discovered a Cross-Site Scripting (XSS) vulnerability
  in the CVS repository web frontend CVSTrac [1]. All versions below
  CVSTrac 1.1.5 are affected. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2004-1146 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q cvstrac". If you have the "cvstrac" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get cvstrac-1.1.4-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig cvstrac-1.1.4-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild cvstrac-1.1.4-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvstrac-1.1.4-2.2.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.cvstrac.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1146
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/cvstrac-1.1.4-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/cvstrac-1.1.3-2.1.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBwx5PgHWT4GPEy58RAlzFAKCk2HvO07H6i//PYY3L0Sj0mNKy5QCaAywX
S9nXpSpZR2alJ8TfIGYGc3k=
=hf0e
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Dec 23 15:37:48 2004
Date: Thu, 23 Dec 2004 15:37:48 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2004.055] OpenPKG Security Advisory (gettext)
Message-ID: <OpenPKG-SA-2004.055@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.055                                          23-Dec-2004
________________________________________________________________________

Package:             gettext
Vulnerability:       insecure temporary file generation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= gettext-0.14.1-20041006 >= gettext-0.14.1-20041217
OpenPKG 2.2          <= gettext-0.14.1-2.2.0    >= gettext-0.14.1-2.2.1
OpenPKG 2.1          <= gettext-0.14.1-2.1.0    >= gettext-0.14.1-2.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      aegis, apache, doodle, giftoxic, gimp, glib2, gpa,
                     gqview, gtk2, heartbeat, indent, kcd, kde-base,
                     kde-libs, kolab, libextractor, lyx, openjade,
                     orbit, papyrus, perl-locale, php, php5, popt,
                     smbc, subversion, xine-lib, xine-ui, yodl
OpenPKG 2.2          aegis, apache, giftoxic, gimp, glib2, gqview,
                     gtk2, indent, kolab, openjade, orbit, perl-locale,
                     php, popt, yodl
OpenPKG 2.1          aegis, apache, gimp, glib2, gqview, gtk2, indent,
                     kolab, openjade, orbit, perl-locale, php, popt, yodl

Description:
  Trustix security engineers discovered vulnerabilities [0] in the
  "autopoint" and "gettextize" scripts of GNU gettext [1]. The scripts
  in question insecurely generate temporary files which could allow
  a malicious user to overwrite another user's files via a "symlink
  attack". Software only using GNU gettext's headers and libraries is
  not affected by this problem, however. The Common Vulnerabilities and
  Exposures (CVE) project assigned the identifier CAN-2004-0966 [2] to
  the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q gettext". If you have the "gettext" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get gettext-0.14.1-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig gettext-0.14.1-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild gettext-0.14.1-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/gettext-0.14.1-2.2.1.*.rpm

  Additionally, we recommend rebuilding and reinstalling all dependent
  packages (see above) as well [3][4].
________________________________________________________________________

References:
  [0] http://www.trustix.org/errata/2004/0050
  [1] http://www.gnu.org/software/gettext/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0966
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/gettext-0.14.1-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/gettext-0.14.1-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFBytgqgHWT4GPEy58RAhuGAKDpeqcGekb2uYC6ng+MxUK2KMemgACeJSin
dAYcOAONTykpMwG4C7routM=
=EWyA
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Jan 11 16:09:17 2005
Date: Tue, 11 Jan 2005 16:09:16 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl)
Message-ID: <OpenPKG-SA-2005.001@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.001                                          11-Jan-2005
________________________________________________________________________

Package:             perl
Vulnerability:       information disclosure, insecure permissions
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= perl-5.8.6-20041129      >= perl-5.8.6-20050111
OpenPKG 2.2          <= perl-5.8.5-2.2.0         >= perl-5.8.5-2.2.1
OpenPKG 2.1          <= perl-5.8.4-2.1.0         >= perl-5.8.4-2.1.1

Dependent Packages:  none

Description:
  Jeroen van Wolffelaar discovered that the rmtree() function in the
  Perl [0] File::Path module removes directory trees in an insecure
  manner which could lead to the removal of arbitrary files and
  directories through a symlink attack. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0452 [1] to the
  problem.

  Trustix developers discovered several insecure uses of temporary files
  in many modules which allow a local attacker to overwrite files via a
  symlink attack. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0976 [2] to the problem.
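
  As an added example that is not part of this advisory, of GNU gettext
  or of Perl, the following shell script illustrates the temporary-file
  bug class behind both the gettext finding (CAN-2004-0966,
  OpenPKG-SA-2004.055) and the Perl module finding (CAN-2004-0976) above:
  a heuristic audit that flags hard-coded /tmp/ paths in a script, and a
  helper that allocates scratch space with mktemp -d instead. The sample
  script it audits is constructed here; the function names and the
  gettextize.XXXXXXXX template are assumptions.

```shell
#!/bin/sh
# Added example; not code from the OpenPKG advisories, GNU gettext or Perl.
# It demonstrates the temporary-file bug class behind CAN-2004-0966 and
# CAN-2004-0976: a script that builds its scratch path from a guessable
# name (typically /tmp/<tool>.$$) lets another local user pre-create a
# symlink there, so the script's later write lands on a file chosen by
# that user. Two defender-side pieces: an audit that flags the pattern in
# a script, and a helper that creates scratch space the safe way.
set -eu

# Audit: print, with line numbers, every line of script $1 that names a
# hard-coded /tmp/ path without going through mktemp. This is a heuristic
# (a comment mentioning /tmp/ is flagged too), meant for review, not proof.
find_hardcoded_tmp() {
    grep -nE '/tmp/' "$1" | grep -vE 'mktemp' || true
}

# Same audit, reduced to a hit count for use in scripts and tests.
count_hardcoded_tmp() {
    find_hardcoded_tmp "$1" | wc -l | tr -d ' '
}

# Fix: obtain a private scratch directory. mktemp -d calls mkdtemp(3),
# which picks an unpredictable name and creates the directory atomically
# with mode 0700, so there is no window in which a symlink can be planted
# at the path. Prints the directory path; returns non-zero on any doubt.
make_private_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gettextize.XXXXXXXX") || return 1
    chmod 700 "$dir" || return 1
    # Defensive re-check: it must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    printf '%s\n' "$dir"
}

# Constructed sample (assumption: written here to exercise the audit; it
# is not the real autopoint/gettextize code). Lines 3 and 5 show the weak
# pattern, line 7 the safe one.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# weak: the name is predictable from the PID and the file is not created atomically
tmpfile=/tmp/autopoint.$$
echo "$contents" > $tmpfile
cp configure.ac /tmp/gettextize.bak
# fine: unpredictable name, created atomically by mktemp(1)
safe=$(mktemp /tmp/gettextize.XXXXXX)
EOF
}

# Stand-alone demo: audit the constructed sample inside a private
# directory, then clean up. Expected: two flagged lines (3 and 5), and a
# scratch directory that is a non-symlink directory with mode 0700.
demo() {
    work=$(make_private_tmpdir)
    trap 'rm -rf "$work"' EXIT
    write_sample_script "$work/sample.sh"
    echo "hard-coded /tmp/ paths in sample.sh:"
    find_hardcoded_tmp "$work/sample.sh"
    echo "hits: $(count_hardcoded_tmp "$work/sample.sh")"
}

demo
```

  The same audit can be pointed at any installed script (for instance
  the autopoint and gettextize scripts named above) to see whether a
  given version still carries the pattern.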

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q perl". If you have the "perl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get perl-5.8.5-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig perl-5.8.5-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild perl-5.8.5-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/perl-5.8.5-2.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.perl.com/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0976
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/perl-5.8.5-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/perl-5.8.4-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFB4+wMgHWT4GPEy58RAmB8AJ9RXjXuF4foXhhDAvR4KRRJ31dUBwCg6pRb
TZQ44p6zfBdfieRvvcf3QLo=
=CkBO
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Jan 17 13:29:50 2005
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 6702C3022A3; Mon, 17 Jan 2005 13:29:50 +0100 (CET)
Date: Mon, 17 Jan 2005 13:29:50 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.002] OpenPKG Security Advisory (sudo)
Message-ID: <OpenPKG-SA-2005.002@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.002                                          17-Jan-2005
________________________________________________________________________

Package:             sudo
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= sudo-1.6.8p1-20041104    >= sudo-1.6.8p2-20041112
OpenPKG 2.2          <= sudo-1.6.8p1-2.2.1       >= sudo-1.6.8p1-2.2.2
OpenPKG 2.1          <= sudo-1.6.7p5-2.1.1       >= sudo-1.6.7p5-2.1.2

Dependent Packages:  none

Description:
  Liam Helmer discovered a design flaw in Sudo [0], a program used to
  control user privilege escalation. The Sudo function rebuild_env()
  fails to sufficiently clean potentially dangerous variables from
  the environment passed to the program to be executed. An attacker
  with Sudo access to a shell script that uses GNU Bash may therefore
  run arbitrary commands with other (including superuser) privileges.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2004-1051 [1] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q sudo". If you have the "sudo" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [2][3].
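  Reading the "Affected Packages / Corrected Packages" table against the
  output of "openpkg rpm -q" is easy to get wrong by eye when the release
  field is a date or the version carries a patch letter such as "p1". The
  following Python script is an added example, not part of this advisory
  or of OpenPKG: it parses the table (copied inline as constructed sample
  text) and orders an installed name-version-release string against it
  with a reimplementation of rpm's segment-wise version comparison. The
  same helper works for the tables in the other advisories in this
  archive.

```python
import re

# Constructed sample input: the affected/corrected table of this advisory,
# copied as text (the script does not fetch or read a live advisory).
ADVISORY_TABLE = """\
OpenPKG CURRENT      <= sudo-1.6.8p1-20041104    >= sudo-1.6.8p2-20041112
OpenPKG 2.2          <= sudo-1.6.8p1-2.2.1       >= sudo-1.6.8p1-2.2.2
OpenPKG 2.1          <= sudo-1.6.7p5-2.1.1       >= sudo-1.6.7p5-2.1.2
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_TABLE_ROW = re.compile(r"^OpenPKG\s+(\S+)\s+<=\s+(\S+)\s+>=\s+(\S+)\s*$")


def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm does: split into
    runs of digits and letters, compare digit runs numerically and letter
    runs lexically, a digit run outranks a letter run, and when one string
    runs out of segments the longer one is newer.  Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def split_nvr(nvr):
    """'sudo-1.6.8p1-2.2.1' -> ('sudo', '1.6.8p1', '2.2.1'): the release is
    everything after the last '-', the version everything after the one
    before it, so dashes inside the package name are preserved."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(a, b):
    """Order two name-version-release strings of the same package;
    version decides first, release only on a tie."""
    name_a, ver_a, rel_a = split_nvr(a)
    name_b, ver_b, rel_b = split_nvr(b)
    if name_a != name_b:
        raise ValueError("cannot compare %s with %s" % (a, b))
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def parse_affected_table(text):
    """Map an OpenPKG release name to (newest affected, oldest corrected)."""
    table = {}
    for line in text.splitlines():
        m = _TABLE_ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2), m.group(3))
    return table


def is_affected(installed, openpkg_release, table_text=ADVISORY_TABLE):
    """True when the installed package (the string 'openpkg rpm -q <pkg>'
    prints) is at or below the newest affected package for that release."""
    newest_affected, _oldest_fixed = parse_affected_table(table_text)[openpkg_release]
    return compare_nvr(installed, newest_affected) <= 0


if __name__ == "__main__":
    for nvr, rel in (("sudo-1.6.8p1-2.2.1", "2.2"), ("sudo-1.6.8p1-2.2.2", "2.2")):
        print(nvr, "affected" if is_affected(nvr, rel) else "corrected")
```

  Feed is_affected() the exact string "openpkg rpm -q sudo" prints and
  the OpenPKG release the host runs; a result of True means the Solution
  section applies.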

Workaround:
  Add a line to the sudoers file containing the text 'Defaults
  env_reset'. This causes the environment to only contain the variables
  HOME, LOGNAME, PATH, SHELL, TERM, and USER, thus preventing an attack.
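  To make the difference concrete, here is an added Python example, not
  code from sudo or from this advisory: a denylist-style filter of the
  shape the description attributes to rebuild_env(), an allowlist filter
  that keeps exactly the six variables env_reset preserves, and an audit
  function that reports whether a sudoers text enables env_reset globally.
  The sample environment and sudoers texts are constructed; the variable
  names and the script path in them are illustrative only.

```python
import re

# Variables that 'Defaults env_reset' preserves, as listed in the advisory.
ENV_RESET_KEEP = frozenset(("HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER"))

# Constructed sample environment as a caller might hand it to sudo; the
# non-standard names are illustrative only.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "LOGNAME": "alice",
    "PATH": "/usr/bin:/bin",
    "SHELL": "/bin/sh",
    "TERM": "xterm",
    "USER": "alice",
    "LD_PRELOAD": "/tmp/libexample.so",
    "SOME_UNLISTED_VAR": "reaches the target script unchanged",
}

# Constructed sudoers samples: the first without the workaround, the
# second with the line the advisory recommends.
SUDOERS_WEAK = """\
# constructed sample: no env_reset
root  ALL=(ALL) ALL
alice ALL=(root) /opt/scripts/backup.sh
"""
SUDOERS_FIXED = """\
# constructed sample: workaround applied
Defaults env_reset
root  ALL=(ALL) ALL
alice ALL=(root) /opt/scripts/backup.sh
"""


def env_denylist(environ, dangerous=("LD_PRELOAD", "LD_LIBRARY_PATH", "IFS")):
    """The weaker model: drop a fixed list of known-bad names and pass
    everything else through.  Any name missing from the list survives,
    which is why a denylist can never be 'sufficient' in the sense the
    description uses."""
    return {k: v for k, v in environ.items() if k not in dangerous}


def env_reset(environ, keep=ENV_RESET_KEEP):
    """The 'Defaults env_reset' model: start from nothing and copy only
    an explicit allowlist, so unknown variables cannot get through."""
    return {k: v for k, v in environ.items() if k in keep}


_DEFAULTS = re.compile(r"^\s*Defaults(\S*)\s+(.*)$")


def sudoers_has_env_reset(sudoers_text):
    """Audit check: is env_reset enabled for everyone in this sudoers text?
    Handles comment stripping, backslash-continued lines, comma-separated
    option lists and a later '!env_reset' that switches it off again.
    Scoped lines (Defaults:user, Defaults@host, Defaults!cmd) are ignored
    because they do not protect every invocation."""
    enabled = False
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0]
        m = _DEFAULTS.match(line)
        if not m or m.group(1):
            continue
        for opt in m.group(2).split(","):
            opt = opt.strip()
            if opt == "env_reset":
                enabled = True
            elif opt == "!env_reset":
                enabled = False
    return enabled


if __name__ == "__main__":
    print("denylist keeps:", sorted(env_denylist(SAMPLE_ENV)))
    print("env_reset keeps:", sorted(env_reset(SAMPLE_ENV)))
    print("fixed sudoers ok:", sudoers_has_env_reset(SUDOERS_FIXED))
```

  Run sudoers_has_env_reset() over the contents of the sudoers file on
  each host as a quick check that the workaround is actually in place
  until the corrected package is installed.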

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the
  binary RPM [3]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get sudo-1.6.8p1-2.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig sudo-1.6.8p1-2.2.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild sudo-1.6.8p1-2.2.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/sudo-1.6.8p1-2.2.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.sudo.ws/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/2.2/UPD/sudo-1.6.8p1-2.2.2.src.rpm
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/sudo-1.6.7p5-2.1.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.2/UPD/
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFB66+ugHWT4GPEy58RAmbnAKD11oxrYLF/oKusAvLc7yhY606SDwCgyPFc
NlNjIk/xso2hVQ17fKfCKbA=
=kozt
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Jan 17 13:37:28 2005
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 3F39A3022AD; Mon, 17 Jan 2005 13:37:28 +0100 (CET)
Date: Mon, 17 Jan 2005 13:37:28 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.003] OpenPKG Security Advisory (a2ps)
Message-ID: <OpenPKG-SA-2005.003@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.003                                          17-Jan-2005
________________________________________________________________________

Package:             a2ps
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= a2ps-4.13b-20040818      >= a2ps-4.13b-20050117
OpenPKG 2.2          <= a2ps-4.13b-2.2.0         >= a2ps-4.13b-2.2.1
OpenPKG 2.1          <= a2ps-4.13b-2.1.0         >= a2ps-4.13b-2.1.1

Dependent Packages:  none

Description:
  Rudolf Polzer discovered [0] a vulnerability in GNU a2ps [1], a
  converter and pretty-printer for many formats to PostScript. The
  program does not properly escape shell metacharacters in the file
  name, which allows remote attackers to execute arbitrary commands,
  as a privileged user if a2ps is installed as a printer filter.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2004-1170 [2] to the problem.
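  The bug class is a file name reaching a shell as part of a command
  string. The added Python example below is not a2ps code and the
  printer command "lpr -P office" in it is a placeholder: it contrasts
  interpolating the name into a shell string with passing it as its own
  argv element or quoting it with shlex.quote, and uses shlex.split to
  show how many words a POSIX shell would see in each case. The sample
  file name is constructed.

```python
import shlex
import subprocess

# Constructed sample: a print job whose file name contains characters the
# shell treats specially.  Nothing here talks to a real printer.
SAMPLE_NAME = "quarterly report (draft) & notes.ps"

# Placeholder printer command; a real filter would take this from config.
PRINTER_CMD = ["lpr", "-P", "office"]

SHELL_METACHARS = "|&;<>()$`\\\"' \t\n*?[]{}~#"


def has_shell_metachars(name):
    """Detection helper: True if the name contains any character a POSIX
    shell would interpret rather than pass through literally."""
    return any(c in SHELL_METACHARS for c in name)


def unsafe_command(name):
    """The pattern behind the bug: the file name is pasted into a single
    string that is later handed to 'sh -c'.  The shell re-parses the
    string, so metacharacters in the name become shell syntax."""
    return " ".join(PRINTER_CMD) + " " + name


def safe_argv(name):
    """Fix 1 (preferred): pass the name as a separate argv element and never
    start a shell; the kernel hands it to the child byte for byte."""
    return PRINTER_CMD + [name]


def safe_command(name):
    """Fix 2: if a shell string is unavoidable, quote every interpolated
    value so the shell sees exactly one literal word."""
    return " ".join(PRINTER_CMD) + " " + shlex.quote(name)


def words_seen_by_shell(command):
    """How a POSIX shell tokenises the command string (quoting honoured)."""
    return shlex.split(command)


def run_print_job(name, dry_run=True):
    """Submit the job without a shell.  dry_run returns the argv that would
    be executed so the example stays runnable without an lpr binary."""
    argv = safe_argv(name)
    if dry_run:
        return argv
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    print("unsafe:", words_seen_by_shell(unsafe_command(SAMPLE_NAME)))
    print("quoted:", words_seen_by_shell(safe_command(SAMPLE_NAME)))
    print("argv:  ", run_print_job(SAMPLE_NAME))
```

  With the unsafe string the shell sees eight words, including a bare "&"
  that it would treat as a control operator; with quoting or an argv list
  the name stays one argument.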

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q a2ps". If you have the "a2ps" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get a2ps-4.13b-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig a2ps-4.13b-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild a2ps-4.13b-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/a2ps-4.13b-2.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1026.html
  [1] http://www.inf.enst.fr/~demaille/a2ps/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1170
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/a2ps-4.13b-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/a2ps-4.13b-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFB67F5gHWT4GPEy58RAiuUAKCaVwm6qztuFo7Gx7aZP6ZrITKjgQCfdGrL
ZrkstKQlbfIuKDISsjhjYHE=
=+cr1
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Jan 28 08:39:27 2005
Received: by mail.openpkg.org (Postfix, from userid 7000)
	id 5BFF730228F; Fri, 28 Jan 2005 08:39:27 +0100 (CET)
Date: Fri, 28 Jan 2005 08:39:27 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl)
Message-ID: <OpenPKG-SA-2005.004@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.004                                          28-Jan-2005
________________________________________________________________________

Package:             sasl
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= sasl-2.1.19-20040920     >= sasl-2.1.20-20041025
OpenPKG 2.2          <= sasl-2.1.19-2.2.0        >= sasl-2.1.19-2.2.1
OpenPKG 2.1          <= sasl-2.1.18-2.1.0        >= sasl-2.1.18-2.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      imapd kolab openldap::with_sasl
                     postfix::with_sasl sendmail::with_sasl
OpenPKG 2.2          imapd kolab openldap::with_sasl
                     postfix::with_sasl sendmail::with_sasl
OpenPKG 2.1          imapd kolab openldap::with_sasl
                     postfix::with_sasl sendmail::with_sasl

Description:
  A setuid and setgid application vulnerability was found in the Cyrus
  SASL library [0]. At application startup, libsasl2 attempts to build
  a list of all SASL plugins available on the system. To do so, the
  library searches for and attempts to load every shared library found
  within the plugin directory. This location can be set with the
  SASL_PATH environment variable.

  In situations where an untrusted local user can affect the environment
  of a privileged process, this behavior could be exploited to run
  arbitrary code with the privileges of a setuid or setgid application.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2004-0884 [1] to the problem.
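  An added Python example, not part of libsasl2 or of this advisory,
  illustrating the two checks a privileged program wants around a
  caller-controlled plugin path: ignore SASL_PATH when the real and
  effective uid differ, and load only from directories that a trusted
  user owns and nobody else can write to. The default directory is a
  placeholder, the uid values passed to plugin_dirs() are simulated
  arguments rather than a real privilege change, and demo() runs in a
  scratch directory treating the current user as the trusted owner so it
  works without root.

```python
import os
import stat
import tempfile

# Placeholder for the build-time default plugin directory.
DEFAULT_PLUGIN_DIR = "/usr/local/lib/sasl2"

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def plugin_dirs(environ, real_uid, effective_uid, default=DEFAULT_PLUGIN_DIR):
    """Decide where plugins may come from.  SASL_PATH is honoured only when
    the process runs with its caller's own privileges; a setuid or setgid
    process (real uid != effective uid) must ignore the caller's
    environment, which is the property the corrected packages restore."""
    if real_uid != effective_uid:
        return [default]
    dirs = [d for d in environ.get("SASL_PATH", "").split(":") if d]
    return dirs or [default]


def dir_is_trusted(path, trusted_uids=(0,)):
    """A plugin directory is trustworthy only if a trusted user owns it,
    nobody else can write to it, and every entry inside is likewise owned
    and not group/world writable (symlinks are rejected outright)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid not in trusted_uids:
        return False
    if st.st_mode & WRITABLE_BY_OTHERS:
        return False
    for entry in os.listdir(path):
        est = os.lstat(os.path.join(path, entry))
        if stat.S_ISLNK(est.st_mode) or est.st_uid not in trusted_uids:
            return False
        if est.st_mode & WRITABLE_BY_OTHERS:
            return False
    return True


def loadable_plugin_dirs(environ, real_uid, effective_uid, trusted_uids=(0,)):
    """Both checks together: candidate directories that pass the trust test."""
    return [d for d in plugin_dirs(environ, real_uid, effective_uid)
            if dir_is_trusted(d, trusted_uids)]


def demo():
    """Walk-through in a scratch directory with the current user as the
    trusted owner.  Returns base names so the result is path independent."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        bad = os.path.join(tmp, "bad")
        os.mkdir(good)
        os.mkdir(bad)
        os.chmod(good, 0o755)          # owner-only writable: acceptable
        os.chmod(bad, 0o777)           # world writable: anyone could drop a .so
        plugin = os.path.join(good, "libplain.so")
        with open(plugin, "w"):
            pass
        os.chmod(plugin, 0o644)
        env = {"SASL_PATH": bad + ":" + good}   # constructed caller environment
        return {
            "unprivileged": [os.path.basename(d)
                             for d in loadable_plugin_dirs(env, me, me, (me,))],
            "setuid": plugin_dirs(env, me, 0 if me != 0 else 1),
        }


if __name__ == "__main__":
    print(demo())
```

  In the demo the unprivileged path keeps only the "good" directory, and
  the simulated setuid invocation falls back to the default directory
  regardless of what SASL_PATH says.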

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q sasl". If you have the "sasl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and any dependent packages as well [2][3].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the
  binary RPM [3]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get sasl-2.1.19-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig sasl-2.1.19-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild sasl-2.1.19-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/sasl-2.1.19-2.2.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  any dependent packages (see above) as well [2][3].
________________________________________________________________________

References:
  [0] http://asg.web.cmu.edu/sasl/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/2.2/UPD/sasl-2.1.19-2.2.1.src.rpm
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/sasl-2.1.18-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.2/UPD/
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFB+ewigHWT4GPEy58RAjdyAJsFrQUG5q9DjmwiGvccEEIxU/mXbACg431X
BjzkxqCH71N5ZEMlDoGBGwU=
=kOee
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Feb 24 17:29:13 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id EE5D71B5B22; Thu, 24 Feb 2005 17:29:12 +0100 (CET)
Date: Thu, 24 Feb 2005 17:29:12 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-users@openpkg.org,
	openpkg-dev@openpkg.org
Subject: [ANNOUNCE] OpenPKG 2.3
Message-ID: <20050224162912.GA22651@master.openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org


  FOR IMMEDIATE RELEASE - 24-Feb-2005

    The OpenPKG project releases version 2.3 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- February 24, 2005 -- The
  OpenPKG project is proud to announce version 2.3 of its OpenPKG
  software, another evolutionary step after a series of seven
  predecessors within four years.

  Much valued by IT decision makers and beloved by Unix system
  administrators, OpenPKG is the world leading instrument for deployment
  and maintenance of Open Source Unix software when administration
  crosses platform boundaries. The unique OpenPKG architecture leverages
  proven technologies like Red Hat Package Manager (RPM) and OSSP
  and GNU components to establish a unified software administration
  environment, independent of the underlying Unix operating system.

  NEW IN VERSION 2.3

  Since the previous release four months ago, the OpenPKG package
  repository has grown again by 15%. A subset of 545 packages were
  carefully selected for inclusion into the OpenPKG 2.3 release,
  including the latest versions of popular Open Source Unix software
  like Apache, Bash, BIND, GCC, INN, Mozilla, MySQL, OpenSSH, Perl,
  Postfix, PostgreSQL, Samba, Squid, teTeX and Vim.

  The major technical efforts for this release were spent on the porting
  of all packages to the now officially supported Unix platform Sun
  Solaris 10 on both Intel and SPARC architectures.

  OpenPKG 2.3 is available for 21 different Unix platforms. Most
  notably, it is supported on FreeBSD 4.11 and 5.3, Debian GNU/Linux
  3.0, Red Hat Enterprise Linux 3, Fedora Core 3, SuSE Linux 9.2 and
  SuSE Enterprise Linux 9, and Sun Solaris 8, 9 and 10. Additionally,
  all CORE and the vast majority of BASE class packages are already
  available for the tentative platforms NetBSD 2.0, FreeBSD 6.0, Debian
  GNU/Linux 3.1, Gentoo Linux 1.6.9, Mandrake Linux 10.1, HP HP-UX 11.11
  and MacOS X 10.3.

  HIGHLIGHTS OF OPENPKG

  * Portable across major Unix flavors.
  * Available for the supported platforms:
    FreeBSD 4.11/5.3, Debian Linux 3.0, Red Hat Enterprise Linux 3,
    Fedora Core 3, SuSE Linux 9.2, SuSE Enterprise Linux 9 and
    Solaris 8, 9 and 10.
  * Already available for the tentative platforms:
    FreeBSD 6.0, NetBSD 2.0, Debian GNU/Linux 3.1, Gentoo Linux 1.6.9,
    Mandrake Linux 10.1, HP HP-UX 11.11 and MacOS X 10.3.
  * Entirely based on Open Source software technology.
  * Minimum operating system intrusion and dependency.
  * Minimum overhead in software packaging.
  * All packages up to date with vendor versions as of 24-Feb-2005.
  * Sources of 545 CORE+BASE+PLUS packages released.
  * Binaries of CORE+BASE class packages provided for supported platforms.
  * Binaries of CORE class packages provided for all platforms.
  * Easy installation, updating and deinstallation of packages.
  * Bundled with useful and secure package preconfigurations.
  * Includes an abstracted and powerful run-command facility.
  * Virtual hosting through multiple instances on a single system.
  * Proxy packages for reusing packages across instances.
  * Build-time package variations for maximum flexibility.
  * Foundation to build encapsulated and self-contained environments.

  HISTORY OF THE OPENPKG PROJECT

  The OpenPKG project was founded in 2000 by Ralf S. Engelschall. It
  was first released as Open Source software in January 2002. Today
  OpenPKG is a mature technology in production use, and is maintained
  and improved by its original developers and volunteer contributors.

  Ralf S. Engelschall is the principal author of numerous other popular
  Open Source Software technologies as well. His accomplishments
  include releases of OSSP components (OSSP uuid, OSSP mm, OSSP ex,
  OSSP sa, OSSP shiela, etc), Apache SSL/TLS Engine (mod_ssl), Apache
  URL Rewriting Engine (mod_rewrite), GNU Portable Threads (Pth), GNU
  Portable Shell Tool (Shtool), Website META Language (WML) and more.

  MORE INFORMATION

  The OpenPKG Project
  openpkg@openpkg.org
  +49-89-92699-251 (CET)
  +49-172-8986801  (CET)


From openpkg-announce-owner@openpkg.org  Tue Apr  5 16:43:10 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id AC4461B5B33; Tue,  5 Apr 2005 16:43:09 +0200 (CEST)
Date: Tue, 5 Apr 2005 16:43:09 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.005] OpenPKG Security Advisory (imapd)
Message-ID: <OpenPKG-SA-2005.005@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.005                                          05-Apr-2005
________________________________________________________________________

Package:             imapd
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= imapd-2.2.10-20050129    >= imapd-2.2.11-20050214
OpenPKG 2.2          <= imapd-2.2.8-2.2.1        >= imapd-2.2.8-2.2.2

Dependent Packages:  none

Description:
  Sean Larsson discovered several vulnerabilities in the Cyrus IMAP
  Server [0] that could allow a remote attacker to execute machine code
  in the context of the server process.

  The Cyrus Electronic Messaging Project identified the affected
  server logic and released a security advisory [1]. Essentially,
  the application is affected by multiple one-byte buffer overflows
  affecting the IMAP annotate extension and cached header handling
  routines. Additionally, stack-based overflows affecting the fetchnews,
  backend, and imapd logic exist as well. The Common Vulnerabilities and
  Exposures (CVE) project assigned the identifier CAN-2005-0546 [2] to
  the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q imapd". If you have the "imapd" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it
  [3] and update your OpenPKG installation by applying the binary RPM
  [4]. For the previous release OpenPKG 2.2, perform the following
  operations to permanently fix the security problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get imapd-2.2.8-2.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig imapd-2.2.8-2.2.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild imapd-2.2.8-2.2.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/imapd-2.2.8-2.2.2.*.rpm
________________________________________________________________________

References:
  [0] http://asg.web.cmu.edu/cyrus/imapd/
  [1] http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33723
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0546
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/imapd-2.2.8-2.2.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.2/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCUqPxgHWT4GPEy58RAt+GAKDOatq1M0OtZNO4Jdq0prnrNrbDowCgzbfn
74UcLwGpm7wfbOoSpT7Nu4M=
=z4o5
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Wed Apr 20 17:21:22 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 50C641B5B6B; Wed, 20 Apr 2005 17:21:22 +0200 (CEST)
Date: Wed, 20 Apr 2005 17:21:22 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.006] OpenPKG Security Advisory (mysql)
Message-ID: <OpenPKG-SA-2005.006@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.006                                          20-Apr-2005
________________________________________________________________________

Package:             mysql
Vulnerability:       arbitrary code execution, insecure file creation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= mysql-4.1.10-20050216  >= mysql-4.1.10a-20050311
OpenPKG 2.2          <= mysql-4.0.21-2.2.1     >= mysql-4.0.21-2.2.2

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     flowtools::with_mysql jabberd::with_mysql
                     libdbi::with_mysql libgda::with_mysql
                     lighttpd::with_mysql myodbc mysqlcc
                     perl-dbi::with_dbd_mysql php::with_mysql
                     php3::with_mysql php5::with_mysql postfix::with_mysql
                     powerdns::with_mysql proftpd::with_mysql
                     pureftpd::with_mysql ripe-dbase qt::with_mysql
                     rekall::with_mysql sasl::with_mysql
                     sendmail::with_mysql snort::with_mysql
                     tacacs::with_mysql
OpenPKG 2.2          apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     jabberd::with_mysql perl-dbi::with_dbd_mysql
                     php::with_mysql postfix::with_mysql proftpd::with_mysql
                     pureftpd::with_mysql qt::with_mysql sasl::with_mysql
                     sendmail::with_mysql snort::with_mysql

Description:
  Several vulnerabilities including insecure handling of temporary files
  and arbitrary code execution have been discovered in the MySQL RDBMS [0].

  Javier Fernandez-Sanguino Pena found that users may overwrite
  arbitrary files or read temporary files via a symlink attack on
  insecurely created temporary files. The Common Vulnerabilities and
  Exposures (CVE) project assigned the identifier CAN-2005-0004 [1] to
  this problem.

  Stefano Di Paola found that users may load forbidden dynamic library
  symbols with dlsym(3) to exploit a problem in the user-definable
  function (UDF) logic and thereby remotely execute arbitrary code.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2005-0709 [2] to this problem.

  Stefano Di Paola also determined that incomplete testing of dynamic
  library pathnames could lead to insecure loading of UDFs from dynamic
  libraries in arbitrary locations, allowing users to remotely execute
  arbitrary code. The Common Vulnerabilities and Exposures (CVE) project
  assigned the identifier CAN-2005-0710 [3] to this problem.

  Stefano Di Paola also discovered that creation of temporary tables
  uses predictable file names, allowing users to overwrite arbitrary
  files via a symlink attack. The Common Vulnerabilities and Exposures
  (CVE) project assigned the identifier CAN-2005-0711 [4] to this
  problem.
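  The temporary-file problems (CAN-2005-0004, CAN-2005-0711) and the UDF
  path problem (CAN-2005-0710) are all about trusting a path name. The
  added Python example below is constructed for this page and is not
  MySQL code: it puts a predictable temporary name opened the vulnerable
  way beside an O_EXCL/O_NOFOLLOW open and mkstemp, with demo() walking
  through the symlink case in a scratch directory, and adds a check that
  keeps a UDF library name inside the plugin directory. The plugin
  directory path and the name "mysql.tmp" are placeholders.

```python
import os
import tempfile


def create_temp_insecure(path, data=b"scratch"):
    """The vulnerable pattern: a guessable name opened with plain O_CREAT,
    which follows a symlink left at that name and writes into its target."""
    with open(path, "wb") as f:
        f.write(data)


def create_temp_secure(path, data=b"scratch"):
    """Hardened open: O_EXCL fails if anything (a symlink included) already
    exists at the path, O_NOFOLLOW where the platform has it, and mode 0600
    so other users cannot read the scratch data.  Raises OSError (EEXIST)
    instead of writing through a planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def create_temp_unpredictable(directory, data=b"scratch"):
    """Preferred: let mkstemp pick an unguessable name and open it O_EXCL in
    one step, which removes the guessable-name precondition entirely."""
    fd, path = tempfile.mkstemp(prefix="tmp-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def udf_library_allowed(library_name, plugin_dir):
    """CAN-2005-0710 class: accept only a bare file name whose resolved
    path is directly inside the plugin directory; reject absolute paths,
    separators and '..' escapes before they reach dlopen()."""
    if not library_name or os.sep in library_name:
        return False
    if os.altsep and os.altsep in library_name:
        return False
    root = os.path.realpath(plugin_dir)
    target = os.path.realpath(os.path.join(root, library_name))
    return os.path.dirname(target) == root and target != root


def demo():
    """Scratch-directory walk-through: a 'victim' file, a symlink planted at
    the predictable temp name, then the hardened open and the naive open."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"important")
        predictable = os.path.join(tmp, "mysql.tmp")   # constructed guessable name
        os.symlink(victim, predictable)

        try:
            create_temp_secure(predictable)
            secure_refused = False
        except OSError:            # EEXIST expected: the link is not followed
            secure_refused = True
        with open(victim, "rb") as f:
            after_secure = f.read()

        create_temp_insecure(predictable)   # follows the link, clobbers victim
        with open(victim, "rb") as f:
            after_insecure = f.read()

        random_path = create_temp_unpredictable(tmp)
        return {
            "secure_refused": secure_refused,
            "victim_after_secure": after_secure,
            "victim_after_insecure": after_insecure,
            "mkstemp_in_dir": os.path.dirname(random_path) == tmp,
        }


if __name__ == "__main__":
    print(demo())
    print(udf_library_allowed("libudf.so", "/usr/lib/mysql/plugin"))
```

  The demo shows the victim file untouched after the hardened open and
  overwritten after the naive one; in an audit, grep the code base for
  open() calls on fixed names under a shared directory that lack O_EXCL.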

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q mysql". If you have the "mysql" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above). [5][6]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7], fetch it from the OpenPKG FTP service [8] or a mirror location,
  verify its integrity [9], build a corresponding binary RPM from it
  [5] and update your OpenPKG installation by applying the binary RPM
  [6]. For the previous release OpenPKG 2.2, perform the following
  operations to permanently fix the security problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get mysql-4.0.21-2.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig mysql-4.0.21-2.2.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild mysql-4.0.21-2.2.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/mysql-4.0.21-2.2.2.*.rpm

  Additionally, we recommend rebuilding and reinstalling all dependent
  packages (see above) as well [5][6].
________________________________________________________________________

References:
  [0] http://www.mysql.com/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/mysql-4.0.21-2.2.2.src.rpm
  [8] ftp://ftp.openpkg.org/release/2.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCZnNZgHWT4GPEy58RAidHAKC3q/jVpH+nwRR+vywKBkPrWF1kVACgtabH
6K1qurV1hlsBureBo3auVIo=
=F5zz
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Jun 10 22:39:07 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 3560F1B50FA; Fri, 10 Jun 2005 22:39:07 +0200 (CEST)
Date: Fri, 10 Jun 2005 22:39:07 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.007] OpenPKG Security Advisory (cvs)
Message-ID: <OpenPKG-SA-2005.007@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.007                                          10-Jun-2005
________________________________________________________________________

Package:             cvs
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= cvs-1.12.11-20050408   >= cvs-1.12.11-20050504
OpenPKG 2.3          <= cvs-1.12.9-2.3.0       >= cvs-1.12.9-2.3.1
OpenPKG 2.2          <= cvs-1.12.9-2.2.0       >= cvs-1.12.9-2.2.1

Dependent Packages:  none

Description:
  According to a Debian bug report [0], a Denial of Service (DoS)
  vulnerability exists in the embedded ZLib [1] compression logic of
  the Concurrent Versions System (CVS). The problem involves incorrect
  error handling in the inflate() and inflateBack() functions. The
  Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2004-0797 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q cvs". If you have the "cvs" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.3/UPD
  ftp> get cvs-1.12.9-2.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig cvs-1.12.9-2.3.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild cvs-1.12.9-2.3.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvs-1.12.9-2.3.1.*.rpm
________________________________________________________________________

References:
  [0] http://bugs.debian.org/252253
  [1] http://www.gzip.org/zlib/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.3/UPD/cvs-1.12.9-2.3.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.2/UPD/cvs-1.12.9-2.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.3/UPD/
  [8] ftp://ftp.openpkg.org/release/2.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCqfpYgHWT4GPEy58RAj/7AJ90JXP6HyV0RV0SM6FPhx6wkuxgFwCgjUZI
cdMtnMS/1+Mv+Bo/KJbb+ZY=
=b/HB
-----END PGP SIGNATURE-----
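
  The "Please check whether you are affected" step in these advisories
  compares the output of "<prefix>/bin/openpkg rpm -q <package>" against
  the Affected/Corrected table by eye. The following Python script is an
  added example, not part of the advisory or of OpenPKG's own tooling: it
  reimplements RPM's segment-wise version comparison (the rpmvercmp
  algorithm) and applies it to the cvs table of OpenPKG-SA-2005.007. It
  assumes the query prints a plain name-version-release string, as the
  tables use; the ADVISORY_TABLE dictionary is copied from the table
  above and the function names are this example's own.

```python
def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way rpm's
    rpmvercmp() does: separators are ignored, the strings are walked in
    alternating numeric and alphabetic segments, numeric segments are
    compared as integers, and a numeric segment ranks above an
    alphabetic one.  Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators (anything that is neither letter nor digit)
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        same_kind = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            # segment kinds differ at this position: numeric beats alpha
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvr(nvr: str):
    """Split 'name-version-release' into its parts.  Package names may
    themselves contain dashes (perl-comp, ...), so split from the right."""
    parts = nvr.strip().rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return parts[0], parts[1], parts[2]


def compare_nvr(installed: str, reference: str) -> int:
    """Order two package strings of the same package: version first,
    then release (the part after the last dash)."""
    n1, v1, r1 = parse_nvr(installed)
    n2, v2, r2 = parse_nvr(reference)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_affected(installed: str, affected_max: str) -> bool:
    """The tables list affected packages as '<= X': installed <= X."""
    return compare_nvr(installed, affected_max) <= 0


def is_corrected(installed: str, corrected_min: str) -> bool:
    """Corrected packages are listed as '>= Y': installed >= Y."""
    return compare_nvr(installed, corrected_min) >= 0


# Affected/Corrected rows of OpenPKG-SA-2005.007 (cvs), copied from above.
ADVISORY_TABLE = {
    "CURRENT": ("cvs-1.12.11-20050408", "cvs-1.12.11-20050504"),
    "2.3":     ("cvs-1.12.9-2.3.0",     "cvs-1.12.9-2.3.1"),
    "2.2":     ("cvs-1.12.9-2.2.0",     "cvs-1.12.9-2.2.1"),
}


def advisory_status(installed: str, release: str, table=ADVISORY_TABLE) -> str:
    """Classify the output of 'openpkg rpm -q cvs' for a given OpenPKG
    release as 'affected', 'corrected' or 'unknown' (a build that falls
    between the two table columns, e.g. a locally patched one)."""
    affected_max, corrected_min = table[release]
    if is_affected(installed, affected_max):
        return "affected"
    if is_corrected(installed, corrected_min):
        return "corrected"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample query results, one per release row.
    for rel, nvr in (("2.3", "cvs-1.12.9-2.3.0"), ("2.3", "cvs-1.12.9-2.3.1"),
                     ("CURRENT", "cvs-1.12.11-20050504")):
        print(f"OpenPKG {rel}: {nvr} -> {advisory_status(nvr, rel)}")
```

  The segment-wise rule matters for the patch levels these advisories
  use: 1.6.8p9 ranks after 1.6.8p8, 1.12.11 ranks after 1.12.9, and a
  date-style release such as 20050504 compares numerically, none of
  which a plain string comparison gets right.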

From openpkg-announce-owner@openpkg.org  Fri Jun 10 22:42:11 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 3CA451B50FC; Fri, 10 Jun 2005 22:42:11 +0200 (CEST)
Date: Fri, 10 Jun 2005 22:42:11 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.008] OpenPKG Security Advisory (bzip2)
Message-ID: <OpenPKG-SA-2005.008@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.008                                          10-Jun-2005
________________________________________________________________________

Package:             bzip2
Vulnerability:       arbitrary file mode modification, denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= bzip2-1.0.2-20050324      >= bzip2-1.0.3-20050506
                     <= analog-6.0-20041220       >= analog-6.0-20050608
OpenPKG 2.3          <= bzip2-1.0.2-2.3.0         >= bzip2-1.0.2-2.3.1
                     <= analog-6.0-2.3.0          >= analog-6.0-2.3.1
OpenPKG 2.2          <= bzip2-1.0.2-2.2.0         >= bzip2-1.0.2-2.2.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_bzip2 bsdtar clamav gnupg
                     imagemagick libarchive perl-comp perl-mail pgpdump
                     php::with_bzip2 php5::with_bzip2 python::with_bzip2
                     r rzip
OpenPKG 2.3          apache::with_mod_php_bzip2 clamav gnupg imagemagick
                     perl-comp perl-mail php::with_bzip2 php5::with_bzip2
OpenPKG 2.2          apache::with_mod_php_bzip2 clamav imagemagick
                     perl-comp perl-mail php::with_bzip2

Description:
  According to a BugTraq posting [0], Imran Ghory discovered a
  time-of-check-to-time-of-use (TOCTOU) file mode vulnerability in the
  BZip2 data compressor [1]. Because bzip2(1) does not safely restore the
  mode of a file undergoing compression or decompression, a malicious
  user can potentially change the mode of any file belonging to the
  user running bzip2(1). The Common Vulnerabilities and Exposures (CVE)
  project assigned the identifier CAN-2005-0953 [2] to this problem.

  In an unrelated case, a denial of service vulnerability was found
  in both the bzip2(1) program and its associated library libbz2(3).
  Specially crafted BZip2 archives lead to an infinite loop in the
  decompressor which results in an indefinitely large output file.
  This could be exploited to cause disk space exhaustion. The Common
  Vulnerabilities and Exposures (CVE) project assigned the identifier
  CAN-2005-1260 [3] to this problem.

  Because the OpenPKG bootstrap package embeds BZip2, it is affected as
  well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q bzip2". If you have the "bzip2" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and any dependent packages as well [5][6].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary
  RPM from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the most recent release OpenPKG 2.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.3/UPD
  ftp> get bzip2-1.0.2-2.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig bzip2-1.0.2-2.3.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild bzip2-1.0.2-2.3.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm

  We recommend that you rebuild and reinstall any dependent packages
  (see above) as well [5][6]. The "openpkg build" tool can be
  instrumental in consistently updating and securing the entire OpenPKG
  instance.
________________________________________________________________________

References:
  [0]  http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633
  [1]  http://www.bzip.org/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
  [4]  http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
  [5]  http://www.openpkg.org/tutorial.html#regular-source
  [6]  http://www.openpkg.org/tutorial.html#regular-binary
  [7]  ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.2/UPD/bzip2-1.0.2-2.2.1.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.3/UPD/
  [10] ftp://ftp.openpkg.org/release/2.2/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCqfsRgHWT4GPEy58RAlK8AJwJrHocGaqSJyF3B0K32CygMRevsQCfRCx6
Wk2ihwlYtsP5vSk5sIm9E6g=
=RvKk
-----END PGP SIGNATURE-----
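
  The disk exhaustion problem described under CAN-2005-1260 above is one
  a consumer of libbz2 output can defend against independently of the
  library fix, by capping how much decompressed data it is willing to
  produce. The following Python code is an added example, not part of
  the advisory or of the bzip2 project: it drives bz2.BZ2Decompressor
  with its max_length argument so output is produced in bounded chunks
  and aborts once a caller-chosen ceiling is exceeded, and it also
  refuses input that ends before the end-of-stream marker instead of
  spinning. The helper and exception names are this example's own; the
  sample input is constructed in make_sample().

```python
import bz2
import io


class OutputLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured cap."""


def decompress_stream_bounded(src, max_out: int,
                              in_chunk: int = 64 * 1024,
                              out_chunk: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream read from the file-like object `src`
    without ever materialising more than max_out bytes of output.

    Input is read lazily in in_chunk pieces; output is requested from
    the decompressor in out_chunk pieces, so a stream that expands
    without bound (or a buggy decompressor looping on crafted input)
    is stopped at the cap instead of filling the disk."""
    d = bz2.BZ2Decompressor()
    out = bytearray()
    while not d.eof:
        if d.needs_input:
            buf = src.read(in_chunk)
            if not buf:
                # Input exhausted but no end-of-stream marker seen.
                raise ValueError("truncated bzip2 stream")
        else:
            # The decompressor still holds buffered output; feed nothing.
            buf = b""
        out += d.decompress(buf, max_length=out_chunk)
        if len(out) > max_out:
            raise OutputLimitExceeded(
                f"decompressed output exceeds cap of {max_out} bytes")
    return bytes(out)


def decompress_bounded(data: bytes, max_out: int) -> bytes:
    """Convenience wrapper for in-memory input."""
    return decompress_stream_bounded(io.BytesIO(data), max_out)


def make_sample(size: int) -> bytes:
    """Constructed sample: `size` zero bytes, which bzip2 compresses to a
    few bytes, i.e. a very high expansion ratio on decompression."""
    return bz2.compress(b"\0" * size)


if __name__ == "__main__":
    blob = make_sample(4 * 1024 * 1024)
    print(f"compressed size: {len(blob)} bytes")
    print(f"within cap: {len(decompress_bounded(blob, 8 * 1024 * 1024))} bytes")
    try:
        decompress_bounded(blob, 1024 * 1024)
    except OutputLimitExceeded as e:
        print(f"rejected: {e}")
```

  The same max_length hook exists on zlib.decompressobj().decompress(),
  so the identical loop shape bounds an inflate() consumer such as the
  embedded ZLib in CVS discussed in OpenPKG-SA-2005.007, provided the
  unconsumed_tail it returns is fed back in on the next call.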

From openpkg-announce-owner@openpkg.org  Fri Jun 10 22:42:37 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 83CE21B50FA; Fri, 10 Jun 2005 22:42:37 +0200 (CEST)
Date: Fri, 10 Jun 2005 22:42:37 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.009] OpenPKG Security Advisory (gzip)
Message-ID: <OpenPKG-SA-2005.009@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.009                                          10-Jun-2005
________________________________________________________________________

Package:             gzip
Vulnerability:       arbitrary path writing
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= gzip-1.3.5-20040207       >= gzip-1.3.5-20050610
OpenPKG 2.3          <= gzip-1.3.5-2.3.0          >= gzip-1.3.5-2.3.1
OpenPKG 2.2          <= gzip-1.3.5-2.2.0          >= gzip-1.3.5-2.2.1

Dependent Packages:  none

Description:
  According to a Debian bug report [0], Ulf Harnhammar discovered an
  input validation error in the GZip data compressor [1]. Because
  gzip(1) fails to properly validate file paths during decompression
  with the "-N" argument, a remote attacker using a malicious archive
  could corrupt arbitrary files with the privileges of the user that
  is running gzip(1). The Common Vulnerabilities and Exposures (CVE)
  project assigned the identifier CAN-2005-1228 [2] to this problem.

  Because the OpenPKG bootstrap package embeds GZip, it is affected as
  well. Please refer to OpenPKG-SA-2005.010-openpkg for details [3].

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q gzip". If you have the "gzip" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and any dependent packages as well [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary
  RPM from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most recent release OpenPKG 2.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.3/UPD
  ftp> get gzip-1.3.5-2.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig gzip-1.3.5-2.3.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild gzip-1.3.5-2.3.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/gzip-1.3.5-2.3.1.*.rpm

  We recommend that you rebuild and reinstall any dependent packages
  (see above) as well [4][5]. The "openpkg build" tool can be
  instrumental in consistently updating and securing the entire OpenPKG
  instance.
________________________________________________________________________

References:
  [0]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
  [1]  http://www.gzip.org/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
  [3]  http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/2.3/UPD/gzip-1.3.5-2.3.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.2/UPD/gzip-1.3.5-2.2.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.3/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.2/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCqfstgHWT4GPEy58RAiYuAJwJMqdOKQmm6BMByHHSFWp17B28wACgoQ9e
TqauW23Vx/UJBmuofVeB3/I=
=PBsZ
-----END PGP SIGNATURE-----
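
  The gzip(1) "-N" flaw above (CAN-2005-1228) comes from trusting the
  FNAME field of the gzip member header as an output path. The following
  Python code is an added example, not part of the advisory or of the
  gzip project: a small RFC 1952 header parser that extracts the stored
  name, a safe_output_name() helper that keeps only the final path
  component (and falls back to a caller-supplied name when the field is
  empty, "." or ".."), and an extractor that verifies the CRC32/ISIZE
  trailer before returning data. build_gzip_member() constructs the
  sample stream used for the demonstration; all function names are this
  example's own.

```python
import os
import struct
import zlib

# Header flag bits from RFC 1952.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_gzip_header(blob: bytes):
    """Return (stored_name or None, offset of the deflate data) for the
    first member of a gzip stream, walking the optional fields in order."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    if blob[2] != 8:
        raise ValueError("unsupported compression method")
    flags = blob[3]
    if flags & 0xE0:
        raise ValueError("reserved header flag bits set")
    pos = 10                                   # fixed part: ID1 ID2 CM FLG MTIME XFL OS
    if flags & FEXTRA:
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    stored_name = None
    if flags & FNAME:
        end = blob.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated FNAME field")
        stored_name = blob[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FCOMMENT:
        end = blob.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated FCOMMENT field")
        pos = end + 1
    if flags & FHCRC:
        pos += 2                               # header CRC16, skipped here
    if pos > len(blob):
        raise ValueError("truncated gzip header")
    return stored_name, pos


def safe_output_name(stored_name, fallback: str) -> str:
    """Reduce a header-supplied name to a bare file name in the current
    directory: directory components are dropped, and a name that has no
    usable final component falls back to the caller's choice."""
    if not stored_name:
        return fallback
    base = os.path.basename(stored_name)
    if base in ("", ".", ".."):
        return fallback
    return base


def extract_member(blob: bytes, fallback_name: str):
    """Decompress one member and return (safe_name, payload), refusing
    streams whose trailer does not match the inflated data."""
    stored_name, pos = parse_gzip_header(blob)
    d = zlib.decompressobj(-zlib.MAX_WBITS)    # raw deflate, no zlib wrapper
    payload = d.decompress(blob[pos:]) + d.flush()
    if not d.eof:
        raise ValueError("truncated deflate stream")
    trailer = d.unused_data[:8]
    if len(trailer) != 8:
        raise ValueError("truncated gzip trailer")
    crc, isize = struct.unpack("<II", trailer)
    if crc != (zlib.crc32(payload) & 0xFFFFFFFF) or isize != (len(payload) & 0xFFFFFFFF):
        raise ValueError("CRC32/ISIZE mismatch")
    return safe_output_name(stored_name, fallback_name), payload


def build_gzip_member(payload: bytes, stored_name: str) -> bytes:
    """Constructed sample: a minimal single-member gzip stream whose
    FNAME field carries an arbitrary, possibly directory-qualified name."""
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    body = co.compress(payload) + co.flush()
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + struct.pack("<IBB", 0, 0, 255)
    header += stored_name.encode("latin-1") + b"\x00"
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF,
                          len(payload) & 0xFFFFFFFF)
    return header + body + trailer


if __name__ == "__main__":
    sample = build_gzip_member(b"hello, world\n", "../outside/report.txt")
    print("stored name:", parse_gzip_header(sample)[0])
    print("written as :", extract_member(sample, "data.out")[0])
```

  Restricting the honoured name to its final component is the shape of
  the upstream fix; a stricter policy is to ignore FNAME entirely unless
  the user asked for it, which is what the default (non "-N") gzip
  behaviour already does.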

From openpkg-announce-owner@openpkg.org  Fri Jun 10 22:46:14 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id E838F1B5102; Fri, 10 Jun 2005 22:46:13 +0200 (CEST)
Date: Fri, 10 Jun 2005 22:46:12 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.010] OpenPKG Security Advisory (openpkg)
Message-ID: <OpenPKG-SA-2005.010@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.010                                          10-Jun-2005
________________________________________________________________________

Package:             openpkg
Vulnerability:       arbitrary file mode modification,
                     arbitrary path writing,
                     denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= openpkg-20050609-20050609 >= openpkg-20050610-20050610
OpenPKG 2.3          <= openpkg-2.2.2-2.2.2       >= openpkg-2.2.3-2.2.3
OpenPKG 2.2          <= openpkg-2.3.1-2.3.1       >= openpkg-2.3.2-2.3.2

Dependent Packages:  none

Description:
  The vulnerabilities described by this text affect the OpenPKG
  bootstrap package's GZip and BZip2 embedded software. Similar
  advisories [0][1] describe the same vulnerabilities, although in
  context of the particular vendor software.

  According to a Debian bug report [2], Ulf Harnhammar discovered an
  input validation error in the GZip data compressor [3]. Because
  gzip(1) fails to properly validate file paths during decompression
  with the "-N" argument, a remote attacker using a malicious archive
  could corrupt arbitrary files with the privileges of the user that
  is running gzip(1). The Common Vulnerabilities and Exposures (CVE)
  project assigned the identifier CAN-2005-1228 [4] to this problem.

  According to a BugTraq posting [5], Imran Ghory discovered a
  time-of-check-to-time-of-use (TOCTOU) file mode vulnerability in the
  BZip2 data compressor [6]. Because bzip2(1) does not safely restore the
  mode of a file undergoing compression or decompression, a malicious
  user can potentially change the mode of any file belonging to the
  user running bzip2(1). The Common Vulnerabilities and Exposures (CVE)
  project assigned the identifier CAN-2005-0953 [7] to this problem.

  In an unrelated BZip2 problem, a denial of service vulnerability
  was found in both the bzip2(1) program and its associated library
  libbz2(3). Specially crafted BZip2 archives lead to an infinite loop
  in the decompressor which results in an indefinitely large output
  file. This could be exploited to cause disk space exhaustion. The
  Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2005-1260 [8] to this problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q openpkg". If the openpkg package version is affected (see
  above), we recommend that you immediately upgrade it (see Solution)
  [9][10].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror
  location, verify its integrity [15], build a corresponding binary
  RPM from it [9] and update your OpenPKG installation by applying the
  binary RPM [10]. For the most recent release OpenPKG 2.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.3/UPD
  ftp> get openpkg-2.3.2-2.3.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig openpkg-2.3.2-2.3.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild openpkg-2.3.2-2.3.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openpkg-2.3.2-2.3.2.*.rpm
________________________________________________________________________

References:
  [0]  http://www.openpkg.org/security/OpenPKG-SA-2005.008-bzip2.html
  [1]  http://www.openpkg.org/security/OpenPKG-SA-2005.009-gzip.html
  [2]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
  [3]  http://www.gzip.org/
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
  [5]  http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633
  [6]  http://sources.redhat.com/bzip2/
  [7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
  [8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
  [9]  http://www.openpkg.org/tutorial.html#regular-source
  [10] http://www.openpkg.org/tutorial.html#regular-binary
  [11] ftp://ftp.openpkg.org/release/2.3/UPD/openpkg-2.3.2-2.3.2.src.rpm
  [12] ftp://ftp.openpkg.org/release/2.2/UPD/openpkg-2.2.3-2.2.3.src.rpm
  [13] ftp://ftp.openpkg.org/release/2.3/UPD/
  [14] ftp://ftp.openpkg.org/release/2.2/UPD/
  [15] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCqfvvgHWT4GPEy58RAn37AKCO1mquoh33sAnOG7K4Te5DPZX9lACgo0IJ
YmZlJ+9kZyRgnTEIlvR2HRE=
=DiNk
-----END PGP SIGNATURE-----
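
  The bzip2 file mode problem (CAN-2005-0953), described in
  OpenPKG-SA-2005.008 and again in the advisory above, is an instance
  of a general pattern: a program writes an output file, closes it, and
  then applies the input file's permissions with chmod() to the output
  *name*, which by then may refer to something other than the file it
  wrote. The following Python code is an added example, not bzip2's
  source and not part of the advisory: it shows the name-based pattern
  beside the hardened form that creates the output with O_EXCL and sets
  the mode with fchmod() on the open descriptor, so the mode change is
  bound to the inode that was actually written. demo() exercises both
  on constructed files in a scratch directory; all names are this
  example's own.

```python
import os
import stat
import tempfile


def copy_mode_by_name(src_path: str, dst_path: str, data: bytes) -> None:
    """Name-based pattern (the weak one): write, close, then chmod() the
    path.  chmod() acts on whatever dst_path resolves to at that moment,
    not necessarily on the file this function just wrote."""
    mode = stat.S_IMODE(os.stat(src_path).st_mode)
    with open(dst_path, "wb") as f:
        f.write(data)
    os.chmod(dst_path, mode)


def copy_mode_by_descriptor(src_path: str, dst_path: str, data: bytes) -> None:
    """Hardened pattern: O_CREAT|O_EXCL guarantees we created a brand new
    file (an existing path, symlink or otherwise, makes open() fail), and
    fchmod() applies the mode to that descriptor's inode while it is
    still open, leaving no window in which the name can be swapped."""
    mode = stat.S_IMODE(os.stat(src_path).st_mode)
    fd = os.open(dst_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        os.fchmod(fd, mode)          # unaffected by umask, bound to the inode
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both variants on constructed sample files and report modes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "input.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample input\n")
        os.chmod(src, 0o640)

        # Ordinary case: fresh output path, the mode is copied as intended.
        fresh = os.path.join(tmp, "fresh.out")
        copy_mode_by_descriptor(src, fresh, b"x")
        fresh_mode = stat.S_IMODE(os.stat(fresh).st_mode)

        # The output name already resolves (here through a symlink) to an
        # unrelated file of the same user that should keep its 0600 mode.
        other = os.path.join(tmp, "other.txt")
        with open(other, "wb") as f:
            f.write(b"unrelated file\n")
        os.chmod(other, 0o600)
        link = os.path.join(tmp, "linked.out")
        os.symlink(other, link)

        copy_mode_by_name(src, link, b"x")   # follows the link: other.txt changes
        other_after_by_name = stat.S_IMODE(os.stat(other).st_mode)

        os.chmod(other, 0o600)               # reset before the hardened run
        try:
            copy_mode_by_descriptor(src, link, b"x")
            refused = False
        except FileExistsError:              # O_EXCL: the path already exists
            refused = True
        other_after_by_fd = stat.S_IMODE(os.stat(other).st_mode)

        return {
            "fresh_mode": fresh_mode,
            "other_mode_after_by_name": other_after_by_name,
            "hardened_refused_existing_path": refused,
            "other_mode_after_by_fd": other_after_by_fd,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

  The race the advisory describes is the window between close() and
  chmod() in the name-based variant; the demo makes the consequence
  deterministic by having the name already point elsewhere, which is
  exactly the state the descriptor-based variant refuses to proceed from.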

From openpkg-announce-owner@openpkg.org  Tue Jun 21 11:33:28 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id A01F31B50C1; Tue, 21 Jun 2005 11:33:28 +0200 (CEST)
Date: Tue, 21 Jun 2005 11:33:28 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [ANNOUNCE] OpenPKG Foundation e.V. established
Message-ID: <20050621093328.GA81150@master.openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 2005-06-21

    OpenPKG Foundation e.V. established to support OpenPKG, the unique
    cross-platform multi-instance Unix software packaging solution.

  http://www.openpkg.org/ http://www.openpkg.net/ -- Munich, DE --
  2005-06-21 -- After five months of efforts, the Open Source
  software project OpenPKG is proud to announce the establishment
  of the OpenPKG Foundation e.V., a nonprofit organization providing
  the ideational, financial, material and manned support of OpenPKG.

   "We have done so much for so long with so little.
    We are now qualified to do anything with nothing."
                          -- adapted from Larry Wall

  ABOUT OPENPKG

  For years OpenPKG has been the undisputed world leading instrument
  for deployment and maintenance of Open Source Unix software when
  administration crosses platform boundaries. The unique OpenPKG
  architecture leverages proven technologies like Red Hat Package
  Manager (RPM) and OSSP and GNU components to establish a unified
  software administration environment, independent of the underlying
  Unix operating system. As of June 2005, OpenPKG consists of over
  86000 lines of polished package specifications, resulting in
  over 880 freely available individual Unix software packages.

  HISTORY OF THE OPENPKG PROJECT

  The Open Source software project OpenPKG was founded in 2000 by
  Ralf S. Engelschall and first released to the public in January
  2002. Today OpenPKG is a mature technology in production use. It is
  maintained and improved by its original developers and volunteer
  contributors. The project expects to receive valuable contributions
  and support from the community behind the OpenPKG Foundation e.V. in
  order to maintain leadership and expand to a larger audience. The
  equipment to run the project is sponsored by Ralf S. Engelschall and
  Thomas Lotterer and hosting is sponsored by SpaceNet since late 2004.

  HISTORY OF THE OPENPKG FOUNDATION

  The OpenPKG Foundation e.V. is a nonprofit organization with the
  dedicated goal of supporting the OpenPKG project. The idea to organize
  the social network of OpenPKG was born by Ralf S. Engelschall and
  Thomas Lotterer in January 2005. A month later, on 2005-02-09,
  the nine founders Herbert Schmid, Manuel Hendel, Peter Kajinski,
  Richard Maier, Thomas Lotterer, Ralf S. Engelschall, Torsten Homeyer,
  Christoph Schug and Michael Schloh von Bennewitz kicked off the
  Foundation. Official registration under German law was completed
  on 2005-03-18. Today the OpenPKG Foundation e.V. counts seventeen
  members and is open for more to join. Hosting of the Foundation's
  equipment is also sponsored by SpaceNet since late 2004.

  MORE INFORMATION

  OpenPKG Project                OpenPKG Foundation e.V.
  http://www.openpkg.org/        http://www.openpkg.net/
  press@openpkg.org              press@openpkg.net
  +49-172-8986801 (CET)


From openpkg-announce-owner@openpkg.org  Wed Jun 22 11:19:29 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 2CE7D1B50BC; Wed, 22 Jun 2005 11:19:29 +0200 (CEST)
Date: Wed, 22 Jun 2005 11:19:29 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-users@openpkg.org,
	openpkg-dev@openpkg.org
Subject: [ANNOUNCE] OpenPKG 2.4
Message-ID: <20050622091929.GA89968@master.openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 2005-06-22

    The OpenPKG project releases version 2.4 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- 2005-06-22 -- The
  OpenPKG project is proud to announce version 2.4 of its software,
  another evolutionary step after eight releases in four years.

  Much valued by IT decision makers and beloved by Unix system
  administrators, OpenPKG is the world leading instrument for deployment
  and maintenance of Open Source Unix software when administration
  crosses platform boundaries. The unique OpenPKG architecture leverages
  proven technologies like Red Hat Package Manager (RPM) and OSSP
  and GNU components to establish a unified software administration
  environment, independent of the underlying Unix operating system.

  NEW IN VERSION 2.4

  This is the first release created by the newly established OpenPKG
  Foundation e.V., which contributed a substantial amount of manpower
  and all the technical resources making up the "buildfarm" and the
  development environment for the release engineers.

  Since the previous release four months ago, the OpenPKG package
  repository has grown again by 15%. A subset of 562 packages were
  carefully selected for inclusion into the OpenPKG 2.4 release,
  including the latest versions of popular Open Source Unix software
  like Apache, Bash, BIND, GCC, INN, Mozilla Firefox, MySQL, OpenSSH,
  Perl, Postfix, PostgreSQL, Samba, Squid, teTeX and Vim.

  Major technical efforts for this release were spent on migrating the
  whole development and release engineering environment to the new
  OpenPKG Foundation infrastructure, porting OpenPKG to IBM AIX 5.1 and
  enhancing the Solaris 10 and Debian 3.1 support.

  OpenPKG 2.4 is available for 16 different Unix platforms. Most
  notably, it is supported on FreeBSD 5.4, NetBSD 2.0.2, Debian
  GNU/Linux 3.1, Fedora Core 3, SUSE Linux 9.3, and Sun Solaris 9
  and 10. Additionally, all CORE and the vast majority of BASE class
  packages are already available for the tentative platforms FreeBSD
  6.0, Gentoo Linux 1.6.12 and Mandriva Linux 10.2. It is also still
  available for the obsolete platforms Red Hat Enterprise Linux 3, Sun
  Solaris 8 and FreeBSD 4.11. Finally, OpenPKG is also known to work
  under IBM AIX 5.1, HP HP-UX 11.11 and MacOS X 10.3.

  The OpenPKG 2.4 release was a joint effort of many individuals,
  most notably the Release Engineering team, this time consisting of
  the OpenPKG Foundation members Thomas Lotterer, Ralf S. Engelschall,
  Steve Weinreich and Matthias Kurz.

  HIGHLIGHTS OF OPENPKG

  * Portable across major Unix flavors.
  * Supporting many commonly used platforms:
    FreeBSD 5.4, NetBSD 2.0.2, Debian GNU/Linux 3.11,
    Fedora Core 3, SUSE Linux 9.3, and Solaris 9 and 10.
  * Additionally already available for the tentative platforms:
    FreeBSD 6.0, Gentoo Linux 1.6.9 and Mandriva Linux 10.2.
  * Additionally still available for the obsolete platforms:
    FreeBSD 4.11, Red Hat Enterprise Linux 3 and Sun Solaris 8.
  * Additionally known to work for the forthcoming platforms:
    HP HP-UX 11.11, MacOS X 10.3 and IBM AIX 5.1
  * Entirely based on Open Source technology.
  * Minimum operating system intrusion and dependency.
  * Minimum overhead in software packaging.
  * All packages up to date with vendor versions as of 2005-06-18.
  * Sources of 562 CORE+BASE+PLUS packages released.
  * Binaries of CORE+BASE class packages provided for supported platforms.
  * Binaries of CORE class packages provided for all platforms.
  * Easy installation, updating and deinstallation of packages.
  * Bundled with useful and secure package preconfigurations.
  * Includes an abstracted and powerful run-command facility.
  * Virtual hosting through multiple instances on a single system.
  * Proxy package mechanism for sharing packages across instances.
  * Build-time package variations for maximum flexibility.
  * Foundation to build encapsulated and self contained environments.

  HISTORY OF THE OPENPKG PROJECT

  The Open Source software project OpenPKG was founded in 2000 by
  Ralf S. Engelschall and first released to the public in January 2002.
  Today OpenPKG is a mature technology in production use. It is
  maintained and improved by its original developers, organized in
  the OpenPKG Foundation e.V., and volunteer contributors.

  HISTORY OF THE OPENPKG FOUNDATION

  The OpenPKG Foundation e.V. is a nonprofit organization with the
  dedicated goal of supporting the OpenPKG project. The idea to organize
  the social network of OpenPKG was born by Ralf S. Engelschall and
  Thomas Lotterer in January 2005. A month later, on 2005-02-09, nine
  founders kicked off the Foundation. Official registration under German
  law was completed on 2005-03-18. The OpenPKG Foundation finally went
  public on 2005-06-21.

  MORE INFORMATION

  The OpenPKG Project            OpenPKG Foundation e.V.
  http://www.openpkg.org/        http://www.openpkg.net/
  press@openpkg.org              press@openpkg.net
  +49-172-8986801 (CET)


From openpkg-announce-owner@openpkg.org  Thu Jun 23 20:09:16 2005
Date: Thu, 23 Jun 2005 20:09:14 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.012] OpenPKG Security Advisory (sudo)
Message-ID: <OpenPKG-SA-2005.012@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.012                                          23-Jun-2005
________________________________________________________________________

Package:             sudo
Vulnerability:       race condition, arbitrary command execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG CURRENT      <= sudo-1.6.8p8-20050422 >= sudo-1.6.8p9-20060620
OpenPKG 2.4          <= sudo-1.6.8p8-2.4.0    >= sudo-1.6.8p8-2.4.1
OpenPKG 2.3          <= sudo-1.6.8p7-2.3.0    >= sudo-1.6.8p7-2.3.1

Dependent Packages:  none

Description:
  According to a vendor security advisory [0] based on hints from
  Charles Morris, a race condition exists in the command pathname
  handling of Sudo [1] prior to version 1.6.8p9. This could allow a
  user with Sudo privileges to run arbitrary commands. Exploitation of
  the bug requires that the user be allowed to run one or more commands
  via Sudo and be able to create symbolic links in the filesystem.
  Furthermore, an entry in the "sudoers" file giving another user access
  to the "ALL" pseudo-command must follow the user's entry for the race
  to exist. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2005-1993 [2] to the problem.
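An added example, not part of the advisory or of sudo itself: a minimal sudoers audit that flags the ordering precondition described above (a user with a restricted command list whose entry is followed, later in the file, by an entry granting a different user the "ALL" pseudo-command). The parser is an assumption for the demo and understands only single-line user specifications; the sudoers content is constructed.

```python
"""Flag the sudoers ordering named in OpenPKG-SA-2005.012 as a precondition:
a user with a restricted command list whose entry is followed by an entry
that grants another user 'ALL'.

Added example, not from sudo or OpenPKG. The parser is deliberately minimal
(an assumption for this demo): it reads single-line user specifications of
the form 'user host = (runas) cmd1, cmd2' and skips comments, Defaults,
alias definitions and backslash-continued lines instead of resolving them.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample sudoers file; nothing here comes from a real host.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL = (ALL) ALL
alice   ALL = /usr/bin/less, /usr/bin/tail
bob     ALL = (ALL) ALL
carol   ALL = /bin/ls
"""

_USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.*)$")
_RUNAS = re.compile(r"^\([^)]*\)\s*")
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias",
                  "Host_Alias", "Cmnd_Alias")


def parse_user_specs(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, user, [commands]) for each recognised user spec."""
    specs = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(_SKIP_PREFIXES):
            continue
        if line.endswith("\\"):
            continue  # continuation lines are out of scope for this demo
        m = _USER_SPEC.match(line)
        if not m:
            continue
        user, _host, cmnd_part = m.groups()
        cmnd_part = _RUNAS.sub("", cmnd_part)          # drop a "(runas)" prefix
        commands = [c.strip() for c in cmnd_part.split(",") if c.strip()]
        # Tags such as "NOPASSWD:" prefix a command; drop them for the check.
        commands = [c.split(":")[-1].strip() for c in commands]
        specs.append((line_no, user, commands))
    return specs


def find_exposed_users(text: str) -> Dict[str, int]:
    """Map each user with a restricted command list to the line number of the
    first later entry that grants a *different* user 'ALL'. Users who already
    have 'ALL' are not the case the advisory describes and are skipped."""
    specs = parse_user_specs(text)
    exposed: Dict[str, int] = {}
    for i, (_, user, commands) in enumerate(specs):
        if "ALL" in commands:
            continue
        for later_line, other, other_cmds in specs[i + 1:]:
            if other != user and "ALL" in other_cmds:
                exposed.setdefault(user, later_line)
                break
    return exposed


if __name__ == "__main__":
    for user, line_no in find_exposed_users(SAMPLE_SUDOERS).items():
        print(f"{user}: restricted entry is followed by an ALL entry at line {line_no}")
```

The finding is only the precondition; the fix the advisory gives is the package upgrade, and the audit is useful to prioritise hosts until that is done.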

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q sudo". If you have the "sudo" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].
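An added example (not OpenPKG's own tooling) of the version check above, which applies in the same way to the advisories that follow: it splits the name-version-release strings that `openpkg rpm -q sudo` prints, orders them with a simplified reimplementation of rpm's rpmvercmp (an assumption that covers numeric and alphabetic segments but not every corner case of the real library) and tests the installed package against a copy of this advisory's table.

```python
"""Check an installed OpenPKG package against an advisory's affected table.

Added example, not OpenPKG's tooling. The comparison is a simplified
reimplementation of rpmvercmp(): strings are split into alternating digit
and letter segments, digits compare numerically, letters lexically, a digit
segment ranks above a letter segment, and when all shared segments are equal
the string with more segments is newer. Corner cases of the real library
(such as '~' and '^') are intentionally not modelled.
"""
import re
from typing import Dict, Tuple

# Constructed copy of the table in OpenPKG-SA-2005.012 (sudo):
# release -> (last affected NVR, first corrected NVR)
SUDO_TABLE: Dict[str, Tuple[str, str]] = {
    "CURRENT": ("sudo-1.6.8p8-20050422", "sudo-1.6.8p9-20060620"),
    "2.4":     ("sudo-1.6.8p8-2.4.0",    "sudo-1.6.8p8-2.4.1"),
    "2.3":     ("sudo-1.6.8p7-2.3.0",    "sudo-1.6.8p7-2.3.1"),
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' on the last two dashes, so package
    names that contain dashes (e.g. 'openpkg-rc') are handled."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version (or release) strings."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            # a numeric segment is newer than an alphabetic one: 1.6.8p8 < 1.6.8.1
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def compare_nvr(a: str, b: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    na, va, ra = split_nvr(a)
    nb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError(f"cannot compare different packages {na!r} and {nb!r}")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(release: str, installed: str,
                table: Dict[str, Tuple[str, str]] = SUDO_TABLE) -> bool:
    """True when the installed NVR is <= the last affected NVR of a release."""
    last_affected, _corrected = table[release]
    return compare_nvr(installed, last_affected) <= 0


if __name__ == "__main__":
    # Stand-in for the output of "<prefix>/bin/openpkg rpm -q sudo" on 2.4.
    for nvr in ("sudo-1.6.8p8-2.4.0", "sudo-1.6.8p8-2.4.1"):
        print(nvr, "affected" if is_affected("2.4", nvr) else "corrected")
```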

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get sudo-1.6.8p8-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig sudo-1.6.8p8-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild sudo-1.6.8p8-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/sudo-1.6.8p8-2.4.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.sudo.ws/sudo/alerts/path_race.html
  [1] http://www.sudo.ws/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1993
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/sudo-1.6.8p8-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/sudo-1.6.8p7-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCuvpUgHWT4GPEy58RAuqJAKDKJZ29ph5iOYOTwJHhBn7JNCCmZgCcD/dG
AuUubrgwjVpyuZ+jkbvuPl0=
=d12Z
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jun 23 20:33:43 2005
Date: Thu, 23 Jun 2005 20:33:42 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.011] OpenPKG Security Advisory (shtool)
Message-ID: <OpenPKG-SA-2005.011@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.011                                          23-Jun-2005
________________________________________________________________________

Package:             shtool
Vulnerability:       insecure temporary file handling
OpenPKG Specific:    no

Affected Releases:   Affected Packages:             Corrected Packages:
OpenPKG CURRENT      <= shtool-2.0.1-20050324       >= shtool-2.0.2-20050615
                     <= openpkg-20050613-20050613   >= openpkg-20050615-20050615
                     <= al-0.9.1-20040207           >= al-0.9.1-20050615
                     <= as-gui-0.7.7-20040920       >= as-gui-0.7.7-20050615
                     <= cfg-0.9.9-20050218          >= cfg-0.9.9-20050615
                     <= ettercap-0.7.3-20050529     >= ettercap-0.7.3-20050615
                     <= ex-1.0.4-20050610           >= ex-1.0.4-20050615
                     <= flow2rrd-0.9.1-20041230     >= flow2rrd-0.9.1-20050615
                     <= fsl-1.6.0-20050308          >= fsl-1.6.0-20050615
                     <= getopt-20030307-20040207    >= getopt-20030307-20050615
                     <= iselect-1.3.0-20041008      >= iselect-1.3.0-20050615
                     <= jitterbug-1.6.2.3-20040203  >= jitterbug-1.6.2.3-20050615
                     <= l2-0.9.10-20050308          >= l2-0.9.10-20050615
                     <= libnetdude-0.7-20050506     >= libnetdude-0.7-20050615
                     <= libpcapnav-0.6-20050506     >= libpcapnav-0.6-20050615
                     <= libradius-20040920-20040920 >= libradius-20040920-20050615
                     <= lmtp2nntp-1.3.0-20041207    >= lmtp2nntp-1.3.0-20050615
                     <= lzo-2.00-20050530           >= lzo-2.00-20050615
                     <= lzop-1.01-20050530          >= lzop-1.01-20050615
                     <= mm-1.3.1-20041018           >= mm-1.3.1-20050615
                     <= netdude-0.4.6-20050506      >= netdude-0.4.6-20050615
                     <= newt-0.51.6.7-20050323      >= newt-0.51.6.7-20050615
                     <= nmap-3.81-20050207          >= nmap-3.81-20050615
                     <= openldap-2.2.27-20050611    >= openldap-2.2.27-20050615
                     <= openpkg-rc-0.7.3-20040207   >= openpkg-rc-0.7.3-20050615
                     <= petidomo-4.0b6-20050215     >= petidomo-4.0b6-20050615
                     <= php-4.3.11-20050407         >= php-4.3.11-20050615
                     <= php5-5.0.4-20050611         >= php5-5.0.4-20050615
                     <= pth-2.0.4-20050218          >= pth-2.0.4-20050615
                     <= sa-1.2.4-20050308           >= sa-1.2.4-20050615
                     <= shiela-1.1.5-20050112       >= shiela-1.1.5-20050615
                     <= sio-0.9.2-20050610          >= sio-0.9.2-20050615
                     <= snmpdx-0.2.10-20041018      >= snmpdx-0.2.10-20050615
                     <= str-0.9.10-20050124         >= str-0.9.10-20050615
                     <= svs-1.0.2-20050206          >= svs-1.0.2-20050615
                     <= uuid-1.2.0-20050407         >= uuid-1.2.0-20050615
                     <= val-0.9.3-20050610          >= val-0.9.3-20050615
                     <= var-1.1.2-20041031          >= var-1.1.2-20050615
                     <= wml-2.0.9-20050613          >= wml-2.0.9-20050615
                     <= xds-0.9.2-20050603          >= xds-0.9.2-20050615

OpenPKG 2.4          none                           N.A.

OpenPKG 2.3          <= shtool-2.0.1-2.3.0          >= shtool-2.0.1-2.3.1
                     <= openpkg-2.3.2-2.3.2         >= openpkg-2.3.3-2.3.3
                     <= al-0.9.1-2.3.0              >= al-0.9.1-2.3.1
                     <= cfg-0.9.9-2.3.0             >= cfg-0.9.9-2.3.1
                     <= ex-1.0.4-2.3.0              >= ex-1.0.4-2.3.1
                     <= fsl-1.6.0-2.3.1             >= fsl-1.6.0-2.3.2
                     <= getopt-20030307-2.3.0       >= getopt-20030307-2.3.1
                     <= iselect-1.3.0-2.3.0         >= iselect-1.3.0-2.3.1
                     <= l2-0.9.10-2.3.0             >= l2-0.9.10-2.3.1
                     <= lmtp2nntp-1.3.0-2.3.0       >= lmtp2nntp-1.3.0-2.3.1
                     <= lzo-1.08-2.3.0              >= lzo-1.08-2.3.1
                     <= lzop-1.01-2.3.0             >= lzop-1.01-2.3.1
                     <= mm-1.3.1-2.3.1              >= mm-1.3.1-2.3.1
                     <= newt-0.51.6.6-2.3.0         >= newt-0.51.6.6-2.3.1
                     <= nmap-3.81-2.3.0             >= nmap-3.81-2.3.1
                     <= openldap-2.2.23-2.3.0       >= openldap-2.2.23-2.3.1
                     <= php-4.3.10-2.3.1            >= php-4.3.10-2.3.2
                     <= php5-5.0.3-2.3.0            >= php5-5.0.3-2.3.1
                     <= pth-2.0.4-2.3.0             >= pth-2.0.4-2.3.1
                     <= sa-1.2.4-2.3.0              >= sa-1.2.4-2.3.1
                     <= shiela-1.1.5-2.3.0          >= shiela-1.1.5-2.3.1
                     <= sio-0.9.2-2.3.0             >= sio-0.9.2-2.3.1
                     <= snmpdx-0.2.10-2.3.0         >= snmpdx-0.2.10-2.3.1
                     <= str-0.9.10-2.3.0            >= str-0.9.10-2.3.1
                     <= uuid-1.2.0-2.3.0            >= uuid-1.2.0-2.3.1
                     <= val-0.9.3-2.3.0             >= val-0.9.3-2.3.1
                     <= var-1.1.2-2.3.0             >= var-1.1.2-2.3.1
                     <= wml-2.0.9-2.3.0             >= wml-2.0.9-2.3.1
                     <= xds-0.9.1-2.3.0             >= xds-0.9.1-2.3.1

Dependent Packages:  none

Description:
  Eric Romang has discovered [1] that GNU shtool [0] insecurely creates
  temporary files with predictable filenames, potentially allowing a
  local user to overwrite arbitrary files with a "symlink" attack. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2005-1751 [2] to the problem. On closer inspection, the Gentoo
  Security team discovered that the GNU shtool temporary file, once
  created, was being reused insecurely, too. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2005-1759 [3] to the
  problem.
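An added example, not shtool's code and not the OpenPKG fix: the weak temporary-file pattern the advisory describes (predictable name, opened by path so an existing symlink is followed) beside its hardened forms, exercised in a throwaway directory. The `<prog>.<pid>` naming is an assumed stand-in for a guessable name; the hardened versions create the file atomically with O_EXCL or via mkstemp and keep the descriptor rather than reopening the path, which is the reuse problem the second CVE covers.

```python
"""Temporary-file handling: the predictable-name pattern described in
OpenPKG-SA-2005.011, beside the hardened forms.

Added example, not shtool's code and not OpenPKG's fix. The '<prog>.<pid>'
layout is an assumed stand-in for a guessable temporary-file name.
"""
import os
import stat
import tempfile


def predictable_tmp_path(base_dir: str, prog: str = "shtool") -> str:
    """Weak: anyone on the host can compute this name from the PID."""
    return os.path.join(base_dir, f"{prog}.{os.getpid()}")


def open_tmp_insecurely(path: str) -> int:
    # Vulnerable on purpose (the 'before'): O_CREAT without O_EXCL, so a
    # symlink already sitting at `path` is followed and its target truncated.
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def open_fixed_path_securely(path: str) -> int:
    """Hardened form when a fixed name is unavoidable: O_EXCL makes creation
    atomic and fails if anything (file or symlink) already exists; O_NOFOLLOW,
    where the platform has it, refuses symlinks outright."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def open_tmp_securely(base_dir: str, prog: str = "shtool"):
    """Preferred form: unpredictable name, created atomically, mode 0600.
    Keep and reuse the returned descriptor; reopening the path later is the
    'reused insecurely' variant the advisory also names."""
    return tempfile.mkstemp(prefix=f"{prog}.", dir=base_dir)


def demo(base_dir: str) -> dict:
    """Exercise all three patterns inside base_dir and report the outcome."""
    target = os.path.join(base_dir, "victim.txt")
    with open(target, "w") as f:
        f.write("original\n")
    path = predictable_tmp_path(base_dir)
    os.symlink(target, path)  # a symlink is already present at the guessable name

    # Weak pattern: the symlink is followed and the target is overwritten.
    fd = open_tmp_insecurely(path)
    os.write(fd, b"clobbered\n")
    os.close(fd)
    with open(target) as f:
        insecure_followed = f.read() == "clobbered\n"

    # Hardened pattern at the same fixed path: creation is refused.
    try:
        os.close(open_fixed_path_securely(path))
        secure_refused = False
    except OSError:  # EEXIST (or ELOOP with O_NOFOLLOW)
        secure_refused = True

    # Hardened pattern with a random name: regular file, mode 0600, reused via fd.
    fd, _ = open_tmp_securely(base_dir)
    st = os.fstat(fd)
    os.write(fd, b"data\n")
    os.close(fd)
    random_name_ok = stat.S_ISREG(st.st_mode) and (st.st_mode & 0o777) == 0o600

    return {"insecure_followed": insecure_followed,
            "secure_refused": secure_refused,
            "random_name_ok": random_name_ok}


def run_demo_in_tmpdir() -> dict:
    """Self-contained run inside a directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo_in_tmpdir())
```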

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q shtool". If you have the "shtool" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6], fetch it from the OpenPKG FTP service [7] or a mirror location,
  verify its integrity [8], build a corresponding binary RPM from it [4]
  and update your OpenPKG installation by applying the binary RPM [5].
  For the affected release OpenPKG 2.3, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.3/UPD
  ftp> get shtool-2.0.1-2.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig shtool-2.0.1-2.3.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild shtool-2.0.1-2.3.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/shtool-2.0.1-2.3.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [4][5].
________________________________________________________________________

References:
  [0]  http://www.gnu.org/software/shtool/
  [1]  http://www.zataz.net/adviso/shtool-05252005.txt
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1759
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/2.3/UPD/shtool-2.0.1-2.3.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.3/UPD/
  [8]  http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCuwBMgHWT4GPEy58RAhbpAJ97hyBv9hd+Z6tHo0AaC34O4puVugCgjSZ7
kG885jFAJ+kCHvIcEKAufSc=
=bIdp
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul  7 14:28:15 2005
Date: Thu, 7 Jul 2005 14:28:14 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.013] OpenPKG Security Advisory (zlib)
Message-ID: <OpenPKG-SA-2005.013@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.013                                          07-Jul-2005
________________________________________________________________________

Package:             zlib
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= zlib-1.2.2-20050219       >= zlib-1.2.2-20050706
                     <= ghostscript-8.51-20050423 >= ghostscript-8.51-20050706
                     <= openpkg-20050615-20050615 >= openpkg-20050706-20050706
                     <= qt-3.3.4-20050503         >= qt-3.3.4-20050707

OpenPKG 2.4          <= zlib-1.2.2-2.4.0          >= zlib-1.2.2-2.4.1
                     <= ghostscript-8.51-2.4.0    >= ghostscript-8.51-2.4.1
                     <= openpkg-2.4.0-2.4.0       >= openpkg-2.4.1-2.4.1
                     <= qt-3.3.4-2.4.0            >= qt-3.3.4-2.4.1

OpenPKG 2.3          <= zlib-1.2.2-2.3.0          >= zlib-1.2.2-2.3.1
                     <= ghostscript-8.14-2.3.0    >= ghostscript-8.14-2.3.1
                     <= openpkg-2.3.3-2.3.3       >= openpkg-2.3.4-2.3.4
                     <= qt-3.3.4-2.3.0            >= qt-3.3.4-2.3.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      abiword aegis aide analog apache apache2 autotrace
                     blender bsdtar cadaver cairo citadel clamav
                     cups curl cvs cvsps cvsync dia doxygen emacs
                     ethereal exim expat file firefox flowtools gd
                     geoip gif2png gift-gnutella gift-openft gimp gmime
                     gnome-vfs gnupg gnuplot gnutls htdig imagemagick
                     ircd jitterbug kcd lbreakout lcms libarchive
                     librsync libwmf libxml lout lynx magicpoint mcrypt
                     mixmaster mng mozilla mplayer mrtg mysql mysql3
                     mysql40 mysql41 mysqlcc nagios neon netpbm opencdk
                     openpkg openssh openssl pdflib perl-comp perl-gd
                     perl-tk pgpdump php php3 php5 pnet png postgresql
                     postgresql7 pstoedit python qt ratbox ripe-dbase
                     rrdtool ruby scribus sio subversion tardy tetex
                     tiff tightvnc transfig ttmkfdir w3m webalizer wml
                     wv xdelta xemacs xfig xmame xplanet xv zimg

OpenPKG 2.4          aegis aide analog apache apache2 autotrace cadaver
                     cairo clamav curl cvs emacs exim expat file
                     firefox flowtools gd geoip gif2png gift-gnutella
                     gift-openft gimp gmime gnupg gnuplot htdig
                     imagemagick ircd lcms libwmf libxml lout lynx
                     magicpoint mng mozilla mrtg mysql mysql40 neon
                     netpbm opencdk openssh openssl pdflib perl-comp
                     perl-tk php php5 png postgresql postgresql7
                     pstoedit python ratbox ripe-dbase rrdtool sio
                     subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv

OpenPKG 2.3          aegis aide analog apache apache2 autotrace cadaver
                     clamav curl cvs emacs exim expat file flowtools
                     gd geoip gif2png gift-gnutella gift-openft gimp
                     gmime gnupg gnuplot htdig imagemagick ircd lcms
                     libwmf libxml lout lynx mng mozilla mrtg mysql
                     mysql40 neon netpbm opencdk openssh openssl
                     pdflib perl-comp perl-tk php php5 png postgresql
                     postgresql7 pstoedit python ripe-dbase rrdtool
                     sio subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv

Description:
  Tavis Ormandy from Gentoo discovered a Denial of Service (DoS)
  vulnerability in the ZLib compression library [1] versions 1.2.x
  (older versions are not affected). An error in the handling of corrupt
  compressed data streams can result in a buffer being overflowed. By
  carefully crafting a corrupt compressed data stream, an attacker
  could overwrite data structures in a ZLib-using application. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2005-2096 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get zlib-1.2.2-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig zlib-1.2.2-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild zlib-1.2.2-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/zlib-1.2.2-2.4.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
________________________________________________________________________

References:
  [1] http://www.zlib.net/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/zlib-1.2.2-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/zlib-1.2.2-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFCzR+OgHWT4GPEy58RAhP4AKCBIX+ekTTr4bTMOaB9Sm4D+umstACgpsD9
Qkh660UJivb/cm8b8qk7Bc0=
=E9eq
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul 28 10:08:17 2005
Date: Thu, 28 Jul 2005 10:08:17 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.014] OpenPKG Security Advisory (zlib)
Message-ID: <OpenPKG-SA-2005.014@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.014                                          28-Jul-2005
________________________________________________________________________

Package:             zlib
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= zlib-1.2.2-20050706       >= zlib-1.2.3-20050722
                     <= ghostscript-8.51-20050706 >= ghostscript-8.51-20050722
                     <= openpkg-20050706-20050706 >= openpkg-20050722-20050722
                     <= qt-3.3.4-20050707         >= qt-3.3.4-20050728

OpenPKG 2.4          <= zlib-1.2.2-2.4.1          >= zlib-1.2.2-2.4.2
                     <= ghostscript-8.51-2.4.1    >= ghostscript-8.51-2.4.2
                     <= openpkg-2.4.1-2.4.1       >= openpkg-2.4.2-2.4.2
                     <= qt-3.3.4-2.4.1            >= qt-3.3.4-2.4.2

OpenPKG 2.3          <= zlib-1.2.2-2.3.1          >= zlib-1.2.2-2.3.2
                     <= ghostscript-8.14-2.3.1    >= ghostscript-8.14-2.3.2
                     <= openpkg-2.3.4-2.3.4       >= openpkg-2.3.5-2.3.5
                     <= qt-3.3.4-2.3.1            >= qt-3.3.4-2.3.2

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      abiword aegis aide analog apache apache2 autotrace
                     blender bsdtar cadaver cairo citadel clamav
                     cups curl cvs cvsps cvsync dia doxygen emacs
                     ethereal exim expat file firefox flowtools gd
                     geoip gif2png gift-gnutella gift-openft gimp gmime
                     gnome-vfs gnupg gnuplot gnutls htdig imagemagick
                     ircd jitterbug kcd lbreakout lcms libarchive
                     librsync libwmf libxml lout lynx magicpoint mcrypt
                     mixmaster mng mozilla mplayer mrtg mysql mysql3
                     mysql40 mysql41 mysqlcc nagios neon netpbm opencdk
                     openpkg openssh openssl pdflib perl-comp perl-gd
                     perl-tk pgpdump php php3 php5 pnet png postgresql
                     postgresql7 pstoedit python qt ratbox ripe-dbase
                     rrdtool ruby scribus sio subversion tardy tetex
                     tiff tightvnc transfig ttmkfdir w3m webalizer wml
                     wv xdelta xemacs xfig xmame xplanet xv zimg

OpenPKG 2.4          aegis aide analog apache apache2 autotrace cadaver
                     cairo clamav curl cvs emacs exim expat file
                     firefox flowtools gd geoip gif2png gift-gnutella
                     gift-openft gimp gmime gnupg gnuplot htdig
                     imagemagick ircd lcms libwmf libxml lout lynx
                     magicpoint mng mozilla mrtg mysql mysql40 neon
                     netpbm opencdk openssh openssl pdflib perl-comp
                     perl-tk php php5 png postgresql postgresql7
                     pstoedit python ratbox ripe-dbase rrdtool sio
                     subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv

OpenPKG 2.3          aegis aide analog apache apache2 autotrace cadaver
                     clamav curl cvs emacs exim expat file flowtools
                     gd geoip gif2png gift-gnutella gift-openft gimp
                     gmime gnupg gnuplot htdig imagemagick ircd lcms
                     libwmf libxml lout lynx mng mozilla mrtg mysql
                     mysql40 neon netpbm opencdk openssh openssl
                     pdflib perl-comp perl-tk php php5 png postgresql
                     postgresql7 pstoedit python ripe-dbase rrdtool
                     sio subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv

Description:
  A previous ZLib [1] update for CAN-2005-2096 fixed a Denial of Service
  (DoS) flaw that could allow a carefully crafted compressed stream to
  crash an application. While the original patch corrected the reported
  overflow, Markus Oberhumer discovered additional ways a stream could
  trigger an overflow. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CAN-2005-1849 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get zlib-1.2.2-2.4.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig zlib-1.2.2-2.4.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild zlib-1.2.2-2.4.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/zlib-1.2.2-2.4.2.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
________________________________________________________________________

References:
  [1] http://www.zlib.net/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/zlib-1.2.2-2.4.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/zlib-1.2.2-2.3.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFC6JIRgHWT4GPEy58RAun3AJ9mvppzpQs4m5xWs/G2LC7Q/UQf2QCffSoz
nziZUeYND7D9aHtJ93N0+PA=
=EzY9
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul 28 13:11:11 2005
Date: Thu, 28 Jul 2005 13:11:11 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.015] OpenPKG Security Advisory (spamassassin)
Message-ID: <OpenPKG-SA-2005.015@openpkg.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.015                                          28-Jul-2005
________________________________________________________________________

Package:             spamassassin
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:             Corrected Packages:
OpenPKG CURRENT      <= spamassassin-3.0.3-20050603 >= spamassassin-3.0.4-20050725
OpenPKG 2.4          <= spamassassin-3.0.3-2.4.0    >= spamassassin-3.0.3-2.4.1
OpenPKG 2.3          <= spamassassin-3.0.2-2.3.0    >= spamassassin-3.0.2-2.3.1

Dependent Packages:  none

Description:
  A Denial of Service (DoS) vulnerability exists in the e-mail spam
  filter SpamAssassin [1]. A remote attacker can trigger it by sending
  a message with certain malformed e-mail headers. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2005-1266 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q spamassassin". If you have the "spamassassin" package installed
  and its version is affected (see above), we recommend that you
  immediately upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary
  RPM from it [3] and update your OpenPKG installation by applying
  the binary RPM [4]. For the latest release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get spamassassin-3.0.3-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig spamassassin-3.0.3-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild spamassassin-3.0.3-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/spamassassin-3.0.3-2.4.1.*.rpm
________________________________________________________________________

References:
  [1] http://spamassassin.apache.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/spamassassin-3.0.3-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/spamassassin-3.0.2-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFC6L05gHWT4GPEy58RAijtAJ4ns7MSIFBukgwxsWtcUBc2/gcMIACfTMns
z+Y55JlfpZgS5xNZKmvQt8E=
=4UMi
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Thu Jul 28 14:33:36 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 6DB4E1B5161; Thu, 28 Jul 2005 14:33:36 +0200 (CEST)
Date: Thu, 28 Jul 2005 14:33:36 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.016] OpenPKG Security Advisory (fetchmail)
Message-ID: <OpenPKG-SA-2005.016@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.016                                          28-Jul-2005
________________________________________________________________________

Package:             fetchmail
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= fetchmail-6.2.5-20050311 >= fetchmail-6.2.5-20050728
OpenPKG 2.4          <= fetchmail-6.2.5-2.4.0    >= fetchmail-6.2.5-2.4.1
OpenPKG 2.3          <= fetchmail-6.2.5-2.3.0    >= fetchmail-6.2.5-2.3.1

Dependent Packages:  none

Description:
  Ross Boylan reported a bug [0] in fetchmail [1] which turned out to
  be a remotely triggerable buffer overflow. A malicious POP3 server
  can send overlong UIDL responses which cause a denial of service and
  possibly allow the execution of arbitrary code on the fetchmail client
  machine. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2005-2335 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q fetchmail". If you have the "fetchmail" package installed and
  its version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get fetchmail-6.2.5-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig fetchmail-6.2.5-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild fetchmail-6.2.5-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/fetchmail-6.2.5-2.4.1.*.rpm
________________________________________________________________________

References:
  [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
  [1] http://www.catb.org/~esr/fetchmail/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2335
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/fetchmail-6.2.5-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/fetchmail-6.2.5-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFC6M/NgHWT4GPEy58RAlopAKCaj7LsPJ6W4sMWY7qMZ1YGl47DhACgxAG8
oqkFGO++EPKu+BcOzBp2UPg=
=3oJ+
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Fri Sep  2 23:29:00 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id DFEFD1B507F; Fri,  2 Sep 2005 23:28:59 +0200 (CEST)
Date: Fri, 2 Sep 2005 23:28:59 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.017] OpenPKG Security Advisory (modssl)
Message-ID: <OpenPKG-SA-2005.017@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.017                                          02-Sep-2005
________________________________________________________________________

Package:             apache/modssl (apache::with_mod_ssl=yes only)
Vulnerability:       information disclosure
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.33-20050713 >= apache-1.3.33-20050902 
OpenPKG 2.4          <= apache-1.3.33-2.4.0    >= apache-1.3.33-2.4.1    
OpenPKG 2.3          <= apache-1.3.33-2.3.3    >= apache-1.3.33-2.3.4    

Dependent Packages:  none

Description:
  An information disclosure vulnerability was discovered in mod_ssl [1],
  the SSL/TLS module of the Apache [2] webserver. When "SSLVerifyClient
  optional" was configured in the global virtual host configuration, an
  "SSLVerifyClient require" in a per-location context was not enforced,
  so content under such a location could be retrieved without a valid
  client certificate. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CAN-2005-2700 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_ssl". If you
  have the "apache" package with option "with_mod_ssl" installed and its
  version is affected (see above), we recommend that you immediately
  upgrade (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the binary
  RPM [5]. For the current release OpenPKG 2.4, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get apache-1.3.33-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig apache-1.3.33-2.4.1.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.33-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.33-2.4.1.*.rpm
________________________________________________________________________

References:
  [1]  http://www.modssl.org/
  [2]  http://www.apache.org/
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/2.4/UPD/apache-1.3.33-2.4.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.3/UPD/apache-1.3.33-2.3.4.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.4/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.3/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFDGMQIgHWT4GPEy58RAksBAJ9vXcBdhYubDD4jJSh1oYJQmoSiFACdFfu1
USHwOH+XxJ9S8jZARVvxOJM=
=zblS
-----END PGP SIGNATURE-----
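
The bug in OpenPKG-SA-2005.017 above only matters on hosts whose Apache
configuration actually combines a virtual-host level "SSLVerifyClient
optional" with a per-location "SSLVerifyClient require". The following
Python audit, added here as an illustration and not part of OpenPKG or
Apache, walks an httpd.conf and reports every such combination so that
the operator knows which virtual hosts were exposed before the upgrade.
The configuration text is constructed; the script treats the server-level
context like a virtual host, matches directives case-insensitively as
Apache does, and does not follow Include directives.

```python
"""Audit an Apache httpd.conf for the directive combination that mod_ssl
(CAN-2005-2700) failed to enforce: "SSLVerifyClient optional" at virtual host
level plus "SSLVerifyClient require" in a per-location container.  Illustrative
code, not part of OpenPKG or Apache; the configuration below is constructed."""
import re

# constructed sample; only the first virtual host shows the affected pattern
SAMPLE_HTTPD_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient optional
    SSLVerifyDepth 2
    <Location /secure>
        SSLVerifyClient require
    </Location>
    <Location /public>
    </Location>
</VirtualHost>
<VirtualHost 10.0.0.2:443>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

CONTAINER = re.compile(
    r"^\s*<(/?)(VirtualHost|LocationMatch|Location|DirectoryMatch|Directory|"
    r"FilesMatch|Files)\b([^>]*)>", re.I)
DIRECTIVE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I)


def _frame(kind, arg, line):
    return {"kind": kind, "arg": arg, "line": line, "setting": None, "requires": []}


def find_unenforced_require(conf_text):
    """One finding per per-location 'require' whose enclosing virtual host (or
    the server-level context, treated the same here) says 'optional'.
    Directive order inside the scope does not matter; Include is not followed."""
    findings = []
    stack = [_frame("server", "", 0)]   # innermost open container is stack[-1]

    def close(scope):
        setting = scope["setting"]
        if setting and setting[0] == "optional":
            for loc, loc_line in scope["requires"]:
                findings.append({"scope": scope["kind"], "scope_line": scope["line"],
                                 "optional_line": setting[1],
                                 "location": loc, "require_line": loc_line})

    for n, line in enumerate(conf_text.splitlines(), 1):
        m = CONTAINER.match(line)
        if m:
            if m.group(1):                       # closing tag
                if len(stack) > 1:
                    done = stack.pop()
                    if done["kind"] == "virtualhost":
                        close(done)
            else:
                stack.append(_frame(m.group(2).lower(), m.group(3).strip(), n))
            continue
        d = DIRECTIVE.match(line)
        if not d:
            continue
        value = d.group(1).lower()
        top = stack[-1]
        if top["kind"] in ("server", "virtualhost"):
            top["setting"] = (value, n)          # the "global" setting of this scope
        elif value == "require":
            scope = next(f for f in reversed(stack)
                         if f["kind"] in ("server", "virtualhost"))
            scope["requires"].append((top["arg"], n))
    close(stack[0])
    return findings


if __name__ == "__main__":
    for f in find_unenforced_require(SAMPLE_HTTPD_CONF):
        print("line %(require_line)d: 'SSLVerifyClient require' for %(location)s is "
              "not enforced by an unpatched mod_ssl because line %(optional_line)d "
              "sets 'optional' for the enclosing %(scope)s" % f)
```

A non-empty result means the host served those locations without a client
certificate while it ran an affected apache package; after the upgrade,
confirm the enforcement by requesting the location without a client
certificate (for example with "openssl s_client" and a plain GET) and
checking that the server refuses it.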

From openpkg-announce-owner@openpkg.org  Mon Sep  5 18:10:36 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 185BE1B50D3; Mon,  5 Sep 2005 18:10:35 +0200 (CEST)
Date: Mon, 5 Sep 2005 18:10:35 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.018] OpenPKG Security Advisory (pcre)
Message-ID: <OpenPKG-SA-2005.018@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.018                                          05-Sep-2005
________________________________________________________________________

Package:             pcre
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= pcre-6.1-20050622        >= pcre-6.2-20050802
                     <= exim-4.52-20050701       >= exim-4.52-20050905
                     <= fsl-1.6.0-20050808       >= fsl-1.6.0-20050905
                     <= hypermail-2.1.8-20050324 >= hypermail-2.1.8-20050905
                     <= l2-0.9.10-20050615       >= l2-0.9.10-20050905
                     <= str-0.9.10-20050615      >= str-0.9.10-20050905
                     <= lmtp2nntp-1.3.0-20050615 >= lmtp2nntp-1.3.0-20050905
                     <= tin-1.6.2-20040207       >= tin-1.6.2-20050905
                     <= wml-2.0.9-20050617       >= wml-2.0.9-20050905
OpenPKG 2.4          <= pcre-6.0-2.4.0           >= pcre-6.0-2.4.1        
                     <= exim-4.51-2.4.0          >= exim-4.51-2.4.1       
                     <= fsl-1.6.0-2.4.0          >= fsl-1.6.0-2.4.1       
                     <= hypermail-2.1.8-2.4.0    >= hypermail-2.1.8-2.4.1 
                     <= l2-0.9.10-2.4.0          >= l2-0.9.10-2.4.1       
                     <= str-0.9.10-2.4.0         >= str-0.9.10-2.4.1      
                     <= lmtp2nntp-1.3.0-2.4.0    >= lmtp2nntp-1.3.0-2.4.1 
                     <= tin-1.6.2-2.4.0          >= tin-1.6.2-2.4.1       
                     <= wml-2.0.9-2.4.0          >= wml-2.0.9-2.4.1       
OpenPKG 2.3          <= pcre-5.0-2.3.0           >= pcre-5.0-2.3.1
                     <= exim-4.50-2.3.0          >= exim-4.50-2.3.1
                     <= fsl-1.6.0-2.3.2          >= fsl-1.6.0-2.3.3
                     <= hypermail-2.1.8-2.3.0    >= hypermail-2.1.8-2.3.1
                     <= l2-0.9.10-2.3.1          >= l2-0.9.10-2.3.2
                     <= str-0.9.10-2.3.1         >= str-0.9.10-2.3.2
                     <= lmtp2nntp-1.3.0-2.3.1    >= lmtp2nntp-1.3.0-2.3.2
                     <= tin-1.6.2-2.3.0          >= tin-1.6.2-2.3.1
                     <= wml-2.0.9-2.3.1          >= wml-2.0.9-2.3.2

Dependent Packages:  aide analog apache apachetop arpd cfengine cvs
                     cvsd dbtool dhcp-agent dhcpd diogene87 dnrd
                     drac ethereal ettercap flowd flowtools gated
                     grep honeyd imapd inetutils inn ircd kde-libs
                     kerberos kermit lighttpd mixmaster monit msntp
                     nagios nessus-tool ngircd nntpcache nsd ntp
                     openldap openssh openvpn petidomo php php5 pks
                     portfwd portsentry postfix pound powerdns privoxy
                     prngd procmail pureftpd qpopper r rbldnsd rdist
                     samhain sasl scponly sendmail smtpfeed snmp snort
                     softflowd sophie spamassassin squid ssmtp stunnel
                     sudo sysmon tacacs teapop tftp thttpd tinyproxy
                     tripwire ucarp whoson

Description:
  An integer overflow was discovered in the Perl Compatible Regular
  Expressions (PCRE) [1] library in versions before 6.2. Large quantifier
  values in a regular expression cause a heap-based buffer overflow when
  the expression is compiled, which allows a remote or local attacker
  who can supply a regular expression to an affected application to
  execute arbitrary code. As PCRE is a popular library, this problem
  affects many applications. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2005-2491 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q pcre". If you have the "pcre" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get pcre-6.0-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig pcre-6.0-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild pcre-6.0-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/pcre-6.0-2.4.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), too [3][4].
________________________________________________________________________

References:
  [1] http://www.pcre.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/pcre-6.0-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/pcre-5.0-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFDHG3jgHWT4GPEy58RAlJ6AKCRpeXSjDgtyjThecNIWmFY+kLWqwCg5tR0
TboY1Zy6BjvYZzjPLE4dH6Q=
=mj3k
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Tue Sep  6 15:25:26 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id CCF371B5052; Tue,  6 Sep 2005 15:25:25 +0200 (CEST)
Date: Tue, 6 Sep 2005 15:25:25 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.019] OpenPKG Security Advisory (openssh)
Message-ID: <OpenPKG-SA-2005.019@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.019                                          06-Sep-2005
________________________________________________________________________

Package:             openssh
Vulnerability:       privilege escalation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= openssh-4.1p1-20050812 >= openssh-4.2p1-20050901 
OpenPKG 2.4          <= openssh-4.1p1-2.4.0    >= openssh-4.1p1-2.4.1    
OpenPKG 2.3          none                      N.A.

Dependent Packages:  none

Description:
  A security bug introduced in OpenSSH [1] version 4.0 caused gateway
  ports (SSH client option "GatewayPorts yes", given on the command line
  as "-o 'GatewayPorts yes'") to be accidentally activated for dynamic
  port forwardings (SSH client command line option "-D [address:]port")
  when the listen address was not explicitly specified. As a result, the
  SSH client bound the listening SOCKS socket on the SSH client machine
  to the wildcard address instead of to "localhost" only, so the dynamic
  port forwarding could also be reached from other hosts and used to
  relay connections through the SSH session. Until the upgrade is
  installed, giving the listen address explicitly (for instance
  "-D localhost:1080") avoids the wildcard bind.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssh". If you have the "openssh" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). [2][3]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [5] or a mirror location,
  verify its integrity [6], build a corresponding binary RPM from it
  [2] and update your OpenPKG installation by applying the binary RPM
  [3]. For the most recent release OpenPKG 2.4, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get openssh-4.1p1-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssh-4.1p1-2.4.1.src.rpm
  $ <prefix>/bin/rpm --rebuild openssh-4.1p1-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-4.1p1-2.4.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.openssh.com/
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/2.4/UPD/openssh-4.1p1-2.4.1.src.rpm
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/
  [6] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFDHZi1gHWT4GPEy58RAnrTAJ0dKA35YVj6Tltklch+O0bkXgxQkACg6R4Y
IzIjDHb0pjTYiVqySMyBV2w=
=/6Zk
-----END PGP SIGNATURE-----
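
For OpenPKG-SA-2005.019 above, the practical check is whether the SOCKS
listener opened by a running "ssh -D" client is bound to a wildcard
address or to the loopback address. The following Python helper, added
here as an illustration and not OpenSSH or OpenPKG code, parses the
listener tables printed by BSD "netstat -an" and by Linux "ss -ltn" or
"netstat -an" and classifies the bind address of a given port; the two
listings it is fed are constructed.

```python
"""Check whether a local SOCKS listener (as opened by "ssh -D port") is bound
to a wildcard address, which is what the OpenSSH 4.0/4.1 bug does when no
listen address is given.  Illustrative code, not OpenSSH or OpenPKG code; the
listener tables below are constructed."""
import re

# BSD "netstat -an" style: address and port separated by a dot, "*" is the wildcard
SAMPLE_NETSTAT_BSD = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.1080                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.1081         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
"""
# Linux "ss -ltn" / "netstat -an" style: address:port, "0.0.0.0" and "::" are wildcards
SAMPLE_SS_LINUX = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:1080         0.0.0.0:*
LISTEN     0      128    127.0.0.1:1081       0.0.0.0:*
LISTEN     0      128    :::1082              :::*
LISTEN     0      128    [::1]:1083           [::]:*
"""

LINUX_SOCK = re.compile(r"^(\[[0-9a-fA-F:.]*\]|[0-9a-fA-F:.*]+):(\d+)$")
BSD_SOCK = re.compile(r"^(\*|\d+\.\d+\.\d+\.\d+)\.(\d+)$")
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(text):
    """Map port -> local address for every LISTEN line; the first token that
    looks like an endpoint is the local one in both netstat and ss output."""
    listeners = {}
    for line in text.splitlines():
        if "LISTEN" not in line:
            continue
        for tok in line.split():
            m = LINUX_SOCK.match(tok) or BSD_SOCK.match(tok)
            if m:
                listeners[int(m.group(2))] = m.group(1)
                break
    return listeners


def wildcard_listeners(text):
    """Ports reachable from other hosts because they are bound to a wildcard."""
    return {p: a for p, a in parse_listeners(text).items() if a in WILDCARD}


def classify_listener(text, port):
    """'wildcard', 'loopback', 'specific' or 'absent' for the given port."""
    addr = parse_listeners(text).get(port)
    if addr is None:
        return "absent"
    if addr in WILDCARD:
        return "wildcard"
    return "loopback" if addr in LOOPBACK else "specific"


if __name__ == "__main__":
    # a SOCKS port opened with "ssh -D 1080" should be "loopback"; with the bug it is "wildcard"
    for name, table in (("bsd", SAMPLE_NETSTAT_BSD), ("linux", SAMPLE_SS_LINUX)):
        print(name, classify_listener(table, 1080), wildcard_listeners(table))
```

Start "ssh -D 1080 host" on the client, capture the real "netstat -an" or
"ss -ltn" output and call classify_listener() on it with port 1080: an
affected openssh package reports "wildcard", while the corrected package,
or an invocation with "-D localhost:1080", reports "loopback".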

From openpkg-announce-owner@openpkg.org  Tue Sep  6 16:15:33 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id D90A21B5060; Tue,  6 Sep 2005 16:15:32 +0200 (CEST)
Date: Tue, 6 Sep 2005 16:15:32 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.020] OpenPKG Security Advisory (proftpd)
Message-ID: <OpenPKG-SA-2005.020@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.020                                          06-Sep-2005
________________________________________________________________________

Package:             proftpd
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= proftpd-1.3.0rc1-20050610 >= proftpd-1.3.0rc2-20050725 
OpenPKG 2.4          <= proftpd-1.3.0rc1-2.4.0    >= proftpd-1.3.0rc1-2.4.1    
OpenPKG 2.3          <= proftpd-1.2.10-2.3.1      >= proftpd-1.2.10-2.3.2      

Dependent Packages:  none

Description:
  It was reported that ProFTPd [1] versions before 1.3.0rc2 suffer from
  two format string vulnerabilities. In the first, a user with the
  ability to create a directory can trigger the format string error if
  a ProFTPd shutdown message is configured to use the "%C", "%R" or "%U"
  variables. In the second, the error is triggered if the ProFTPd module
  mod_sql is used to retrieve messages from a database and format strings
  have been inserted into the database by a user with permission to do
  so. The Common Vulnerabilities and Exposures (CVE) project assigned the
  id CAN-2005-2390 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q proftpd". If you have the "proftpd" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get proftpd-1.3.0rc1-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig proftpd-1.3.0rc1-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild proftpd-1.3.0rc1-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/proftpd-1.3.0rc1-2.4.1.*.rpm
________________________________________________________________________

References:
  [1] http://www.proftpd.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/proftpd-1.3.0rc1-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/proftpd-1.2.10-2.3.2.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFDHaR4gHWT4GPEy58RApHdAJ4xjzYNvDjJpEE6nroHOIyMmHCuogCcCAA1
Yygt57YXIMaqBuM/BzJcMUk=
=0EKg
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Sat Sep 10 17:14:02 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 1F22C1B50E2; Sat, 10 Sep 2005 17:14:02 +0200 (CEST)
Date: Sat, 10 Sep 2005 17:14:02 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.021] OpenPKG Security Advisory (squid)
Message-ID: <OpenPKG-SA-2005.021@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.021                                          10-Sep-2005
________________________________________________________________________

Package:             squid
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG CURRENT      <= squid-2.5.10-20050709 >= squid-2.5.10-20050910 
OpenPKG 2.4          <= squid-2.5.10-2.4.0    >= squid-2.5.10-2.4.1    
OpenPKG 2.3          <= squid-2.5.9-2.3.0     >= squid-2.5.9-2.3.1     

Dependent Packages:  none

Description:
  Two Denial of Service (DoS) issues were discovered in the Squid [0]
  Internet proxy. The first can be triggered by certain aborted requests
  which cause an assertion failure related to "STORE_PENDING"; the
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2005-2794 [1] to this problem. The second allows remote attackers
  to cause a DoS via certain crafted requests in combination with SSL
  timeouts; CVE assigned the id CAN-2005-2796 [2] to it.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q squid". If you have the "squid" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get squid-2.5.10-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig squid-2.5.10-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild squid-2.5.10-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/squid-2.5.10-2.4.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.squid-cache.org/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2794
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2796
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/squid-2.5.10-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/squid-2.5.9-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFDIvf/gHWT4GPEy58RAnCnAKDrvmGNftc9jHI+PDzE9wDUHNja4QCffSdO
Qa9zYyI7QLe9aZLBxbNyG5c=
=2dyO
-----END PGP SIGNATURE-----

From openpkg-announce-owner@openpkg.org  Mon Oct 17 08:52:07 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 79ADF1B506A; Mon, 17 Oct 2005 08:52:07 +0200 (CEST)
Date: Mon, 17 Oct 2005 08:52:07 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.022] OpenPKG Security Advisory (openssl)
Message-ID: <OpenPKG-SA-2005.022@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.022                                          17-Oct-2005
________________________________________________________________________

Package:             openssl
Vulnerability:       potential SSL 2.0 rollback 
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.8-2005092  >= openssl-0.9.8a-20051011
OpenPKG 2.4          <= openssl-0.9.7g-2.4.1   >= openssl-0.9.7g-2.4.2
OpenPKG 2.3          <= openssl-0.9.7e-2.3.2   >= openssl-0.9.7e-2.3.3

Dependent Packages:  unknown

Description:
  According to a vendor security advisory [0], a potential SSL 2.0
  protocol rollback attack vulnerability exists in the cryptography
  toolkit OpenSSL [1]: an active attacker between client and server
  can force two parties that both support SSL 3.0 or TLS 1.0 to fall
  back to the weaker SSL 2.0 protocol. The vulnerability potentially
  affects applications that use the SSL/TLS server implementation
  provided by OpenSSL. Such applications are affected if they use the
  option "SSL_OP_MSIE_SSLV2_RSA_PADDING", either directly or implicitly
  via "SSL_OP_ALL", which includes it. Applications using neither
  "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected.
  Also, applications that disable use of SSL 2.0 (e.g. via
  "SSL_OP_NO_SSLv2") are not affected. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2005-2969 [2] to the
  problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q openssl". If you have the "openssl" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get openssl-0.9.7g-2.4.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig openssl-0.9.7g-2.4.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild openssl-0.9.7g-2.4.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7g-2.4.2.*.rpm
________________________________________________________________________

References:
  [0] http://www.openssl.org/news/secadv_20051011.txt 
  [1] http://www.openssl.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/openssl-0.9.7g-2.4.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/openssl-0.9.7e-2.3.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFDU0oIgHWT4GPEy58RAsolAKCQvKIKBp76kHx8EE/BA4lHaI6yoQCgjiqv
pW5i7CNa0+Gcnhtln/6AJWI=
=lYeP
-----END PGP SIGNATURE-----
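
Because "SSL_OP_ALL" silently includes "SSL_OP_MSIE_SSLV2_RSA_PADDING", the practical audit question for a server built against the affected OpenSSL is: which bits end up in the mask handed to SSL_CTX_set_options(), and is SSL_OP_NO_SSLv2 among them? The Python below is an added example written for this archive; it is neither OpenSSL nor OpenPKG project code. It encodes the affected/not-affected rule stated in the advisory, shows the hardened mask beside the exposed one, and resolves the symbolic flags of SSL_CTX_set_options() calls found in constructed C snippets. The numeric option values are assumed to be those of the OpenSSL 0.9.7 <openssl/ssl.h> and must be checked against the installed header; the symbol resolution is a heuristic over source text, not a C parser, and the function names are the example's own.

```python
"""Audit SSL_CTX_set_options() masks for the SSL 2.0 rollback exposure
described in OpenPKG-SA-2005.022 (CAN-2005-2969).

Added example for this archive, not OpenSSL or OpenPKG project code.
The rule is the advisory's: a server is exposed when
SSL_OP_MSIE_SSLV2_RSA_PADDING is set (SSL_OP_ALL sets it implicitly)
and SSL 2.0 has not been disabled.
"""
import ast
import re

# ASSUMED values, copied from the OpenSSL 0.9.7 ssl.h; verify against
# the header of the OpenSSL you actually build against.
SSL_OPTIONS = {
    "SSL_OP_MSIE_SSLV2_RSA_PADDING": 0x00000040,
    "SSL_OP_ALL":                    0x00000FFF,   # includes the bit above
    "SSL_OP_NO_SSLv2":               0x01000000,
    "SSL_OP_NO_SSLv3":               0x02000000,
    "SSL_OP_NO_TLSv1":               0x04000000,
}


def exposed(options):
    """Apply the advisory's rule to a numeric SSL_CTX options mask."""
    uses_padding = bool(options & SSL_OPTIONS["SSL_OP_MSIE_SSLV2_RSA_PADDING"])
    sslv2_off = bool(options & SSL_OPTIONS["SSL_OP_NO_SSLv2"])
    return uses_padding and not sslv2_off


def hardened(options):
    """Clear the offending workaround bit and disable SSL 2.0 outright.
    Per the advisory, disabling SSL 2.0 alone is already sufficient;
    clearing the bit additionally removes the dependency on the
    workaround the vulnerability lives in."""
    options &= ~SSL_OPTIONS["SSL_OP_MSIE_SSLV2_RSA_PADDING"]
    return options | SSL_OPTIONS["SSL_OP_NO_SSLv2"]


def _eval_mask(expr):
    """Evaluate a C-style flag expression restricted to integer
    literals and the operators |, & and ~ (same precedence in Python
    and C). Anything else is rejected rather than executed."""
    def ev(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.Invert):
            return ~ev(n.operand)
        if isinstance(n, ast.BinOp) and isinstance(n.op, (ast.BitOr, ast.BitAnd)):
            left, right = ev(n.left), ev(n.right)
            return left | right if isinstance(n.op, ast.BitOr) else left & right
        raise ValueError("unsupported flag expression: " + expr)
    return ev(ast.parse(expr, mode="eval").body) & 0xFFFFFFFF


_CALL = re.compile(r"SSL_CTX_set_options\s*\(\s*\w+\s*,\s*([^)]*)\)")


def mask_from_source(c_source):
    """Heuristically accumulate the option mask set by every
    SSL_CTX_set_options() call in a C source text. Unknown SSL_OP_*
    symbols count as 0; a real audit would ask the compiler instead."""
    mask = 0
    for args in _CALL.findall(c_source):
        numeric = re.sub(r"SSL_OP_\w+",
                         lambda m: str(SSL_OPTIONS.get(m.group(0), 0)), args)
        mask |= _eval_mask(" ".join(numeric.split()))
    return mask


# Constructed snippets: the widespread "before" (all workarounds on,
# SSL 2.0 still allowed) and a hardened "after".
BEFORE = "SSL_CTX_set_options(ctx, SSL_OP_ALL);\n"
AFTER = ("SSL_CTX_set_options(ctx, SSL_OP_ALL & ~SSL_OP_MSIE_SSLV2_RSA_PADDING\n"
         "                         | SSL_OP_NO_SSLv2);\n")

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        m = mask_from_source(src)
        print("%s: options=0x%08x exposed=%s" % (label, m, exposed(m)))
```

The "after" mask is what a server that must keep the other SSL_OP_ALL workarounds should set; a server that can drop SSL 2.0 entirely gets the same result from SSL_OP_NO_SSLv2 alone, and that is the durable fix independent of which OpenSSL package build is installed.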

From openpkg-announce-owner@openpkg.org  Wed Oct 19 11:48:18 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 72C641B5045; Wed, 19 Oct 2005 11:48:17 +0200 (CEST)
Date: Wed, 19 Oct 2005 11:48:16 +0200
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org, openpkg-users@openpkg.org,
	openpkg-dev@openpkg.org
Subject: [ANNOUNCE] OpenPKG 2.5
Message-ID: <20051019094815.GA87420@master.openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 2005-10-19

    The OpenPKG project releases version 2.5 of the
    unique cross-platform software packaging facility.

  http://www.openpkg.org/ -- Munich, DE -- 2005-10-19 -- The
  OpenPKG project is proud to announce version 2.5 of its software,
  another evolutionary step after nine releases in four years.

  Much valued by IT decision makers and beloved by Unix system
  administrators, OpenPKG is the world leading instrument for deployment
  and maintenance of Open Source Unix software when administration
  crosses platform boundaries. The unique OpenPKG architecture leverages
  proven technologies like Red Hat Package Manager (RPM) and OSSP
  and GNU components to establish a unified software administration
  environment, independent of the underlying Unix operating system.

  NEW IN VERSION 2.5

  This is the second release created by the recently established OpenPKG
  Foundation e.V., which contributed a substantial amount of manpower
  and all the technical resources making up the "build farm" and the
  development environment for release engineering.

  Since the previous release four months ago, the OpenPKG package
  repository has grown to 904 packages. A subset of 579 packages were
  carefully selected for inclusion into the OpenPKG 2.5 release,
  including the latest versions of popular Open Source Unix software
  like Apache, Bash, BIND, GCC, INN, MySQL, OpenSSH, Perl, Postfix,
  PostgreSQL, Samba, Squid, teTeX and Vim.

  Major technical efforts for this release were spent on migrating from
  the GNU Compiler Collection (GCC) version 3.4 to the latest version
  4.0. This required a lot of vendor sources to be adjusted to pass
  the stronger standard constraints of GCC 4.0. Additionally, generous
  sponsoring from the industry allowed us to add back full official
  support for the important Solaris 10/SPARC platform. On Solaris 10
  we also finally switched OpenPKG from using legacy init-scripts to
  the new Service Management Facility (SMF). Furthermore, this OpenPKG
  version already fully supports the brand new FreeBSD 6.0 and SUSE
  Linux 10.0 platforms.

  OpenPKG 2.5 is available for 19 different Unix platforms. Most
  notably, it is supported on FreeBSD 5.4 and 6.0, NetBSD 2.0.2,
  Debian GNU/Linux 3.1, Fedora Core 4, Red Hat Enterprise Linux 4,
  SUSE Linux 10.0 and Sun Solaris 9 and 10. Additionally, all CORE and
  the vast majority of BASE class packages are already available for
  the tentative platforms FreeBSD 7.0, Gentoo Linux 1.12 and Mandriva
  Linux 10.2. It is also still available for the obsolete platforms Sun
  Solaris 8, FreeBSD 4.11 and SUSE Linux 9.3. Finally, OpenPKG CORE is
  also known to work under IBM AIX 5.1, HP HP-UX 11.11 and MacOS X 10.3.

  The OpenPKG 2.5 release was a joint effort of many individuals, most
  notably the Release Engineering team of the OpenPKG Foundation e.V.

  HIGHLIGHTS OF OPENPKG

  * Portable across major Unix flavors.
  * Supporting many commonly used platforms:
    FreeBSD 5.4 and 6.0, NetBSD 2.0.2, Debian GNU/Linux 3.1,
    Fedora Core 4, Red Hat Enterprise Linux 4, and Solaris 9 and 10.
  * Additionally already available for the tentative platforms:
    FreeBSD 7.0, Gentoo Linux 1.12 and Mandriva Linux 10.2.
  * Additionally still available for the obsolete platforms:
    FreeBSD 4.11, SUSE Linux 9.3 and Sun Solaris 8.
  * Additionally known to partially work for the forthcoming platforms:
    HP HP-UX 11.11, MacOS X 10.3 and IBM AIX 5.1
  * Entirely based on Open Source technology.
  * Minimum operating system intrusion and dependency.
  * Minimum overhead in software packaging.
  * All packages up to date with vendor versions as of 2005-10-16.
  * Sources of 579 CORE+BASE+PLUS packages released.
  * Binaries of CORE+BASE class packages provided for supported platforms.
  * Binaries of CORE class packages provided for all platforms.
  * Easy installation, updating and deinstallation of packages.
  * Bundled with useful and secure package preconfigurations.
  * Includes an abstracted and powerful run-command facility.
  * Virtual hosting through multiple instances on a single system.
  * Proxy package mechanism for sharing packages across instances.
  * Build-time package variations for maximum flexibility.
  * Foundation to build encapsulated and self contained environments.

  HISTORY OF THE OPENPKG PROJECT

  The Open Source software project OpenPKG was founded in 2000 by
  Ralf S. Engelschall and first released to the public in January 2002.
  Today OpenPKG is a mature technology in production use. It is
  maintained and improved by its original developers, organized in
  the OpenPKG Foundation e.V., and volunteer contributors.

  HISTORY OF THE OPENPKG FOUNDATION

  The OpenPKG Foundation e.V. is a nonprofit organization with the
  dedicated goal of supporting the OpenPKG project. The idea to organize
  the social network of OpenPKG was born by Ralf S. Engelschall and
  Thomas Lotterer in January 2005. A month later, on 2005-02-09, nine
  founders kicked off the Foundation. Official registration under German
  law was completed on 2005-03-18. The OpenPKG Foundation finally went
  public on 2005-06-21 and currently consists of eighteen members.

  MORE INFORMATION

  The OpenPKG Project            OpenPKG Foundation e.V.
  http://www.openpkg.org/        http://www.openpkg.net/
  press@openpkg.org              press@openpkg.net
  +49-172-8986801 (CET)          +49-172-8986801 (CET)


From openpkg-announce-owner@openpkg.org  Wed Nov  2 19:02:23 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id F11291B50A6; Wed,  2 Nov 2005 19:02:21 +0100 (CET)
Date: Wed, 2 Nov 2005 19:02:20 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: [OpenPKG-SA-2005.023] OpenPKG Security Advisory (openvpn)
Message-ID: <OpenPKG-SA-2005.023@openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.023                                          02-Nov-2005
________________________________________________________________________

Package:             openvpn
Vulnerability:       arbitrary code execution, denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= openvpn-2.0.2-20050928 >= openvpn-2.0.4-20051102 
OpenPKG 2.5          <= openvpn-2.0.2-2.5.0    >= openvpn-2.0.2-2.5.1    
OpenPKG 2.4          <= openvpn-2.0-2.4.0      >= openvpn-2.0-2.4.1      
OpenPKG 2.3          N.A.                      N.A.

Dependent Packages:  none

Description:
  According to a BUGTRAQ report [0], an arbitrary code execution
  vulnerability exists in the OpenVPN [1] network security application.
  The vulnerability allows a malicious or compromised server to execute
  arbitrary code on a connecting client. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CVE-2005-3393 [2] to the
  problem.

  Additionally, a Denial of Service (DoS) situation can occur if OpenVPN
  in TCP server mode receives an error from accept(2) and the resulting
  exception handler causes a segmentation fault. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2005-3409 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q openvpn". If you have the "openvpn" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [4][5].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary
  RPM from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most recent release OpenPKG 2.5, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.5/UPD
  ftp> get openvpn-2.0.2-2.5.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig openvpn-2.0.2-2.5.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild openvpn-2.0.2-2.5.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openvpn-2.0.2-2.5.1.*.rpm
________________________________________________________________________

References:
  [0]  http://marc.theaimsgroup.com/?l=bugtraq&m=113081023121059&w=2
  [1]  http://www.openvpn.net/
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3393
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3409
  [4]  http://www.openpkg.org/tutorial.html#regular-source
  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  [6]  ftp://ftp.openpkg.org/release/2.5/UPD/openvpn-2.0.2-2.5.1.src.rpm
  [7]  ftp://ftp.openpkg.org/release/2.4/UPD/openvpn-2.0-2.4.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/2.5/UPD/
  [9]  ftp://ftp.openpkg.org/release/2.4/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFDaPJPgHWT4GPEy58RAmDqAKCxyFlxNv4WfdCditQrK8+ex6zl+ACeJjki
ussQ4vs+e3IvPJJILk0ubWM=
=Q322
-----END PGP SIGNATURE-----
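
The "check whether you are affected" step above, and the same step in the squid and openssl advisories earlier in this archive, amounts to comparing the output of "<prefix>/bin/openpkg rpm -q <pkg>" against the "Affected Packages" and "Corrected Packages" columns. The comparison has to be an RPM-style version comparison: squid-2.5.10 is newer than squid-2.5.9, which a plain string compare gets wrong. The Python below is an added example written for this archive, not OpenPKG project code. It parses the advisory table, compares NAME-VERSION-RELEASE strings segment by segment the way rpm does, and classifies an installed package as affected, fixed, or not a known build. The table text and the rpm -q outputs embedded in it are constructed from the squid advisory (OpenPKG-SA-2005.021); the function names are the example's own.

```python
"""Classify an installed OpenPKG package against an advisory's
"Affected Releases" table.

Added example for this archive, not OpenPKG project code. It assumes
"<prefix>/bin/openpkg rpm -q <pkg>" prints the usual RPM form
NAME-VERSION-RELEASE (e.g. "squid-2.5.10-2.4.0") and that the advisory
table has the "<= affected" / ">= corrected" columns used above.
"""
import re


def parse_nvr(nvr):
    """Split 'squid-2.5.10-2.4.0' into (name, version, release).
    Package names may themselves contain dashes, so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm does:
    split into numeric and alphabetic segments, numeric segments
    compare as integers (2.5.10 > 2.5.9), alphabetic ones as strings,
    a numeric segment is newer than an alphabetic one, and a longer
    string with an equal prefix is newer (0.9.8a > 0.9.8).
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def nvr_cmp(a, b):
    """Order two NAME-VERSION-RELEASE strings of the same package:
    version decides first, release breaks ties."""
    _, va, ra = parse_nvr(a)
    _, vb, rb = parse_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# One table row: "OpenPKG 2.4   <= squid-2.5.10-2.4.0   >= squid-2.5.10-2.4.1"
# or "OpenPKG 2.3   N.A.   N.A." for releases that never shipped the package.
_ROW = re.compile(r"^(OpenPKG \S+)\s+(?:<=\s+(\S+)|N\.A\.)\s+(?:>=\s+(\S+)|N\.A\.)$")


def parse_table(advisory_text):
    """Extract {release: (affected_max, corrected_min)} from the
    'Affected Releases' table; N.A. rows are skipped."""
    table = {}
    for line in advisory_text.splitlines():
        m = _ROW.match(line.strip())
        if m and m.group(2) and m.group(3):
            table[m.group(1)] = (m.group(2), m.group(3))
    return table


def check(installed_nvr, release, table):
    """Return 'affected', 'fixed' or 'unknown' for one installed package.
    'unknown' covers releases not in the table and builds that fall
    between the two columns (e.g. a CURRENT snapshot built from a
    date in between), which must be inspected by hand."""
    if release not in table:
        return "unknown"
    affected_max, corrected_min = table[release]
    if nvr_cmp(installed_nvr, affected_max) <= 0:
        return "affected"
    if nvr_cmp(installed_nvr, corrected_min) >= 0:
        return "fixed"
    return "unknown"


# Constructed sample: the table of OpenPKG-SA-2005.021 (squid), as above.
SQUID_ADVISORY = """\
Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG CURRENT      <= squid-2.5.10-20050709 >= squid-2.5.10-20050910
OpenPKG 2.4          <= squid-2.5.10-2.4.0    >= squid-2.5.10-2.4.1
OpenPKG 2.3          <= squid-2.5.9-2.3.0     >= squid-2.5.9-2.3.1
"""

if __name__ == "__main__":
    table = parse_table(SQUID_ADVISORY)
    # Constructed outputs of "<prefix>/bin/openpkg rpm -q squid" on three hosts.
    for release, installed in (("OpenPKG 2.4", "squid-2.5.10-2.4.0"),
                               ("OpenPKG 2.4", "squid-2.5.10-2.4.1"),
                               ("OpenPKG CURRENT", "squid-2.5.10-20050801")):
        print(release, installed, check(installed, release, table))
```

When scripting the Solution steps themselves, chain them with && so that a failing "openpkg rpm --checksig" stops the run before "--rebuild" and "-Fvh" ever execute; a package whose signature does not verify must not be built or installed, whatever this classifier says about the version.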

From openpkg-announce-owner@openpkg.org  Mon Nov 28 23:56:25 2005
Received: by master.openpkg.org (Postfix, from userid 25000)
	id 001251B5047; Mon, 28 Nov 2005 23:56:24 +0100 (CET)
Date: Mon, 28 Nov 2005 23:56:24 +0100
From: OpenPKG <openpkg@openpkg.org>
To: openpkg-announce@openpkg.org
Subject: OpenPKG Registry launched
Message-ID: <20051128225624.GA35663@master.openpkg.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: openpkg-users@openpkg.org
Sender: openpkg-announce-owner@openpkg.org
Precedence: list
List-Server: OSSP Petidomo/4.0
List-Owner: <mailto:openpkg@openpkg.org>
List-Archive: <ftp://ftp.openpkg.org/archive/mail/>
List-Post: <mailto:openpkg-announce@openpkg.org>
List-Help: <mailto:petidomo@openpkg.org?body=help>
List-Subscribe: <mailto:petidomo@openpkg.org?body=subscribe%20openpkg-announce>
List-Unsubscribe: <mailto:petidomo@openpkg.org?body=unsubscribe%20openpkg-announce>


  FOR IMMEDIATE RELEASE - 2005-11-28

    OpenPKG Registry finally launched!

  http://www.openpkg.org/ -- Munich, DE -- 2005-11-28 --
  As a consequence of the changed environmental conditions of OpenPKG
  during the year 2005, the OpenPKG project needs to finally shift its
  focus from the requirements of a single predominant sponsor towards
  the needs of a highly distributed and diverse community.

  To meet this target it is vital for the OpenPKG project to know its
  community. Unfortunately, experience showed that optional community
  feedback attracts just little attention. As a result, the OpenPKG
  project still has not sufficiently explored its community in both size
  and scope. To step up a gear and build a much stronger relationship
  with its community, the OpenPKG project is now forced to pull essential
  information from its community through mandatory methods.

  Everything available from the OpenPKG project is a free and open
  offering and remains this way, of course. Additionally, for years it
  was also possible to grab all of the OpenPKG offerings anonymously.
  In order to receive information about the community, this anonymous
  access is no longer provided for the full range of OpenPKG offerings.
  From now on only the latest OpenPKG-RELEASE (without updates) is
  accessible anonymously.

  A registration is now required to access all other download resources.
  Access is granted upon a free of charge registration as an OpenPKG
  fellow user, registration of at least one installed OpenPKG instance
  and a configured relationship between these two entities.

  Please note that everything available from the OpenPKG project remains
  available free of charge and as open source software. Only anonymous
  access to our offerings is now restricted in order to better assess
  the OpenPKG installation base and start to understand the demands of
  the OpenPKG community.

  Please actively support the OpenPKG project with your registration!
  More details can be found under http://registry.openpkg.org/help

  MORE INFORMATION

  The OpenPKG Project            OpenPKG Foundation e.V.
  http://www.openpkg.org/        http://www.openpkg.net/
  press@openpkg.org              press@openpkg.net
  +49-172-8986801 (CET)          +49-172-8986801 (CET)


