[Savannah-hackers] [Martin Schulze] [SECURITY] [DSA 505-1] New cvs packa

savannah-hackers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-hackers] [Martin Schulze] [SECURITY] [DSA 505-1] New cvs packa

From:	Paul Fisher
Subject:	[Savannah-hackers] [Martin Schulze] [SECURITY] [DSA 505-1] New cvs packages fix remote exploit
Date:	Wed, 19 May 2004 07:56:55 -0400
User-agent:	Gnus/5.1003 (Gnus v5.10.3) Emacs/21.2 (gnu/linux)

The relevant patch for this security errata has already been applied
to CVS running on savannah.

--- Begin Message --- Subject: [SECURITY] [DSA 505-1] New cvs packages fix remote exploit Date: Wed, 19 May 2004 10:58:27 +0200 (CEST) User-agent: dsa-launch $Revision: 1.13 $

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 505-1                     address@hidden
http://www.debian.org/security/                             Martin Schulze
May 19th, 2004                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cvs
Vulnerability  : heap overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0396

Stefan Esser discovered a heap overflow in the CVS server, which
serves the popular Concurrent Versions System.  Malformed "Entry"
Lines in combination with Is-modified and Unchanged can be used to
overflow malloc()ed memory.  This was prooven to be exploitable.

For the stable distribution (woody) this problem has been fixed in
version 1.11.1p1debian-9woody4.

For the unstable distribution (sid) this problem has been fixed in
version 1.12.5-6.

We recommend that you upgrade your cvs package immediately.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4.dsc
      Size/MD5 checksum:      693 c4580daf3d02e68bf271c3fc2fa9fe8c
    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4.diff.gz
      Size/MD5 checksum:    52212 a44f53ccf950679f3257a2f3487220b7
    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian.orig.tar.gz
      Size/MD5 checksum:  2621658 500965ab9702b31605f8c58aa21a6205

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_alpha.deb
      Size/MD5 checksum:  1178736 503ab302999d5fec9c4cb41f735bc2ab

  ARM architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_arm.deb
      Size/MD5 checksum:  1105276 8b2536e975a3272b5d10590bd768b6c7

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_i386.deb
      Size/MD5 checksum:  1085994 195aa822dbd450bbb3321f17442b3644

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_ia64.deb
      Size/MD5 checksum:  1270986 2adee3e24f61234e0c597c55983257df

  HP Precision architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_hppa.deb
      Size/MD5 checksum:  1147338 e1a7eec47c9f6ca11d342c7a680abd93

  Motorola 680x0 architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_m68k.deb
      Size/MD5 checksum:  1065866 5238933fe0b1d9a9e7e2506cc39d8411

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_mips.deb
      Size/MD5 checksum:  1129740 c6e9a932c2bdabbfee51c792d813a439

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_mipsel.deb
      Size/MD5 checksum:  1131106 05424d6056d0c9123c88b7e7f6b27f7d

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_powerpc.deb
      Size/MD5 checksum:  1116184 1fe49f6356a160087cf669f7afc12700

  IBM S/390 architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_s390.deb
      Size/MD5 checksum:  1097006 6e98ead7e926fc07203cf43e84b1152d

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_sparc.deb
      Size/MD5 checksum:  1107284 47f8dad7b309c9c19542bf1fc9502f77


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: address@hidden
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAqyGzW5ql+IAeqTIRAjZyAJ4mtABnKF6VAFCZxb0CE4of0iukRwCguIi6
qlV+sX6Sz2V14AW5qdH7J/I=
=iN93
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to address@hidden
with a subject of "unsubscribe". Trouble? Contact address@hidden

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

[Savannah-hackers] [Martin Schulze] [SECURITY] [DSA 505-1] New cvs packages fix remote exploit, Paul Fisher <=

Prev by Date: Re: [Savannah-hackers] Savannah-hackers password
Next by Date: [Savannah-hackers] recovering access to savannah
Previous by thread: [Savannah-hackers] Savannah-hackers password
Next by thread: [Savannah-hackers] recovering access to savannah
Index(es):
- Date
- Thread