Debian: New remstats packages fix several vulnerabilities
Summary
- --------------------------------------------------------------------------Debian Security Advisory DSA 704-1 security@debian.org http://www.debian.org/security/ Martin Schulze April 4th, 2005 http://www.debian.org/security/faq - --------------------------------------------------------------------------Package : remstats Vulnerability : tempfile, missing input sanitising Problem-Type : local, remote Debian-specific: no CVE IDs : CAN-2005-0387 CAN-2005-0388 Jens Steube discovered several vulnerabilities in remstats, the remote statistics system. The Common Vulnerabilities and Exposures Project identifies the following problems: CAN-2005-0387 When processing uptime data on the unix-server a temporary file is opened in an insecure fashion which could be used for a symlink attack to create or overwrite arbitrary files with the permissions of the remstats user. CAN-2005-0388 The remoteping service can be exploited to execute arbitrary commands due to missing input sanitising. For the stable distribution (woody) these problems have been fixed in version 1.00a4-8woody1. For the unstable distribution (sid) these problems have been fixed in version 1.0.13a-5. We recommend that you upgrade your remstats packages. Upgrade Instructions - --------------------wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: Size/MD5 checksum: 700 5efc205ed693b60a221482d34f806328 Size/MD5 checksum: 18811 2aeb52cab7aad8a500a96d29b3930750 Size/MD5 checksum: 918361 dd857cd7d66037ce068df01d22b4cee9 Architecture independent components: Size/MD5 checksum: 171294 08f1461cfeff2282a1b573d329bb3ed1 Size/MD5 checksum: 73580 568da9f07f8e229245c32a8c9690fd4a Size/MD5 checksum: 246540 5bae0a115c1fe653793df17d61eacdad Alpha architecture: Size/MD5 checksum: 60664 761461ec410d5dac63378df866be6cad ARM architecture: Size/MD5 checksum: 48028 e1e45ef582d1a82cd76d16d09fc63c5b Intel IA-32 architecture: Size/MD5 checksum: 46094 daf29132eb3252d957d4517447f2cbae Intel IA-64 architecture: Size/MD5 checksum: 63346 dd6cfabb3329b80507b62d3b3d4f8b82 HP Precision architecture: Size/MD5 checksum: 49794 d9c9867d122221a0d99cdfa0a774e3dd Motorola 680x0 architecture: Size/MD5 checksum: 45004 9a15c54ea425443dfa776bd61cff2c2a Big endian MIPS architecture: Size/MD5 checksum: 50662 b79c01e63e63b0ca39016c69e81b75a1 Little endian MIPS architecture: Size/MD5 checksum: 50614 ca121e22f5cb4167a08a52fea2a4c7f0 PowerPC architecture: Size/MD5 checksum: 48894 61528468c5735dda7a75439735cab676 IBM S/390 architecture: Size/MD5 checksum: 47900 bc9b4cae98fce8dd9477d67625dda5fe Sun Sparc architecture: Size/MD5 checksum: 52176 283ade4294f9f7dc751a038770035dd8 These files will probably be moved into the stable distribution on its next update. - ---------------------------------------------------------------------------------For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org