LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: August 29th, 2014
Linux Security Week: August 25th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Debian: New gforge packages fix several vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Debian Steve Kemp from the Debian Security Audit project discovered that gforge, a collaborative development tool, used temporary files insecurely which could allow local users to truncate files upon the system with the privileges of the gforge user, or create a denial of service attack.
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1402-1                  security@debian.org
http://www.debian.org/security/                               Steve Kemp
November 07, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : gforge
Vulnerability  : insecure temporary files
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2007-3921

Steve Kemp from the Debian Security Audit project discovered that gforge,
a collaborative development tool, used temporary files insecurely which
could allow local users to truncate files upon the system with the privileges
of the gforge user, or create a denial of service attack.

For the stable distribution (etch), this problem has been fixed in version
4.5.14-22etch3.

For the old stable distribution (sarge), this problem has been fixed in
version 3.1-31sarge4.

We recommend that you upgrade your gforge package.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.dsc
    Size/MD5 checksum:      868 4005b2a103656a62f38e1786a227b1d0
  http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz
    Size/MD5 checksum:  1409879 c723b3a9efc016fd5449c4765d5de29c
  http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.diff.gz
    Size/MD5 checksum:   297962 8fd56957c8fbab462ac619339c2f00d3

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge4_all.deb
    Size/MD5 checksum:    55884 f4b7e0aee840e3574a0febf1615070be
  http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge4_all.deb
    Size/MD5 checksum:    70804 967a22a70e3ee974962073ab74cfb980
  http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge4_all.deb
    Size/MD5 checksum:    61044 7b10ab898c539af9aa118b38fcd77843
  http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge4_all.deb
    Size/MD5 checksum:    72508 7ad6f5e0672cbb256fd12f270130adc6
  http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4_all.deb
    Size/MD5 checksum:    56432 fc8ee68a79928b0833e2a183228a3493
  http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge4_all.deb
    Size/MD5 checksum:    59388 d0db9082a30227f4b9b60491d58a8c78
  http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge4_all.deb
    Size/MD5 checksum:    99248 6fb788e20a56a3b39688723a1c285680
  http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge4_all.deb
    Size/MD5 checksum:    59914 79c5932a61e0382017da8e1893307e66
  http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge4_all.deb
    Size/MD5 checksum:   148476 e22948a815a5ffa5b4c829b926f04d8c
  http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge4_all.deb
    Size/MD5 checksum:    93924 12005d816bb895cb93c3add804d137bf
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge4_all.deb
    Size/MD5 checksum:    64834 bea186826f61ae4b1d473d45d2821538
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge4_all.deb
    Size/MD5 checksum:    65198 b17e85bb88554d2e083d9dcb799e6da7
  http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge4_all.deb
    Size/MD5 checksum:  1108056 f812bd185a9dede06dec099e9abaa335
  http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge4_all.deb
    Size/MD5 checksum:    58298 c3abd99679008d3919d59e373589d8cd
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge4_all.deb
    Size/MD5 checksum:    64732 941c0d9bc65f37e3e8860adf3181a3fc


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.dsc
    Size/MD5 checksum:      950 6099abb16f573f57a3bef4a5fec2df30
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.diff.gz
    Size/MD5 checksum:   196475 94131f4f4040768e173c4568894f052f
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
    Size/MD5 checksum:  2161141 e85f82eff84ee073f80a2a52dd32c8a5

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    85774 6ef702c44459bcb5602cf15f2c5408a7
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    88240 03cd801f8442311fa94772b7f7994b92
  http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    81816 0513fa49e24d3d32aab0b06f1784917a
  http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch3_all.deb
    Size/MD5 checksum:   212246 5c8141de198c575026dd45daa102abf8
  http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    86880 ed9555dda5c9362f86f9fd19f44da63e
  http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    86070 4f98531e9f1a9140ead750449bece33e
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    88852 fbb81cbba0e639c37f2aa4ed388ccb97
  http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch3_all.deb
    Size/MD5 checksum:  1010522 d6c6de89c0373fe98f23484985db224b
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    80004 e57126df7280e1ef2822514db1886d34
  http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    95346 2303c086ce85a29158fc6c6e98fe168d
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    75808 5847979a3121ba010aa9cc99bf72d63b
  http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch3_all.deb
    Size/MD5 checksum:   704552 f805d6dee8f80eed35d6b52f821e8e05
  http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch3_all.deb
    Size/MD5 checksum:   103496 daab9b6b66b251d69b1774fd90c6fc98
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch3_all.deb
    Size/MD5 checksum:    88346 be6ee1639fe1bcd0a3d8fb0ec398b48c


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.