
[debian-users:27288] [SECURITY] [DSA 033-1] New versions of analog available (from debian-security-announce@lists.debian.org)



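An announcement of a new version of the analog package has been posted
to debian-security-announce@lists.debian.org. The fixed version is
4.01-1potato1. Updating to this version is recommended.

All versions of analog other than 4.16 have a buffer overrun bug.
Because of this, problems may occur when it is used for CGI.
For details, please refer to the original text.

The fixed version is based on 4.01; reportedly, it was fixed by
backporting the part relevant to this problem from the latest version.

The announcement is quoted below.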

From: Martin Schulze <joey@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: [SECURITY] [DSA 033-1] New versions of analog available
Date: Wed, 7 Mar 2001 14:34:16 +0100
> - ----------------------------------------------------------------------------
> Debian Security Advisory DSA-033-1                       security@debian.org
> http://www.debian.org/security/                               Martin Schulze
> March 7, 2001
> - ----------------------------------------------------------------------------
> 
> Package        : analog
> Vulnerability  : Buffer overflow
> Type           : Remote exploit
> Debian-specific: no
> 
> The author of analog, Stephen Turner, has found a buffer overflow bug
> in all versions of analog except version 4.16.  A malicious user
> could use an ALIAS command to construct very long strings which were
> not checked for length and boundaries.  This bug is particularly
> dangerous if the form interface (which allows unknown users to run the
> program via a CGI script) has been installed.  There doesn't seem to
> be a known exploit.
> 
> The bugfix has been backported to the version of analog from Debian
> 2.2.  Version 4.01-1potato1 is fixed.
> 
> We recommend you upgrade your analog packages immediately.
> 
> wget url
> 	will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
(snip)
> - ----------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
(remainder omitted)

That is all.
-- 
喜瀬“冬猫”浩@南国沖縄