[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debian-users:35583] Forward: [SECURITY] [DSA-210-1] lynx CRLF injection

From: Kenshi Muto <kmuto@xxxxxxxxxxxxxxx>
Subject: [debian-users:35583] Forward: [SECURITY] [DSA-210-1] lynx CRLF injection
Date: Fri, 13 Dec 2002 09:28:48 +0900
List-help: <mailto:debian-users-ctl@debian.or.jp?body=help>
List-id: debian-users.debian.or.jp
List-owner: <mailto:debian-users-admin@debian.or.jp>
List-post: <mailto:debian-users@debian.or.jp>
List-software: fml [fml 4.0.3 release (20011202/4.0.3)]
List-unsubscribe: <mailto:debian-users-ctl@debian.or.jp?body=unsubscribe>
X-ml-info: If you have a question, send e-mail with the body "help" (without quotes) to the address debian-users-ctl@debian.or.jp; help=<mailto:debian-users-ctl@debian.or.jp?body=help>
X-ml-name: debian-users
X-mlserver: fml [fml 4.0.3 release (20011202/4.0.3)]; post only (only members can post)
X-spam-level:
X-spam-status: No, hits=-2.6 required=10.0 tests=TO_LOCALPART_EQ_REAL,ISO2022JP_BODY,CASHCASHCASH, PGP_SIGNATURE version=2.31
X-virus-scanned: by AMaViS new-20020517
References: <20021212234126.GA5449@xxxxxxxxx>
Message-id: <20021213002845.396995380B@xxxxxxxxxxxxxxxxxxxxxx>
X-mail-count: 35583
User-agent: Wanderlust/2.9.15 (Unchained Melody) SEMI/1.14.4 (Hosorogi) FLIM/1.14.4 (Kashiharajing�-mae) APEL/10.4 MULE XEmacs/21.4 (patch 10) (Military Intelligence) (i386-debian-linux)

このDSAはpotatoにも適用されます。

現在の Debian 安定版 (3.0 woody) にセキュリティに関する深刻な問題が発見
されました。

対象パッケージ: lynx, lynx-ssl

対処済みのパッケージに更新するには、

deb http://security.debian.org/ stable/updates main contrib non-free

を /etc/apt/sources.list に追加し、

apt-get update ; apt-get upgrade

を実行してください。

詳細については添付のアナウンスをご覧ください。

--- Begin Message ---

From: Wichert Akkerman <wichert@xxxxxxxxx>
Subject: [SECURITY] [DSA-210-1] lynx CRLF injection
Date: Fri, 13 Dec 2002 00:41:26 +0100
Content-disposition: inline
List-help: <mailto:debian-security-announce-request@lists.debian.org?subject=help>
List-post: <mailto:debian-security-announce@lists.debian.org>
List-subscribe: <mailto:debian-security-announce-request@lists.debian.org?subject=subscribe>
List-unsubscribe: <mailto:debian-security-announce-request@lists.debian.org?subject=unsubscribe>
Old-return-path: <wichert@xxxxxxxxx>
Priority: urgent
Resent-date: Thu, 12 Dec 2002 17:42:10 -0600 (CST)
Resent-from: debian-security-announce@lists.debian.org
Resent-message-id: <7zIJ0D.A.vVE.R7R-9@murphy>
Resent-sender: debian-security-announce-request@lists.debian.org
X-debian: PGP check passed for security officers
X-loop: debian-security-announce@lists.debian.org
X-mailing-list: <debian-security-announce@lists.debian.org>
X-spam-level:
X-spam-status: No, hits=-1.4 required=4.0 tests=PGP_SIGNATURE,SPAM_PHRASE_00_01,USER_AGENT,USER_AGENT_MUTT version=2.43
X-virus-scanned: by AMaViS new-20020517
Message-id: <20021212234126.GA5449@xxxxxxxxx>
User-agent: Mutt/1.4i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-210-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
December 13, 2002
- ------------------------------------------------------------------------


Package        : lynx, lynx-ssl
Problem type   : CRLF injection
Debian-specific: no

lynx (a text-only web browser) did not properly check for illegal
characters in all places, including processing of command line options,
which could be used to insert extra HTTP headers in a request.

For Debian GNU/Linux 2.2/potato this has been fixed in version 2.8.3-1.1
of the lynx package and version 2.8.3.1-1.1 of the lynx-ssl package.

For Debian GNU/Linux 3.0/woody this has been fixed in version 2.8.4.1b-3.2
of the lynx package and version 1:2.8.4.1b-3.1 of the lynx-ssl package.

- ------------------------------------------------------------------------

Obtaining updates:

  By hand:
    wget URL
        will fetch the file for you.
    dpkg -i FILENAME.deb
        will install the fetched file.

  With apt:
    deb http://security.debian.org/ stable/updates main
        added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/

- ------------------------------------------------------------------------


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.


  Source archives:

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1.orig.tar.gz
      Size/MD5 checksum:  2058352 2ee38e4b05d587a787c33bff9085c098
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1.dsc
      Size/MD5 checksum:     1279 3eccb5692780db83f078013ff8796224
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1.dsc
      Size/MD5 checksum:     1229 2924513df600a7cc6b4d29987a325107
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3.orig.tar.gz
      Size/MD5 checksum:  2024975 0fc239287592e885231e4be2fb2cd755
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1.diff.gz
      Size/MD5 checksum:    20091 507a328f301a1c37471a69e60df4479d
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1.diff.gz
      Size/MD5 checksum:   101630 59d4dfb527584001374bebdcc9760623

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_alpha.deb
      Size/MD5 checksum:  1165112 dce2288ab84eaac8851c657ab271f5cd
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_alpha.deb
      Size/MD5 checksum:  1155516 775381bbf1c7c5f3177b17369969fda7

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_arm.deb
      Size/MD5 checksum:  1018784 ba8d2ee2271ebb56216e4f9c67690f6a
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_arm.deb
      Size/MD5 checksum:  1006492 85a7c675d239cce67e4d7076d69e8c48

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_i386.deb
      Size/MD5 checksum:   973310 9f591d8c7e97b1bd84da2f841397a75c
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_i386.deb
      Size/MD5 checksum:   980678 ef6cf5f0e4a8781b14876639fafa78be

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_m68k.deb
      Size/MD5 checksum:   928930 b77c252b5da24613fd6b24ee7b8f09f5
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_m68k.deb
      Size/MD5 checksum:   938162 e3b5992515dfb3f537ee9ece56a05083

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_powerpc.deb
      Size/MD5 checksum:  1026988 3453040226d6fde9fb23ff8334d5e382
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_powerpc.deb
      Size/MD5 checksum:  1015372 c2e0c1e1026f7fd2053d2c09cab90be1

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_sparc.deb
      Size/MD5 checksum:  1015696 3a207988cadc086720029abf6a227954
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_sparc.deb
      Size/MD5 checksum:  1028208 bf6725e66a603d0652a6a987f737c64b


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
  powerpc, s390 and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b.orig.tar.gz
      Size/MD5 checksum:  2557510 053a10f76b871e3944c11c7776da7f7a
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2.diff.gz
      Size/MD5 checksum:    14143 0d4c52fb301bc17ddc2f4f5117bf020b
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1.dsc
      Size/MD5 checksum:     1307 19488ce4d65e93b7ca412a3f3a818581
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2.dsc
      Size/MD5 checksum:     1221 768cb74ff2df353a07739ceacde62fe1
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1.diff.gz
      Size/MD5 checksum:    87306 d4cced8e81fb4ad0bf005d5ae04387b3

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_alpha.deb
      Size/MD5 checksum:  1610106 40e75977e49a5f96059129febf1e8bd7
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_alpha.deb
      Size/MD5 checksum:  1617220 de2a07846520d29d8168624ecadb023d

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_arm.deb
      Size/MD5 checksum:  1487560 35f377be3b161fb8235d4a0a18982ce1
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_arm.deb
      Size/MD5 checksum:  1491566 6e2605111b5dc7164b4db2c542fe2dde

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_hppa.deb
      Size/MD5 checksum:  1555212 72b2a7385c8dd606107486349d7bed7a
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_hppa.deb
      Size/MD5 checksum:  1559452 6cb03b8fbf8fa7a6eaaee52777a36737

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_i386.deb
      Size/MD5 checksum:  1449936 c0818c607e10ab576f463eab64267e2e
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_i386.deb
      Size/MD5 checksum:  1444654 c076ad1599549f031a50e220cecbedc1

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ia64.deb
      Size/MD5 checksum:  1762384 fb7e808dc23dcf5676f350ee5de99b65
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_ia64.deb
      Size/MD5 checksum:  1769046 75740213ea49a9eb3bcba91e477f2f44

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_m68k.deb
      Size/MD5 checksum:  1405466 d0faf24997b42bb50ac6995cfb69f2f9

  mips architecture (MIPS (Big Endian))

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_mips.deb
      Size/MD5 checksum:  1511738 332f842adc76b43e6b89296605ea5932
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_mips.deb
      Size/MD5 checksum:  1507588 11722f38007efb06835c4092dad8489a

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_mipsel.deb
      Size/MD5 checksum:  1503806 479ff36c446a959d2817234ec4c7f2b3
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_mipsel.deb
      Size/MD5 checksum:  1507614 ffff3c5c89164dc560159852f09968a5

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_powerpc.deb
      Size/MD5 checksum:  1496782 ca05c2e570046afafb985a418d60c093
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_powerpc.deb
      Size/MD5 checksum:  1490836 e12d4c0dc846b538bd7484e70b8da9c8

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_s390.deb
      Size/MD5 checksum:  1453926 e728dd600feb2ebf07ee7e31196ea8da
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_s390.deb
      Size/MD5 checksum:  1460742 6504cf5ee0e0feaf35b237b544873534

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_sparc.deb
      Size/MD5 checksum:  1497176 58f9a53667ef85fea0f0e1b07ff9c0e1
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_sparc.deb
      Size/MD5 checksum:  1492610 d987da73b4606999ec239d72ec00a30a

- -- 
- ----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9+R6iPLiSUC+jvC0RAumUAKCnCmPqeNaydB+wn7u8hpkdesm0zACeOx/i
+KPdCw5RNKljTnnRBTM00qM=
=Zb+W
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

--- End Message ---

Prev by Date: [debian-users:35582] Forward: [SECURITY] [DSA-209-1] two wget problems
Next by Date: [debian-users:35584] Re: gs_7.05(sarge)
Previous by thread: [debian-users:35582] Forward: [SECURITY] [DSA-209-1] two wget problems
Next by thread: [debian-users:35596] [Translate] [SECURITY] [DSA-210-1] lynx CRLF injection
Index(es):
- Date
- Thread