-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doing upgrade. (phew, a lot of security issues lately)

Monday 11 July, around 6 p.m., Martin Schulze wrote:
>
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 752-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> July 11th, 2005                         http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : gzip
> Vulnerability  : several
> Problem-Type   : local (remote)
> Debian-specific: no
> CVE ID         : CAN-2005-0988 CAN-2005-1228
> Debian Bug     : 305255
>
> Two problems have been discovered in gzip, the GNU compression
> utility.  The Common Vulnerabilities and Exposures project
> identifies the following problems.
>
> CAN-2005-0988
>
>     Imran Ghory discovered a race condition in the permissions setting
>     code in gzip.  When decompressing a file in a directory an
>     attacker has access to, gunzip could be tricked to set the file
>     permissions to a different file the user has permissions to.
>
> CAN-2005-1228
>
>     Ulf Härnhammar discovered a path traversal vulnerability in
>     gunzip.  When gunzip is used with the -N option an attacker could
>     use this vulnerability to create files in an arbitrary directory
>     with the permissions of the user.
>
> For the oldstable distribution (woody) these problems have been
> fixed in version 1.3.2-3woody5.
>
> For the stable distribution (sarge) these problems have been fixed
> in version 1.3.5-10.
>
> For the unstable distribution (sid) these problems have been fixed
> in version 1.3.5-10.
>
> We recommend that you upgrade your gzip package.
>
>
> Upgrade Instructions
> --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> --------------------------------
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/

- --
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage: http://yeupou.coleumes.org/                       |
  | Computing Homepage: http://alberich.coleumes.org/                   |
  | Not a native English speaker:                                       |
  |   http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english    |
  +---------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0qXTNl9/9y2hmbkRAippAJ9zi+jB+DIzmsa9zx9mBlo2Vn2nEwCfUswJ
WfVU/pCa7rcl3AFsc7ZXF5g=
=S7Of
-----END PGP SIGNATURE-----
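
Added example, not part of the message or the quoted advisory: a pre-flight check for the CAN-2005-1228 case that reads the original file name which gunzip -N would restore from the gzip header (the FNAME field of RFC 1952) and flags names carrying a directory component. The function names and the sample members are constructed for illustration.

```python
import struct
import zlib

FEXTRA, FNAME = 0x04, 0x08  # header flag bits defined in RFC 1952


def stored_name(data: bytes):
    """Return the original file name recorded in a gzip header, or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a deflate gzip member")
    flags, pos = data[3], 10
    if flags & FEXTRA:  # the optional extra field precedes the name
        if len(data) < pos + 2:
            raise ValueError("truncated extra field")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & FNAME:
        return None
    end = data.find(b"\x00", pos)
    if end == -1:
        raise ValueError("unterminated file name field")
    return data[pos:end].decode("latin-1")  # RFC 1952: ISO 8859-1


def name_is_unsafe(data: bytes) -> bool:
    """True if the stored name contains a directory component."""
    name = stored_name(data)
    return name is not None and ("/" in name or name in (".", ".."))


def make_member(payload: bytes, name=None, extra=b"") -> bytes:
    """Build a constructed sample gzip member for exercising the check."""
    flags = (FNAME if name is not None else 0) | (FEXTRA if extra else 0)
    out = struct.pack("<2sBBIBB", b"\x1f\x8b", 8, flags, 0, 0, 3)
    if extra:
        out += struct.pack("<H", len(extra)) + extra
    if name is not None:
        out += name.encode("latin-1") + b"\x00"
    deflater = zlib.compressobj(wbits=-15)  # raw deflate stream
    out += deflater.compress(payload) + deflater.flush()
    return out + struct.pack("<II", zlib.crc32(payload), len(payload))


if __name__ == "__main__":
    samples = {  # constructed inputs, not taken from the advisory
        "plain": make_member(b"hello", "notes.txt"),
        "nested": make_member(b"hello", "../outside/notes.txt", extra=b"AB\x00\x00"),
        "unnamed": make_member(b"hello"),
    }
    for label, blob in samples.items():
        print(label, repr(stored_name(blob)), name_is_unsafe(blob))
```

A file flagged here can still be decompressed safely without -N, since the output name is then derived from the name of the compressed file rather than from the header.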