'[CVS] OpenPKG: openpkg-web/security OpenPKG-SA-0000-000-template.txt O...'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openpkg-cvs
Subject:    [CVS] OpenPKG: openpkg-web/security OpenPKG-SA-0000-000-template.txt O...
From:       "Ralf S. Engelschall" <rse () openpkg ! org>
Date:       2002-01-31 15:01:38
[Download RAW message or body]

  OpenPKG CVS Repository
  http://www.openpkg.org/cvsweb/cvsweb.cgi
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  rse@openpkg.org
  Module: openpkg-web                      Date:   31-Jan-2002 16:01:38
  Branch: HEAD                             Handle: 197001010100001012485698

  Added files:
    openpkg-web/security    OpenPKG-SA-0000-000-template.txt
  Removed files:
    openpkg-web/security    OpenPKG-SA-0000:000-template.txt

  Log:
    use dash instead of colon

  Summary:
    Revision    Changes     Path
    1.1         +69 -0      openpkg-web/security/OpenPKG-SA-0000-000-template.txt
    NONE        +0  -69     openpkg-web/security/OpenPKG-SA-0000:000-template.txt
  ____________________________________________________________________________

  Index: openpkg-web/security/OpenPKG-SA-0000-000-template.txt
  ============================================================
  $ cvs update -p -r1.1 OpenPKG-SA-0000-000-template.txt
  ________________________________________________________________________
  
  OpenPKG Security Advisory                            The OpenPKG Project 
  http://www.openpkg.org/security.html              http://www.openpkg.org
  openpkg-security@openpkg.org                         openpkg@openpkg.org                 
  OpenPKG-SA-2002-xxx                                          xx-xxx-2002
  ________________________________________________________________________
  
  Package:             foo
  Vulnerability:       local root exploit
  OpenPKG Specific:    no
  
  Affected  Releases:  OpenPKG 1.0      OpenPKG 1.1
  Affected  Packages:  foo-1.2.0-1.0.0  foo-1.4.0-1.1.0
  Corrected Packages:  foo-1.2.0-1.0.1  foo-1.4.0-1.1.1
  Dependent Packages:  bar-1.0.0-1.0.0  bar-1.0.0-1.1.0 
  
  Description:
    According to ... [7] ...
  
    We recommend that you upgrade the affected package immediately (see
    Solution). Additionally, we recommend that you re-build and re-install
    all dependent OpenPKG packages, too. [2]
  
  Workaround:
    Perform the following operations to temporarily workaround the
    security problem:
  
    # <prefix>/etc/rc foo stop
    # <prefix>/bin/rpm -e foo
  
  Solution:
    Select the updated source RPM appropriate for your OpenPKG release
    [5][6], fetch it from the OpenPKG FTP service [3][4] or a mirror
    location, verify its integrity [1], build a corresponding binary RPM
    from it and update your OpenPKG installation by applying the binary
    RPM [2]. For the latest OpenPKG 1.1 release, perform the following
    operations to permanently fix the security problem (for OpenPKG 1.0
    adjust accordingly).
  
    $ ftp ftp.openpkg.org
    ftp> bin
    ftp> cd release/1.0/UPD
    ftp> get foo-1.2.0-1.0.1.src.rpm
    ftp> bye
    $ <prefix>/bin/rpm --checksig foo-1.2.1-1.0.1.src.rpm
    $ <prefix>/bin/rpm --rebuild foo-1.2.1-1.0.1.src.rpm
    # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/foo-1.2.1-1.0.1.*.rpm
  ________________________________________________________________________
  
  References:
    [1] http://www.openpkg.org/security.html#signature
    [2] http://www.openpkg.org/tutorial.html#regular-source
    [3] ftp://ftp.openpkg.org/release/1.0/UPD/
    [4] ftp://ftp.openpkg.org/release/1.1/UPD/
    [5] ftp://ftp.openpkg.org/release/1.0/UPD/foo-1.2.0-1.0.1.src.rpm
    [6] ftp://ftp.openpkg.org/release/1.1/UPD/foo-1.4.0-1.1.1.src.rpm
    [7] ... BugTraq ...
  ________________________________________________________________________
  
  For security reasons, this advisory was digitally signed with
  the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
  of the OpenPKG project which you can find under the official URL
  http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
  check the integrity of this advisory, verify its digital signature by
  using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
  the command "gpg --verify --keyserver keyserver.pgp.com".
  ________________________________________________________________________
  
  
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic