From: OpenPKG (openpkg@openpkg.org)
Date: Tue Mar 12 2002 - 14:33:40 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

    OpenPKG Security Advisory                            The OpenPKG Project
    http://www.openpkg.org/security.html              http://www.openpkg.org
    openpkg-security@openpkg.org                         openpkg@openpkg.org
    OpenPKG-SA-2002.003                                          12-Mar-2002
    ________________________________________________________________________

    Package: zlib, cvs, gnupg, rrdtool, rsync
    Vulnerability: denial of service, information leakage, code execution
    OpenPKG Specific: no

    Affected Releases: OpenPKG 1.0
    Affected Packages: <= zlib-1.1.3-1.0.0
                         <= cvs-1.11.1p1-1.0.0
                         <= gnupg-1.0.6-1.0.1
                         <= rrdtool-1.0.33-1.0.0
                         <= rsync-2.5.0-1.0.0
    Corrected Packages: >= zlib-1.1.3-1.0.1
                         >= cvs-1.11.1p1-1.0.1
                         >= gnupg-1.0.6-1.0.2
                         >= rrdtool-1.0.33-1.0.1
                         >= rsync-2.5.0-1.0.1
    Dependent Packages: gd, ircd, libxml, lynx, mng,
                         openssh, png, snmp, xdelta

    Description:
      According to a zlib security advisory [5] and the original CERT
      vulnerability note [6] from Jeffrey P. Lanza, the zlib compression
      library contains a bug that manifests itself as a vulnerability in
      programs linked with zlib. It may allow an attacker to conduct a
      denial-of-service attack, gather information, or execute arbitrary
      code. The vulnerability results from a programming error that causes
      segments of dynamically allocated memory to be released more than
      once (a double free). The cvs, gnupg, rrdtool and rsync packages are
      listed as affected because each carries its own private copy of the
      zlib code, so updating the zlib package alone does not fix them.

      Please check whether you are affected by running "<prefix>/bin/rpm -qa
      zlib". If the "zlib" package is installed and its version is affected
      (see above), we recommend that you upgrade it immediately (see
      Solution). Because the dependent packages listed above are built
      against zlib, we also recommend that you rebuild and reinstall all of
      them. [2]

    Solution:
      Select the updated source RPM appropriate for your OpenPKG release
      [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
      verify its integrity [1], build a corresponding binary RPM from it
      and update your OpenPKG installation by applying the binary RPM [2].
      For the latest OpenPKG 1.0 release, perform the following operations
      to permanently fix the security problem (for other releases adjust
      accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/1.0/UPD
      ftp> get zlib-1.1.3-1.0.1.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm --checksig zlib-1.1.3-1.0.1.src.rpm
      $ <prefix>/bin/rpm --rebuild zlib-1.1.3-1.0.1.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.3-1.0.1.*.rpm

      Now repeat these steps accordingly for all other affected packages
      [7][8][9][10]. Finally, rebuild and reinstall the dependent packages.
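
    The procedure above, automated for all five packages, as an added
    example that is not OpenPKG's own tooling and not part of the advisory.
    It keeps the corrected versions from the table in one place, compares
    them against the "rpm -qa" output with an rpm-style version comparison
    re-implemented in shell (the tilde rule is left out), and refuses to
    build any source RPM whose signature does not verify. Assumptions: the
    instance <prefix> is taken from OPENPKG_PREFIX (the /cw default is an
    assumption), ftp(1) is available, and the OpenPKG key has already been
    imported so that "rpm --checksig" can succeed; the "check" and "apply"
    modes and the "ftp@localhost" anonymous password are this script's
    own conventions.

```shell
#!/bin/sh
# Added example, not OpenPKG's own tooling: automate OpenPKG-SA-2002.003.
#   sh sa-2002.003.sh check   # list installed packages that are still affected
#   sh sa-2002.003.sh apply   # fetch, verify, rebuild and install the fixes
# Assumptions: OPENPKG_PREFIX names the instance <prefix> (the /cw default is
# an assumption), ftp(1) exists, and the OpenPKG key is already imported so
# that "rpm --checksig" can succeed.
PREFIX=${OPENPKG_PREFIX:-/cw}

# Corrected version-release of each package named in the advisory.
corrected_vr() {
    case "$1" in
        zlib)    echo 1.1.3-1.0.1 ;;
        cvs)     echo 1.11.1p1-1.0.1 ;;
        gnupg)   echo 1.0.6-1.0.2 ;;
        rrdtool) echo 1.0.33-1.0.1 ;;
        rsync)   echo 2.5.0-1.0.1 ;;
        *)       return 1 ;;
    esac
}

# Packages built against zlib; they must be rebuilt after the upgrade.
DEPENDENTS="gd ircd libxml lynx mng openssh png snmp xdelta"

# Split a version string into rpmvercmp()-style segments, space separated:
# runs of digits or runs of letters; every other character is a separator.
segments() {
    printf '%s ' "$1" | sed -e 's/[^0-9A-Za-z]/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' -e 's/^ *//' | tr -s ' '
}

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Compare two version strings the way rpm does (tilde rule omitted) and
# print -1, 0 or 1: numeric segments compare as integers, a numeric segment
# is newer than an alphabetic one, and whoever has segments left over wins.
vercmp() {
    a=$(segments "$1"); b=$(segments "$2")
    while [ -n "$a" ] && [ -n "$b" ]; do
        x=${a%% *}; a=${a#* }
        y=${b%% *}; b=${b#* }
        if is_num "$x" && is_num "$y"; then
            if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
            if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        elif is_num "$x"; then echo 1; return 0
        elif is_num "$y"; then echo -1; return 0
        elif [ "$x" != "$y" ]; then
            if [ "$(printf '%s\n%s\n' "$x" "$y" | sort | head -n 1)" = "$x" ]
            then echo -1; else echo 1; fi
            return 0
        fi
    done
    if [ -n "$a" ]; then echo 1; elif [ -n "$b" ]; then echo -1; else echo 0; fi
}

# Compare "version-release" pairs: version first, release only on a tie.
evr_cmp() {
    r=$(vercmp "${1%-*}" "${2%-*}")
    if [ "$r" -ne 0 ]; then echo "$r"; else vercmp "${1##*-}" "${2##*-}"; fi
}

# Read "name-version-release" lines (the output format of rpm -qa) on stdin
# and print the names whose installed build is older than the corrected one.
find_affected() {
    while read -r pkg; do
        name=${pkg%-*-*}
        vr=${pkg#"$name"-}
        if fixed=$(corrected_vr "$name"); then
            if [ "$(evr_cmp "$vr" "$fixed")" -lt 0 ]; then echo "$name"; fi
        fi
    done
}

# Fetch, verify, rebuild and install one corrected source RPM, exactly as in
# the advisory. Nothing is built unless --checksig succeeds; a missing
# OpenPKG key makes that check fail, which is the safe direction.
upgrade_pkg() {
    vr=$(corrected_vr "$1") || return 1
    srpm="$1-$vr.src.rpm"
    ftp -n ftp.openpkg.org <<EOF
user anonymous ftp@localhost
binary
cd release/1.0/UPD
get $srpm
bye
EOF
    if ! "$PREFIX/bin/rpm" --checksig "$srpm"; then
        echo "signature check failed for $srpm; not building it" >&2
        return 1
    fi
    "$PREFIX/bin/rpm" --rebuild "$srpm"
    su - root -c "$PREFIX/bin/rpm -Fvh $PREFIX/RPM/PKG/$1-$vr.*.rpm"
}

case "${1:-}" in
    check) "$PREFIX/bin/rpm" -qa | find_affected ;;
    apply) for name in $("$PREFIX/bin/rpm" -qa | find_affected); do
               upgrade_pkg "$name"
           done
           echo "now rebuild and reinstall: $DEPENDENTS" >&2 ;;
esac
```

    The version comparison is split into version and release on purpose:
    rpm compares the two fields separately, so joining them with the dash
    and comparing once would rank 1.1.3.1-1.0.0 against 1.1.3-1.0.1 by the
    wrong segments. Note that "find_affected" treats everything strictly
    older than the corrected build as affected, which is what the advisory's
    "<=" and ">=" ranges amount to here, since no build lies between them.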
    ________________________________________________________________________

    References:
      [1] http://www.openpkg.org/security.html#signature
      [2] http://www.openpkg.org/tutorial.html#regular-source
      [3] ftp://ftp.openpkg.org/release/1.0/UPD/
      [4] ftp://ftp.openpkg.org/release/1.0/UPD/zlib-1.1.3-1.0.1.src.rpm
      [5] http://www.gzip.org/zlib/advisory-2002-03-11.txt
      [6] http://www.kb.cert.org/vuls/id/368819
      [7] ftp://ftp.openpkg.org/release/1.0/UPD/cvs-1.11.1p1-1.0.1.src.rpm
      [8] ftp://ftp.openpkg.org/release/1.0/UPD/gnupg-1.0.6-1.0.2.src.rpm
      [9] ftp://ftp.openpkg.org/release/1.0/UPD/rrdtool-1.0.33-1.0.1.src.rpm
      [10] ftp://ftp.openpkg.org/release/1.0/UPD/rsync-2.5.0-1.0.1.src.rpm
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with
    the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
    of the OpenPKG project which you can find under the official URL
    http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
    check the integrity of this advisory, verify its digital signature by
    using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
    the command "gpg --verify --keyserver keyserver.pgp.com".
    ________________________________________________________________________
    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkg@openpkg.org>

    iEYEARECAAYFAjyOZRkACgkQgHWT4GPEy5+QVQCfQ0Y32tqvBImcdOnR+9BKc+XP
    ya0AoIhIkhCkMBzS5MzZtBkevUwIw7Gg
    =D3Av
    -----END PGP SIGNATURE-----