Debians sikkerhedsbulletin

DSA-883-1 thttpd -- usikker midlertidig fil

Rapporteret den:

4. nov 2005

Berørte pakker:

thttpd

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2005-3124.

Yderligere oplysninger:

Javier Fernández-Sanguino Peña fra Debians Debian Security Audit-teamet har opdaget at skriptet syslogtocern fra thttpd, en lille webserver, anvendte en midlertidig fil på en usikker måde, hvilket gjorde det muligt for en lokal angriber at iværksætte et symlink-angreb til overskrivelse af vilkårlige filer.

I den gamle stabile distribution (woody) er dette problem rettet i version 2.21b-11.3.

I den stabile distribution (sarge) er dette problem rettet i version 2.23beta1-3sarge1.

I den ustabile distribution (sid) er dette problem rettet i version 2.23beta1-4.

Vi anbefaler at du opgraderer din thttpd-pakke.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3.dsc; http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3.diff.gz; http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_alpha.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_arm.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_i386.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_ia64.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_hppa.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_m68k.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_mips.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_mipsel.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_powerpc.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_s390.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_sparc.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_sparc.deb

Debian GNU/Linux 3.1 (sarge)

Kildekode:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1.dsc; http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1.diff.gz; http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_alpha.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_amd64.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_arm.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_i386.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_ia64.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_hppa.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_m68k.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_mips.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_mipsel.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_powerpc.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_s390.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_sparc.deb; http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.