| Field | Value | Date |
|---|---|---|
| author | Neil McGovern <neilm@debian.org> | 2005-08-28 11:18:33 +0000 |
| committer | Neil McGovern <neilm@debian.org> | 2005-08-28 11:18:33 +0000 |
| commit | 10b4090f6169eca7e8087a510f87314006ba56f4 (patch) | |
| tree | bfb2dadddeeea28b48ccc76cd395da965e12e932 /data | |
| parent | 7d98126476359d634d28ac15c30381c4f6e79c7c (diff) | |
cgiwrap DTSA
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@1686 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | data/DTSA/DTSA-6-1 | 60 |
| -rw-r--r-- | data/DTSA/hints/neilm | 2 |
| -rw-r--r-- | data/DTSA/list | 3 |

3 files changed, 65 insertions, 0 deletions
diff --git a/data/DTSA/DTSA-6-1 b/data/DTSA/DTSA-6-1 new file mode 100644 index 0000000000..465bf52c96 --- /dev/null +++ b/data/DTSA/DTSA-6-1 
@@ -0,0 +1,60 @@ +----------------------------------------------------------------------------- +Debian Testing Security Advisory DTSA-6-1 http://secure-testing.debian.net +secure-testing-team@lists.alioth.debian.org Neil McGovern +August 28th, 2005 +----------------------------------------------------------------------------- + +Package : cgiwrap +Vulnerability : multiple vulnerabilities +Problem-Type : remote +Debian-specific: yes,no + +Javier Fernández-Sanguino Peña discovered various vulnerabilities in cgiwrap: + +Minimum UID does not include all system users + + The CGIwrap program will not seteuid itself to uids below the 'minimum' uid + to prevent scripts from being misused to compromise the system. However, + the Debian package sets the minimum uid to 100 when it should be 1000. + +CGIs can be used to disclose system information + + The cgiwrap (and php-cgiwrap) package installs some debugging CGIs + (actually symbolink links, which link to cgiwrap and are called 'cgiwrap' + and 'nph-cgiwrap' or link to php-cgiwrap). These CGIs should not be + installed in production environments as they disclose internal and + potentially sensible information. + +For the testing distribution (etch) this is fixed in version +3.9-3.0etch1. + +For the unstable distribution (sid) this is fixed in version +3.9-3.1. + +This upgrade is encouraged if you use cgiwrap. + +The Debian testing security team does not track security issues for the +stable distribution (woody). If stable is vulnerable, the Debian security +team will make an announcement once a fix is ready. 
+ +Upgrade Instructions +-------------------- + +To use the Debian testing security archive, add the following lines to +your /etc/apt/sources.list: + + deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + +The archive signing key can be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +To install the update, run this command as root: +If you use cgiwrap: + apt-get update && apt-get install cgiwrap +If you use php-cgiwrap: + apt-get update && apt-get install php-cgiwrap + +For further information about the Debian testing security team, please refer +to http://secure-testing.debian.net/ + diff --git a/data/DTSA/hints/neilm b/data/DTSA/hints/neilm new file mode 100644 index 0000000000..9407aeebd2 --- /dev/null +++ b/data/DTSA/hints/neilm @@ -0,0 +1,2 @@ +# pending builds +#sync cgiwrap/3.9-3.0etch1 diff --git a/data/DTSA/list b/data/DTSA/list index 14d39e6a3c..794bc18ebf 100644 --- a/data/DTSA/list +++ b/data/DTSA/list @@ -1,3 +1,6 @@ +[28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities + - cgiwrap 3.9-3.0etch1 (low) + NOTE: waiting for builds (neilm) [27 Aug 2005] DTSA-5-1 gaim - multiple remote vulnerabilities {CAN-2005-2102 CAN-2005-2370 CAN-2005-2103} - gaim 1:1.4.0-5etch2 (high) |
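Review bot: the header field `Debian-specific: yes,no` in the new data/DTSA/DTSA-6-1 file does not say which answer belongs to which of the two issues; give it per issue (the too-low minimum UID is a setting of the Debian package, and the advisory should state whether the debugging CGIs are shipped by upstream or only by the Debian package). The "CGIs can be used to disclose system information" paragraph also never names the installed path of the debugging CGIs it says should not be present, and its parenthetical says the links "are called 'cgiwrap' and 'nph-cgiwrap'", which are the names of the wrapper itself, so an administrator reading the advisory cannot tell which files to look for or remove; name the paths. The minimum-UID paragraph would be clearer with the reason the value must be 1000: Debian allocates UIDs 100 to 999 to system accounts, so a minimum of 100 lets a wrapped script run as any of them. Two typos while here: "symbolink links" should read "symbolic links" and "potentially sensible information" should read "potentially sensitive information".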
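Review bot: the `#sync cgiwrap/3.9-3.0etch1` line added to data/DTSA/hints/neilm is commented out under "# pending builds", yet the advisory text in the same commit states in the present tense that testing "is fixed in version 3.9-3.0etch1" and tells users to run `apt-get update && apt-get install cgiwrap`; until that sync hint is enabled, anyone following the advisory will not receive the fixed package. Either hold the advisory until the builds land and the line is uncommented in the same change, or word the advisory so the fix is visibly pending.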
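Review bot: the new DTSA-6-1 entry in data/DTSA/list carries no `{CAN-...}` identifiers, unlike the DTSA-5-1 gaim entry immediately below it; if no candidate numbers were requested for these two issues, say so explicitly in the entry so the advisory can be cross-referenced later. The "(low)" severity also deserves a second look against the advisory's own description: with the minimum UID at 100 instead of 1000, a wrapped script can be run as any system account in the 100 to 999 range, which is more than a hardening nit. Drop the "NOTE: waiting for builds (neilm)" line once the build lands, in step with the hints file.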