Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > January 2005 > Four Debian Security Advisories: 1. DSA 650-1 - sword 2. DSA 652-1 - New unarj packages fix several vulnerabilities 3. DSA 653-1 - New ethereal packages fix buffer overflow 4. DSA 654-1 - New enscript packages fix several vulnerabilities

January 2005

Four Debian Security Advisories: 1. DSA 650-1 - sword 2. DSA 652-1 - New unarj packages fix several vulnerabilities 3. DSA 653-1 - New ethereal packages fix buffer overflow 4. DSA 654-1 - New enscript packages fix several vulnerabilities

ID: 00055
Ref: 51/2005
Date: 24 January 2005:14:21:55
Version: 1
Title: Four Debian Security Advisories: 1. DSA 650-1 - sword 2. DSA 652-1 - New unarj packages fix several vulnerabilities 3. DSA 653-1 - New ethereal packages fix buffer overflow 4. DSA 654-1 - New enscript packages fix several vulnerabilities
Abstract:
Vendors affected: Debian
Operating systems affected: Debian
Applications affected: Debian
Title
=====

Four Debian Security Advisories:

1. DSA 650-1 - sword

2. DSA 652-1 - New unarj packages fix several vulnerabilities

3. DSA 653-1 - New ethereal packages fix buffer overflow

4. DSA 654-1 - New enscript packages fix several vulnerabilities

Detail
======

1. Ulf Härnhammar discovered that due to missing input sanitising in diatheke,
a CGI script for making and browsing a bible website, it is possible to
execute arbitrary commands via a specially crafted URL.

2. Several vulnerabilities have been discovered in unarj, a non-free ARJ
unarchive utility.

3. A buffer overflow has been detected in the X11 dissector of ethereal,
a commonly used network traffic analyser. A remote attacker may be
able to overflow a buffer using a specially crafted IP packet. More
problems have been discovered which don't apply to the version in
woody but are fixed in sid as well.

4. Erik Sjölund has discovered several security relevant problems in
enscript, a program to convert ASCII text into Postscript and other
formats.




1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 650-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 20th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package :
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0015

Ulf Härnhammar discovered that due to missing input sanitising in diatheke,
a CGI script for making and browsing a bible website, it is possible to
execute arbitrary commands via a specially crafted URL.

For the stable distribution (woody) this problem has been fixed in version
1.5.3-3woody2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your diatheke package.


Upgrade Instructions
- - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list
as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the footer to
the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/s/sword/sword_1.5.3-3woody2.dsc
Size/MD5 checksum: 612 9204579e3a264d7d43297c1b7bf98438
http://security.debian.org/pool/updates/main/s/sword/sword_1.5.3-3woody2.diff.gz
Size/MD5 checksum: 21169 c355f97deb2ef2c39b82aec857b15a21
http://security.debian.org/pool/updates/main/s/sword/sword_1.5.3.orig.tar.gz
Size/MD5 checksum: 2389613 055f9c1e7c081a667674d9f4112abf11

Alpha architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_alpha.deb
Size/MD5 checksum: 82154 2c73838e4e5d1112ded21365df2578a3
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_alpha.deb
Size/MD5 checksum: 1712920 e3914e31b0b0217ac8f227f8730c0ace
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_alpha.deb
Size/MD5 checksum: 13312 29c89888a4b51b5aa555ff55b0a410ad
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_alpha.deb
Size/MD5 checksum: 601828 dfcf6f97b2b3eead528e92b5dc387fe6

ARM architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_arm.deb
Size/MD5 checksum: 56756 0a83537894f73c59aac38b8698d68dc8
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_arm.deb
Size/MD5 checksum: 989694 18f31fc2d82aec5b342a62822f6421d8
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_arm.deb
Size/MD5 checksum: 13326 f8a405bc39b9e73d84cb42448144b4ec
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_arm.deb
Size/MD5 checksum: 298826 53df2455c33de26ddc7f661f1ff74a43

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_i386.deb
Size/MD5 checksum: 54788 7329737ccfe2988b667bf1cf4d0b684d
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_i386.deb
Size/MD5 checksum: 923510 87cbc45e59453e36004331d8a1ba4950
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_i386.deb
Size/MD5 checksum: 13320 190147bb90a295003c9bf6ad0e0a48d4
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_i386.deb
Size/MD5 checksum: 281460 c0c5beeb00046e67a6fa9089e9d43d14

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_ia64.deb
Size/MD5 checksum: 62174 fbf8fac6dfc7d61a739b3bdb3f499566
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_ia64.deb
Size/MD5 checksum: 1291474 d38e91788454487c3fc8b40e017fc682
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_ia64.deb
Size/MD5 checksum: 13308 b24742b3c41724e34669d0b921cb3d27
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_ia64.deb
Size/MD5 checksum: 333424 7aaaaf076026a95ac0d0bdbe488777fb

HP Precision architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_hppa.deb
Size/MD5 checksum: 62118 2504df74d92b6adb4910a6a4f3452183
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_hppa.deb
Size/MD5 checksum: 1104178 07328cd8ee7dde27dfed04296e3ae908
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_hppa.deb
Size/MD5 checksum: 13320 d62ee10092df4e13ad703662fd5ffdda
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_hppa.deb
Size/MD5 checksum: 321394 ab1a13bf24f55ca743a8c760adebc8e9

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_m68k.deb
Size/MD5 checksum: 53082 39829e678361864e1da30406d34b63eb
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_m68k.deb
Size/MD5 checksum: 932564 a1189885065e93581e8467cc85b270cd
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_m68k.deb
Size/MD5 checksum: 13340 2b3407e4e1f8e272f86d297d6ff73738
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_m68k.deb
Size/MD5 checksum: 298670 47ec4a13a6a9492deaa50d841366458d

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_mips.deb
Size/MD5 checksum: 52350 e4c719c9a0dda7691232f30eef22dbde
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_mips.deb
Size/MD5 checksum: 1109974 878366a171bca33b56ee9710119412c9
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_mips.deb
Size/MD5 checksum: 13332 91fe931443f5ae22621628db2deef543
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_mips.deb
Size/MD5 checksum: 256508 82fb17f0ff951a96d406d1f65eac8a26

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_mipsel.deb
Size/MD5 checksum: 52126 5e61bca3b51666582fbb182398f0f9bd
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_mipsel.deb
Size/MD5 checksum: 1099316 5de4d4a7a89bc24bb3e50f4bf6edf740
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_mipsel.deb
Size/MD5 checksum: 13346 f0fcbee29448cd9c32d906ecdee962f3
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_mipsel.deb
Size/MD5 checksum: 240420 b71294049ac28ea1fafe85968b6499de

PowerPC architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_powerpc.deb
Size/MD5 checksum: 53026 4063714e63bb48f93c16c70be949d2c1
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_powerpc.deb
Size/MD5 checksum: 1000066 7eda6d983cd89dee3543b6db26a3bdfe
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_powerpc.deb
Size/MD5 checksum: 13318 3687a1d751652c987d9e658463e71e9a
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_powerpc.deb
Size/MD5 checksum: 306722 8d01c00d9235925512c46b5e4efe5bfe

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_s390.deb
Size/MD5 checksum: 50260 6dafccc1e39907a9852bb8f73be90c30
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_s390.deb
Size/MD5 checksum: 889972 dc0a114eb6df20568623173363c34fab
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_s390.deb
Size/MD5 checksum: 13322 520de046e8134166d87d0ea4eb699d1f
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_s390.deb
Size/MD5 checksum: 278278 9fcd920f31203c18884a74d3e2b208ad

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_sparc.deb
Size/MD5 checksum: 53248 ed0cafc23539322dd589c13d74fef525
http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_sparc.deb
Size/MD5 checksum: 953876 862ce2d7c89eeb445a1348158439838f
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_sparc.deb
Size/MD5 checksum: 13322 d7db9daeb609981e322caa1549b84015
http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_sparc.deb
Size/MD5 checksum: 281526 2d918e10ef4eba590d5185410e11340d


These files will probably be moved into the stable distribution on
its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp:
ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list:
debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB79dHW5ql+IAeqTIRAv83AJ9edTzwp8lcwzBU9z/IDhFU+47YCQCdEfg+
QsLqO8u8pblK3827Zf3iIGw=
=S0pH
- -----END PGP SIGNATURE-----


2.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


ESB-2005.0071 -- Debian Security Advisory DSA 652-1
New unarj packages fix several vulnerabilities
24 January 2005

===========================================================================



Product: unarj
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
UNIX variants
Windows
Impact: Execute Arbitrary Code/Commands
Overwrite Arbitrary Files
Access: Remote/Unauthenticated
CVE Names: CAN-2004-1027 CAN-2004-0947

Ref: ESB-2004.0735

Original Bulletin: http://www.debian.org/security/2005/dsa-652

Comment: On Windows platforms, ARJ Software recommends using ARJ instead
of UNARJ.

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - --------------------------------------------------------------------------
Debian Security Advisory DSA 652-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq
- - - --------------------------------------------------------------------------

Package : unarj
Vulnerability : several
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2004-0947 CAN-2004-1027
Debian Bug : 281922

Several vulnerabilities have been discovered in unarj, a non-free ARJ
unarchive utility. The Common Vulnerabilities and Exposures Project
identifies the following vulnerabilities:

CAN-2004-0947

A buffer overflow has been discovered when handling long file
names contained in an archive. An attacker could create a
specially crafted archive which could cause unarj to crash or
possibly execute arbitrary code when being extracted by a victim.

CAN-2004-1027

A directory traversal vulnerability has been found so that an
attacker could create a specially crafted archive which would
create files in the parent directory when being extracted by a
victim. When used recursively, this vulnerability could be used
to overwrite critical system files and programs.

For the stable distribution (woody) these problems have been fixed
in version 2.43-3woody1.

For the unstable distribution (sid) these problems don't apply since
unstable/non-free does not contain the unarj package.

We recommend that you upgrade your unarj package.


Upgrade Instructions
- - - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list
as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the footer to the
proper configuration.


Debian GNU/Linux 3.0 alias woody
- - - --------------------------------

Source archives:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.dsc
Size/MD5 checksum: 528 e1d166f2eaf315641d1269a32ad1dc76
http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.diff.gz
Size/MD5 checksum: 12903 4ef4cfad33d05ecc048d63596ab2673c
http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43.orig.tar.gz
Size/MD5 checksum: 39620 7a481dc017f1fbfa7f937a97e66eb99f

Alpha architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_alpha.deb
Size/MD5 checksum: 29668 08dc91afd3146ccdfaa51d73f8be56e5

ARM architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_arm.deb
Size/MD5 checksum: 22784 ed352d363cbeb34ba2268db63a632824

Intel IA-32 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_i386.deb
Size/MD5 checksum: 20690 aa9490bd82bc9aef4f6092d19fa83eaa

Intel IA-64 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_ia64.deb
Size/MD5 checksum: 31072 0b1f0403cfaaf572399fcb60b2549664

HP Precision architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_hppa.deb
Size/MD5 checksum: 23888 15a8d6b0b7b565186398c0b8ebe3eb6a

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_m68k.deb
Size/MD5 checksum: 20384 644a6dcc9f566bad384c050bc8b8fb14

PowerPC architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_powerpc.deb
Size/MD5 checksum: 23060 5c5a1f0157aa613337f80b439e78456f

IBM S/390 architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_s390.deb
Size/MD5 checksum: 22668 97dc977c8217a10d4915ee32db49edd5

Sun Sparc architecture:

http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_sparc.deb
Size/MD5 checksum: 25386 bd2210a978ad30306e3db2ab112c87e8


These files will probably be moved into the stable distribution on
its next update.

- - - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp:
ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list:
debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB8L/1W5ql+IAeqTIRAiqfAJ9G2Qz1XaGuTV9D9HsLH77/pOwOswCfWdUa
sOBvZN8plbTquPjXFFac16Q=
=I0rL
- - -----END PGP SIGNATURE-----

- - --------------------------END INCLUDED TEXT--------------------

iQCVAwUBQfQ56ih9+71yA2DNAQJxAAP/SlrQmwwltoqJmusbs1ZuVQq9V1qPprtJ
fzaYADjSGbhTOKiWqT6HsWGFIUpDuOPM3ZAlmlQqt9pLr7AjCk9azffAi27j1mol
Bo995a2y0COlhYZ79KFst85dQFQLzmlTPhioAWfB3HxUqwXa0hN0YPXabVxHXL09
Hndz7iD10wU=
=XB82
- -----END PGP SIGNATURE-----



3.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================

ESB-2005.0072 -- Debian Security Advisory DSA 653-1
New ethereal packages fix buffer overflow
24 January 2005

===========================================================================



Product: ethereal 0.10.8 and prior
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
UNIX variants
Windows
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CAN-2005-0084

Original Bulletin: http://www.debian.org/security/2005/dsa-653

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - --------------------------------------------------------------------------
Debian Security Advisory DSA 653-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq
- - - --------------------------------------------------------------------------

Package : ethereal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0084

A buffer overflow has been detected in the X11 dissector of ethereal,
a commonly used network traffic analyser. A remote attacker may be
able to overflow a buffer using a specially crafted IP packet. More
problems have been discovered which don't apply to the version in
woody but are fixed in sid as well.

For the stable distribution (woody) this problem has been fixed in
version 0.9.4-1woody11.

For the unstable distribution (sid) this problem has been fixed in
version 0.10.9-1.

We recommend that you upgrade your ethereal package.


Upgrade Instructions
- - - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list
as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the footer to
the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.dsc
Size/MD5 checksum: 681 8e8bbe73bf65d45446fb7c03dddb41a1
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.diff.gz
Size/MD5 checksum: 40601 a9a6e17ee6c2e1749ac3d140628c77c6
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
Size/MD5 checksum: 3278908 42e999daa659820ee93aaaa39ea1e9ea

Alpha architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 1941102 aab1360769a64476ce4113068230c8ad
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 334424 c3647ca04af3f48b4e24ec6ae2fa6b4d
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 222460 06e7e8c5713efa6f102bb436c6251e61
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_alpha.deb
Size/MD5 checksum: 1707844 08f64c248a99394a8366ca5b512e096d

ARM architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 1635456 190bd5415abaf62c1cde340605079152
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 297770 6d5ee1df687aeee0e49d4bc27cfab0da
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 206356 fcba9b5be975e62bd5cf8efca338a299
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_arm.deb
Size/MD5 checksum: 1439676 d825f5c16e37f1a5c1a7aaa6ba0798b1

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 1513338 996070722f320a6d6d40652101480ec6
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 286736 69fd768db07ee2ac52b33f3188fdba97
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 198652 50e416b732e5d02d1f8e6bfb5269d1f9
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_i386.deb
Size/MD5 checksum: 1326536 c8415c2297b0bc30a297b3b07e0a1186

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 2150414 b46cc7da4c46e2a920299cef6d6f1f1c
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 373372 1b977535a20b449ea7c1b21e09f9493b
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 234004 e8c69f3f1db9708ceb2e74122e81c168
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_ia64.deb
Size/MD5 checksum: 1861780 6c48358d2c8c892d24ebbc29b020931d

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 1804712 495491720997b53f60f5b9dbfeabac27
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 322696 cccbc77685f25eb8aa1a8429e0298dd7
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 217116 3bcb0ff60d01b12b85d25ee6e277fbe2
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_hppa.deb
Size/MD5 checksum: 1576164 67ecb81ffa522198b999353ce6294b19

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 1424704 7014155418ca6c1947e71a04ab716b03
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 282996 c73d8c241771bbe5f89c1e859e436aba
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 195364 21d07bf8bb05d52dfd45d91c73c656a6
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_m68k.deb
Size/MD5 checksum: 1248922 5cd077cf05e8e14f627a10e44ced739d

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 1617160 41dd4cd8059c472ff109bb002d9b5074
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 305514 855a56f8596f0bb4da7fe0024616d87a
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 213936 8459c58071700c436ea96af9a6fd7901
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_mips.deb
Size/MD5 checksum: 1422110 bdcdf3c021429ccaf8eb95027a48f69e

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 1598210 0c60efc6fcdea7d25359ecd88dd8aeff
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 304982 63cea39a93b19891ae0bbfaa8c5e0327
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 213596 e7d160f30cd5e9360fc90d4ef160dfb6
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_mipsel.deb
Size/MD5 checksum: 1406444 e8f3d141f724da42a16d051c12879efb

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 1618676 f3890280569d1b2a7e66c039c0def6b4
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 302174 d5c364dcb6039f637005c4ce259bed2c
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 209172 ae06ac9e4e976d4fd846b3b222efe911
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_powerpc.deb
Size/MD5 checksum: 1419454 2a6a56b278e0e647cbb7c41881e5aaa0

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 1574786 17c662f34613b6b0fb24e033dd1fc463
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 301014 7f0c78cce38eb8927b708146cb4b8463
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 204250 f85efb4e0c75da840c7b1224292f7005
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_s390.deb
Size/MD5 checksum: 1387552 c4e2e39307ca9b70793e1b8a6dc9a3ee

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 1583368 199f9efbe4d98e43882bb28d054c8ff6
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 318282 87d2b4c8298e3e179d89aa3827602011
http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 205026 0c71e4c61947bc0f198de8d66a1892b4
http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_sparc.deb
Size/MD5 checksum: 1389390 8327f812bcaee04cf83fc34f8450aacc


These files will probably be moved into the stable distribution on
its next update.

- - - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp:
ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list:
debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB8OiHW5ql+IAeqTIRAhEJAJ9dEuKVcXscQbAZrd6VmZ0de5Ou6wCcDHAN
gcBn2Bp/9cc2FXzr5L6ccps=
=2QHP
- - -----END PGP SIGNATURE-----

- - --------------------------END INCLUDED TEXT--------------------

iQCVAwUBQfQ6sSh9+71yA2DNAQLqzgP+P/Lb/7rQN1gkkA7riEKR23PGOiakzSxD
bEzC3SHG/cfnO/nlIy7iSC/Ja91xVbsHbP4DklTL0slTpiyr4lxcoH84GbBJrjIR
H5fMrTkeZCJlztIqjQUbRRPBJTrMxG/VLL2fs2rHEih9fSFEn199FxHj6CW85vW8
6dDPV162Ifs=
=0MwV
- -----END PGP SIGNATURE-----




4.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================

ESB-2005.0073 -- Debian Security Advisory DSA 654-1
New enscript packages fix several vulnerabilities
24 January 2005

===========================================================================



Product: GNU enscript
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
UNIX variants
Windows
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CAN-2004-1186 CAN-2004-1185 CAN-2004-1184

Original Bulletin: http://www.debian.org/security/2005/dsa-654

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - --------------------------------------------------------------------------
Debian Security Advisory DSA 654-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 21st, 2005 http://www.debian.org/security/faq
- - - --------------------------------------------------------------------------

Package : enscript
Vulnerability : several
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2004-1184 CAN-2004-1185 CAN-2004-1186

Erik Sjölund has discovered several security relevant problems in
enscript, a program to convert ASCII text into Postscript and other
formats. The Common Vulnerabilities and Exposures project identifies
the following vulnerabilities:

CAN-2004-1184

Unsanitised input can cause the execution of arbitrary commands
via EPSF pipe support. This has been disabled, also upstream.

CAN-2004-1185

Due to missing sanitising of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be
executed.

CAN-2004-1186

Multiple buffer overflows can cause the program to crash.

Usually, enscript is only run locally, but since it is executed inside
of viewcvs some of the problems mentioned above can easily be turned
into a remote vulnerability.

For the stable distribution (woody) these problems have been fixed
in version 1.6.3-1.3.

For the unstable distribution (sid) these problems have been fixed
in version 1.6.4-6.

We recommend that you upgrade your enscript package.


Upgrade Instructions
- - - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list
as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the footer to
the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.dsc
Size/MD5 checksum: 598 b64a0ab822bd8e613a96cfe534f40cbc
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3.diff.gz
Size/MD5 checksum: 7312 5f39d5caad3a93f874705a10f4a4ae6d
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3.orig.tar.gz
Size/MD5 checksum: 814308 ec717f8b0de7db00a21a21f70d354610

Alpha architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_alpha.deb
Size/MD5 checksum: 488176 ef6dc427cf55c77423da2b84c04a291e

ARM architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_arm.deb
Size/MD5 checksum: 466220 6443058723684f0c7b7d14d659e909bf

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_i386.deb
Size/MD5 checksum: 458068 1b5dd9325b47b06f6fb0280a74753bdd

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_ia64.deb
Size/MD5 checksum: 506248 5a4bc6e9f0f771b694e65908bc302e64

HP Precision architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_hppa.deb
Size/MD5 checksum: 477426 0f2bc8aba5c8f244d6d882c87b01946a

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_m68k.deb
Size/MD5 checksum: 447374 1054d2c3a5f249b2c7167fdd2aec2726

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_mips.deb
Size/MD5 checksum: 470862 996def7fa0ca46edac520083d5d22e39

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_mipsel.deb
Size/MD5 checksum: 470122 1f886d9ab7df6d9e3b4aafe6840676f8

PowerPC architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_powerpc.deb
Size/MD5 checksum: 466374 a08bf7e3d47b5ed94cf436439d21922b

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_s390.deb
Size/MD5 checksum: 460778 a2f4b67a5c7af46eba735b44ccea7de1

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.3-1.3_sparc.deb
Size/MD5 checksum: 465822 a8da2cae1003ca40e4e8b6c81137fb63


These files will probably be moved into the stable distribution on
its next update.

- - - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp:
ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list:
debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB8QxQW5ql+IAeqTIRAms2AJ96BxPaZ3l5zHgZjF64urAAknetlwCeLAeX
T4BRwnlugM4tRy2jGvJUsgE=
=o9wU
- - -----END PGP SIGNATURE-----

- - --------------------------END INCLUDED TEXT--------------------


iQCVAwUBQfQ9gCh9+71yA2DNAQLp+gP+LuapsPTuBmM7qElNTpmVqKO8RwafLzLJ
AH0G4DPXa85gZaKXxtTpzMJeGfrbnhlAQu0RPyPhle2Fml14bpPwzNmEtyEh/97i
y8pF82RikeZiAmEDW5xHQyd0iNLxSzWm+9ypuLnMV5CYlPhwrTvmZBU1GRzDhxzE
YoM3vOTwETA=
=Do9R
- -----END PGP SIGNATURE-----


  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |