---

Debian Security Advisory: New version of mirror fixes remote exploit

Date: Mon, 18 Oct 1999 02:51:38 +0200
From: Wichert Akkerman wichert@liacs.nl
To: debian-security-announce@lists.debian.org
Reply to: security@debian.org


Debian Security Advisory security@debian.org
http://www.debian.org/security/
Wichert Akkerman
October 18, 1999


We have received reports that the version of mirror as
distributed in Debian GNU/Linux 2.1 could be remotely exploited.
When mirroring a remote site the remote site could use
filename-constructions like ” ..” that would case mirror to work
one level above the target directory for the mirrored files.

This has been fixed in mirror version 2.9-2.1 .

We recommend you upgrade your mirror package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

Debian GNU/Linux 2.1 alias slink


This version of Debian was released only for Intel, the Motorola
680×0, the alpha and the Sun sparc architecture.

Source archives:

http://security.debian.org/dists/stable/updates/source/mirror_2.9-2.1.diff.gz

MD5 checksum: 2340c6a18b8b69c5122ef78e50663824

http://security.debian.org/dists/stable/updates/source/mirror_2.9-2.1.dsc

MD5 checksum: 2890c6ed6c60e97299c7fcd3a56b5b36

http://security.debian.org/dists/stable/updates/source/mirror_2.9.orig.tar.gz

MD5 checksum: 49ebf2fc732322aff2a8297f89bb9df3

Architecture indendent archives:
http://security.debian.org/dists/stable/updates/binary-all/mirror_2.9-2.1_all.deb

MD5 checksum: d10e76994611915ba79aeee838fada7c


For apt-get: deb http://security.debian.org/
stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates

Mailing list: debian-security-announce@lists.debian.org

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis