Update: Debian GNU/Linux Advisories: eldav, xbl, webfs, osh


Debian Security Advisory DSA 325-1 [email protected]
http://www.debian.org/security/ Matt Zimmerman
June 19th, 2003 http://www.debian.org/security/faq

Package : eldav
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific : no
CVE Ids : CAN-2003-0438

eldav, a WebDAV client for Emacs, creates temporary files
without taking appropriate security precautions. This vulnerability
could be exploited by a local user to create or overwrite files
with the privileges of the user running emacs and eldav.

For the stable distribution (woody) this problem has been fixed
in version 0.0.20020411-1woody1.

The old stable distribution (potato) does not contain an eldav
package.

For the unstable distribution (sid) this problem has been fixed
in version 0.7.2-1.

We recommend that you update your eldav package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411-1woody1.dsc

Size/MD5 checksum: 592 9dd06517b53570a595d5c368924ceda1

http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411-1woody1.diff.gz

Size/MD5 checksum: 3814 c4400b418452e1aea9a115a2af82e1aa

http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411.orig.tar.gz

Size/MD5 checksum: 12319 3b62e4b9b05eb1c8ef27e9f5d3b98db2

Architecture independent components:


http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411-1woody1_all.deb

Size/MD5 checksum: 15546 5dc5beca6a1c57b5a4b32968ebc07da4

These files will probably be moved into the stable distribution
on its next revision.



Debian Security Advisory DSA 327-1 [email protected]
http://www.debian.org/security/ Matt Zimmerman
June 19th, 2003 http://www.debian.org/security/faq

Package : xbl
Vulnerability : buffer overflows
Problem-Type : local
Debian-specific : no

Steve Kemp discovered several buffer overflows in xbl, a game,
which can be triggered by long command line arguments. This
vulnerability could be exploited by a local attacker to gain gid
‘games’.

For the stable distribution (woody) this problem has been fixed
in version 1.0k-3woody1.

For the old stable distribution (potato) this problem has been
fixed in version 1.0i-7potato1.

For the unstable distribution (sid) this problem is fixed in
version 1.0k-5.

We recommend that you update your xbl package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato


Source archives:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1.dsc

Size/MD5 checksum: 554 d4b156eca0f35de954bd913bcd189b3e

http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1.diff.gz

Size/MD5 checksum: 7844 a55498b9b859c7a71744e9e9e1752af3

http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i.orig.tar.gz

Size/MD5 checksum: 213223 b9ea1555044e7ca80ff781796fd867b1

Alpha architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_alpha.deb

Size/MD5 checksum: 120714 dc4849970e1a724b4387e7f3f07dc820

ARM architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_arm.deb

Size/MD5 checksum: 104536 74d0a2c7da8e14e1b7f425f31ab6f5d8

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_i386.deb

Size/MD5 checksum: 100054 3ef40d75316e7f455868fa23f40712d9

Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_m68k.deb

Size/MD5 checksum: 96526 22868d833d5b1ff7616709516ca91750

PowerPC architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_powerpc.deb

Size/MD5 checksum: 108338 1bf1e03fcde2d23aa7c6bcfa751899db

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0i-7potato1_sparc.deb

Size/MD5 checksum: 107850 339f2a39f75c73d1eafd0bf20216bc95

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1.dsc

Size/MD5 checksum: 566 a25e8ecf19edb97ab3cc32d52f20712f

http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1.diff.gz

Size/MD5 checksum: 9244 2376e2e1b69d0d79f0b0c0f87fe99a73

http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k.orig.tar.gz

Size/MD5 checksum: 135080 22e7822a449ae5b68695158fd59ea49c

Alpha architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_alpha.deb

Size/MD5 checksum: 122224 ef6d29658f10a304876a2f17660b92a4

ARM architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_arm.deb

Size/MD5 checksum: 111094 d02b8e87910b0c410698430110eb4609

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_i386.deb

Size/MD5 checksum: 103230 91c87f285064777b556e60a41b5d137e

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_ia64.deb

Size/MD5 checksum: 151410 f01344cab1623a36565d7ccae04ff20c

HP Precision architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_hppa.deb

Size/MD5 checksum: 116734 8ba40022bd13b071ce9832879bc00057

Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_m68k.deb

Size/MD5 checksum: 97730 5d8d438bd00e9f82b84a42f2d9797141

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_mips.deb

Size/MD5 checksum: 115968 161ebcca8ea2a4adb31ecad81c151ee1

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_mipsel.deb

Size/MD5 checksum: 115830 59b4a9b21a0658d6fc1f4b42d599f91d

PowerPC architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_powerpc.deb

Size/MD5 checksum: 112202 69b74ea9a5fb019dbcd56051789c8970

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_s390.deb

Size/MD5 checksum: 106190 59e14cbb58a28db14639bba8a3c0c802

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/x/xbl/xbl_1.0k-3woody1_sparc.deb

Size/MD5 checksum: 111194 b67bf2b0ba2174935b2ef85ca45a28a3

These files will probably be moved into the stable distribution
on its next revision.



Debian Security Advisory DSA 328-1 [email protected]
http://www.debian.org/security/ Matt Zimmerman
June 19th, 2003 http://www.debian.org/security/faq

Package : webfs
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific : no
CVE Id : CAN-2003-0445

webfs, a lightweight HTTP server for static content, contains a
buffer overflow whereby a long Request-URI in an HTTP request could
cause arbitrary code to be executed.

For the stable distribution (woody) this problem has been fixed
in version 1.17.1.

The old stable distribution (potato) does not contain a webfs
package.

For the unstable distribution (sid) this problem will be fixed
soon.

We recommend that you update your webfs package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1.dsc

Size/MD5 checksum: 472 ebff11ea33e3a2692c8d11b2b42fbe51

http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1.tar.gz

Size/MD5 checksum: 40979 6cd1419cd680e0dedaaddf8d5b1f6014

Alpha architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_alpha.deb

Size/MD5 checksum: 37058 ceadb6ced7463c646f826c6894766d65

ARM architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_arm.deb

Size/MD5 checksum: 34050 f00275e59fdbf15cf1fa1f56f18f552d

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_i386.deb

Size/MD5 checksum: 32366 cc87f8da127a490e718cbd53a91b22ae

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_ia64.deb

Size/MD5 checksum: 45388 f97e46167c401f1ed8d8772d2e69a3c8

HP Precision architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_hppa.deb

Size/MD5 checksum: 35414 8e21ab1df89efb46ffc93f46e25551db

Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_m68k.deb

Size/MD5 checksum: 31020 77084aa2f8a1b5387375161ada8a3fbc

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_mips.deb

Size/MD5 checksum: 34576 0ca14889e9837081ca8c16d649b10ff9

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_mipsel.deb

Size/MD5 checksum: 34560 edd5ce2fe5aed50645c7e2b6bef38933

PowerPC architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_powerpc.deb

Size/MD5 checksum: 33204 d7cb83a6b91e1ffd037b799a9da81ad1

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_s390.deb

Size/MD5 checksum: 34376 c48ec81b893a28988b51cdf216925341

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/w/webfs/webfs_1.17.1_sparc.deb

Size/MD5 checksum: 36380 ce67a09910792ed48a4b9f887d80478d

These files will probably be moved into the stable distribution
on its next revision.



Debian Security Advisory DSA 329-1 [email protected]
http://www.debian.org/security/ Matt Zimmerman
June 20th, 2003 http://www.debian.org/security/faq

Package : osh
Vulnerability : buffer overflows
Problem-Type : local
Debian-specific : no

Steve Kemp discovered that osh, a shell intended to restrict the
actions of the user, contains two buffer overflows, in processing
environment variables and file redirections. These vulnerabilities
could be used to execute arbitrary code, overriding any
restrictions placed on the shell.

For the stable distribution (woody) this problem has been fixed
in version 1.7-11woody1.

The old stable distribution (potato) is affected by this
problem, and may be fixed in a future advisory on a time-available
basis.

For the unstable distribution (sid) this problem is fixed in
version 1.7-12.

We recommend that you update your osh package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1.dsc

Size/MD5 checksum: 565 3af7f1c0c6a346d204c379b1a0c76239

http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1.diff.gz

Size/MD5 checksum: 11456 50c1a6f3a14d5a9a87a0903d01e40f82

Alpha architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_alpha.deb

Size/MD5 checksum: 33018 b655c662609b7bb5062a20b657a17a4c

ARM architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_arm.deb

Size/MD5 checksum: 27164 1f47067f854ca6997eaf5c1dde43f80d

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_i386.deb

Size/MD5 checksum: 26734 dc76617c5ba84467187da2ef53b6b5b9

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_ia64.deb

Size/MD5 checksum: 36458 6611963c875df296cc82331a0d4ac5af

HP Precision architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_hppa.deb

Size/MD5 checksum: 29144 5a16455ee0e50519b006010748d8e3b8

Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_m68k.deb

Size/MD5 checksum: 26014 8d8cfaa42fa540c7dc3e74e80a96e4a6

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_mips.deb

Size/MD5 checksum: 29296 e1d1fbeea475a3b7cb788e0dcb03ba08

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_mipsel.deb

Size/MD5 checksum: 29218 1c647b0936720769bd3be3649849db7f

PowerPC architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_powerpc.deb

Size/MD5 checksum: 28534 7b6ef4f5ac2c7d3dd919262d04b24f7d

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_s390.deb

Size/MD5 checksum: 27944 b14299fa7552124c3e6b05001e79e646

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/o/osh/osh_1.7-11woody1_sparc.deb

Size/MD5 checksum: 30626 58a7ccea2b17bbdbd124565545dd1057

These files will probably be moved into the stable distribution
on its next revision.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
