Date: Tue, 08 Feb 2005 16:40:45 -0700
From: Mandrakelinux Security Team <security@...ux-mandrake.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:031 - Updated perl packages fix multiple vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           perl
 Advisory ID:            MDKSA-2005:031
 Date:                   February 8th, 2005

 Affected versions:      10.0, 10.1, 9.2, Corporate 3.0,
                         Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Jeroen van Wolffelaar discovered that the rmtree() function in the perl
 File::Path module would remove directories in an insecure manner which
 could lead to the removal of arbitrary files and directories via a
 symlink attack (CAN-2004-0452).
 
 Trustix developers discovered several insecure uses of temporary files
 in many modules which could allow a local attacker to overwrite files
 via symlink attacks (CAN-2004-0976).
 
 "KF" discovered two vulnerabilities involving setuid-enabled perl
 scripts.  By setting the PERLIO_DEBUG environment variable and calling
 an arbitrary setuid-root perl script, an attacker could overwrite
 arbitrary files with perl debug messages (CAN-2005-0155).  As well,
 calling a setuid-root perl script with a very long path would cause a
 buffer overflow if PERLIO_DEBUG was set, which could be exploited to
 execute arbitrary files with root privileges (CAN-2005-0156).
 
 The provided packages have been patched to resolve these problems.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0976
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0155
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0156
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 03ef7fbe398819df299c12b60037452e  10.0/RPMS/perl-5.8.3-5.3.100mdk.i586.rpm
 8c660b1461a18ea5d4115ce97d919400  10.0/RPMS/perl-base-5.8.3-5.3.100mdk.i586.rpm
 4cea2d8402078460a305a2d5b35ded3f  10.0/RPMS/perl-devel-5.8.3-5.3.100mdk.i586.rpm
 521c1c2a42672a5d8f59dd372a274427  10.0/RPMS/perl-doc-5.8.3-5.3.100mdk.i586.rpm
 68a64ab9524c8494b9cafe243ca4207a  10.0/SRPMS/perl-5.8.3-5.3.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 6ef2826a08789b5a5818a87d5964a1a2  amd64/10.0/RPMS/perl-5.8.3-5.3.100mdk.amd64.rpm
 c473bbbfec6d07ef351c5d2e755d873f  amd64/10.0/RPMS/perl-base-5.8.3-5.3.100mdk.amd64.rpm
 736ec557782c41dd5e43a2ff31d0cc3e  amd64/10.0/RPMS/perl-devel-5.8.3-5.3.100mdk.amd64.rpm
 a9ed51fa1e678f7481c74fc65c886f44  amd64/10.0/RPMS/perl-doc-5.8.3-5.3.100mdk.amd64.rpm
 68a64ab9524c8494b9cafe243ca4207a  amd64/10.0/SRPMS/perl-5.8.3-5.3.100mdk.src.rpm

 Mandrakelinux 10.1:
 dc0072b42ada389f8d948435fb44337b  10.1/RPMS/perl-5.8.5-3.3.101mdk.i586.rpm
 1e0c9f3256ff487d95011253abcac637  10.1/RPMS/perl-base-5.8.5-3.3.101mdk.i586.rpm
 ff2ff682b097c8ce91d989858cfe87fc  10.1/RPMS/perl-devel-5.8.5-3.3.101mdk.i586.rpm
 d2a4f038e99b1742b5e427eb508735c6  10.1/RPMS/perl-doc-5.8.5-3.3.101mdk.i586.rpm
 6421bbaac9c9260c34f1503699a9c06d  10.1/SRPMS/perl-5.8.5-3.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 48e3ca61e5cdb1fdb6ab167368de39dd  x86_64/10.1/RPMS/perl-5.8.5-3.3.101mdk.x86_64.rpm
 f105736fca96d67e29fedbed60e493d5  x86_64/10.1/RPMS/perl-base-5.8.5-3.3.101mdk.x86_64.rpm
 a4d842d0548a9cd8b37ac95bdc3cf76f  x86_64/10.1/RPMS/perl-devel-5.8.5-3.3.101mdk.x86_64.rpm
 c994694b34389bbd2f8f31a5a0912abd  x86_64/10.1/RPMS/perl-doc-5.8.5-3.3.101mdk.x86_64.rpm
 6421bbaac9c9260c34f1503699a9c06d  x86_64/10.1/SRPMS/perl-5.8.5-3.3.101mdk.src.rpm

 Corporate Server 2.1:
 80ab375d58e13144188efb18d823be02  corporate/2.1/RPMS/perl-5.8.0-14.4.C21mdk.i586.rpm
 1669ef10de0c263de5bcb1a6291b80e6  corporate/2.1/RPMS/perl-base-5.8.0-14.4.C21mdk.i586.rpm
 b670e055bce7ec7c3cf9fed4c0a1b0bb  corporate/2.1/RPMS/perl-devel-5.8.0-14.4.C21mdk.i586.rpm
 c6d3731abbbab36836a10098eec45632  corporate/2.1/RPMS/perl-doc-5.8.0-14.4.C21mdk.i586.rpm
 7320d6f6b55b6072b84adce5e8c24564  corporate/2.1/SRPMS/perl-5.8.0-14.4.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 79543c5e27e4fad31b70c3b1f9f78c3e  x86_64/corporate/2.1/RPMS/perl-5.8.0-14.4.C21mdk.x86_64.rpm
 df4d687f5974bc8aec71943f916b55e4  x86_64/corporate/2.1/RPMS/perl-base-5.8.0-14.4.C21mdk.x86_64.rpm
 6e235994ebfd3d140b0a98a6ced85600  x86_64/corporate/2.1/RPMS/perl-devel-5.8.0-14.4.C21mdk.x86_64.rpm
 c3e96a04b20424b4034c38e871110c43  x86_64/corporate/2.1/RPMS/perl-doc-5.8.0-14.4.C21mdk.x86_64.rpm
 7320d6f6b55b6072b84adce5e8c24564  x86_64/corporate/2.1/SRPMS/perl-5.8.0-14.4.C21mdk.src.rpm

 Corporate 3.0:
 3ec85cecac7c9311d84808c4d606fad5  corporate/3.0/RPMS/perl-5.8.3-5.3.C30mdk.i586.rpm
 eeb15059224b10ea1e38e7c295238ba2  corporate/3.0/RPMS/perl-base-5.8.3-5.3.C30mdk.i586.rpm
 2725bd3ff3a4879e92e2a837d31d371f  corporate/3.0/RPMS/perl-devel-5.8.3-5.3.C30mdk.i586.rpm
 83800acb6dff62a0283a4f4a63748769  corporate/3.0/RPMS/perl-doc-5.8.3-5.3.C30mdk.i586.rpm
 76f2ba5789d07ada7629f3fb4555214c  corporate/3.0/SRPMS/perl-5.8.3-5.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 6f9cbbbecbd93e0a69f90b87911b975c  x86_64/corporate/3.0/RPMS/perl-5.8.3-5.3.C30mdk.x86_64.rpm
 db36c037cd22e733423ee210dae671fe  x86_64/corporate/3.0/RPMS/perl-base-5.8.3-5.3.C30mdk.x86_64.rpm
 abb4772f920cc0d2776dfda4e61f7f37  x86_64/corporate/3.0/RPMS/perl-devel-5.8.3-5.3.C30mdk.x86_64.rpm
 7e2303ef39f8a35616cd3ee646faf224  x86_64/corporate/3.0/RPMS/perl-doc-5.8.3-5.3.C30mdk.x86_64.rpm
 76f2ba5789d07ada7629f3fb4555214c  x86_64/corporate/3.0/SRPMS/perl-5.8.3-5.3.C30mdk.src.rpm

 Mandrakelinux 9.2:
 e20db560fd730715e15dfa8b86bdf64e  9.2/RPMS/perl-5.8.1-0.RC4.3.3.92mdk.i586.rpm
 8b35db60de2b45267e2e7d6b5c91e9c5  9.2/RPMS/perl-base-5.8.1-0.RC4.3.3.92mdk.i586.rpm
 938d58ea9c9a14b4562da53f65e6b98d  9.2/RPMS/perl-devel-5.8.1-0.RC4.3.3.92mdk.i586.rpm
 826927185050c8390c260ea68e7c9b28  9.2/RPMS/perl-doc-5.8.1-0.RC4.3.3.92mdk.i586.rpm
 42336c6aa22474e11e49da1334c01415  9.2/SRPMS/perl-5.8.1-0.RC4.3.3.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 7b90163d3bc050172ef2b962367944f7  amd64/9.2/RPMS/perl-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
 3c9e8c95c1d3637111f88924798acfb1  amd64/9.2/RPMS/perl-base-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
 28644f1effa1ecd3d4e8dcbc28d56e38  amd64/9.2/RPMS/perl-devel-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
 89b774253bad6f9513685eab214680aa  amd64/9.2/RPMS/perl-doc-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
 42336c6aa22474e11e49da1334c01415  amd64/9.2/SRPMS/perl-5.8.1-0.RC4.3.3.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCCU39mqjQ0CJFipgRAvtbAJ4uFC7w+tZkJWt64S1mQ1dg3SpC6wCg8ff3
hUKmRIv57Eq+S1qE0y6zWyM=
=nw1w
-----END PGP SIGNATURE-----
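
The temporary-file symlink problem described under CAN-2004-0976, shown next to two hardened patterns. This is an added example, not code from the advisory or from the perl patches; the sandbox directory, the file names and the `module.$$.tmp` naming scheme are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: symlink-safe temporary file creation in a constructed sandbox.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Private sandbox standing in for a world-writable directory such as /tmp.
my $sandbox = tempdir(CLEANUP => 1);
my $victim  = "$sandbox/important.conf";   # file that must not be overwritten
my $guess   = "$sandbox/module.$$.tmp";    # predictable temp name (hypothetical)

sub write_file {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $data;
    close($fh) or die "close $path: $!";
}

sub read_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;                               # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Insecure pattern: plain open() on a predictable name follows a planted symlink.
write_file($victim, "original\n");
symlink($victim, $guess) or die "symlink: $!";
write_file($guess, "scratch data\n");
print "insecure open: victim now contains: ", read_file($victim);

# Hardened pattern 1: O_CREAT|O_EXCL refuses any existing name, symlinks included.
write_file($victim, "original\n");
if (sysopen(my $fh, $guess, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($fh);
    print "unexpected: O_EXCL open succeeded\n";
} else {
    print "O_EXCL open refused: $!\n";
}
print "after O_EXCL attempt: victim contains: ", read_file($victim);

# Hardened pattern 2: File::Temp picks an unpredictable name and opens it with O_EXCL.
my ($tfh, $tname) = tempfile('moduleXXXXXXXX', DIR => $sandbox, UNLINK => 1);
print {$tfh} "scratch data\n";
close($tfh) or die "close $tname: $!";
print "File::Temp created: $tname\n";
```

The first write replaces the victim's contents through the symlink; the O_EXCL attempt fails with "File exists" and leaves the victim unchanged.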

