lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060221153044.GC5903@piware.de>
Date: Tue Feb 21 15:31:05 2006
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-254-1] noweb vulnerability

===========================================================
Ubuntu Security Notice USN-254-1	  February 21, 2006
noweb vulnerability
CVE-2005-3342
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

nowebm

The problem can be corrected by upgrading the affected package to
version 2.10c-3ubuntu1.1 (for Ubuntu 4.10), 2.10c-3.1ubuntu5.04.1 (for
Ubuntu 5.04), or 2.10c-3.1ubuntu5.10.1 (for Ubuntu 5.10).  In general,
a standard system upgrade is sufficient to effect the necessary
changes.

Details follow:

Javier Fern?ndez-Sanguino Pe?a discovered that noweb scripts created
temporary files in an insecure way. This could allow a symlink attack
to create or overwrite arbitrary files with the privileges of the user
running noweb.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3ubuntu1.1.diff.gz
      Size/MD5:    11262 c97d1934407598134e7da5d53b4c625a
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3ubuntu1.1.dsc
      Size/MD5:      629 a21c779c23311c40353fee565971f7dd
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz
      Size/MD5:   712332 30bbacf1fb2a402410e5ad2fb600d9fc

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_amd64.deb
      Size/MD5:   535460 2d35850c7436ec5e1c452098ab8f2f26

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_i386.deb
      Size/MD5:   518536 7b89ab418e72de19d81aed9d1dc8aefa

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_powerpc.deb
      Size/MD5:   522740 f5b23a14a7600e91788a6803e1453861

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.04.1.diff.gz
      Size/MD5:    11276 d692bce20df8c6e0fb64013daf7bc9e5
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.04.1.dsc
      Size/MD5:      639 6b6781615241f3d07db34b4ed951eab4
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz
      Size/MD5:   712332 30bbacf1fb2a402410e5ad2fb600d9fc

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_amd64.deb
      Size/MD5:   535570 7ed60a1bfce4de9db2b6f6ca24f7544d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_i386.deb
      Size/MD5:   518652 973b9b6459bc21f645725f4c5013500f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_powerpc.deb
      Size/MD5:   522804 70fd183b24ea9c8d77ca8eb65172924f

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.10.1.diff.gz
      Size/MD5:    11275 8b1c3749cd3fc5f0f5bb0909d1db527c
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.10.1.dsc
      Size/MD5:      639 3f37d4a988691727bdc9452e459ccc46
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz
      Size/MD5:   712332 30bbacf1fb2a402410e5ad2fb600d9fc

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_amd64.deb
      Size/MD5:   535562 8ce18eceec28b3bb1165156e17d06f10

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_i386.deb
      Size/MD5:   519066 5d22ae6879e674ba5dba97a10957e6c7

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_powerpc.deb
      Size/MD5:   522756 2ea6685d6400fc111cf093f01b7a4b39
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/c972fe8a/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ