lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060316220616.GA6910@informatik.uni-bremen.de> Date: Fri Mar 17 15:32:09 2006 From: jmm at debian.org (Moritz Muehlenhoff) Subject: [SECURITY] [DSA 1006-1] New wzdftpd packages fix arbitrary shell command execution -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1006-1 security@...ian.org http://www.debian.org/security/ Moritz Muehlenhoff March 16th, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : wzdftpd Vulnerability : missing input sanitising Problem-Type : remote Debian-specific: no CVE ID : CVE-2005-3081 "kcope" discovered that the wzdftpd FTP server lacks input sanitising for the SITE command, which may lead to the execution of arbitrary shell commands. The old stable distribution (woody) does not contain wzdftpd packages. For the stable distribution (sarge) this problem has been fixed in version 0.5.2-1.1sarge1. For the unstable distribution (sid) this problem has been fixed in version 0.5.5-1. We recommend that you upgrade your wzdftpd package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1.dsc Size/MD5 checksum: 770 9b5198715396dc3241b38522866236eb http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1.diff.gz Size/MD5 checksum: 18064 56f5a27176316cbe9f6e33f271fa2137 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2.orig.tar.gz Size/MD5 checksum: 818860 62a4af39801fe581f85cd063c5fc4717 Alpha architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_alpha.deb Size/MD5 checksum: 309938 42447c188199c9cea54a0658801ce243 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_alpha.deb Size/MD5 checksum: 30594 02069d4746a86be34df3fa9347f2392d http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_alpha.deb Size/MD5 checksum: 293354 dbacd04240390145f75b69fdf27b7bc5 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_alpha.deb Size/MD5 checksum: 48864 e01b156146c1a68bd3ae51f689dc8d46 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_alpha.deb Size/MD5 checksum: 31408 431162de3997ddebd36b3982c85bd449 AMD64 architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_amd64.deb Size/MD5 checksum: 286298 589a84919dd29f5858d9be5db77a9f7f http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_amd64.deb Size/MD5 checksum: 29872 df640d1cc2191eb6f1bfbdca5bf31b20 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_amd64.deb Size/MD5 checksum: 217728 0feb9461d80aae2138823e63e0faef32 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_amd64.deb Size/MD5 checksum: 47044 eccd196638b0cd8c953dc8944e4062af http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_amd64.deb Size/MD5 checksum: 30774 361bcb02132181eefb2eb06402d134f9 ARM architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_arm.deb Size/MD5 checksum: 268212 f89c5793822e3852a1e8c1badbca0d5e http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_arm.deb Size/MD5 checksum: 29184 afa126d2b1671d44c241dc3ddea35e86 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_arm.deb Size/MD5 checksum: 214212 f1c06effaa2cfb5d4ae141aaec1e1587 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_arm.deb Size/MD5 checksum: 45668 925aeb76dd948aec878fe160d5021130 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_arm.deb Size/MD5 checksum: 29498 4512a8bf5fc97a1ff2abb9c5124060c0 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_i386.deb Size/MD5 checksum: 276502 97f51d6d1e654df0bb6f081e25a9b650 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_i386.deb Size/MD5 checksum: 29168 1dbfb15d29d721099e5a2888b6de0c9b http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_i386.deb Size/MD5 checksum: 203180 c59debe41582c57b70d7eed81b9be115 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_i386.deb Size/MD5 checksum: 46674 f86486f9676c0f7e3e249b196a24cde1 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_i386.deb Size/MD5 checksum: 30088 c8fbc3003ecce59c4c24d1f8f7369f15 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_ia64.deb Size/MD5 checksum: 354192 04aceb869b8a9c8e57fee71adc90d537 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_ia64.deb Size/MD5 checksum: 32456 14d0b99688e8515893a8bf5c3220bb8b http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_ia64.deb Size/MD5 checksum: 282944 a9ae730aff0dcbf4ba0b3ee08f9dab0d http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_ia64.deb Size/MD5 checksum: 54360 2049692cafe786e479d2b43e830bc51c http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_ia64.deb Size/MD5 checksum: 33342 11e06c91a0f5b9fbbf7614d68a8dc78d HP Precision architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_hppa.deb Size/MD5 checksum: 304388 e37daa65966c7677bc04f039a2f8805b http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_hppa.deb Size/MD5 checksum: 31080 606539b364478ff7c0f98f1750706c7a http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_hppa.deb Size/MD5 checksum: 241700 cb5b2cd8dbbd8d92ff354eb8815993b3 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_hppa.deb Size/MD5 checksum: 49198 71e240d7616e16e0996b9d46210608da http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_hppa.deb Size/MD5 checksum: 31636 35ddc248ade34d8d2defa0b61ae2119c Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_m68k.deb Size/MD5 checksum: 262636 7b30cb3f1b5ff1697cb2772cdb8f38c8 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_m68k.deb Size/MD5 checksum: 28948 54a546876f6a58b1a6e34a72fa9e51f3 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_m68k.deb Size/MD5 checksum: 184634 9956717829c33c2087c92685e5d02185 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_m68k.deb Size/MD5 checksum: 45140 a9263eb4a27bc175080ab2d01c18c598 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_m68k.deb Size/MD5 checksum: 30038 ac1ee347780b2821c70d4203e36e75f8 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_mips.deb Size/MD5 checksum: 276908 5b2aa7efb2be3a351f939756b27a4396 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_mips.deb Size/MD5 checksum: 28698 78346a470cc748d66417bc5abc7b5aaa http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_mips.deb Size/MD5 checksum: 228986 31993898148caa1f647a4f8f1bcbb4ce http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_mips.deb Size/MD5 checksum: 42096 bfbad635bc67a27cef46e93b838f0517 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_mips.deb Size/MD5 checksum: 29542 7ae48fc75c3407e569bfdd3eb97a3a69 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_mipsel.deb Size/MD5 checksum: 277024 09f8b81617477a2bcfc2b4c2d786bba6 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_mipsel.deb Size/MD5 checksum: 28726 be66f9c712a7250d73b1e8e7c0031529 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_mipsel.deb Size/MD5 checksum: 228814 bdd734cc6e3801ba38d27103a2251d81 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_mipsel.deb Size/MD5 checksum: 41986 bcd24ad8a50125c8e05ff752a2237a91 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_mipsel.deb Size/MD5 checksum: 29506 062a6f05b6c63471c5d6c14c7fa7e0b7 PowerPC architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_powerpc.deb Size/MD5 checksum: 288046 a813354bcd631bcd411e8b15ee8a13b7 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_powerpc.deb Size/MD5 checksum: 29692 70caafe1861540e3f16fe8c939082ad8 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_powerpc.deb Size/MD5 checksum: 226374 3e451d530c0bc2e9232301b11e778c08 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_powerpc.deb Size/MD5 checksum: 48462 6efc393f1a57d9568892e8a1a3265427 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_powerpc.deb Size/MD5 checksum: 31662 54fe559a61b46bc525ba48b1fd23ce22 IBM S/390 architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_s390.deb Size/MD5 checksum: 291596 cb46f86ba2822f386ba7dde54ec40a48 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_s390.deb Size/MD5 checksum: 29634 e7879e3279371a66628be8638a0b2487 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_s390.deb Size/MD5 checksum: 217006 470280e35819dbc6f928ae392ce83fa6 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_s390.deb Size/MD5 checksum: 43734 a25305b50ee9433fad1c2bfcceb2119d http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_s390.deb Size/MD5 checksum: 30966 2e9e92254e188a2e52bd74cc76845c6d Sun Sparc architecture: http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd_0.5.2-1.1sarge1_sparc.deb Size/MD5 checksum: 273360 7b319237b23760df5e1004876bedb0d1 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-back-mysql_0.5.2-1.1sarge1_sparc.deb Size/MD5 checksum: 29210 0a82c650b91e6023fb3d6f197926efba http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-dev_0.5.2-1.1sarge1_sparc.deb Size/MD5 checksum: 209674 9adeb90f4dd44019d52929f8c933a65a http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-perl_0.5.2-1.1sarge1_sparc.deb Size/MD5 checksum: 45458 81d39032c6161efa36e5b246e09d45c7 http://security.debian.org/pool/updates/main/w/wzdftpd/wzdftpd-mod-tcl_0.5.2-1.1sarge1_sparc.deb Size/MD5 checksum: 29698 4f2760ea9123c4c12f79e3dd6f60a41f These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@...ts.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEGeDUXm3vHE4uyloRAolfAKDPHXgiKZPzI+pLkt23dw9e9dpSjwCdEWLd 17UQ9KUHQdJtn3C1e1LrbNQ= =YV07 -----END PGP SIGNATURE-----