Message-ID: <87d4q03nyp.fsf@mid.deneb.enyo.de>
Date: Tue, 11 Mar 2008 23:17:18 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1515-1] New libnet-dns-perl packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1515-1                  security@...ian.org
http://www.debian.org/security/                           Florian Weimer
March 11, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libnet-dns-perl
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-3377 CVE-2007-3409 CVE-2007-6341
Debian Bug     : 457445

Several remote vulnerabilities have been discovered in libnet-dns-perl.
The Common Vulnerabilities and Exposures project identifies the
following problems:

It was discovered that libnet-dns-perl generates very weak transaction
IDs when sending queries (CVE-2007-3377).  This update switches
transaction ID generation to the Perl random generator, making
prediction attacks more difficult.

Compression loops in domain names resulted in an infinite loop in the
domain name expander written in Perl (CVE-2007-3409).  The Debian
package uses an expander written in C by default, but this vulnerability
has been addressed nevertheless.

Decoding malformed A records could lead to a crash (via an uncaught
Perl exception) of certain applications using libnet-dns-perl
(CVE-2007-6341).
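
The following is an added example, not part of the advisory and not code from libnet-dns-perl: a Python sketch of a DNS name expander that cannot be driven into a compression loop, plus an A record decoder that rejects malformed data with one catchable error type. The names expand_name, decode_a_rdata and DNSDecodeError are hypothetical, and the sample messages are constructed.

```python
MAX_NAME_LEN = 255  # RFC 1035 limit on an encoded domain name

class DNSDecodeError(ValueError):
    """Malformed wire data; callers catch this one type instead of crashing."""

def expand_name(msg, offset):
    """Expand a possibly compressed name; return (name, offset after it)."""
    labels, total, end = [], 0, None
    limit = offset  # every pointer must land before this position
    while True:
        if offset >= len(msg):
            raise DNSDecodeError("name runs past end of message")
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise DNSDecodeError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= limit:  # self or forward reference: would loop
                raise DNSDecodeError("pointer does not point backwards")
            if end is None:
                end = offset + 2  # the name ends after its first pointer
            limit = offset = target  # limit only shrinks, so this terminates
        elif length & 0xC0:
            raise DNSDecodeError("reserved label type")
        elif length == 0:
            return ".".join(labels) or ".", (offset + 1 if end is None else end)
        else:
            total += length + 1
            if total > MAX_NAME_LEN or offset + 1 + length > len(msg):
                raise DNSDecodeError("label too long or truncated")
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
            offset += 1 + length

def decode_a_rdata(rdata):
    """Return dotted-quad text for an A record, rejecting a wrong RDLENGTH."""
    if len(rdata) != 4:
        raise DNSDecodeError(f"A record rdata is {len(rdata)} bytes, expected 4")
    return ".".join(str(b) for b in rdata)

# Constructed samples: a 12-byte zero header, then name data from offset 12.
HDR = bytes(12)
GOOD = HDR + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
LOOP = HDR + b"\xc0\x0c"  # a pointer whose target is itself

if __name__ == "__main__":
    print(expand_name(GOOD, 25))
    for bad in (lambda: expand_name(LOOP, 12), lambda: decode_a_rdata(b"\xc0\x00\x02")):
        try:
            bad()
        except DNSDecodeError as exc:
            print("rejected:", exc)
```
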

For the stable distribution (etch), these problems have been fixed in
version 0.59-1etch1.

For the old stable distribution (sarge), these problems have been fixed in
version 0.48-1sarge1.

We recommend that you upgrade your libnet-dns-perl package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48.orig.tar.gz
    Size/MD5 checksum:    95754 bd5bab1de250b947a3f00148d426f2e2
  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.diff.gz
    Size/MD5 checksum:     6853 72b2f73855eceafb316f7fde51bc474e
  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.dsc
    Size/MD5 checksum:      916 69ce0c55a0c3876faaee37e78c592ec8

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_alpha.deb
    Size/MD5 checksum:   218240 71fd2aa70013343c56393c39e531c519

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_amd64.deb
    Size/MD5 checksum:   217376 142332f79bb63901d36918d57dd6c3e1

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_arm.deb
    Size/MD5 checksum:   217576 4e3532c27961f8a6c2dc55be1d203203

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_hppa.deb
    Size/MD5 checksum:   217734 7ef76c96fd941eb8448b53e14b9caab7

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_i386.deb
    Size/MD5 checksum:   217226 ee51c0d78f1482161f241fa9a37aba5a

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_ia64.deb
    Size/MD5 checksum:   218274 6bf0d11ccddea933acaf4c5211b3d23d

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_m68k.deb
    Size/MD5 checksum:   217352 659799bf4aff06dc35e10329fcf46038

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_mips.deb
    Size/MD5 checksum:   217448 4c643d81f131bef41dab281d5506aad6

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_mipsel.deb
    Size/MD5 checksum:   217142 6a604d3b26de424c6ffe074bc088b805

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_powerpc.deb
    Size/MD5 checksum:   218728 cfccb7c876b8bef24b448fefac3360c1

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_s390.deb
    Size/MD5 checksum:   217020 269b4d4665f700c01677a903a195515c

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_sparc.deb
    Size/MD5 checksum:   217214 512d734a1fd6783ec7319ce1edd9dd85

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.diff.gz
    Size/MD5 checksum:     7584 bfbdf3851e092853756b78e648b5af29
  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59.orig.tar.gz
    Size/MD5 checksum:   137998 d3408875f34e5fa0a313a4a21c70e832
  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.dsc
    Size/MD5 checksum:      915 97a61f446273f49c42348334f5cc9ba8

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_alpha.deb
    Size/MD5 checksum:   253686 f64df4fbbef1d1a4859defc99b78735a

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_amd64.deb
    Size/MD5 checksum:   252906 ac599d5c037f6488e039887081d4d93b

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_arm.deb
    Size/MD5 checksum:   253716 3f9421ad70af6f70dd034c2958d8cd51

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_hppa.deb
    Size/MD5 checksum:   252768 d31f1e9d902efe591c334d29142c993f

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_i386.deb
    Size/MD5 checksum:   252170 0db91e6dd980d9f17dbc86f4684bd92c

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_ia64.deb
    Size/MD5 checksum:   253362 e977ad76777c9e17d45118b42c85860a

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_mips.deb
    Size/MD5 checksum:   252402 b470009b3dac4cb244e47af19047f884

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_mipsel.deb
    Size/MD5 checksum:   251640 43ffbd75ca18b847dd16d47c06e2f97f

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_powerpc.deb
    Size/MD5 checksum:   253538 2aa432f5f20882fa3236375f1fa10e61

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_s390.deb
    Size/MD5 checksum:   251724 0de26882626711d87f84d19c1c6af194

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_sparc.deb
    Size/MD5 checksum:   251638 3edbe84034df5c69c5a23a08738faa21


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----
