[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87d4q03nyp.fsf@mid.deneb.enyo.de>
Date: Tue, 11 Mar 2008 23:17:18 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1515-1] New libnet-dns-perl
packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1515-1 security@...ian.org
http://www.debian.org/security/ Florian Weimer
March 11, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : libnet-dns-perl
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-3377 CVE-2007-3409 CVE-2007-6341
Debian Bug : 457445
Several remote vulnerabilities have been discovered in libnet-dns-perl.
The Common Vulnerabilities and Exposures project identifies the
following problems:
It was discovered that libnet-dns-perl generates very weak transaction
IDs when sending queries (CVE-2007-3377). This update switches
transaction ID generation to the Perl random generator, making
prediction attacks more difficult.
Compression loops in domain names resulted in an infinite loop in the
domain name expander written in Perl (CVE-2007-3409). The Debian
package uses an expander written in C by default, but this vulnerability
has been addressed nevertheless.
Decoding malformed A records could lead to a crash (via an uncaught
Perl exception) of certain applications using libnet-dns-perl
(CVE-2007-6341).
For the stable distribution (etch), these problems have been fixed in
version 0.59-1etch1.
For the old stable distribution (sarge), these problems have been fixed in
version 0.48-1sarge1.
We recommend that you upgrade your libnet-dns-perl package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48.orig.tar.gz
Size/MD5 checksum: 95754 bd5bab1de250b947a3f00148d426f2e2
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.diff.gz
Size/MD5 checksum: 6853 72b2f73855eceafb316f7fde51bc474e
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.dsc
Size/MD5 checksum: 916 69ce0c55a0c3876faaee37e78c592ec8
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_alpha.deb
Size/MD5 checksum: 218240 71fd2aa70013343c56393c39e531c519
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_amd64.deb
Size/MD5 checksum: 217376 142332f79bb63901d36918d57dd6c3e1
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_arm.deb
Size/MD5 checksum: 217576 4e3532c27961f8a6c2dc55be1d203203
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_hppa.deb
Size/MD5 checksum: 217734 7ef76c96fd941eb8448b53e14b9caab7
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_i386.deb
Size/MD5 checksum: 217226 ee51c0d78f1482161f241fa9a37aba5a
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_ia64.deb
Size/MD5 checksum: 218274 6bf0d11ccddea933acaf4c5211b3d23d
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_m68k.deb
Size/MD5 checksum: 217352 659799bf4aff06dc35e10329fcf46038
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_mips.deb
Size/MD5 checksum: 217448 4c643d81f131bef41dab281d5506aad6
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_mipsel.deb
Size/MD5 checksum: 217142 6a604d3b26de424c6ffe074bc088b805
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_powerpc.deb
Size/MD5 checksum: 218728 cfccb7c876b8bef24b448fefac3360c1
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_s390.deb
Size/MD5 checksum: 217020 269b4d4665f700c01677a903a195515c
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_sparc.deb
Size/MD5 checksum: 217214 512d734a1fd6783ec7319ce1edd9dd85
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.diff.gz
Size/MD5 checksum: 7584 bfbdf3851e092853756b78e648b5af29
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59.orig.tar.gz
Size/MD5 checksum: 137998 d3408875f34e5fa0a313a4a21c70e832
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.dsc
Size/MD5 checksum: 915 97a61f446273f49c42348334f5cc9ba8
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_alpha.deb
Size/MD5 checksum: 253686 f64df4fbbef1d1a4859defc99b78735a
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_amd64.deb
Size/MD5 checksum: 252906 ac599d5c037f6488e039887081d4d93b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_arm.deb
Size/MD5 checksum: 253716 3f9421ad70af6f70dd034c2958d8cd51
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_hppa.deb
Size/MD5 checksum: 252768 d31f1e9d902efe591c334d29142c993f
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_i386.deb
Size/MD5 checksum: 252170 0db91e6dd980d9f17dbc86f4684bd92c
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_ia64.deb
Size/MD5 checksum: 253362 e977ad76777c9e17d45118b42c85860a
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_mips.deb
Size/MD5 checksum: 252402 b470009b3dac4cb244e47af19047f884
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_mipsel.deb
Size/MD5 checksum: 251640 43ffbd75ca18b847dd16d47c06e2f97f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_powerpc.deb
Size/MD5 checksum: 253538 2aa432f5f20882fa3236375f1fa10e61
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_s390.deb
Size/MD5 checksum: 251724 0de26882626711d87f84d19c1c6af194
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_sparc.deb
Size/MD5 checksum: 251638 3edbe84034df5c69c5a23a08738faa21
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR9cFkr97/wQC1SS+AQJcDQf/dfU2EsBbHj/ij0rgsyZ0anyHI7tx8uYp
tXZl1MpVwreNJqOhC6UGRjqa3Q1CuHR6MrsViVSLiluLngMLTTZm1rhpfH2SB1K+
sCis4S6cmSjWCbtNPryDp/94Nv/WZyS4r9gQ1Gvgnq02K+EuCG24bzvi0pcJ4Gtg
Ee8o4p17OEp4V2+SnX0tMkJ2cpyRNplPXp5nlG3gY4ImYsR4RAgtJZJCxmeshB99
2eTWSZM1Ry+jjnD5l5yK2vfkixXf/vBXq7Hgg7MbwwNqsyrswvWCll3nEZt7mOuW
E6dOYBXfl4KOTOAHMJek7mXfUIBsHo74qcInhhYGbzZWmFxcUgCrew==
=mdlz
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists