lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080419164503.GA3893@galadriel.inutil.org>
Date: Sat, 19 Apr 2008 18:45:03 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1551-1] New python2.4 packages
	fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1551-1                  security@...ian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
April 19, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : python2.4
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887

Several vulnerabilities have been discovered in the interpreter for the
Python language. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2007-2052

    Piotr Engelking discovered that the strxfrm() function of the locale
    module miscalculates the length of an internal buffer, which may
    result in a minor information disclosure.

CVE-2007-4965

    It was discovered that several integer overflows in the imageop
    module may lead to the execution of arbitrary code, if a user is
    tricked into processing malformed images. This issue is also
    tracked as CVE-2008-1679 due to an initially incomplete patch.

CVE-2008-1721
 
    Justin Ferguson discovered that a buffer overflow in the zlib
    module may lead to the execution of arbitrary code.

CVE-2008-1887

    Justin Ferguson discovered that insufficient input validation in
    PyString_FromStringAndSize() may lead to the execution of arbitrary
    code.

For the stable distribution (etch), these problems have been fixed in
version 2.4.4-3+etch1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.5-2.

We recommend that you upgrade your python2.4 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.diff.gz
    Size/MD5 checksum:   195434 8b86b3dc4c5a86a9ad8682fee56f30ca
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
    Size/MD5 checksum:  9508940 f74ef9de91918f8927e75e8c3024263a
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.dsc
    Size/MD5 checksum:     1201 585773fd24634e05bb56b8cc85215c65

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch1_all.deb
    Size/MD5 checksum:   589642 63092c4cd1ea78c0993345be25a162b8
  http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch1_all.deb
    Size/MD5 checksum:    60864 21664a3f029087144046b6c175e88736

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:  2968890 60a29f058a96e21d278a738fbb8067bf
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:  1848176 ddb7c47970f277baa00e6c080e4530bd
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:  5226532 5aa6daa859acdfdfcb7445586f4a0eb6
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_alpha.deb
    Size/MD5 checksum:   963606 38c08ee31ae6189631e503ad3d76fa87

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:  2967058 6f06a90e94a6068b126413111185aff5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:  1635936 d5f98666609c652224b5552f5bb6b7a9
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:   966196 7436b29b52acd99872d79b595f489ace
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_amd64.deb
    Size/MD5 checksum:  5587046 82444f4d11055f259d0899a0f8574b37

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:  2881272 408ac2b8cd6180975109364b26ae1c95
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:   901442 88d59caa6744da5c62a802124087d09c
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:  1500512 3113ad3590f5969703ce426a23ca67dd
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_arm.deb
    Size/MD5 checksum:  5351974 4f77de8e3dd9c12aa1e06a57cee82dac

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  3073066 1b4498c26a825c27c6d9765ed8a2e33e
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  5521834 68a5524fdb007cacc29a38865a43781d
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  1798220 6c9ce4754c024fbd1674a63c5ba0f06a
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_hppa.deb
    Size/MD5 checksum:  1017646 b8dd6490a43da08aa36c43712c360ff8

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:  2849512 2598cb802b7f5e1aac6404b801a0a7f0
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:  1508782 b8ffe50ecf5dfe173765dc5b263b7737
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:  5176966 f6892dc5e598f1811bfc32ea81a863d6
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_i386.deb
    Size/MD5 checksum:   900670 7956a1cf96b4b59de2d9e4972e04fff2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  3371938 88e170459b0762e1db775753f6d69bb5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  2269496 2c1ef318f92b9d4b1c202ad77c8c4462
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  1289496 d6fba2d2ea64736cf614b0b3b1ced9bf
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_ia64.deb
    Size/MD5 checksum:  6059106 e1008e68d3d775590b2a29bd7bec7b6c

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:  2906992 e6e43c336e1095e3fe7f5985e500bf55
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:  1725610 a9e2b6b11b1d9185885a9f99ed2d03b8
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:  5646190 5c420d1aa984c190b121c8494c6fca5a
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mips.deb
    Size/MD5 checksum:   956712 4949e953435f72cf9d06bb8684170175

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:  1717120 30986065ecf6810f46294c8ca196b538
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:   939320 89571b10c2635774f65921083344a911
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:  5507492 a06d9728ef16072ee50b3a1fcf7d08a8
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mipsel.deb
    Size/MD5 checksum:  2863620 90b6a4b2c498acb4a46e205d36cf8ec9

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:  1639780 4b7c83795b6d07c3a4050d5db977c577
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:  5778968 7e97b8f62daf0f91e48bf6af20552b51
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:  2956174 8e55e492ee8aa6e4787e77b161a245e5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_powerpc.deb
    Size/MD5 checksum:   978078 9212e583942704f71a07478baa4d6446

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:   973904 3cc580a21934a7f5fac203235386e250
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:  2976776 efb7a2dc81b69a45ead47986d3b8fce5
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:  1646932 146ee8341c514308b15ca151753b3ca8
  http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_s390.deb
    Size/MD5 checksum:  5667818 9b4543d9a0e5f51e8d9b790f6c3b43c8


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFICiFUXm3vHE4uyloRAngQAKCJJPkv3wrtkymZDNanh9AQoGeRxACgqrLd
GsESR3yK0RopGIWWi6Ed91I=
=rgLC
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ