lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1233002458.19266.1.camel@mdlinux.technorage.com>
Date: Mon, 26 Jan 2009 15:40:58 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [USN-711-1] KTorrent vulnerabilities

===========================================================
Ubuntu Security Notice USN-711-1           January 26, 2009
ktorrent vulnerabilities
CVE-2008-5905, CVE-2008-5906
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  ktorrent                        2.2.1-0ubuntu3.1

Ubuntu 8.04 LTS:
  ktorrent                        2.2.5-0ubuntu1.1

Ubuntu 8.10:
  ktorrent                        3.1.2+dfsg.1-0ubuntu2.1

After a standard system upgrade you need to restart KTorrent to effect
the necessary changes.

Details follow:

It was discovered that KTorrent did not properly restrict access when using the
web interface plugin. A remote attacker could use a crafted http request and
upload arbitrary torrent files to trigger the start of downloads and seeding.
(CVE-2008-5905)

It was discovered that KTorrent did not properly handle certain parameters when
using the web interface plugin. A remote attacker could use crafted http
requests to execute arbitrary PHP code. (CVE-2008-5906)


Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1.diff.gz
      Size/MD5:     8139 542d145b17f4c93e90358305f5082892
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1.dsc
      Size/MD5:      679 5d731774f0370fa9347ff1d4a9fe59b3
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1.orig.tar.gz
      Size/MD5:  3763678 229a0615d9252510d9387079dd5bd86d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_amd64.deb
      Size/MD5:  2809826 64590eb7d61058feffe16b0c05c462de

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_i386.deb
      Size/MD5:  2764082 0e1d642f8f86576da7aadb1ba5915993

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_lpia.deb
      Size/MD5:  2769980 979fbc6391793dd1b976b555614b8125

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_powerpc.deb
      Size/MD5:  2912698 5c0baa03be10092f5f9dae0ec33cf050

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_sparc.deb
      Size/MD5:  2764418 71d8cf3eb924098584948847752a69e7

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1.diff.gz
      Size/MD5:     8186 887b90cfe0b14d6e654edf5f83d443a1
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1.dsc
      Size/MD5:      679 1cf90260c7bb419ba83f280e0c242c1e
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5.orig.tar.gz
      Size/MD5:  3841204 f5cd0430250317eff85d8356d65c0a6f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_amd64.deb
      Size/MD5:  2812314 a60c001b92052ac0d269c894f4bafa7c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_i386.deb
      Size/MD5:  2749174 361a62003fe4029dd48b007f05a18848

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_lpia.deb
      Size/MD5:  2762832 e458e9a11bf9d2db72c8af4d89936241

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_powerpc.deb
      Size/MD5:  2894978 935494d19c317011e02041b204d042a5

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_sparc.deb
      Size/MD5:  2744550 5a1f3871c1a972155efcc1a77cac2788

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1.diff.gz
      Size/MD5:    28491 2dfc78827267f8a0316f7b871a3c5795
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1.dsc
      Size/MD5:     1616 9daa934ea811f90d15aafcb96bcb8b3e
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1.orig.tar.gz
      Size/MD5:  3243464 d7ec6f8f7a77f9a460c99f9ba1d95cec

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_amd64.deb
      Size/MD5: 10574990 4039eb82f82e92c60212a4639842fb8e
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_amd64.deb
      Size/MD5:  1876310 7d183d5f936776da921a26eb07852cf9

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_i386.deb
      Size/MD5: 10462534 b2a3142f8a5a73fac78af5651cb31a68
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_i386.deb
      Size/MD5:  1872266 7f2002e96efccf24fd12178a0ac2af91

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_lpia.deb
      Size/MD5: 10485854 5b8f4fda1bb0b2e797a2b6d59bbe0f1a
    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_lpia.deb
      Size/MD5:  1891462 4b37c0d9502c46aa5f55e7cccd35c7b5

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_powerpc.deb
      Size/MD5: 11060316 fd33f09a63abe5485884da105fd5de91
    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_powerpc.deb
      Size/MD5:  1947996 561ba5edef371c84a165d61a88df0b80

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_sparc.deb
      Size/MD5: 10583140 b2957586c0802312c7e837336b2dfc10
    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_sparc.deb
      Size/MD5:  1873550 2d38e242cfa474fb4c335a1ae2475482



Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ