Debians sikkerhedsbulletin

DSA-034-1 ePerl -- root-fjernangreb

Rapporteret den:

7. mar 2001

Berørte pakker:

eperl

Sårbar:

Referencer i sikkerhedsdatabaser:

I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 2464.
I Mitres CVE-ordbog: CVE-2001-0458.

Yderligere oplysninger:

Fumitoshi Ukai og Denis Barbier har opdaget flere potentielle buffer-overløbsfejl i vores version af ePerl som distribueres i alle vore distributioner.

Når ePerl er installeret setuid root, kan programmet skifte til scriptets ejers UID/GID. Selvom Debian ikke distribuerer programmet setuid root, er dette en nyttig funktion som folk kan have slået til lokalt. Når programmet anvendes om /usr/lib/cgi-bin/nph-eperl kan fejlene desuden medføre en fjern-sårbarhed.

Version 2.2.14-0.7potato2 retter dette; vi anbefaler at du omgående opgraderer din ePerl-pakke.

Rettet i:

Debian 2.2 (potato)

Kildekode:: http://security.debian.org/dists/stable/updates/main/source/eperl_2.2.14-0.7potato2.diff.gz; http://security.debian.org/dists/stable/updates/main/source/eperl_2.2.14-0.7potato2.dsc; http://security.debian.org/dists/stable/updates/main/source/eperl_2.2.14.orig.tar.gz
alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/eperl_2.2.14-0.7potato2_alpha.deb
arm:: http://security.debian.org/dists/stable/updates/main/binary-arm/eperl_2.2.14-0.7potato2_arm.deb
i386:: http://security.debian.org/dists/stable/updates/main/binary-i386/eperl_2.2.14-0.7potato2_i386.deb
m68k:: http://security.debian.org/dists/stable/updates/main/binary-m68k/eperl_2.2.14-0.7potato2_m68k.deb
powerpc:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/eperl_2.2.14-0.7potato2_powerpc.deb
sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/eperl_2.2.14-0.7potato2_sparc.deb