Debians sikkerhedsbulletin
DSA-883-1 thttpd -- usikker midlertidig fil
- Rapporteret den:
- 4. nov 2005
- Berørte pakker:
- thttpd
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2005-3124.
- Yderligere oplysninger:
-
Javier Fernández-Sanguino Peña fra Debians Debian Security Audit-teamet har opdaget at skriptet syslogtocern fra thttpd, en lille webserver, anvendte en midlertidig fil på en usikker måde, hvilket gjorde det muligt for en lokal angriber at iværksætte et symlink-angreb til overskrivelse af vilkårlige filer.
I den gamle stabile distribution (woody) er dette problem rettet i version 2.21b-11.3.
I den stabile distribution (sarge) er dette problem rettet i version 2.23beta1-3sarge1.
I den ustabile distribution (sid) er dette problem rettet i version 2.23beta1-4.
Vi anbefaler at du opgraderer din thttpd-pakke.
- Rettet i:
-
Debian GNU/Linux 3.0 (woody)
- Kildekode:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3.dsc
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3.diff.gz
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b.orig.tar.gz
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_alpha.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_alpha.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_arm.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_arm.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_i386.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_i386.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_ia64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_ia64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_hppa.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_hppa.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_m68k.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_m68k.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_mips.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mips.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_mipsel.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mipsel.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_powerpc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_powerpc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_s390.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_s390.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_sparc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_sparc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_sparc.deb
Debian GNU/Linux 3.1 (sarge)
- Kildekode:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1.dsc
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1.diff.gz
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1.orig.tar.gz
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_alpha.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_alpha.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_amd64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_amd64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_arm.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_arm.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_i386.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_i386.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_ia64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_ia64.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_hppa.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_hppa.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_m68k.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_m68k.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_mips.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mips.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_mipsel.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mipsel.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_powerpc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_powerpc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_s390.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_s390.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_sparc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_sparc.deb
- http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.