Just wondering what caused this to post so late. It just came in to bugtraq.... dated 29-Sep-2004.

-Jim P.

-------- Forwarded Message --------
> From: Dominic Hargreaves <dom@xxxxxxxx>
> Reply-To: Discussion of the Fedora Legacy Project <fedora-legacy-list@xxxxxxxxxx>
> To: fedora-legacy-announce@xxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
> Cc: fedora-legacy-list@xxxxxxxxxx
> Subject: [FLSA-2004:1552] Updated cadaver packages that fix security vulnerabilities
> Date: Wed, 29 Sep 2004 17:13:58 +0100
>
> -----------------------------------------------------------------------
> Fedora Legacy Update Advisory
>
> Synopsis: Updated cadaver resolves security vulnerabilities
> Advisory ID: FLSA:1552
> Issue date: 2004-09-29
> Product: Red Hat Linux
> Keywords: Security
> Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1552
> CVE Names: CAN-2004-0179, CAN-2004-0398
> -----------------------------------------------------------------------
>
> -----------------------------------------------------------------------
> 1. Topic:
>
> Updated cadaver packages that fix multiple security vulnerabilities are
> now available.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
>
> 3. Problem description:
>
> An updated cadaver package that fixes a vulnerability in neon exploitable
> by a malicious DAV server is now available.
>
> cadaver is a command-line WebDAV client that uses inbuilt code from neon,
> an HTTP and WebDAV client library.
>
> Versions of the neon client library up to and including 0.24.4 have been
> found to contain a number of format string bugs. An attacker could create
> a malicious WebDAV server in such a way as to allow arbitrary code
> execution on the client should a user connect to it using cadaver. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2004-0179 to this issue. This issue was addressed in a previous
> update for Red Hat Linux 9.
>
> Stefan Esser discovered a flaw in the neon library which allows a heap
> buffer overflow in a date parsing routine. An attacker could create
> a malicious WebDAV server in such a way as to allow arbitrary code
> execution on the client should a user connect to it using cadaver. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2004-0398 to this issue.
>
> Users of cadaver are advised to upgrade to this updated package, which
> contains patches correcting these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade. Only those
> RPMs which are currently installed will be updated. Those RPMs which are
> not installed but included in the list will not be updated. Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains
> the desired RPMs.
>
> Please note that this update is also available via yum and apt. Many
> people find this an easier way to apply updates. To use yum issue:
>
> yum update
>
> or to use apt:
>
> apt-get update; apt-get upgrade
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system. This assumes that you have yum or
> apt-get configured for obtaining Fedora Legacy content. Please visit
> http://www.fedoralegacy.org/docs/ for directions on how to configure yum
> and apt-get.
>
> 5. Bug IDs fixed:
>
> http://bugzilla.fedora.us - 1552 - cadaver neon vulnerability (CAN-2004-0179)
>
> 6. RPMs required:
>
> Red Hat Linux 7.3:
>
> SRPM:
> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
>
> i386:
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
>
> Red Hat Linux 9:
>
> SRPM:
> http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
>
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
>
> 7. Verification:
>
> SHA1 sum                                  Package Name
> ---------------------------------------------------------------------------
>
> 46931edc0f4e8ad25c994891938c103a45f28982  7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
> 0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4  7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
> 6cc852676c85e9cc3dc8e472676185cdffabf09f  9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
> 1a9d4e010885e902b2a6a994cfee5744b7f4afba  9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
>
> These packages are GPG signed by Fedora Legacy for security. Our key is
> available from http://www.fedoralegacy.org/about/security.php
>
> You can verify each package with the following command:
>
> rpm --checksig -v <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the sha1sum with the following command:
>
> sha1sum <filename>
>
> 8. References:
>
> http://security.e-matters.de/advisories/062004.html
>
> 9. Contact:
>
> The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
> project details at http://www.fedoralegacy.org
>
> ---------------------------------------------------------------------
> --
>
> fedora-legacy-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
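One way to carry out the verification step from section 7 of the advisory, as an added example that is neither part of the advisory nor Fedora Legacy's own tooling: a POSIX sh script that compares each downloaded RPM against the SHA1 sums the advisory lists and then runs rpm --checksig on it. It assumes the packages were saved in one directory under their original file names and that the Fedora Legacy key has already been imported into rpm.

```shell
#!/bin/sh
# Added example, not part of the advisory: check downloaded update RPMs
# against the SHA1 sums listed in section 7, then let rpm verify the
# Fedora Legacy GPG signature. Assumes the packages were saved under their
# original file names in one directory. Use: . ./verify.sh; verify_dir DIR

# SHA1 table copied from section 7 of the advisory: "<hash> <path>".
ADVISORY_SUMS='
46931edc0f4e8ad25c994891938c103a45f28982 7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4 7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f 9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
1a9d4e010885e902b2a6a994cfee5744b7f4afba 9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
'

# expected_sum NAME: print the advisory's SHA1 for a package file name
# (matched on the last path component); prints nothing if it is not listed.
expected_sum() {
    printf '%s\n' "$ADVISORY_SUMS" | awk -v name="$1" '
        NF == 2 { n = split($2, p, "/"); if (p[n] == name) print $1 }'
}

# verify_file PATH: compare the real SHA1 of PATH with the advisory value.
# Exit status: 0 = matches, 1 = digest mismatch, 2 = not in the advisory.
verify_file() {
    name=$(basename "$1")
    want=$(expected_sum "$name")
    if [ -z "$want" ]; then
        echo "UNLISTED  $name (not named in this advisory)"; return 2
    fi
    got=$(sha1sum "$1" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK        $name"
    else
        echo "MISMATCH  $name: got $got, advisory lists $want"; return 1
    fi
}

# verify_dir DIR: check every RPM in DIR. The digest shows the file is the
# one the advisory describes; rpm --checksig also checks the GPG signature
# (the Fedora Legacy key must be imported first), so both must pass.
verify_dir() {
    status=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        verify_file "$f" || status=1
        if command -v rpm >/dev/null 2>&1; then
            rpm --checksig -v "$f" || status=1
        fi
    done
    return $status
}
```

A matching digest alone only shows the download is the file the advisory describes; the rpm --checksig step is what ties it to the Fedora Legacy signing key.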