-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.003                                          12-Mar-2002
________________________________________________________________________

Package:             zlib, cvs, gnupg, rrdtool, rsync
Vulnerability:       denial of service, information leakage, code execution
OpenPKG Specific:    no

Affected Releases:   OpenPKG 1.0
Affected Packages:   <= zlib-1.1.3-1.0.0
                     <= cvs-1.11.1p1-1.0.0
                     <= gnupg-1.0.6-1.0.1
                     <= rrdtool-1.0.33-1.0.0
                     <= rsync-2.5.0-1.0.0
Corrected Packages:  >= zlib-1.1.3-1.0.1
                     >= cvs-1.11.1p1-1.0.1
                     >= gnupg-1.0.6-1.0.2
                     >= rrdtool-1.0.33-1.0.1
                     >= rsync-2.5.0-1.0.1
Dependent Packages:  gd, ircd, libxml, lynx, mng, openssh, png, snmp, xdelta

Description:
  According to a Zlib Security Advisory [5] and the original CERT/CC
  vulnerability note [6] from Jeffrey P. Lanza, there is a bug in the
  Zlib compression library that may manifest itself as a vulnerability
  in programs that are linked with Zlib. The bug is a double free: a
  programming error causes segments of dynamically allocated memory to
  be released more than once while a specially crafted compressed
  stream is being decompressed. Depending on the program and the
  platform's memory allocator, an attacker who can feed such a stream
  to a Zlib-linked program may conduct a denial-of-service attack,
  gather information, or execute arbitrary code.

  The cvs, gnupg, rrdtool and rsync packages are listed as affected in
  their own right because they are built from a private copy of the
  Zlib sources carried in their own distributions; upgrading the zlib
  package alone does not fix them.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -qa zlib", and likewise for cvs, gnupg, rrdtool and rsync. If you
  have the "zlib" package installed and its version is affected (see
  above), we recommend that you immediately upgrade it (see Solution).
  Additionally, we recommend that you rebuild and reinstall all
  dependent OpenPKG packages, too. [2]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
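  Selecting the right source RPMs by hand is error-prone on a host with
  several of these packages installed. The following POSIX sh script is
  an added example and is not part of this advisory or of the OpenPKG
  tools: it takes the "name-version-release" lines that
  "<prefix>/bin/rpm -qa" prints, decides for each line whether the
  package is still at or below the affected version, and names the UPD
  source RPM that corrects it. The version comparison only approximates
  rpm's own rules, the URL base is taken from the references below, and
  the sample listing at the end is constructed, not captured from a
  real system.

```shell
#!/bin/sh
# Added helper, not part of the OpenPKG advisory or the OpenPKG tools:
# given the "name-version-release" lines that "<prefix>/bin/rpm -qa"
# prints, report which installed packages are still at or below the
# affected versions and name the UPD source RPM that corrects each one.

# Corrected package versions from the advisory; anything older is affected.
CORRECTED="zlib-1.1.3-1.0.1
cvs-1.11.1p1-1.0.1
gnupg-1.0.6-1.0.2
rrdtool-1.0.33-1.0.1
rsync-2.5.0-1.0.1"

# Location of the updated source RPMs per the advisory's references.
UPD_URL="ftp://ftp.openpkg.org/release/1.0/UPD"

# vercmp A B: print -1, 0 or 1 as A is older than, equal to or newer than B.
# Approximates rpm's rule set: both strings are cut into runs of digits and
# runs of letters, digit runs compare numerically, letter runs compare as
# strings, a digit run beats a letter run, and the string with segments
# left over is the newer one. (Assumption: no tilde/caret operators.)
vercmp() {
    awk -v a="$1" -v b="$2" '
    function tokenize(s, arr,    n) {
        n = 0
        while (match(s, /[0-9]+|[a-zA-Z]+/)) {
            arr[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    BEGIN {
        split("", ta); split("", tb)
        na = tokenize(a, ta); nb = tokenize(b, tb)
        for (i = 1; i <= na && i <= nb; i++) {
            x = ta[i]; y = tb[i]
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn && yn) {
                if (x + 0 != y + 0) { print (x + 0 < y + 0 ? -1 : 1); exit }
            } else if (xn != yn) {
                print (xn ? 1 : -1); exit
            } else if (x != y) {
                print (x < y ? -1 : 1); exit
            }
        }
        print (na == nb ? 0 : (na < nb ? -1 : 1))
    }'
}

# Split an rpm "name-version-release" string: the release is after the
# last dash, the version between the last two dashes, the name is the rest.
pkg_release() { echo "${1##*-}"; }
pkg_version() { nv="${1%-*}"; echo "${nv##*-}"; }
pkg_name()    { nv="${1%-*}"; echo "${nv%-*}"; }

# corrected_for NAME: print the corrected package string for NAME, if any.
corrected_for() {
    echo "$CORRECTED" | while IFS= read -r c; do
        if [ "$(pkg_name "$c")" = "$1" ]; then echo "$c"; fi
    done
}

# needs_upgrade PKG: succeed (0) when PKG is covered by this advisory and
# is older than its corrected version; fail (1) otherwise.
needs_upgrade() {
    fixed=$(corrected_for "$(pkg_name "$1")")
    [ -n "$fixed" ] || return 1
    c=$(vercmp "$(pkg_version "$1")" "$(pkg_version "$fixed")")
    if [ "$c" -eq 0 ]; then
        c=$(vercmp "$(pkg_release "$1")" "$(pkg_release "$fixed")")
    fi
    [ "$c" -lt 0 ]
}

# affected_from_listing LISTING: for every package in an "rpm -qa" listing
# that needs the update, print "installed -> source RPM URL to fetch".
affected_from_listing() {
    echo "$1" | while IFS= read -r p; do
        if [ -n "$p" ] && needs_upgrade "$p"; then
            echo "$p -> $UPD_URL/$(corrected_for "$(pkg_name "$p")").src.rpm"
        fi
    done
}

# Constructed sample listing (not captured from a real host): two packages
# at an affected release, one already corrected, one that merely depends
# on zlib and is handled by the "rebuild dependent packages" step instead.
SAMPLE_LISTING="zlib-1.1.3-1.0.0
cvs-1.11.1p1-1.0.1
gnupg-1.0.6-1.0.1
openssh-3.1p1-1.0.0"

affected_from_listing "$SAMPLE_LISTING"
```

  On a real host, replace the constructed listing with the output of
  "<prefix>/bin/rpm -qa" and feed each printed URL into the fetch,
  "--checksig", "--rebuild" and "-Fvh" steps below.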
  For the latest OpenPKG 1.0 release, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get zlib-1.1.3-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig zlib-1.1.3-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild zlib-1.1.3-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.3-1.0.1.*.rpm

  Proceed to "--rebuild" only if "--checksig" reports the OpenPKG
  signature on the source RPM as OK [1]; a failed or missing signature
  means the file was corrupted or altered in transit, or that the
  OpenPKG public key is not yet in your keyring, and the package must
  not be built or installed until this is resolved. Note that "-F"
  (freshen) only replaces packages that are already installed, which is
  the intended behaviour for an update.

  Now repeat these steps accordingly for all other affected packages
  [7][8][9][10]. Finally, rebuild and reinstall the dependent packages.

________________________________________________________________________

References:
  [1]  http://www.openpkg.org/security.html#signature
  [2]  http://www.openpkg.org/tutorial.html#regular-source
  [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
  [4]  ftp://ftp.openpkg.org/release/1.0/UPD/zlib-1.1.3-1.0.1.src.rpm
  [5]  http://www.gzip.org/zlib/advisory-2002-03-11.txt
  [6]  http://www.kb.cert.org/vuls/id/368819
  [7]  ftp://ftp.openpkg.org/release/1.0/UPD/cvs-1.11.1p1-1.0.1.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.0/UPD/gnupg-1.0.6-1.0.2.src.rpm
  [9]  ftp://ftp.openpkg.org/release/1.0/UPD/rrdtool-1.0.33-1.0.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.0/UPD/rsync-2.5.0-1.0.1.src.rpm

________________________________________________________________________

  For security reasons, this advisory was digitally signed with the
  OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of
  the OpenPKG project which you can find under the official URL
  http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/.
  To check the integrity of this advisory, verify its digital signature
  by using GnuPG (http://www.gnupg.org/). For instance, pipe this
  message to the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAjyOZRkACgkQgHWT4GPEy5+QVQCfQ0Y32tqvBImcdOnR+9BKc+XP
ya0AoIhIkhCkMBzS5MzZtBkevUwIw7Gg
=D3Av
-----END PGP SIGNATURE-----