-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1515-1 security@xxxxxxxxxx http://www.debian.org/security/ Florian Weimer March 11, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : libnet-dns-perl Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2007-3377 CVE-2007-3409 CVE-2007-6341 Debian Bug : 457445 Several remote vulnerabilities have been discovered in libnet-dns-perl. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libnet-dns-perl generates very weak transaction IDs when sending queries (CVE-2007-3377). This update switches transaction ID generation to the Perl random generator, making prediction attacks more difficult. Compression loops in domain names resulted in an infinite loop in the domain name expander written in Perl (CVE-2007-3409). The Debian package uses an expander written in C by default, but this vulnerability has been addressed nevertheless. Decoding malformed A records could lead to a crash (via an uncaught Perl exception) of certain applications using libnet-dns-perl (CVE-2007-6341). For the stable distribution (etch), these problems have been fixed in version 0.59-1etch1. For the old stable distribution (sarge), these problems have been fixed in version 0.48-1sarge1. We recommend that you upgrade your libnet-dns-perl package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48.orig.tar.gz Size/MD5 checksum: 95754 bd5bab1de250b947a3f00148d426f2e2 http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.diff.gz Size/MD5 checksum: 6853 72b2f73855eceafb316f7fde51bc474e http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.dsc Size/MD5 checksum: 916 69ce0c55a0c3876faaee37e78c592ec8 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_alpha.deb Size/MD5 checksum: 218240 71fd2aa70013343c56393c39e531c519 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_amd64.deb Size/MD5 checksum: 217376 142332f79bb63901d36918d57dd6c3e1 arm architecture (ARM) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_arm.deb Size/MD5 checksum: 217576 4e3532c27961f8a6c2dc55be1d203203 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_hppa.deb Size/MD5 checksum: 217734 7ef76c96fd941eb8448b53e14b9caab7 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_i386.deb Size/MD5 checksum: 217226 ee51c0d78f1482161f241fa9a37aba5a ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_ia64.deb Size/MD5 checksum: 218274 6bf0d11ccddea933acaf4c5211b3d23d m68k architecture (Motorola Mc680x0) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_m68k.deb Size/MD5 checksum: 217352 659799bf4aff06dc35e10329fcf46038 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_mips.deb Size/MD5 checksum: 217448 4c643d81f131bef41dab281d5506aad6 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_mipsel.deb Size/MD5 checksum: 217142 6a604d3b26de424c6ffe074bc088b805 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_powerpc.deb Size/MD5 checksum: 218728 cfccb7c876b8bef24b448fefac3360c1 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_s390.deb Size/MD5 checksum: 217020 269b4d4665f700c01677a903a195515c sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_sparc.deb Size/MD5 checksum: 217214 512d734a1fd6783ec7319ce1edd9dd85 Debian GNU/Linux 4.0 alias etch - ------------------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.diff.gz Size/MD5 checksum: 7584 bfbdf3851e092853756b78e648b5af29 http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59.orig.tar.gz Size/MD5 checksum: 137998 d3408875f34e5fa0a313a4a21c70e832 http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.dsc Size/MD5 checksum: 915 97a61f446273f49c42348334f5cc9ba8 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_alpha.deb Size/MD5 checksum: 253686 f64df4fbbef1d1a4859defc99b78735a amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_amd64.deb Size/MD5 checksum: 252906 ac599d5c037f6488e039887081d4d93b arm architecture (ARM) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_arm.deb Size/MD5 checksum: 253716 3f9421ad70af6f70dd034c2958d8cd51 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_hppa.deb Size/MD5 checksum: 252768 d31f1e9d902efe591c334d29142c993f i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_i386.deb Size/MD5 checksum: 252170 0db91e6dd980d9f17dbc86f4684bd92c ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_ia64.deb Size/MD5 checksum: 253362 e977ad76777c9e17d45118b42c85860a mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_mips.deb Size/MD5 checksum: 252402 b470009b3dac4cb244e47af19047f884 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_mipsel.deb Size/MD5 checksum: 251640 43ffbd75ca18b847dd16d47c06e2f97f powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_powerpc.deb Size/MD5 checksum: 253538 2aa432f5f20882fa3236375f1fa10e61 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_s390.deb Size/MD5 checksum: 251724 0de26882626711d87f84d19c1c6af194 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_sparc.deb Size/MD5 checksum: 251638 3edbe84034df5c69c5a23a08738faa21 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR9cFkr97/wQC1SS+AQJcDQf/dfU2EsBbHj/ij0rgsyZ0anyHI7tx8uYp tXZl1MpVwreNJqOhC6UGRjqa3Q1CuHR6MrsViVSLiluLngMLTTZm1rhpfH2SB1K+ sCis4S6cmSjWCbtNPryDp/94Nv/WZyS4r9gQ1Gvgnq02K+EuCG24bzvi0pcJ4Gtg Ee8o4p17OEp4V2+SnX0tMkJ2cpyRNplPXp5nlG3gY4ImYsR4RAgtJZJCxmeshB99 2eTWSZM1Ry+jjnD5l5yK2vfkixXf/vBXq7Hgg7MbwwNqsyrswvWCll3nEZt7mOuW E6dOYBXfl4KOTOAHMJek7mXfUIBsHo74qcInhhYGbzZWmFxcUgCrew== =mdlz -----END PGP SIGNATURE-----
