[Fwd: [FLSA-2004:1552] Updated cadaver packages that fix security vulnerabilities]
Jim Popovitch
jimpop at yahoo.com
Tue Dec 28 21:36:08 UTC 2004
Just wondering what caused this to post so late. It just came in to
bugtraq.... dated 29-Sep-2004.
-Jim P.
-------- Forwarded Message --------
> From: Dominic Hargreaves <dom at earth.li>
> Reply-To: Discussion of the Fedora Legacy Project
> <fedora-legacy-list at redhat.com>
> To: fedora-legacy-announce at redhat.com, bugtraq at securityfocus.com,
> full-disclosure at lists.netsys.com
> Cc: fedora-legacy-list at redhat.com
> Subject: [FLSA-2004:1552] Updated cadaver packages that fix security
> vulnerabilities
> Date: Wed, 29 Sep 2004 17:13:58 +0100
> -----------------------------------------------------------------------
> Fedora Legacy Update Advisory
>
> Synopsis: Updated cadaver resolves security vulnerabilities
> Advisory ID: FLSA:1552
> Issue date: 2004-09-29
> Product: Red Hat Linux
> Keywords: Security
> Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1552
> CVE Names: CAN-2004-0179, CAN-2004-0398
> -----------------------------------------------------------------------
>
>
> -----------------------------------------------------------------------
> 1. Topic:
>
> Updated cadaver packages that fix multiple security vulnerabilities are
> now available.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
>
> 3. Problem description:
>
> An updated cadaver package that fixes a vulnerability in neon exploitable
> by a malicious DAV server is now available.
>
> cadaver is a command-line WebDAV client that uses inbuilt code from neon,
> an HTTP and WebDAV client library.
>
> Versions of the neon client library up to and including 0.24.4 have been
> found to contain a number of format string bugs. An attacker could create
> a malicious WebDAV server in such a way as to allow arbitrary code
> execution on the client should a user connect to it using cadaver. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2004-0179 to this issue. This issue was addressed in a previous
> update for Red Hat Linux 9.
>
> Stefan Esser discovered a flaw in the neon library which allows a heap
> buffer overflow in a date parsing routine. An attacker could create
> a malicious WebDAV server in such a way as to allow arbitrary code
> execution on the client should a user connect to it using cadaver. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2004-0398 to this issue.
>
> Users of cadaver are advised to upgrade to this updated package, which
> contains patches correcting these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade. Only those
> RPMs which are currently installed will be updated. Those RPMs which are
> not installed but included in the list will not be updated. Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains
> the desired RPMs.
>
> Please note that this update is also available via yum and apt. Many
> people find this an easier way to apply updates. To use yum issue:
>
> yum update
>
> or to use apt:
>
> apt-get update; apt-get upgrade
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system. This assumes that you have yum or
> apt-get configured for obtaining Fedora Legacy content. Please visit
> http://www.fedoralegacy.org/docs/ for directions on how to configure yum
> and apt-get.
>
> 5. Bug IDs fixed:
>
> http://bugzilla.fedora.us - 1552 - cadaver neon vulnerability (CAN-2004-0179)
>
> 6. RPMs required:
>
> Red Hat Linux 7.3:
>
> SRPM:
> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
>
> i386:
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
>
> Red Hat Linux 9:
>
> SRPM:
> http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
>
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
>
> 7. Verification:
>
> SHA1 sum Package Name
> ---------------------------------------------------------------------------
>
> 46931edc0f4e8ad25c994891938c103a45f28982 7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
> 0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4 7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
> 6cc852676c85e9cc3dc8e472676185cdffabf09f 9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
> 1a9d4e010885e902b2a6a994cfee5744b7f4afba 9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
>
> These packages are GPG signed by Fedora Legacy for security. Our key is
> available from http://www.fedoralegacy.org/about/security.php
>
> You can verify each package with the following command:
>
> rpm --checksig -v <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the sha1sum with the following command:
>
> sha1sum <filename>
>
> 8. References:
>
> http://security.e-matters.de/advisories/062004.html
>
> 9. Contact:
>
> The Fedora Legacy security contact is <secnotice at fedoralegacy.org>. More
> project details at http://www.fedoralegacy.org
>
> ---------------------------------------------------------------------
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
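As an added example (not part of the advisory or of Fedora Legacy's own tooling), the shell script below performs the checks from section 7 of the forwarded advisory before applying the update the way section 4 describes: each downloaded RPM is compared against the SHA1 table published in the advisory, then its GPG signature is checked with rpm --checksig, and only then is rpm -Fvh run. It assumes the files were saved under a local directory keeping the "<release>/updates/..." paths shown in the table, and that the Fedora Legacy key has already been imported into the RPM database.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloaded FLSA:1552 RPMs
# against the SHA1 table in section 7 and their GPG signature before
# applying them with "rpm -Fvh" (section 4). Files are expected under
# <dir>/ with the same "<release>/updates/..." relative paths as the table.

# Published sums (section 7) in "sha1sum -c" format: hash, two spaces, path.
FLSA_1552_SHA1SUMS='46931edc0f4e8ad25c994891938c103a45f28982  7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4  7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f  9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
1a9d4e010885e902b2a6a994cfee5744b7f4afba  9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm'

# check_sha1 <dir> <sums-text> <relpath>...: returns 0 only if every named
# file has a published sum, exists under <dir>, and matches it. A file that
# is missing, altered, or absent from the table fails the check.
check_sha1() {
    dir=$1; sums=$2; shift 2
    for p in "$@"; do
        line=$(printf '%s\n' "$sums" | grep -F -- "  $p") ||
            { echo "no published SHA1 for $p" >&2; return 1; }
        ( cd "$dir" && printf '%s\n' "$line" | sha1sum -c --status ) ||
            { echo "SHA1 mismatch or missing file: $p" >&2; return 1; }
    done
}

# check_gpg <rpm>...: returns 0 only if rpm reports a good signature for
# every file. Needs the Fedora Legacy key imported first (rpm --import);
# otherwise --checksig reports the signing key as unknown and fails.
check_gpg() {
    for f in "$@"; do
        rpm --checksig -v "$f" || return 1
    done
}

# verify_and_apply <dir> <relpath>...: both checks, then freshen only the
# packages already installed (rpm -F), exactly as section 4 recommends.
verify_and_apply() {
    dir=$1; shift
    check_sha1 "$dir" "$FLSA_1552_SHA1SUMS" "$@" || return 1
    ( cd "$dir" && check_gpg "$@" ) || return 1
    ( cd "$dir" && rpm -Fvh "$@" )
}

# Usage: sh verify-flsa-1552.sh <dir> 9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
if [ "$#" -ge 2 ]; then
    verify_and_apply "$@"
fi
```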