[Fwd: [FLSA-2004:1552] Updated cadaver packages that fix security vulnerabilities]

Jim Popovitch jimpop at yahoo.com
Tue Dec 28 21:36:08 UTC 2004


Just wondering what caused this to post so late.  It just came in to
bugtraq.... dated 29-Sep-2004.

-Jim P.

-------- Forwarded Message --------
> From: Dominic Hargreaves <dom at earth.li>
> Reply-To: Discussion of the Fedora Legacy Project
> <fedora-legacy-list at redhat.com>
> To: fedora-legacy-announce at redhat.com, bugtraq at securityfocus.com,
> full-disclosure at lists.netsys.com
> Cc: fedora-legacy-list at redhat.com
> Subject: [FLSA-2004:1552] Updated cadaver packages that fix security
> vulnerabilities
> Date: Wed, 29 Sep 2004 17:13:58 +0100
> -----------------------------------------------------------------------
>                Fedora Legacy Update Advisory
> 
> Synopsis:          Updated cadaver resolves security vulnerabilities
> Advisory ID:       FLSA:1552
> Issue date:        2004-09-29
> Product:           Red Hat Linux
> Keywords:          Security
> Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1552
> CVE Names:         CAN-2004-0179, CAN-2004-0398
> -----------------------------------------------------------------------
> 
> 
> -----------------------------------------------------------------------
> 1. Topic:
> 
> Updated cadaver packages that fix multiple security vulnerabilities are
> now available.
> 
> 2. Relevant releases/architectures:
> 
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
> 
> 3. Problem description:
> 
> An updated cadaver package that fixes a vulnerability in neon exploitable
> by a malicious DAV server is now available.
> 
> cadaver is a command-line WebDAV client that uses inbuilt code from neon,
> an HTTP and WebDAV client library.
> 
> Versions of the neon client library up to and including 0.24.4 have been
> found to contain a number of format string bugs. An attacker could create
> a malicious WebDAV server in such a way as to allow arbitrary code
> execution on the client should a user connect to it using cadaver. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2004-0179 to this issue. This issue was addressed in a previous
> update for Red Hat Linux 9.
> 
> Stefan Esser discovered a flaw in the neon library which allows a heap
> buffer overflow in a date parsing routine. An attacker could create
> a malicious WebDAV server in such a way as to allow arbitrary code
> execution on the client should a user connect to it using cadaver. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
> the name CAN-2004-0398 to this issue.
> 
> Users of cadaver are advised to upgrade to this updated package, which
> contains patches correcting these issues.
> 
> 4. Solution:
> 
> Before applying this update, make sure all previously released errata 
> relevant to your system have been applied.
> 
> To update all RPMs for your particular architecture, run:
> 
> rpm -Fvh [filenames]
> 
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those 
> RPMs which are currently installed will be updated.  Those RPMs which are 
> not installed but included in the list will not be updated.  Note that you 
> can also use wildcards (*.rpm) if your current directory *only* contains 
> the desired RPMs.
> 
> Please note that this update is also available via yum and apt.  Many 
> people find this an easier way to apply updates.  To use yum issue:
> 
> yum update
> 
> or to use apt:
> 
> apt-get update; apt-get upgrade
> 
> This will start an interactive process that will result in the appropriate 
> RPMs being upgraded on your system.  This assumes that you have yum or 
> apt-get configured for obtaining Fedora Legacy content. Please visit 
> http://www.fedoralegacy.org/docs/ for directions on how to configure yum 
> and apt-get.
> 
> 5. Bug IDs fixed:
> 
> http://bugzilla.fedora.us - 1552 - cadaver neon vulnerability (CAN-2004-0179)
> 
> 6. RPMs required:
> 
> Red Hat Linux 7.3:
> 
> SRPM:
> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
> 
> i386:
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
> 
> Red Hat Linux 9:
> 
> SRPM:
> http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
> 
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
> 
> 7. Verification:
> 
> SHA1 sum                                 Package Name
> ---------------------------------------------------------------------------
> 
> 46931edc0f4e8ad25c994891938c103a45f28982  7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
> 0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4  7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
> 6cc852676c85e9cc3dc8e472676185cdffabf09f  9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
> 1a9d4e010885e902b2a6a994cfee5744b7f4afba  9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm
> 
> These packages are GPG signed by Fedora Legacy for security.  Our key is 
> available from http://www.fedoralegacy.org/about/security.php
> 
> You can verify each package with the following command:
> 
>     rpm --checksig -v <filename>
> 
> If you only wish to verify that each package has not been corrupted or 
> tampered with, examine only the sha1sum with the following command:
> 
>     sha1sum <filename>
> 
> 8. References:
> 
> http://security.e-matters.de/advisories/062004.html
> 
> 9. Contact:
> 
> The Fedora Legacy security contact is <secnotice at fedoralegacy.org>. More 
> project details at http://www.fedoralegacy.org
> 
> ---------------------------------------------------------------------
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
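Section 7 of the forwarded advisory gives a SHA1 table and tells the reader to run `sha1sum <filename>` by hand. The script below is an added example, not part of the advisory or of Fedora Legacy's tooling: it carries the four published sums inline (copied verbatim from section 7) and checks whatever subset of those RPMs is present under a download directory, so a `rpm -Fvh *.rpm` step can be gated on a clean result. The function names `sha1_of` and `verify_sums`, the `shasum -a 1` fallback for hosts without `sha1sum`, and the fail-closed rule (no file checked counts as failure) are my choices, not anything the advisory specifies.

```shell
#!/bin/sh
# Added example: verify downloaded FLSA-2004:1552 RPMs against the SHA1 table
# published in section 7 of the advisory. Not Fedora Legacy's own code.

# Checksum table copied from the advisory: "<sha1>  <path relative to
# http://download.fedoralegacy.org/redhat/>".
FLSA_1552_SUMS='46931edc0f4e8ad25c994891938c103a45f28982  7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4  7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f  9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
1a9d4e010885e902b2a6a994cfee5744b7f4afba  9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm'

# sha1_of FILE: print the hex SHA1 of FILE. Uses sha1sum where available and
# falls back to shasum (assumption: one of the two exists on the host).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_sums MANIFEST BASEDIR
# MANIFEST is a string of "<sha1>  <relative path>" lines; BASEDIR is the
# directory the paths are relative to. Prints one OK/FAILED/MISSING line per
# entry. Returns 0 only if at least one file was present and every present
# file matched; a directory with no listed files at all fails closed.
verify_sums() {
    manifest=$1
    basedir=$2
    checked=0
    failed=0
    # Here-document rather than a pipe so the loop runs in this shell and the
    # counters survive past the loop.
    while read -r expected relpath; do
        [ -n "$expected" ] || continue          # skip blank lines
        file="$basedir/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$relpath"
            continue
        fi
        actual=$(sha1_of "$file")
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$relpath"
        else
            printf 'FAILED   %s (expected %s, got %s)\n' "$relpath" "$expected" "$actual"
            failed=$((failed + 1))
        fi
    done <<EOF
$manifest
EOF
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Usage: sh verify-flsa1552.sh /path/to/downloads
#   where the downloads keep the mirror layout (e.g. 9/updates/i386/...).
if [ $# -gt 0 ]; then
    if verify_sums "$FLSA_1552_SUMS" "$1"; then
        echo "all present packages match the advisory"
    else
        echo "verification failed: do not install" >&2
        exit 1
    fi
fi
```

A matching SHA1 only proves the file equals what the table says; the table itself arrived here as a plain e-mail forwarded three months after the fact, so it is not an authority on its own. The advisory's `rpm --checksig -v <filename>` against the Fedora Legacy GPG key from the page's security.php link remains the authoritative check, and the sha1sum pass is best treated as a quick corruption test before that.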