Posts by Micha

    Package : gforge
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE IDs : CVE ids pending


    Laurent Almeras and Guillaume Smet have discovered a possible SQL
    injection vulnerability and cross-site scripting vulnerabilities in
    gforge, a collaborative development tool. Due to insufficient input
    sanitising, it was possible to inject arbitrary SQL statements and use
    several parameters to conduct cross-site scripting attacks.

    For the stable distribution (lenny), these problems have been fixed in
    version 4.7~rc2-7lenny1.

    For the oldstable distribution (etch), these problems have been fixed in
    version 4.5.14-22etch11.

    For the testing distribution (squeeze), these problems will be fixed
    soon.

    For the unstable distribution (sid), these problems have been fixed in
    version 4.7.3-2.


    We recommend that you upgrade your gforge packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : ctorrent
    Vulnerability : stack-based buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    Debian bug : 530255
    CVE ID : CVE-2009-1759


    Michael Brooks discovered that ctorrent, a text-mode bittorrent client,
    does not verify the length of file paths in torrent files. An attacker
    can exploit this via a crafted torrent that contains a long file path to
    execute arbitrary code with the rights of the user opening the file.


    The oldstable distribution (etch) does not contain ctorrent.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.3.4-dnh3.2-1+lenny1.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.3.4-dnh3.2-1.1.


    We recommend that you upgrade your ctorrent packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    Package : apache2
    Vulnerability : insufficient security check
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2009-1195

    It was discovered that the Apache web server did not properly handle
    the "Options=" parameter to the AllowOverride directive:

    In the stable distribution (lenny), local users could (via .htaccess)
    enable script execution in Server Side Includes even in configurations
    where the AllowOverride directive contained only
    Options=IncludesNoEXEC.

    In the oldstable distribution (etch), local users could (via
    .htaccess) enable script execution in Server Side Includes and CGI
    script execution in configurations where the AllowOverride directive
    contained any "Options=" value.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.2.9-10+lenny3.

    For the oldstable distribution (etch), this problem has been fixed in
    version 2.2.3-4+etch8.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem will be fixed in version 2.2.11-6.

    This advisory also provides updated apache2-mpm-itk packages which
    have been recompiled against the new apache2 packages (except for the
    s390 architecture where updated packages will follow shortly).

    We recommend that you upgrade your apache2 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : libtorrent-rasterbar
    Vulnerability : programming error
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2009-1760

    It was discovered that the Rasterbar Bittorrent library performed
    insufficient validation of path names specified in torrent files, which
    could lead to denial of service by overwriting files.

    The old stable distribution (etch) doesn't include libtorrent-rasterbar.

    For the stable distribution (lenny), this problem has been fixed in
    version 0.13.1-2+lenny1.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.14.4-1.

    We recommend that you upgrade your libtorrent-rasterbar package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    Package : libsndfile
    Vulnerability : heap-based buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    Debian bug : 528650
    CVE ID : CVE-2009-1788 CVE-2009-1791


    Two vulnerabilities have been found in libsndfile, a library to read
    and write sampled audio data. The Common Vulnerabilities and Exposures
    project identified the following problems:

    Tobias Klein discovered that the VOC parsing routines suffer from a heap-based
    buffer overflow which can be triggered by an attacker via a crafted VOC
    header (CVE-2009-1788).

    The vendor discovered that the AIFF parsing routines suffer from a heap-based
    buffer overflow similar to CVE-2009-1788 which can be triggered by an attacker
    via a crafted AIFF header (CVE-2009-1791).

    In both cases the overflowing data is not completely attacker controlled but
    still leads to application crashes or under some circumstances might still
    lead to arbitrary code execution.


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.0.16-2+etch2.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.0.17-4+lenny2.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.0.20-1.


    We recommend that you upgrade your libsndfile packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Here are the instructions for Strato customers to get to Plesk 9.x.

    Just try it; I also had to run /usr/local/psa/admin/bin/autoinstaller on my system, since Plesk apparently does not update all packages through the update.

    Hello,

    first bring the old server up to Plesk 9.2.1 and make a backup of the complete server there using the Plesk backup function.

    Set up the new server, bring it up to Plesk 9.2.1 as well, and then restore the backup through Plesk. I have just done this myself. It doesn't get any faster, and above all, all customers and websites are restored without any manual configuration.

    1. We create a directory login for the new user in the folder /home/.

    cd /home/
    mkdir login

    2. Create the new user in the group users, in my case login, and give it Bash as the default shell.

    useradd -g users -d /home/login -s /bin/bash login

    3. Set the password for the user login.

    passwd login

    In the dialog, set a password, using upper- and lower-case letters and special characters. A secure password has at least 8 characters.

    4. Log in with the new user on a second, newly opened console.

    5. If that works, use the root console to edit the file /etc/ssh/sshd_config and change the line

    PermitRootLogin yes to
    PermitRootLogin no.

    If necessary, also remove the hash sign # in front of this line.

    6. Reload the ssh_config

    /etc/init.d/sshd reload (for SUSE)
    /etc/init.d/ssh reload (for Debian)

    7. Log in with the new user login and switch to root with su -. Enter the root password and you're done.

    This took longer than I thought :no:, but the system change is now complete.

    There were various problems whose causes lay in the data center (software reset) and with the manufacturer of the Plesk software. But now everything has been cleaned up, and I wish everyone continued fun on board.

    Package : apr-util
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-0023

    Apr-util, the Apache Portable Runtime Utility library, is used by
    Apache 2.x, Subversion, and other applications. Two denial of service
    vulnerabilities have been found in apr-util:

    "kcope" discovered a flaw in the handling of internal XML entities in
    the apr_xml_* interface that can be exploited to use all available
    memory. This denial of service can be triggered remotely in the Apache
    mod_dav and mod_dav_svn modules. (No CVE id yet)

    Matthew Palmer discovered an underflow flaw in the
    apr_strmatch_precompile function that can be exploited to cause a
    daemon crash. The vulnerability can be triggered (1) remotely in
    mod_dav_svn for Apache if the "SVNMasterURI" directive is in use, (2)
    remotely in mod_apreq2 for Apache or other applications using
    libapreq2, or (3) locally in Apache by a crafted ".htaccess" file.
    (CVE-2009-0023)

    Other exploit paths in other applications using apr-util may exist.

    If you use Apache, or if you use svnserve in standalone mode, you need
    to restart the services after you upgraded the libaprutil1 package.


    For the stable distribution (lenny), these problems have been fixed in
    version 1.2.12+dfsg-8+lenny2.

    For the oldstable distribution (etch), these problems have been fixed in
    version 1.2.7+dfsg-2+etch2.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems will be fixed soon.

    We recommend that you upgrade your apr-util packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : cups, cupsys
    Vulnerability : null ptr dereference
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-0949


    Anibal Sacco discovered that cups, a general printing system for UNIX
    systems, suffers from null pointer dereference because of its handling
    of two consecutive IPP packets with certain tag attributes that are
    treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers
    to perform denial of service attacks by crashing the cups daemon.


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.2.7-4+etch8 of cupsys.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.3.8-1+lenny6 of cups.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem will be fixed soon.


    We recommend that you upgrade your cups/cupsys packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : libapache-mod-jk
    Vulnerability : information disclosure
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2008-5519
    Debian Bug : 523054

    An information disclosure flaw was found in mod_jk, the Tomcat Connector
    module for Apache. If a buggy client included the "Content-Length" header
    without providing request body data, or if a client sent repeated
    requests very quickly, one client could obtain a response intended for
    another client.

    For the stable distribution (lenny), this problem has been fixed in
    version 1:1.2.26-2+lenny1.

    For the oldstable distribution (etch), this problem has been fixed in
    version 1:1.2.18-3etch2.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1:1.2.26-2.1.

    We recommend that you upgrade your libapache-mod-jk packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    On 05.06.2009 from approx. 12:00 until 06.06.2009, server work will be carried out. The server's operating system is being replaced, since no more updates are offered for the current one (SUSE 10.1).

    During this time the domain will be completely unreachable.

    Package : linux-2.6
    Vulnerability : denial of service, privilege escalation
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1630 CVE-2009-1633 CVE-2009-1758

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a denial of service, or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2009-1630

    Frank Filz discovered that local users may be able to execute
    files without execute permission when accessed via an nfs4 mount.

    CVE-2009-1633

    Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
    the CIFS filesystem which allow remote servers to cause memory
    corruption.

    CVE-2009-1758

    Jan Beulich discovered an issue in Xen where local guest users may
    cause a denial of service (oops).

    This update also fixes a regression introduced by the fix for
    CVE-2009-1184 in 2.6.26-15lenny3. This prevents a boot time panic on
    systems with SELinux enabled.

    For the stable distribution (lenny), these problems have been fixed in
    version 2.6.26-15lenny3.

    For the oldstable distribution (etch), these problems, where
    applicable, will be fixed in future updates to linux-2.6 and
    linux-2.6.24.

    We recommend that you upgrade your linux-2.6 and user-mode-linux
    packages.

    Note: Debian carefully tracks all known security issues across every
    linux kernel package in all releases under active security support.
    However, given the high frequency at which low-severity security
    issues are discovered in the kernel and the resource requirements of
    doing an update, updates for lower priority issues will normally not
    be released for all kernels at the same time. Rather, they will be
    released in a staggered or "leap-frog" fashion.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 5.0 (lenny)
    user-mode-linux 2.6.26-1um-2+15lenny3

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 5.0 alias lenny

    A rented domain on my server was suddenly suspended today. Unsuspending it was not possible, because Plesk kept saying "Die Domain ist für Backup-/Wiederherstellungszwecke vorübergehend gesperrt."

    But no backup process had been started. So what now? I searched around and found the solution. Entering the following command on the command line unsuspends the domain:

    /usr/local/psa/bin/domain --on deineDomain.de

    Package : drupal6
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE ID : no CVE id yet
    Debian Bug : 529190 531386


    Markus Petrux discovered a cross-site scripting vulnerability in the
    taxonomy module of drupal6, a fully-featured content management
    framework. It is also possible that certain browsers using the UTF-7
    encoding are vulnerable to a different cross-site scripting
    vulnerability.

    For the stable distribution (lenny), these problems have been fixed in
    version 6.6-3lenny2.

    The oldstable distribution (etch) does not contain drupal6.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 6.11-1.1.


    We recommend that you upgrade your drupal6 packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    Package : cyrus-sasl2, cyrus-sasl2-heimdal
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    Debian bug : 528749
    CERT advisory : VU#238019
    CVE ID : CVE-2009-0688

    James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
    a free library implementing the Simple Authentication and Security Layer,
    suffers from a missing null termination in certain situations. This causes
    several buffer overflows in situations where cyrus-sasl2 itself requires
    the string to be null terminated which can lead to denial of service or
    arbitrary code execution.

    Important notice (Quoting from US-CERT):
    While this patch will fix currently vulnerable code, it can cause
    non-vulnerable existing code to break. Here's a function prototype from
    include/saslutil.h to clarify my explanation:

    /* base64 encode
     *  in      -- input data
     *  inlen   -- input data length
     *  out     -- output buffer (will be NUL terminated)
     *  outmax  -- max size of output buffer
     * result:
     *  outlen  -- gets actual length of output buffer (optional)
     *
     * Returns SASL_OK on success, SASL_BUFOVER if result won't fit
     */
    LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
                                  char *out, unsigned outmax,
                                  unsigned *outlen);

    Assume a scenario where calling code has been written in such a way that it
    calculates the exact size required for base64 encoding in advance, then
    allocates a buffer of that exact size, passing a pointer to the buffer into
    sasl_encode64() as *out. As long as this code does not anticipate that the
    buffer is NUL-terminated (does not call any string-handling functions like
    strlen(), for example) the code will work and it will not be vulnerable.

    Once this patch is applied, that same code will break because sasl_encode64()
    will begin to return SASL_BUFOVER.


    For the oldstable distribution (etch), this problem will be fixed soon.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal.


    We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
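
The caller-side sizing problem from the US-CERT notice in the cyrus-sasl2 advisory above, as an added example (not code from cyrus-sasl2 or from the advisory). demo_encode64() is a hypothetical stand-in that follows the prototype's contract of always NUL-terminating the output, and DEMO_OK / DEMO_BUFOVER are constructed return codes, not values from sasl.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
/* Constructed return codes for this demo (stand-ins, not taken from sasl.h). */
#define DEMO_OK       0
#define DEMO_BUFOVER (-1)

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64 characters needed for inlen bytes, NOT counting the NUL. */
static unsigned long long b64_chars(unsigned inlen)
{
    return ((unsigned long long)inlen + 2) / 3 * 4;
}

/* Hypothetical stand-in with the contract described after the fix: the output
 * is always NUL terminated, so outmax must exceed the encoded length. */
static int demo_encode64(const char *in, unsigned inlen,
                         char *out, unsigned outmax, unsigned *outlen)
{
    const unsigned char *p = (const unsigned char *)in;
    unsigned long long need = b64_chars(inlen);
    unsigned i, o = 0;
    if (outmax <= need)           /* no room for encoded data plus NUL */
        return DEMO_BUFOVER;
    for (i = 0; i + 2 < inlen; i += 3) {
        out[o++] = B64[p[i] >> 2];
        out[o++] = B64[((p[i] & 0x03) << 4) | (p[i + 1] >> 4)];
        out[o++] = B64[((p[i + 1] & 0x0f) << 2) | (p[i + 2] >> 6)];
        out[o++] = B64[p[i + 2] & 0x3f];
    }
    if (i < inlen) {              /* one or two trailing bytes: pad with '=' */
        unsigned b1 = (i + 1 < inlen) ? p[i + 1] : 0;
        out[o++] = B64[p[i] >> 2];
        out[o++] = B64[((p[i] & 0x03) << 4) | (b1 >> 4)];
        out[o++] = (i + 1 < inlen) ? B64[(b1 & 0x0f) << 2] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    if (outlen) *outlen = o;
    return DEMO_OK;
}

/* Caller: extra = 0 is the exact-size pattern from the notice, extra = 1
 * leaves room for the NUL. Allocation failure also yields DEMO_BUFOVER here. */
static int encode_alloc(const char *in, unsigned inlen, unsigned extra,
                        char **result)
{
    unsigned long long size = b64_chars(inlen) + extra;
    char *buf = (size <= UINT_MAX) ? malloc((size_t)size) : NULL;
    int rc = buf ? demo_encode64(in, inlen, buf, (unsigned)size, NULL)
                 : DEMO_BUFOVER;
    if (rc != DEMO_OK) { free(buf); buf = NULL; }
    *result = buf;                /* caller frees on success */
    return rc;
}

int main(void)
{
    char *s;
    printf("exact size: rc=%d\n", encode_alloc("foobar", 6, 0, &s));
    printf("size + 1:   rc=%d\n", encode_alloc("foobar", 6, 1, &s));
    if (s) puts(s);
    free(s);
    return 0;
}
```

Callers that size the buffer as the encoded length plus one keep working on both sides of the fix, so auditing for the `extra = 0` pattern before upgrading is the practical check.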

    I would think there is something for that in confixx too, log files or something similar. Unfortunately I don't have confixx.

    However, the error message says clearly:

    Quote

    More information about this error may be available in the server error log. Apache Server at https://www.rootserverprojekt.de/www.community-channel.de Port 80

    So the Apache error log should be checked, and only the provider can do that. It is also weak of the provider not to even enter a contact address on the server....

    Quote

    Please contact the server administrator, [no address given]