Debians sikkerhedsbulletin

DSA-1818-1 gforge -- utilstrækkelig fornuftighedskontrol af inddata

Rapporteret den:

18. jun 2009

Berørte pakker:

gforge

Sårbar:

Referencer i sikkerhedsdatabaser:

Der er pt. ingen tilgængelige eksterne sikkerhedsreferencer i andre databaser.

Yderligere oplysninger:

Laurent Almeras og Guillaume Smet opdagede mulige sårbarheder i forbindelse med indsprøjtning af SQL og udførelse af skripter på tværs af websteder, i gforge, et værktøj til samarbejdsudvikling. På grund af utilstrækkelig kontrol af inddata, var det muligt at indsprøjte vilkårlige SQL-kommandoer og anvende flere parametre, for at iværksætte angreb i forbindelse med udførelse af skripter på tværs af websteder.

I den stabile distribution (lenny), er disse problemer rettet i version 4.7~rc2-7lenny1.

I den gamle stabile distribution (etch), er disse problemer rettet i version 4.5.14-22etch11.

I distributionen testing (squeeze), vil disse problemer snart blive rettet.

I den ustabile distribution (sid), er disse problemer rettet i version 4.7.3-2.

Vi anbefaler at du opgraderer dine gforge-pakker.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch11.diff.gz; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch11.dsc
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch11_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch11_all.deb

Debian GNU/Linux 5.0 (lenny)

Kildekode:: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny1.dsc; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny1.diff.gz; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-mediawiki_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmcvs_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmsvn_4.7~rc2-7lenny1_all.deb; http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache2_4.7~rc2-7lenny1_all.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.