-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2056-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Sébastien Delafond June 06, 2010 https://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : zonecheck Vulnerability : missing input sanitizing Problem type : remote Debian-specific: no CVE Id : CVE-2010-2052 CVE-2010-2155 CVE-2009-4882 Debian Bug : 583290 It was discovered that in zonecheck, a tool to check DNS configurations, the CGI does not perform sufficient sanitation of user input; an attacker can take advantage of this and pass script code in order to perform cross-site scripting attacks. For the stable distribution (lenny), this problem has been fixed in version 2.0.4-13lenny1. For the testing distribution (squeeze), this problem has been fixed in version 2.1.1-1. For the testing distribution (sid), this problem has been fixed in version 2.1.1-1. We recommend that you upgrade your zonecheck packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: https://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4.orig.tar.gz Size/MD5 checksum: 243079 260f746893e4bd82f5616c63a2f85f5e https://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4-13lenny1.dsc Size/MD5 checksum: 1064 3a2a82217362954c78b3e15382b8c930 https://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4-13lenny1.diff.gz Size/MD5 checksum: 10853 00790f50bb4f3f721c8f6979d7c135d7 Architecture independent packages: https://security.debian.org/pool/updates/main/z/zonecheck/zonecheck-cgi_2.0.4-13lenny1_all.deb Size/MD5 checksum: 38914 9b339043f824633bd6e2c9ee48b928f0 https://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4-13lenny1_all.deb Size/MD5 checksum: 210230 711b1afdb05f1b8b041fb39e7c8f5b58 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb https://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. Package info: `apt-cache show' and https://packages.debian.org/
Debian: DSA-2056-1: New zonecheck packages fix cross-site scripting
It was discovered that in zonecheck, a tool to check DNS configurations, the CGI does not perform sufficient sanitation of user input; an attacker can take advantage of this and pass script code in order to perform cross-site scripting attacks.
