Debian: Interchange file exposition

    Date13 Aug 2002
    CategoryDebian
    2194
    Posted ByLinuxSecurity Advisories
    A problem in Interchange can lead to an attacker being able to read any file to which the user of the Interchange daemon has sufficient permissions, when Interchange runs in "INET mode."
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 150-1                     This email address is being protected from spambots. You need JavaScript enabled to view it. 
    http://www.debian.org/security/                             Martin Schulze
    August 13th, 2002   
    - --------------------------------------------------------------------------
    
    Package        : interchange
    Vulnerability  : illegal file exposition
    Problem-Type   : remote
    Debian-specific: no
    
    A problem has been discovered in Interchange, an e-commerce and
    general HTTP database display system, which can lead to an attacker
    being able to read any file to which the user of the Interchange
    daemon has sufficient permissions, when Interchange runs in "INET
    mode" (internet domain socket).  This is not the default setting in
    Debian packages, but configurable with Debconf and via configuration
    file.  We also believe that this bug cannot exploited on a regular
    Debian system.
    
    This problem has been fixed by the package maintainer in version
    4.8.3.20020306-1.woody.1 for the current stable distribution (woody)
    and in version 4.8.6-1 for the unstable distribution (sid).  The old
    stable distribution (potato) is not affected, since it doesn't ship
    the Interchange system.
    
    We recommend that you upgrade your interchange packages.
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.dsc
          Size/MD5 checksum:      883 ffa49ff2144a7bd4320eb9c2198d24b3
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.diff.gz
          Size/MD5 checksum:      528 60c7cb2c1798ae2f61365e130d1772d3
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306.orig.tar.gz
          Size/MD5 checksum:  1858749 660c7e65732a052a81d2ae6e4c6ed2b5
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange-cat-foundation_4.8.3.20020306-1.woody.1_all.deb
          Size/MD5 checksum:   635062 6ebceb949aad1dc23e364dd297125c8f
         http://security.debian.org/pool/updates/main/i/interchange/interchange-ui_4.8.3.20020306-1.woody.1_all.deb
          Size/MD5 checksum:   432068 3f9574521ced0bc39c40793c74841947
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_alpha.deb
          Size/MD5 checksum:   856324 a903c5f415978bda83ebc64e533d6513
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_alpha.deb
          Size/MD5 checksum:    13812 21dcdb083b2d93e8b72cb06e3b9b3d77
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_arm.deb
          Size/MD5 checksum:   854980 80a5246531dc085d5ef629dd1337271c
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_arm.deb
          Size/MD5 checksum:    13198 63fe3b689099793c61b2bbb870c101e3
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_i386.deb
          Size/MD5 checksum:   852744 7a40058ecc9119c740826b3dbc9660d0
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb
          Size/MD5 checksum:    13156 234c7d614aa28de64d5d33dcb49e654d
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_ia64.deb
          Size/MD5 checksum:   858420 6f16f350d5d162b2bbac98bb4e7dc857
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_ia64.deb
          Size/MD5 checksum:    15670 fcfacf2758ac97a9ee6390bf20b9f64b
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_hppa.deb
          Size/MD5 checksum:   856104 4d7932a5d476acf49eda3ca2ecc4bf89
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_hppa.deb
          Size/MD5 checksum:    13920 a4593d918b5c9c87434544ed7d0af579
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_m68k.deb
          Size/MD5 checksum:   855146 de6a211e1b615dded617c9ff9877b897
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_m68k.deb
          Size/MD5 checksum:    13168 fda641d6355b9141fc2afde7b87c95c0
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mips.deb
          Size/MD5 checksum:   855866 75c9d826ef0c1352b3a035d22d0867cf
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mips.deb
          Size/MD5 checksum:    13236 4abca0332cc562ee5a624c8eb15cfa5f
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mipsel.deb
          Size/MD5 checksum:   855776 3d9df00fd5fb6bee01222e9e263edc66
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mipsel.deb
          Size/MD5 checksum:    13238 59556c80240d01d47bfba36b20e5c34b
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_powerpc.deb
          Size/MD5 checksum:   855224 2b0bb6d175fbe6194ef1b05c14069fcc
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_powerpc.deb
          Size/MD5 checksum:    13140 ff191322a2afd7b6bae946137f1835a8
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_s390.deb
          Size/MD5 checksum:   855636 3e35f8611357c023520871f38782fc94
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_s390.deb
          Size/MD5 checksum:    13440 22c5fdd8fe658f59db6ac859c6e8ff55
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_sparc.deb
          Size/MD5 checksum:   858130 7dafc5291988bf31737058939f381ab3
         http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_sparc.deb
          Size/MD5 checksum:    13274 6342b55b347c6bbd330f9facd1fd8122
    
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    Advisories

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"64","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.39,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.46,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.