Linux Security
Linux Security
Linux Security

Debian: New elog packages fix arbitrary code execution

Date 27 Dec 2006
3438
Posted By LinuxSecurity Advisories
Updated package.
- --------------------------------------------------------------------------
Debian Security Advisory DSA 1242-1                    This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.debian.org/security/                         Moritz Muehlenhoff
December 27th, 2006                     https://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : elog
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5063 CVE-2006-5790 CVE-2006-5791 CVE-2006-6318

Several remote vulnerabilities have been discovered in elog, a web-based
electronic logbook, which may lead to the execution of arbitrary code.
The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2006-5063

    Tilman Koschnick discovered that log entry editing in HTML is vulnerable
    to cross-site scripting. This update disables the vulnerable code.

CVE-2006-5790

    Ulf Harnhammar of the Debian Security Audit Project discovered several
    format string vulnerabilities in elog, which may lead to execution of
    arbitrary code.

CVE-2006-5791

    Ulf Harnhammar of the Debian Security Audit Project discovered 
    cross-site scripting vulnerabilities in the creation of new logbook
    entries.

CVE-2006-6318

    Jayesh KS and Arun Kethipelly of OS2A discovered that elog performs
    insufficient error handling in config file parsing, which may lead to
    denial of service through a NULL pointer dereference.

For the stable distribution (sarge) these problems have been fixed in
version 2.5.7+r1558-4+sarge3.

The upcoming stable distribution (etch) will no longer include elog.

For the unstable distribution (sid) these problems have been fixed in
version 2.6.2+r1754-1.

We recommend that you upgrade your elog package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3.dsc
      Size/MD5 checksum:      581 c072e867caa0058ac44cbd69c6afff51
    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3.diff.gz
      Size/MD5 checksum:    23758 0718302e60a98844f27cd6eab336c5ce
    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558.orig.tar.gz
      Size/MD5 checksum:   538216 e05c9fdaa02692ce20c70a5fd2748fe3

  Alpha architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_alpha.deb
      Size/MD5 checksum:   556190 081bd3b98bea9516c26b487024d6140f

  AMD64 architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_amd64.deb
      Size/MD5 checksum:   512510 48ee1c675cefa6a0b0af01f7cbb9f079

  ARM architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_arm.deb
      Size/MD5 checksum:   517072 5e4a4dc726a8a0bf75f05de3fe17e07c

  HP Precision architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_hppa.deb
      Size/MD5 checksum:   544448 5f5c83341837c6dd18211b4164bbd1dc

  Intel IA-32 architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_i386.deb
      Size/MD5 checksum:   514786 c14108b91d171ac38b0104ae769cfc96

  Intel IA-64 architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_ia64.deb
      Size/MD5 checksum:   598224 df22b05edfb9dfab43cc69233f2d88e4

  Motorola 680x0 architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_m68k.deb
      Size/MD5 checksum:   482826 254d8a1f1cae62719a9f6f2a461cffd8

  Big endian MIPS architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_mips.deb
      Size/MD5 checksum:   522074 909b22df0ac8302bd7b00b8338511198

  Little endian MIPS architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_mipsel.deb
      Size/MD5 checksum:   525164 278bc7397817c8f6a8a44d2879f0682c

  PowerPC architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_powerpc.deb
      Size/MD5 checksum:   524304 37438b8fff9c0b162aa6870fd5c7ba31

  IBM S/390 architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_s390.deb
      Size/MD5 checksum:   515148 32cf397b104321646de736141a90354d

  Sun Sparc architecture:

    https://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_sparc.deb
      Size/MD5 checksum:   519788 b532c963d03d66f4e32861531adefe4e


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb https://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.

LinuxSecurity Poll

How frequently do you patch/update your system?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum 0 answer(s) and maximum 3 answer(s).
/main-polls/52-how-frequently-do-you-patch-update-your-system?task=poll.vote&format=json
52
radio
[{"id":"179","title":"As soon as patches\/updates are released - I track advisories for my distro(s) diligently","votes":"64","type":"x","order":"1","pct":76.19,"resources":[]},{"id":"180","title":"Every so often, when I think of it","votes":"13","type":"x","order":"2","pct":15.48,"resources":[]},{"id":"181","title":"Hardly ever","votes":"7","type":"x","order":"3","pct":8.33,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

Please vote first in order to view vote results.

VOTE ON THE POLL PAGE


VIEW MORE POLLS

bottom 200

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.