Debian: webfs Multiple vulnerabilities

    Date29 Sep 2003
    Posted ByLinuxSecurity Advisories
    Multiple vulnerabilities including unauthorized access and buffer overflow have been fixed.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 392-1                     This email address is being protected from spambots. You need JavaScript enabled to view it.                             Matt Zimmerman
    September 29th, 2003               
    - --------------------------------------------------------------------------
    Package        : webfs
    Vulnerability  : buffer overflows, file and directory exposure
    Problem-Type   : remote
    Debian-specific: no
    CVE Ids        : CAN-2003-0832 CAN-2003-0833
    Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP
    server for static content.
     CAN-2003-0832 - When virtual hosting is enabled, a remote client
     could specify ".." as the hostname in a request, allowing retrieval
     of directory listings or files above the document root.
     CAN-2003-0833 - A long pathname could overflow a buffer allocated on
     the stack, allowing execution of arbitrary code.  In order to exploit
     this vulnerability, it would be necessary to be able to create
     directories on the server in a location which could be accessed by
     the web server.  In conjunction with CAN-2003-0832, this could be a
     world-writable directory such as /var/tmp.
    For the current stable distribution (woody) these problems have been fixed
    in version 1.17.2.
    For the unstable distribution (sid) these problems have been fixed in
    version 1.20.
    We recommend that you update your webfs package.
    Upgrade Instructions
    - --------------------
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
      Source archives:
          Size/MD5 checksum:      472 153815a86bd259abeef914eb07f69a7e
          Size/MD5 checksum:    41433 6d7d436dd741af465ea8d56198d88e1c
      Alpha architecture:
          Size/MD5 checksum:    37868 2962105934605ff0a4f844177569a42a
      ARM architecture:
          Size/MD5 checksum:    34320 b2300fded545dc60c0a4f7e3d4fb0dac
      Intel IA-32 architecture:
          Size/MD5 checksum:    32674 af563da11508475b4bd231db2776be11
      Intel IA-64 architecture:
          Size/MD5 checksum:    45916 7b7c7ff929c301125d7eafde39bfcdad
      HP Precision architecture:
          Size/MD5 checksum:    35932 85d63d5c1cb13eda0ded799ab419e3ad
      Motorola 680x0 architecture:
          Size/MD5 checksum:    31294 b141772b9a8c47354b00d4ac1f35a1db
      Big endian MIPS architecture:
          Size/MD5 checksum:    34952 09b5b96448f4ca390c881fa9bb48aa52
      Little endian MIPS architecture:
          Size/MD5 checksum:    34920 f4f8503528246a1f0b5d976056b622e9
      PowerPC architecture:
          Size/MD5 checksum:    33562 e112bf5dcf91ef2379f077cd6fd2ecb2
      IBM S/390 architecture:
          Size/MD5 checksum:    34670 24f10a95258a47475b752f12516e0515
      Sun Sparc architecture:
          Size/MD5 checksum:    36632 868ccfc05924a7cb53b3c16b666cb9af
      These files will probably be moved into the stable distribution on
      its next revision.
    - ---------------------------------------------------------------------------------
    For apt-get: deb stable/updates main
    For dpkg-ftp: dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and
    Version: GnuPG v1.2.3 (GNU/Linux)
    -----END PGP SIGNATURE-----
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"64","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.39,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.46,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.