[Secure-testing-commits] r1686 - in data/DTSA: . hints

Neil McGovern neilm at costa.debian.org
Sun Aug 28 11:18:34 UTC 2005


Author: neilm
Date: 2005-08-28 11:18:33 +0000 (Sun, 28 Aug 2005)
New Revision: 1686

Added:
   data/DTSA/DTSA-6-1
   data/DTSA/hints/neilm
Modified:
   data/DTSA/list
Log:
cgiwrap DTSA


Added: data/DTSA/DTSA-6-1
===================================================================
--- data/DTSA/DTSA-6-1	2005-08-28 10:49:07 UTC (rev 1685)
+++ data/DTSA/DTSA-6-1	2005-08-28 11:18:33 UTC (rev 1686)
@@ -0,0 +1,60 @@
+-----------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-6-1     http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org                      Neil McGovern
+August 28th, 2005
+-----------------------------------------------------------------------------
+
+Package        : cgiwrap
+Vulnerability  : multiple vulnerabilities
+Problem-Type   : remote
+Debian-specific: yes,no
+
+Javier Fernández-Sanguino Peña discovered various vulnerabilities in cgiwrap:
+
+Minimum UID does not include all system users
+
+  The CGIwrap program will not seteuid itself to uids below the 'minimum' uid 
+  to prevent scripts from being misused to compromise the system. However, 
+  the Debian package sets the minimum uid to 100 when it should be 1000.
+
+CGIs can be used to disclose system information
+
+  The cgiwrap (and php-cgiwrap) package installs some debugging CGIs
+  (actually symbolink links, which link to cgiwrap and are called 'cgiwrap'
+  and 'nph-cgiwrap' or link to php-cgiwrap). These CGIs should not be
+  installed in production environments as they disclose internal and
+  potentially sensible information.
+
+For the testing distribution (etch) this is fixed in version
+3.9-3.0etch1.
+
+For the unstable distribution (sid) this is fixed in version
+3.9-3.1.
+
+This upgrade is encouraged if you use cgiwrap.
+
+The Debian testing security team does not track security issues for the
+stable distribution (woody). If stable is vulnerable, the Debian security
+team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+  deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+  deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+If you use cgiwrap:
+  apt-get update && apt-get install cgiwrap
+If you use php-cgiwrap:
+  apt-get update && apt-get install php-cgiwrap
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
+

Added: data/DTSA/hints/neilm
===================================================================
--- data/DTSA/hints/neilm	2005-08-28 10:49:07 UTC (rev 1685)
+++ data/DTSA/hints/neilm	2005-08-28 11:18:33 UTC (rev 1686)
@@ -0,0 +1,2 @@
+# pending builds
+#sync cgiwrap/3.9-3.0etch1
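Review bot: the `#sync cgiwrap/3.9-3.0etch1` line is commented out, so this hint file does nothing until the leading `#` is removed; the `# pending builds` comment documents why, which is fine, but the same pending state is recorded separately as `NOTE: waiting for builds (neilm)` in data/DTSA/list, so both places need to change in the same commit once the builds land, otherwise the list can claim the advisory is released while the sync is still disabled.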

Modified: data/DTSA/list
===================================================================
--- data/DTSA/list	2005-08-28 10:49:07 UTC (rev 1685)
+++ data/DTSA/list	2005-08-28 11:18:33 UTC (rev 1686)
@@ -1,3 +1,6 @@
+[28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
+	- cgiwrap 3.9-3.0etch1 (low)
+	NOTE: waiting for builds (neilm)
 [27 Aug 2005] DTSA-5-1 gaim - multiple remote vulnerabilities
 	{CAN-2005-2102 CAN-2005-2370 CAN-2005-2103}
 	- gaim 1:1.4.0-5etch2 (high)
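Review bot: the new `[28 Aug 2005] DTSA-6-1` entry has no `{CAN-...}` reference line, whereas the `DTSA-5-1` entry directly below it lists three identifiers; if no CAN numbers exist yet for the cgiwrap issues, a comment or placeholder stating that would keep the file's format consistent and make clear it is not an omission. The `(low)` severity matches the mild "This upgrade is encouraged" wording in the advisory text, so that part is consistent.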
