[Secure-testing-commits] r1720 - in data/DTSA: . advs

Joey Hess joeyh at costa.debian.org
Mon Aug 29 20:20:17 UTC 2005 

Author: joeyh
Date: 2005-08-29 20:20:17 +0000 (Mon, 29 Aug 2005)
New Revision: 1720

Added:
   data/DTSA/DTSA-10-1
   data/DTSA/advs/10-pcre.adv
Modified:
   data/DTSA/list
Log:
dsta for pcre3


Added: data/DTSA/DTSA-10-1
===================================================================
--- data/DTSA/DTSA-10-1	2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/DTSA-10-1	2005-08-29 20:20:17 UTC (rev 1720)
@@ -0,0 +1,51 @@
+------------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-10-1    http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org                          Joey Hess
+August 29th, 2005
+------------------------------------------------------------------------------
+
+Package        : pcre3
+Vulnerability  : buffer overflow
+Problem-Scope  : remote
+Debian-specific: No
+CVE ID         : CAN-2005-2491 
+
+An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
+(PCRE) allows attackers to execute arbitrary code via quantifier values in
+regular expressions, which leads to a heap-based buffer overflow.
+
+For the testing distribution (etch) this is fixed in version
+6.3-0.1etch1
+
+For the unstable distribution (sid) this is fixed in version
+6.3-1
+
+This upgrade is recommended if you use pcre3.
+
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+apt-get update && apt-get install libpcre3
+
+Note that after the upgrade, any daemons (exim, apache) that use libpcre3
+will remain running with the old vulnerable version. Either reboot your
+system after the upgrade or use the command "lsof /usr/lib/libpcre.so.3" to
+list programs using libpcre3, and manually restart them.
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/

Added: data/DTSA/advs/10-pcre.adv
===================================================================
--- data/DTSA/advs/10-pcre.adv	2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/advs/10-pcre.adv	2005-08-29 20:20:17 UTC (rev 1720)
@@ -0,0 +1,14 @@
+dtsa: DTSA-10-1
+source: pcre3
+date: August 29th, 2005
+author: Joey Hess
+vuln-type: buffer overflow
+problem-scope: remote
+debian-specific: no
+cve: CAN-2005-2491
+testing-fix: 6.3-0.1etch1
+sid-fix: 6.3-1
+
+An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
+(PCRE) allows attackers to execute arbitrary code via quantifier values in
+regular expressions, which leads to a heap-based buffer overflow.

Modified: data/DTSA/list
===================================================================
--- data/DTSA/list	2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/list	2005-08-29 20:20:17 UTC (rev 1720)
@@ -1,10 +1,14 @@
+[01 Jan 1969] DTSA-10-1 pcre3 - buffer overflow
+	- pcre3 6.3-0.1etch1 (high)
+	NOTE: joeyh working on it
 [28 Aug 2005] DTSA-9-1 mozilla-thunderbird - several vulnerabilities
-	- mozilla-thunderbird 1.0.2-3etch1
+	- mozilla-thunderbird 1.0.2-3etch1 (high)
 	NOTE: joeyh working on it
+	NOTE: stalled by build failure
 [28 Aug 2005] DTSA-8-1 mozilla-firefox - several vulnerabilities
-	- mozilla-firefox 1.0.4-2sarge2
+	- mozilla-firefox 1.0.4-2sarge2 (high)
 [28 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing
-	- mozilla 2:1.7.8-1sarge1
+	- mozilla 2:1.7.8-1sarge1 (high)
 [28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
 	- cgiwrap 3.9-3.0etch1 (low)
 	NOTE: waiting for builds (neilm)

More information about the Secure-testing-commits mailing list