[Secure-testing-commits] r1720 - in data/DTSA: . advs
Joey Hess
joeyh at costa.debian.org
Mon Aug 29 20:20:17 UTC 2005
Author: joeyh
Date: 2005-08-29 20:20:17 +0000 (Mon, 29 Aug 2005)
New Revision: 1720
Added:
data/DTSA/DTSA-10-1
data/DTSA/advs/10-pcre.adv
Modified:
data/DTSA/list
Log:
dtsa for pcre3
Added: data/DTSA/DTSA-10-1
===================================================================
--- data/DTSA/DTSA-10-1 2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/DTSA-10-1 2005-08-29 20:20:17 UTC (rev 1720)
@@ -0,0 +1,51 @@
+------------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-10-1 http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org Joey Hess
+August 29th, 2005
+------------------------------------------------------------------------------
+
+Package : pcre3
+Vulnerability : buffer overflow
+Problem-Scope : remote
+Debian-specific: No
+CVE ID : CAN-2005-2491
+
+An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
+(PCRE) allows attackers to execute arbitrary code via quantifier values in
+regular expressions, which leads to a heap-based buffer overflow.
+
+For the testing distribution (etch) this is fixed in version
+6.3-0.1etch1
+
+For the unstable distribution (sid) this is fixed in version
+6.3-1
+
+This upgrade is recommended if you use pcre3.
+
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+apt-get update && apt-get install libpcre3
+
+Note that after the upgrade, any daemons (exim, apache) that use libpcre3
+will remain running with the old vulnerable version. Either reboot your
+system after the upgrade or use the command "lsof /usr/lib/libpcre.so.3" to
+list programs using libpcre3, and manually restart them.
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
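Review bot: typo in the stable/oldstable paragraph of the advisory: "does not track security issues for then stable (sarge)" should read "for the stable (sarge)". The Upgrade Instructions also link the archive signing key (ziyi-2005-7.asc) but never say what to do with it; one sentence telling the reader to import that key so apt can verify the archive would make the instructions complete.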
Added: data/DTSA/advs/10-pcre.adv
===================================================================
--- data/DTSA/advs/10-pcre.adv 2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/advs/10-pcre.adv 2005-08-29 20:20:17 UTC (rev 1720)
@@ -0,0 +1,14 @@
+dtsa: DTSA-10-1
+source: pcre3
+date: August 29th, 2005
+author: Joey Hess
+vuln-type: buffer overflow
+problem-scope: remote
+debian-specific: no
+cve: CAN-2005-2491
+testing-fix: 6.3-0.1etch1
+sid-fix: 6.3-1
+
+An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
+(PCRE) allows attackers to execute arbitrary code via quantifier values in
+regular expressions, which leads to a heap-based buffer overflow.
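Review bot: this .adv record carries no severity field, yet the data/DTSA/list entry added in the same revision tags the fix "(high)"; if the advisory text is generated from this file, add the severity here so the two stay in sync. The date is also free-form ("August 29th, 2005") whereas data/DTSA/list uses the bracketed "dd Mon yyyy" style; one machine-parseable format across both files would be easier to consume.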
Modified: data/DTSA/list
===================================================================
--- data/DTSA/list 2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/list 2005-08-29 20:20:17 UTC (rev 1720)
@@ -1,10 +1,14 @@
+[01 Jan 1969] DTSA-10-1 pcre3 - buffer overflow
+ - pcre3 6.3-0.1etch1 (high)
+ NOTE: joeyh working on it
[28 Aug 2005] DTSA-9-1 mozilla-thunderbird - several vulnerabilities
- - mozilla-thunderbird 1.0.2-3etch1
+ - mozilla-thunderbird 1.0.2-3etch1 (high)
NOTE: joeyh working on it
+ NOTE: stalled by build failure
[28 Aug 2005] DTSA-8-1 mozilla-firefox - several vulnerabilities
- - mozilla-firefox 1.0.4-2sarge2
+ - mozilla-firefox 1.0.4-2sarge2 (high)
[28 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing
- - mozilla 2:1.7.8-1sarge1
+ - mozilla 2:1.7.8-1sarge1 (high)
[28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
- cgiwrap 3.9-3.0etch1 (low)
NOTE: waiting for builds (neilm)
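Review bot: the new DTSA-10-1 entry is dated "[01 Jan 1969]", which is clearly a placeholder; the advisory added in this same revision is dated August 29th, 2005, so the date should be corrected before the list is published. The accompanying "NOTE: joeyh working on it" also reads as stale now that the advisory itself is being committed; if it is meant to stay until the build lands, a status note in the style of the thunderbird entry ("stalled by build failure") would be clearer.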