[Technik] [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities

Noèl Köthe noel at debian.org
Tue Jan 1 14:17:35 CET 2008 

Am Freitag, den 28.12.2007, 16:29 +0100 schrieb Florian Weimer:

> Debian Security Advisory DSA-1438-1                  security at debian.org
> http://www.debian.org/security/                           Florian Weimer
> December 28, 2007                     http://www.debian.org/security/faq
> 
> Package        : tar
> Vulnerability  : several
> Problem type   : local(remote)
> Debian-specific: no
> CVE Id(s)      : CVE-2007-4131, CVE-2007-4476

tar auf h01, h0, h03, h04, h51, h52, hiowa, karuk, kansa, cusa,
cherokee, acoma, yuma, cree, wasco, pima, pomo, yuki und cupa
(hoffentlich keinen Namen vergessen;)) aktualisiert.

> For the stable distribution (etch), these problems have been fixed in
> version 1.16-2etch1.

tar (1.16-2etch1) stable-security; urgency=high

  * Non-maintainer upload by the security team
  * Apply patch from Dmitry V. Levin <ldv at owl.openwall.com> to avoid a
    stack-based buffer overflow while processing certain file names
    (CVE-2007-4476).  Closes: #441444.
  * Apply patch from Dmitry V. Levin to fix double-dot recognition
    in case of duplicate / (CVE-2007-4131).  Closes: #439335.
  * Update the autoconf scripts to the etch version (no functional
    changes, hopefully).

 -- Florian Weimer <fw at deneb.enyo.de>  Wed, 26 Dec 2007 13:30:08 +0100

> For the old stable distribution (sarge), these problems have been
> fixed in 1.14-2.4.

changelog:
tar (1.14-2.4) oldstable-security; urgency=high

  * Non-maintainer upload by the security team
  * Apply patch from Dmitry V. Levin <ldv at owl.openwall.com> to avoid a
    stack-based buffer overflow while processing certain file names
    (CVE-2007-4476).  Closes: #441444.
  * Apply patch from Dmitry V. Levin to fix double-dot recognition
    in case of duplicate / (CVE-2007-4131).  Closes: #439335.

 -- Florian Weimer <fw at deneb.enyo.de>  Wed, 26 Dec 2007 12:19:01 +0100

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url : /archiv/technik/attachments/20080101/7c8cd535/attachment.pgp

More information about the Technik mailing list