The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:
"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1629-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
August 18, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : postfix
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-2936
Sebastian Krahmer discovered that Postfix, a mail transfer agent,
incorrectly checks the ownership of a mailbox. In some configurations,
this allows for appending data to arbitrary files as root.
The default Debian installation of Postfix is not affected. Only a
configuration meeting the following requirements is vulnerable:
* The mail delivery style is mailbox, with the Postfix built-in
local(8) or virtual(8) delivery agents.
* The mail spool directory is user-writeable.
* The user can create hardlinks pointing to root-owned symlinks
located in other directories.
For a detailed treating of this issue, please refer to the upstream
author's announcement:
http://article.gmane.org/gmane.mail.postfix.announce/110
For the stable distribution (etch), this problem has been fixed in
version 2.3.8-2etch1.
For the testing distribution (lenny), this problem has been fixed in
version 2.5.2-2lenny1.
For the unstable distribution (sid), this problem has been fixed
in version 2.5.4-1.
We recommend that you upgrade your postfix package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz
Size/MD5 checksum: 2787761 a6c560657788fc7a5444fa9ea32f5513
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.diff.gz
Size/MD5 checksum: 177462 0827e61a7033e8625d92123c84b32782
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.dsc
Size/MD5 checksum: 907 8e9f0c462c57eb2be521714404474aca
Architecture independent packages:
http://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2etch1_all.deb
Size/MD5 checksum: 130818 5038e376db1c661eb0284f96dff4761a
http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2etch1_all.deb
Size/MD5 checksum: 785408 5db9bdc0300637afd3d508afe2c261dc
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_alpha.deb
Size/MD5 checksum: 1188364 c8c7f45763ccfd74b84335ea073c551c
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_alpha.deb
Size/MD5 checksum: 36556 fcb1c6262baed1402032c2105b83d059
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_alpha.deb
Size/MD5 checksum: 38746 a0d1334395beda433d586b63b0d60b80
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_alpha.deb
Size/MD5 checksum: 43408 d9e830efc4532ccddc46f394232959a6
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_alpha.deb
Size/MD5 checksum: 38596 855c8573280d5b191a12175b2e7afe8c
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_alpha.deb
Size/MD5 checksum: 38928 579217f55db12977c61b8d437f3ab436
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_amd64.deb
Size/MD5 checksum: 38318 24205dd0481bb1d78684167d8d20f44f
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_amd64.deb
Size/MD5 checksum: 38338 50a46f34f638ea42525b98ca985b4f11
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_amd64.deb
Size/MD5 checksum: 43268 a24dd35f2ec288c2c4f674099e44385f
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_amd64.deb
Size/MD5 checksum: 1148848 f27f053dffd95b730f1186ed37ed8673
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_amd64.deb
Size/MD5 checksum: 38460 907b2a8d84a54cdf31ade8c201d3780a
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_amd64.deb
Size/MD5 checksum: 36378 1ab120583bcc5873a5350d9786282eab
arm architecture (ARM)
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_arm.deb
Size/MD5 checksum: 42742 2d6799c7726a3943a39939baebacdc98
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_arm.deb
Size/MD5 checksum: 38324 6acd31d6ce0200fdd49043c99459c4c8
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_arm.deb
Size/MD5 checksum: 38394 52628e6399391671a8512ed25739813c
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_arm.deb
Size/MD5 checksum: 38592 1db4a21bb2c6f135e342b65317ecb897
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_arm.deb
Size/MD5 checksum: 1080626 3e05804bf0bf7101ae3e4eec33d1524f
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_arm.deb
Size/MD5 checksum: 36378 71361b9cd3c008a9e96e8c23866b1a80
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_hppa.deb
Size/MD5 checksum: 37504 76b3b4785a5e91fc1010ce32ccee31ed
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_hppa.deb
Size/MD5 checksum: 45296 73bc72e54d6ef6909fd3df4266061d7b
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_hppa.deb
Size/MD5 checksum: 40138 807908ccb69444d9aa1917861dc51af9
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_hppa.deb
Size/MD5 checksum: 1174040 44260c5be83cd1d051de22c155aee72a
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_hppa.deb
Size/MD5 checksum: 39814 547026b4994dfbf216be7f9ee0487054
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_hppa.deb
Size/MD5 checksum: 39624 69209a3695bb1568f8c11e6ab4bb792d
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_i386.deb
Size/MD5 checksum: 36514 2c10b797c15b02828b344693d4f9c597
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_i386.deb
Size/MD5 checksum: 38680 d1beb196bcc090457a791760b5e7bdfd
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_i386.deb
Size/MD5 checksum: 38354 d074798f79b42bd245e13b8ce0f3adef
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_i386.deb
Size/MD5 checksum: 43160 40cc3fc2fc6374a07893321c2758a447
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_i386.deb
Size/MD5 checksum: 38770 d97f22246f4cb6cb48e4c993ad37daac
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_i386.deb
Size/MD5 checksum: 1092656 30352104ad6fad91f13b996483e52e5b
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_ia64.deb
Size/MD5 checksum: 37958 d3628d8f8d4fa6cc760ef77e21acb468
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_ia64.deb
Size/MD5 checksum: 40762 6c5dcb7f2d6196ddf23a8e6d7b9e5f10
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_ia64.deb
Size/MD5 checksum: 47878 bb8188e31d1a632164d1bb5dda88a810
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_ia64.deb
Size/MD5 checksum: 1439608 cfc2f5db48f0f6bcc8ddb3e85a4032d6
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_ia64.deb
Size/MD5 checksum: 40766 59cd143a5727868aaae30f309286a433
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_ia64.deb
Size/MD5 checksum: 41066 385bf68a76cd27e12e012bf535a841e0
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_mips.deb
Size/MD5 checksum: 38194 014b70898f5aae21a95877c4e32f9941
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_mips.deb
Size/MD5 checksum: 36186 7c957d531808b35bd6994aeea448e213
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_mips.deb
Size/MD5 checksum: 38188 29a16989a6414ed3722f1422f46d9cd2
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_mips.deb
Size/MD5 checksum: 38446 0dc8cfc6f527161b8b4ce16dd8b297c6
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_mips.deb
Size/MD5 checksum: 1129132 4e6a95c1f4040b7b24ac18ab80455d4d
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_mips.deb
Size/MD5 checksum: 42376 af1d25a56c756443db89f6aa6a7bbb38
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum: 37738 ee3c0924d5deb0d61741c9497156c0bf
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum: 44218 6ade57e38f9948016b71e6373f6f1863
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum: 39670 6a6597cfb2a225d05963a149386d8fcc
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum: 39774 3979adcff1c659588beb2e65c5ddb4d3
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum: 1167716 45d3590893a6b4c3efc99780508f92e1
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum: 39966 7acc51d59c4c640b8c4963c09c573356
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_s390.deb
Size/MD5 checksum: 38752 56864ace555741a8e580ac9cdad129c3
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_s390.deb
Size/MD5 checksum: 1154368 f62e41e9b4d18eaaf76d0096370ceb1f
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_s390.deb
Size/MD5 checksum: 36562 9deaaf037d9694a5a09f01743c687a52
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_s390.deb
Size/MD5 checksum: 38360 6191ba334c80aa5e4dd12df40781c96d
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_s390.deb
Size/MD5 checksum: 43310 9a73eaee5cfd0b3656976a36c256e676
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_s390.deb
Size/MD5 checksum: 38918 570c0d157fd6b6b4102122a965d3e6f6
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_sparc.deb
Size/MD5 checksum: 38198 6ca537558089e41ebbdea7c90f2e4fd4
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_sparc.deb
Size/MD5 checksum: 37906 746615a2cc165a0fcb5aff5be073e289
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_sparc.deb
Size/MD5 checksum: 38058 ac84629509e45bf424752e4852e175e1
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_sparc.deb
Size/MD5 checksum: 36106 55d00480a61daa52578d69081a4e93a6
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_sparc.deb
Size/MD5 checksum: 1080776 87ff76ea63ba069b769b3491fac51670
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_sparc.deb
Size/MD5 checksum: 42910 767373c92a53b62640e69b16749f1fcc
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSKngTmz0hbPcukPfAQKcCgf/RVacZ4VuJKLKuo72HbqHnG/lnOKGOkPV
R1MjmIljkTRXn5WUJD/0ixAt0UuF1lMMtEV+bNSulMbAxKstLfXOreupPN7fwZ+F
bCoUX2YuibzzMb6sXr5LAgQBOjOQ1jDXoCRFTF7FGdMpPsL8f1rn3M4dC59Sxst3
mL7q6Dw4OZKXmQa1cTnVv7GRWgSmOkKGrUsqeHN5E4TC83qdbPmZOyFK/zo+ZvP8
CIuISq0uP5ULr0u+ajaxlDHiY9FpExmpMK7QJoOryxZ5DUdyEt4AsSt4ypKF7jqP
mPAnlgUwZG227a5Pp0kvjNlR+QrxV3JH/+mDA0HBAy3CpF2QSXT4Dw==
=1YVg
-----END PGP SIGNATURE-----
"
Apple ships massive Mac OS X 10.4 security upgrade
DSA 1577-1: New gforge packages fix insecure temporary files
This entry was posted
on 6:06 AM
.
Archives
-
▼
2008
(457)
-
▼
August
(65)
- CESA-2008:0836 Moderate CentOS 5 x86_64 libxml2 Up...
- CESA-2008:0849 Important CentOS 5 x86_64 ipsec-too...
- RHSA-2008:0847-01 Important: libtiff security and ...
- RHSA-2008:0848-01 Important: libtiff security and ...
- RHSA-2008:0863-01 Important: libtiff security update
- CESA-2008:0836 Moderate CentOS 5 i386 libxml2 Update
- CESA-2008:0836 Moderate CentOS 3 x86_64 libxml2 - ...
- CESA-2008:0836 Moderate CentOS 3 i386 libxml2 - se...
- Intel acquires Linux distro developer
- RHSA-2008:0648-01 Important: tomcat security update
- RHSA-2008:0849-01 Important: ipsec-tools security ...
- CESA-2008:0839 Moderate CentOS 4 ia64 postfix - se...
- DSA 1631-1: New libxml2 packages fix denial of ser...
- MIDs offer Atom, HSDPA
- CESA-2008:0836 Moderate CentOS 4 s390(x) libxml2 -...
- CESA-2008:0836 Moderate CentOS 4 ia64 libxml2 - se...
- Kubuntu 8.10 Alpha 4 Review
- CESA-2008:0855 Critical CentOS 4 s390(x) openssh -...
- Contentteller Release Candidate 2 available
- Creating Advanced MySQL-Based Virtual Hosts On Lig...
- openSUSE 11.1 Alpha 2
- DSA 1629-2: New postfix packages fix installabilit...
- USN-636-1: Postfix vulnerability
- RHSA-2008:0815-01 Moderate: yum-rhn-plugin securit...
- Intel aims x86 at digital TVs
- Intel unveils dual-core Atom
- GLSA 200808-12 Postfix: Local privilege escalatio...
- AMD Radeon HD 4870 X2 On Linux
- DSA 1629-1: New postfix packages fix privilege esc...
- RHSA-2008:0818-02 Moderate: hplip security update
- RHSA-2008:0814-01 Moderate: condor security and bu...
- Ubuntu Linux 8.10 Alpha-4 released
- No title
- No title
- How To Set Up WebDAV With Lighttpd On Debian Etch
- RHSA-2008:0816-01 Moderate: condor security and bu...
- Contentteller Release Candidate 1 available
- GLSA 200808-09 OpenLDAP: Denial of Service vulner...
- DSA 1627-1: New PowerDNS packages reduce DNS spoof...
- GLSA 200808-11 UUDeview: Insecure temporary file ...
- GLSA 200808-10 Adobe Reader: User-assisted execut...
- GLSA 200808-07 ClamAV: Multiple Denials of Service
- ispCP Omega 1.0.0 RC6 released
- GLSA 200808-08 stunnel: Security bypass
- GLSA 200808-03 Mozilla products: Multiple vulnera...
- RHSA-2008:0612-01 Important: kernel security and b...
- Lightweight GNOME alternative emerges
- GLSA 200808-06 libxslt: Execution of arbitrary code
- GLSA 200808-04 Wireshark: Denial of Service
- At last -- native apps for Motorola Linux phones
- USN-626-2: Devhelp, Epiphany, Midbrowser and Yelp ...
- GLSA 200808-01 xine-lib: User-assisted execution ...
- How To Install The Zimbra Desktop Email Client On ...
- Fedora 10 Alpha
- GLSA 200807-15 Pan: User-assisted execution of ar...
- USN-633-1: libxslt vulnerabilities
- Installing And Using OpenVZ On CentOS 5.2
- DSA 1625-1: New cupsys packages fix arbitrary code...
- USN-634-1: OpenLDAP vulnerability
- RHSA-2008:0790-02 Critical: java-1.5.0-ibm securit...
- Netbooks growing -- in two ways
- DSA 1624-1: New libxslt packages fix arbitrary cod...
- DSA 1626-1: New httrack packages fix arbitrary cod...
- USN-626-1: Firefox and xulrunner vulnerabilities
- DSA 1623-1: New dnsmasq packages fix cache poisoning
-
▼
August
(65)