[Secure-testing-team] Re: [secure-testing-announce] [DTSA-6-1] New cgiwrap packages fix multiple vulnerabilities

Micah micah at riseup.net
Mon Aug 29 00:40:08 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This DTSA shows "Debian-specific" as "yes,no"...

micah



Neil McGovern wrote:
> -----------------------------------------------------------------------------
> Debian Testing Security Advisory DTSA-6-1     http://secure-testing.debian.net
> secure-testing-team at lists.alioth.debian.org                      Neil McGovern
> August 28th, 2005
> -----------------------------------------------------------------------------
> 
> Package        : cgiwrap
> Vulnerability  : multiple vulnerabilities
> Problem-Type   : remote
> Debian-specific: yes,no
> 
> Javier Fernández-Sanguino Peña discovered various vulnerabilities in cgiwrap:
> 
> Minimum UID does not include all system users
> 
>   The CGIwrap program will not seteuid itself to uids below the 'minimum' uid
>   to prevent scripts from being misused to compromise the system. However,
>   the Debian package sets the minimum uid to 100 when it should be 1000.
> 
> CGIs can be used to disclose system information
> 
>   The cgiwrap (and php-cgiwrap) package installs some debugging CGIs
>   (actually symbolic links, which link to cgiwrap and are called 'cgiwrap'
>   and 'nph-cgiwrap' or link to php-cgiwrap). These CGIs should not be
>   installed in production environments as they disclose internal and
>   potentially sensitive information.
> 
> For the testing distribution (etch) this is fixed in version
> 3.9-3.0etch1.
> 
> For the unstable distribution (sid) this is fixed in version
> 3.9-3.1.
> 
> This upgrade is encouraged if you use cgiwrap.
> 
> The Debian testing security team does not track security issues for the
> stable distribution (woody). If stable is vulnerable, the Debian security
> team will make an announcement once a fix is ready.
> 
> Upgrade Instructions
> --------------------
> 
> To use the Debian testing security archive, add the following lines to
> your /etc/apt/sources.list:
> 
>   deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
>   deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
> 
> The archive signing key can be downloaded from
> http://secure-testing.debian.net/ziyi-2005-7.asc
> 
> To install the update, run this command as root:
> If you use cgiwrap:
>   apt-get update && apt-get install cgiwrap
> If you use php-cgiwrap:
>   apt-get update && apt-get install php-cgiwrap
> 
> For further information about the Debian testing security team, please refer
> to http://secure-testing.debian.net/
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEllo9n4qXRzy1ioRAv5WAKCdN3O40gDCGsrRU366EULfWwoF6wCgj1J0
SMdgadmHkMAg2JL5aU/Gob0=
=f8fx
-----END PGP SIGNATURE-----
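As an added illustration of the two findings in the quoted advisory (this is not code from the advisory, the list, or the cgiwrap package): the script below audits a passwd database against a cgiwrap-style minimum-UID setting, listing the system accounts that a minimum of 100 still admits compared with 1000, and flags the debugging symlinks (entries pointing at cgiwrap or php-cgiwrap) in a cgi-bin directory listing. It assumes the Debian Policy UID convention (0-99 static and 100-999 dynamic system accounts, 1000-59999 regular users, 60000 and above reserved, 65534 for nobody); the passwd lines and directory entries are constructed samples, and the function names are the example's own.

```python
"""Audit a cgiwrap-style minimum-UID setting and look for debugging wrapper symlinks.

Added example, not part of the DTSA-6-1 advisory or of cgiwrap itself.
cgiwrap refuses to seteuid() to any UID below a configured minimum; every
account at or above that minimum is therefore reachable through a wrapped
CGI. A minimum of 100 leaves all dynamically allocated Debian system
accounts (100-999) reachable, which is what the advisory corrects to 1000.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample /etc/passwd content (not captured from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
messagebus:x:101:102::/var/run/dbus:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:104:107:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""

# Assumed Debian Policy UID ranges: 1000-59999 are regular users; everything
# else (0-999 system accounts, 60000+ reserved, 65534 nobody) is a system account.
FIRST_USER_UID = 1000
LAST_USER_UID = 59999


@dataclass(frozen=True)
class Account:
    name: str
    uid: int


def parse_passwd(text: str) -> List[Account]:
    """Parse passwd-format lines into (name, uid) pairs, skipping malformed ones."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # blank, comment or malformed line: skip rather than guess
        accounts.append(Account(fields[0], int(fields[2])))
    return accounts


def is_system_account(acct: Account) -> bool:
    """True for any UID outside the regular-user range."""
    return not (FIRST_USER_UID <= acct.uid <= LAST_USER_UID)


def exposed_system_accounts(accounts: List[Account], minimum_uid: int) -> List[str]:
    """Names of system accounts the minimum-UID check would still permit.

    Any system account at or above the minimum is a gap in the protection the
    minimum is meant to provide. Note that 'nobody' (65534) sits above any
    sane minimum, so the minimum alone never excludes it.
    """
    return sorted(a.name for a in accounts
                  if a.uid >= minimum_uid and is_system_account(a))


def debug_wrapper_links(entries: Dict[str, Optional[str]]) -> List[str]:
    """Given {entry name: symlink target or None}, return the entries that are
    the debugging CGIs the advisory describes: symlinks whose target is the
    cgiwrap or php-cgiwrap binary (e.g. 'cgiwrap' and 'nph-cgiwrap')."""
    wrappers = {"cgiwrap", "php-cgiwrap"}
    return sorted(name for name, target in entries.items()
                  if target is not None and os.path.basename(target) in wrappers)


def scan_cgi_dir(path: str) -> Dict[str, Optional[str]]:
    """Build the {name: link target or None} map for a real cgi-bin directory."""
    result = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        result[name] = os.readlink(full) if os.path.islink(full) else None
    return result


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    for minimum in (100, 1000):
        print(f"minimum uid {minimum}: reachable system accounts "
              f"{exposed_system_accounts(accts, minimum)}")
    sample_cgi_bin = {"cgiwrap": "/usr/lib/cgiwrap/cgiwrap",
                      "nph-cgiwrap": "/usr/lib/cgiwrap/cgiwrap",
                      "myscript.cgi": None}  # constructed directory listing
    print("debugging wrapper links:", debug_wrapper_links(sample_cgi_bin))
```

Run against a live host by replacing `SAMPLE_PASSWD` with the contents of `/etc/passwd` and passing the output of `scan_cgi_dir("/usr/lib/cgi-bin")` to `debug_wrapper_links`; the minimum-UID value itself has to be read from the local cgiwrap build or configuration, which this example does not parse.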



