From: Graham R. <gr...@li...> - 2001-04-10 19:46:46
> This was an issue? Only for stupid people who don't check URLs before running them. Since there are a lot of stupid people out there, a fix was added in 1.0.3.
>
> ----- Forwarded message from Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM> -----
>
> Delivered-To: jon@EMOSTAR.DYNDNS.ORG
> Approved-By: aleph1@SECURITYFOCUS.COM
> Delivered-To: bu...@li...
> Delivered-To: bu...@se...
> Mail-Followup-To: Linux Mandrake Security Announcements
>         <sec...@li...>,
>         Linux Mandrake Security
>         <mdk...@li...>,
>         Bugtraq <bu...@se...>,
>         Linux Security List <lin...@se...>
> User-Agent: Mutt/1.3.15i
> Date: Fri, 23 Mar 2001 19:18:28 -0700
> Reply-To: Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM>
> From: Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM>
> Subject: MDKSA-2001:032-1 - licq update
> X-To: Linux Mandrake Security Announcements
>         <sec...@li...>
> X-cc: Linux Mandrake Security <mdk...@li...>,
>         Linux Security List <lin...@se...>
> To: BUGTRAQ@SECURITYFOCUS.COM
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ________________________________________________________________________
>
>                 Linux-Mandrake Security Update Advisory
> ________________________________________________________________________
>
> Package name:           licq
> Date:                   March 23rd, 2001
> Original Advisory Date: March 20th, 2001
> Advisory ID:            MDKSA-2001:032-1
>
> Affected versions:      7.1, 7.2, Corporate Server 1.0.1
> ________________________________________________________________________
>
> Problem Description:
>
>  Versions of Licq prior to 1.0.3 have a vulnerability involving the way
>  Licq parses received URLs.  The received URLs are passed to the web
>  browser without any sanity checking by using the system() function.
>  Because of the lack of checks on the URL, remote attackers can pipe
>  other commands with the sent URLs causing the client to unwillingly
>  execute arbitrary commands.  The URL parsing code has been fixed in
>  the most recent 1.0.3 version.
>
>  Users of Linux-Mandrake 7.1 and Corporate Server 1.0.1 will have to
>  manually remove the licq-data package by using "rpm -e licq-data" prior
>  to upgrading.
>
> Update:
>
>  The Licq update for Linux-Mandrake 7.2 was built against the qt2
>  libraries available in MandrakeFreq.  As such, the previously released
>  Licq packages will be made available in MandrakeFreq and users of
>  Linux-Mandrake 7.2 without MandrakeFreq or the "unsupported" updates
>  applied should use these new packages.
> ________________________________________________________________________
>
> Please verify the update prior to upgrading to ensure the integrity of
> the downloaded package.  You can do this with the command:
>   rpm --checksig package.rpm
> You can get the GPG public key of the Linux-Mandrake Security Team at
>   http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
> If you use MandrakeUpdate, the verification of md5 checksum and GPG
> signature is performed automatically for you.
>
> Linux-Mandrake 7.1:
> f2d0e9e399834b4018d306ec32c2c616  7.1/RPMS/licq-1.0.3-2.2mdk.i586.rpm
> 30bdd5a1b0402e0bf8773089cfadb4ed  7.1/RPMS/licq-autoreply-1.0.3-2.2mdk.i586.rpm
> c489c68d5ef4348ec278ea4f13285cc4  7.1/RPMS/licq-console-1.0.3-2.2mdk.i586.rpm
> 4b574c6f7e5822551a4028cbfc299de3  7.1/RPMS/licq-devel-1.0.3-2.2mdk.i586.rpm
> 47a0f6c31795c75f7edc26674c0e9891  7.1/RPMS/licq-forwarder-1.0.3-2.2mdk.i586.rpm
> 1b08d1774855a97ad2551d88625e55eb  7.1/RPMS/licq-gtk-0.50.1-3.3mdk.i586.rpm
> f5a166cdc473298ff39a9d3d5d45fbfe  7.1/RPMS/licq-rms-1.0.3-2.2mdk.i586.rpm
> 8bb8f5d7809ecd40c0365261dc5f15ae  7.1/RPMS/licq-update-hosts-1.0.3-2.2mdk.i586.rpm
> 5698c01aa71559c101c097d5c27c0b51  7.1/SRPMS/licq-1.0.3-2.2mdk.src.rpm
> e8f21170c7456b8bd2178219afa98355  7.1/SRPMS/licq-gtk-0.50.1-3.3mdk.src.rpm
>
> Linux-Mandrake 7.2:
> fe66ebd7210b2ee8a5474640e98caef7  7.2/RPMS/licq-1.0.3-2.3mdk.i586.rpm
> 34a0a105bbfea233f3af7ca041ac7344  7.2/RPMS/licq-autoreply-1.0.3-2.3mdk.i586.rpm
> 97b844e166830647df7263c904e3e22b  7.2/RPMS/licq-console-1.0.3-2.3mdk.i586.rpm
> 69599cbd57b69d962ea3d01d8f599796  7.2/RPMS/licq-devel-1.0.3-2.3mdk.i586.rpm
> 3593d53adb66ccdfe4deed0d78f5d465  7.2/RPMS/licq-forwarder-1.0.3-2.3mdk.i586.rpm
> 388637f969eefc830f5d294ebd853e46  7.2/RPMS/licq-rms-1.0.3-2.3mdk.i586.rpm
> 930744f996467b20e253ab33a401ac4b  7.2/RPMS/licq-update-hosts-1.0.3-2.3mdk.i586.rpm
> ae4fbacd9312202e451fd16d86f4cc22  7.2/SRPMS/licq-1.0.3-2.3mdk.src.rpm
>
> Corporate Server 1.0.1:
> f2d0e9e399834b4018d306ec32c2c616  1.0.1/RPMS/licq-1.0.3-2.2mdk.i586.rpm
> 30bdd5a1b0402e0bf8773089cfadb4ed  1.0.1/RPMS/licq-autoreply-1.0.3-2.2mdk.i586.rpm
> c489c68d5ef4348ec278ea4f13285cc4  1.0.1/RPMS/licq-console-1.0.3-2.2mdk.i586.rpm
> 4b574c6f7e5822551a4028cbfc299de3  1.0.1/RPMS/licq-devel-1.0.3-2.2mdk.i586.rpm
> 47a0f6c31795c75f7edc26674c0e9891  1.0.1/RPMS/licq-forwarder-1.0.3-2.2mdk.i586.rpm
> 1b08d1774855a97ad2551d88625e55eb  1.0.1/RPMS/licq-gtk-0.50.1-3.3mdk.i586.rpm
> f5a166cdc473298ff39a9d3d5d45fbfe  1.0.1/RPMS/licq-rms-1.0.3-2.2mdk.i586.rpm
> 8bb8f5d7809ecd40c0365261dc5f15ae  1.0.1/RPMS/licq-update-hosts-1.0.3-2.2mdk.i586.rpm
> 5698c01aa71559c101c097d5c27c0b51  1.0.1/SRPMS/licq-1.0.3-2.2mdk.src.rpm
> e8f21170c7456b8bd2178219afa98355  1.0.1/SRPMS/licq-gtk-0.50.1-3.3mdk.src.rpm
> ________________________________________________________________________
>
> To upgrade automatically, use MandrakeUpdate.
>
> If you want to upgrade manually, download the updated package from one
> of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".
>
> You can download the updates directly from one of the mirror sites
> listed at:
>
>   http://www.linux-mandrake.com/en/ftp.php3.
>
> Updated packages are available in the "updates/[ver]/RPMS/" directory.
> For example, if you are looking for an updated RPM package for
> Linux-Mandrake 7.2, look for it in "updates/7.2/RPMS/".  Updated source
> RPMs are available as well, but you generally do not need to download
> them.
>
> Please be aware that sometimes it takes the mirrors a few hours to
> update.
>
> You can view other security advisories for Linux-Mandrake at:
>
>   http://www.linux-mandrake.com/en/security/
>
> If you want to report vulnerabilities, please contact
>
>   sec...@li...
> ________________________________________________________________________
>
> Linux-Mandrake has two security-related mailing list services that
> anyone can subscribe to:
>
> sec...@li...
>
>   Linux-Mandrake's security announcements mailing list.  Only
>   announcements are sent to this list and it is read-only.
>
> sec...@li...
>
>   Linux-Mandrake's security discussion mailing list.  This list is open
>   to anyone to discuss Linux-Mandrake security specifically and Linux
>   security in general.
>
> To subscribe to either list, send a message to
>   sy...@li...
> with "subscribe [listname]" in the body of the message.
>
> To remove yourself from either list, send a message to
>   sy...@li...
> with "unsubscribe [listname]" in the body of the message.
>
> To get more information on either list, send a message to
>   sy...@li...
> with "info [listname]" in the body of the message.
>
> Optionally, you can use the web interface to subscribe to or unsubscribe
> from either list:
>
>   http://www.linux-mandrake.com/en/flists.php3#security
> ________________________________________________________________________
>
> Type Bits/KeyID     Date       User ID
> pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
>      <sec...@li...>
>
>
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
> L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
> WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
> P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
> hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
> PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
> 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
> iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
> LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
> ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
> PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
> /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulq5AQ0EOWnn
> 7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
> 9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
> Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
> +A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
> Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
> 3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
> RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
> lA==
> =WxWn
> - -----END PGP PUBLIC KEY BLOCK-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE6u422mqjQ0CJFipgRArTAAKCXZqDuWHhBOOSqRZI+EHmhtPN+UwCePOlv
> RPRYB9AgQYkJQ0pmGVciDnQ=
> =yack
> -----END PGP SIGNATURE-----
>
> ----- End forwarded message -----
>
> _______________________________________________
> Licq-devel mailing list
> Lic...@li...
> http://lists.sourceforge.net/lists/listinfo/licq-devel
> _____________________________________________________________________

Graham Roff                      gr...@li...
University of Waterloo           ICQ #2127503
Computer Engineering             Canada
Nolites tes bastardes carborundorum
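The advisory above describes the bug in one sentence: a URL received over the network is handed to system() without checks, so shell metacharacters in the URL become commands. The following C program is an added illustration of that pattern and of the fix, written for this page; it is not licq's source and is not taken from the Mandrake advisory. The `netscape -remote 'openURL(...)'` command template is an assumption (a common way of opening a URL in a running browser at the time), the attacker URL is constructed, and `true` stands in for a real browser so the safe path can be exercised without one. The unsafe builder only produces the string that would reach system(); it never executes it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Vulnerable pattern (reconstructed for illustration, not licq's code):
 * the received URL is pasted into a shell command line destined for
 * system().  The single quotes look protective, but a quote inside the
 * URL ends them early, after which ; | & ` $( ) and newlines are all
 * interpreted by /bin/sh.  Only the string is built here; it is never
 * passed to system().
 */
int build_shell_command_unsafe(const char *url, char *out, size_t outlen)
{
    /* "netscape -remote" is an assumed browser command of the era. */
    int n = snprintf(out, outlen, "netscape -remote 'openURL(%s)'", url);
    return n >= 0 && (size_t)n < outlen;
}

/* Would /bin/sh treat any byte of this URL specially? */
int url_has_shell_meta(const char *url)
{
    return strpbrk(url, ";|&`$(){}<>'\"\\ \t\r\n") != NULL;
}

/*
 * Allowlist check for the safe path: the scheme must be one we expect
 * to hand to a browser, and every byte must be printable ASCII with no
 * whitespace or control characters.  This alone is not the fix; the
 * fix is that the launcher below never involves a shell.
 */
int url_is_safe(const char *url)
{
    static const char *const schemes[] = { "http://", "https://", "ftp://" };
    size_t i, ok = 0;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncasecmp(url, schemes[i], strlen(schemes[i])) == 0) { ok = 1; break; }
    if (!ok) return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (*p <= ' ' || *p >= 0x7f) return 0;
    return 1;
}

/*
 * Hardened launcher: fork() and execvp() with an argument vector.  The
 * URL is one argv element delivered verbatim to the browser; there is
 * no shell to reinterpret $(...) or ';'.  Returns the child's exit
 * status, or -1 if validation, fork or wait fails.
 */
int launch_browser_safe(const char *browser, const char *url)
{
    if (!url_is_safe(url)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);             /* exec failed; never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Constructed attacker URL: closes the quote, runs id, reopens it. */
    const char *evil = "http://example.com/');id;echo '";
    char cmd[256];
    if (build_shell_command_unsafe(evil, cmd, sizeof cmd))
        printf("system() would receive: %s\n", cmd);
    printf("shell metacharacters present: %s\n", url_has_shell_meta(evil) ? "yes" : "no");
    printf("allowlist accepts it: %s\n", url_is_safe(evil) ? "yes" : "no");
    /* "true" stands in for a browser; "$(id)" reaches it as literal text. */
    const char *browser = argc > 2 ? argv[1] : "true";
    const char *url     = argc > 2 ? argv[2] : "http://example.com/?q=$(id)";
    printf("safe launch of %s: exit status %d\n", url, launch_browser_safe(browser, url));
    printf("safe launch of evil URL: %d (rejected)\n", launch_browser_safe(browser, evil));
    return 0;
}
```

Run it as `./a.out` or as `./a.out firefox 'http://example.com/'` to hand a real browser a URL through the argv path. The point of the split is that the allowlist only reduces exposure; removing the shell from the call path is what makes the class of bug go away, which is the same shape as the 1.0.3 fix the advisory refers to.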