So if I understand correctly, it is telling me that CUPS is not secure in the old version, but for the new one (woody) it is fine; is that correct?
What version does woody ship?
bye, cartolina
-----Original Message-----
From: cialtroni-admin@circolab.net [mailto:cialtroni-admin@circolab.net] On behalf of marco ghidinelli
Sent: Monday, 20 January 2003 17:23
To: lug brescia; cialtroni
Subject: [Cialtroni] [joey@infodrom.org: [SECURITY] [DSA 232-1] New CUPS packages fix several vulnerabilities]
----- Forwarded message from Martin Schulze joey@infodrom.org -----
From: joey@infodrom.org (Martin Schulze)
Date: Mon, 20 Jan 2003 16:48:35 +0100 (CET)
To: debian-security-announce@lists.debian.org (Debian Security Announcements)
Subject: [SECURITY] [DSA 232-1] New CUPS packages fix several vulnerabilities
X-Mailing-List: debian-security-announce@lists.debian.org

--------------------------------------------------------------------------
Debian Security Advisory DSA 232-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 20th, 2003                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : several
Problem-type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383 CAN-2002-1384
Multiple vulnerabilities were discovered in the Common Unix Printing System (CUPS). Several of these issues represent the potential for a remote compromise or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
. CAN-2002-1383: Multiple integer overflows allow a remote attacker to execute arbitrary code via the CUPSd HTTP interface and the image handling code in CUPS filters.
. CAN-2002-1366: Race conditions in connection with /etc/cups/certs/ allow local users with lp privileges to create or overwrite arbitrary files. This is not present in the potato version.
. CAN-2002-1367: This vulnerability allows a remote attacker to add printers without authentication via a certain UDP packet, which can then be used to perform unauthorized activities such as stealing the local root certificate for the administration server via a "need authorization" page.
. CAN-2002-1368: Negative lengths fed into memcpy() can cause a denial of service and possibly execute arbitrary code.
. CAN-2002-1369: An unsafe strncat() function call processing the options string allows a remote attacker to execute arbitrary code via a buffer overflow.
. CAN-2002-1371: Zero-width images allow a remote attacker to execute arbitrary code via modified chunk headers.
. CAN-2002-1372: CUPS does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service.
. CAN-2002-1384: The cupsys package contains some code from the xpdf package, used to convert PDF files for printing, which contains an exploitable integer overflow bug. This is not present in the potato version.
Even though we tried very hard to fix all problems in the packages for potato as well, the packages may still contain other security related problems. Hence, we advise users of potato systems using CUPS to upgrade to woody soon.
For the current stable distribution (woody), these problems have been fixed in version 1.1.14-4.3.
For the old stable distribution (potato), these problems have been fixed in version 1.0.4-12.1.
For the unstable distribution (sid), these problems have been fixed in version 1.1.18-1.
We recommend that you upgrade your CUPS packages immediately.
[ ... debian upgrade instructions trimmed ... ]

_______________________________________________
Cialtroni mailing list
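The native-code bug classes the advisory lists (a negative length reaching memcpy(), an unchecked strncat() on the options string, and integer overflow or zero-width dimensions in the image code), shown as the checks a fixed decoder performs on each input. This is an added example, not code from CUPS or from the Debian packages; the function names read_chunk, append_option and image_bytes, and the request and image-header layouts they assume, are constructed for the illustration.

```c
/* Constructed illustration of three of the native-code bug classes named in
 * DSA 232-1, each shown as the hardened check a fixed decoder would perform.
 * This is not CUPS code: the function names and the request/image layout are
 * assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CAN-2002-1368 pattern: a length field arrives from the network as a signed
 * integer and is passed straight to memcpy(), which takes size_t.  A value
 * of -1 becomes SIZE_MAX and the copy runs off both buffers.  read_chunk()
 * rejects negative lengths and lengths that exceed either buffer, and only
 * then copies.  Returns the byte count copied, or -1 on rejection. */
long read_chunk(const unsigned char *in, size_t in_len, long declared_len,
                unsigned char *out, size_t out_cap)
{
    if (declared_len < 0)               /* the missing sign check */
        return -1;
    size_t n = (size_t)declared_len;
    if (n > in_len || n > out_cap)      /* must fit the source and the target */
        return -1;
    memcpy(out, in, n);
    return (long)n;
}

/* CAN-2002-1369 pattern: strncat(dst, opt, sizeof dst) limits the bytes
 * read from opt, not the bytes written to dst, so once dst is partly full
 * the append overflows it.  append_option() derives the remaining room from
 * the destination's capacity and current length.  Returns 0 on success, -1
 * if the option does not fit (dst is left unchanged). */
int append_option(char *dst, size_t dst_cap, const char *opt)
{
    const char *end = memchr(dst, '\0', dst_cap);
    if (end == NULL)                    /* dst is not even terminated */
        return -1;
    size_t used = (size_t)(end - dst);
    size_t opt_len = strlen(opt);
    size_t need = opt_len + (used ? 1 : 0);   /* separator if not first */
    if (need > dst_cap - used - 1)      /* keep room for the terminator */
        return -1;
    if (used)
        dst[used++] = ' ';
    memcpy(dst + used, opt, opt_len + 1);
    return 0;
}

/* CAN-2002-1383 / CAN-2002-1371 pattern: width * height * bytes-per-pixel
 * from a crafted image header wraps, the buffer is allocated at the wrapped
 * (tiny) size, and the decoder then writes the full image into it; a zero
 * width likewise yields a zero-byte buffer that is later written to.
 * image_bytes() returns 0 for zero or overflowing dimensions so the caller
 * can refuse the image instead of allocating. */
size_t image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (width > SIZE_MAX / height)
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bpp)
        return 0;
    return pixels * bpp;
}

/* Exercises the three checks on constructed inputs; returns 0 if every
 * malicious input is rejected and every benign one is accepted. */
int self_check(void)
{
    const unsigned char wire[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed */
    unsigned char out[8] = {0};
    char opts[32] = "media=a4";                               /* constructed */

    if (read_chunk(wire, sizeof wire, -1, out, sizeof out) != -1) return 1;
    if (read_chunk(wire, sizeof wire, 16, out, sizeof out) != -1) return 2;
    if (read_chunk(wire, sizeof wire, 4, out, sizeof out) != 4 || out[3] != 4)
        return 3;

    if (append_option(opts, sizeof opts, "sides=one-sided") != 0) return 4;
    if (strcmp(opts, "media=a4 sides=one-sided") != 0) return 5;
    if (append_option(opts, sizeof opts, "job-name=far-too-long-to-fit") != -1)
        return 6;
    if (strcmp(opts, "media=a4 sides=one-sided") != 0) return 7;

    if (image_bytes(640, 480, 3) != (size_t)640 * 480 * 3) return 8;
    if (image_bytes(0, 480, 3) != 0) return 9;
    if (image_bytes(UINT32_MAX, UINT32_MAX, 4) != 0) return 10;
    return 0;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The three checks share one shape: the size that decides a copy or allocation is validated against the real capacity before it is used, and a rejected input returns an error instead of being clamped, so a caller sees the hostile request rather than a silently truncated one.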