[CLA-2003:738] Conectiva Security Announcement - pine

From: Conectiva Updates (secure_at_conectiva.com.br)
Date: 09/12/03

    Date: Fri, 12 Sep 2003 10:22:43 -0300
    To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
    
    


    - --------------------------------------------------------------------------
    CONECTIVA LINUX SECURITY ANNOUNCEMENT
    - --------------------------------------------------------------------------

    PACKAGE : pine
    SUMMARY : Remote vulnerabilities
    DATE : 2003-09-12 10:15:00
    ID : CLA-2003:738
    RELEVANT
    RELEASES : 7.0, 8, 9

    - -------------------------------------------------------------------------

    DESCRIPTION
     Pine is a text-based mail and news client developed by the Washington
     University[1].
     
     This update fixes two remote vulnerabilities in pine found by
     zen-parse[2]. Both can be exploited by a remote attacker who sends a
     specially crafted message; when the user opens that message, arbitrary
     code can be executed. The vulnerabilities are:
     
     1. Buffer overflow in the parsing of the message/external-body type
     attribute name/value pairs.
     
     2. Integer overflow in the rfc2231_get_param() function, which is
     used to parse e-mail headers.
     
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has
     assigned the names CAN-2003-0720[3] and CAN-2003-0721[4] to these
     issues, respectively.
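     The second issue concerns length arithmetic while reassembling RFC 2231 parameters (filename*0, filename*1, ...). The following is an added example, not pine's rfc2231_get_param() or any Conectiva code: it shows the wrap-around and size-cap checks a header parser should apply before allocating and copying; `struct seg`, `checked_total_len` and `join_segments` are names chosen for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One segment of an RFC 2231 continuation parameter, as a header parser
 * would hand it over: pointer into the header plus its length.
 * Hypothetical type for this example. */
struct seg { const char *ptr; size_t len; };

/* Sum the segment lengths with wrap-around detection. Returns 1 and stores
 * the bytes needed (total plus one for the NUL) in *out, or 0 if the sum
 * would wrap or exceed max_len. An unchecked version of this sum is exactly
 * where an integer overflow turns into an undersized buffer. */
int checked_total_len(const struct seg *segs, size_t n, size_t max_len,
                      size_t *out)
{
    size_t total = 0;
    if (max_len > SIZE_MAX - 1)        /* keep room for the NUL below */
        max_len = SIZE_MAX - 1;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].len > SIZE_MAX - total)  /* total + len would wrap */
            return 0;
        total += segs[i].len;
        if (total > max_len)                 /* policy cap, each step */
            return 0;
    }
    *out = total + 1;  /* cannot wrap: total <= max_len <= SIZE_MAX - 1 */
    return 1;
}

/* Reassemble the segments into one NUL-terminated malloc'd string, or
 * return NULL when the length check fails. Caller frees the result. */
char *join_segments(const struct seg *segs, size_t n, size_t max_len)
{
    size_t need;
    if (!checked_total_len(segs, n, max_len, &need))
        return NULL;
    char *out = malloc(need);
    if (!out)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        memcpy(p, segs[i].ptr, segs[i].len);  /* bounded by the checked sum */
        p += segs[i].len;
    }
    *p = '\0';
    return out;
}
```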

    SOLUTION
     All pine users should upgrade.
     
     
     REFERENCES:
     1. http://www.washington.edu/pine/
     2. http://www.idefense.com/advisory/09.10.03.txt
     3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0720
     4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0721

    UPDATED PACKAGES
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/pine-4.50L-1U70_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/pine-4.50L-1U70_2cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/pine-4.50L-1U80_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/SRPMS/pine-4.50L-1U80_2cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/pine-4.53L-22751U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/SRPMS/pine-4.53L-22751U90_1cl.src.rpm

    ADDITIONAL INSTRUCTIONS
     The apt tool can be used to upgrade the RPM packages:

     - run: apt-get update
     - after that, execute: apt-get upgrade

     Detailed instructions regarding the use of apt and upgrade examples
     can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

    - -------------------------------------------------------------------------
    All packages are signed with Conectiva's GPG key. The key and instructions
    on how to import it can be found at
    http://distro.conectiva.com.br/seguranca/chave/?idioma=en
    Instructions on how to check the signatures of the RPM packages can be
    found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

    - -------------------------------------------------------------------------
    All our advisories and generic update instructions can be viewed at
    http://distro.conectiva.com.br/atualizacoes/?idioma=en

    - -------------------------------------------------------------------------
    Copyright (c) 2003 Conectiva Inc.
    http://www.conectiva.com

    - -------------------------------------------------------------------------
    subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
    unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

