MDKSA-2005:210 - Updated w3c-libwww packages fixes DoS vulnerability.

From: Mandriva Security Team (security_at_mandriva.com)
Date: 11/10/05

    To: bugtraq@securityfocus.com
    Date: Wed, 09 Nov 2005 18:49:00 -0700
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________
     
     Mandriva Linux Security Advisory MDKSA-2005:210
     http://www.mandriva.com/security/
     _______________________________________________________________________
     
     Package : w3c-libwww
     Date : November 9, 2005
     Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
     _______________________________________________________________________
     
     Problem Description:
     
     Sam Varshavchik discovered the HTBoundary_put_block function
     in HTBound.c for W3C libwww (w3c-libwww) allows remote servers
     to cause a denial of service (segmentation fault) via a crafted
     multipart/byteranges MIME message that triggers an out-of-bounds
     read.
     
     The updated packages have been patched to address this issue.
     _______________________________________________________________________

     References:
     
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3183
     _______________________________________________________________________
     
     Updated Packages:
     
     _______________________________________________________________________

     To upgrade automatically use MandrivaUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandriva for security. You can obtain the
     GPG public key of the Mandriva Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandriva Linux at:

      http://www.mandriva.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_(at)_mandriva.com
     _______________________________________________________________________

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFDcnlMmqjQ0CJFipgRAjGwAJ40Z6rAFU0GwRsqzj7lgZX6B531gwCeItNf
    f2A0d4XLb7CxvwcEU2x/BVs=
    =81Jq
    -----END PGP SIGNATURE-----
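
The advisory names the bug class (an out-of-bounds read while handling a multipart boundary in a block-oriented stream function) but does not show the faulty logic. The sketch below is an added example, not libwww code and not the Mandriva patch: it shows a length-bounded delimiter search of the kind that prevents this class of read. The names `find_delimiter` and `partial_tail` and the boundary `XYZ` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Offset of the delimiter "--<boundary>" inside buf[0..len), or -1.
 * buf is one network block: it is NOT NUL-terminated, so every read
 * is bounded by len rather than by a string terminator. */
static long find_delimiter(const char *buf, size_t len, const char *boundary)
{
    size_t blen = strlen(boundary), need = 2 + blen;
    for (size_t i = 0; i + need <= len; i++) {
        if (buf[i] == '-' && buf[i + 1] == '-' &&
            memcmp(buf + i + 2, boundary, blen) == 0)
            return (long)i;
    }
    return -1;
}

/* Length of the longest suffix of the block that is a proper prefix of
 * "--<boundary>". The caller holds these bytes back and prepends them
 * to the next block, so a delimiter split across two blocks is matched
 * without peeking past the end of the current one. */
static size_t partial_tail(const char *buf, size_t len, const char *boundary)
{
    size_t blen = strlen(boundary), need = 2 + blen;
    size_t max = len < need - 1 ? len : need - 1;
    for (size_t k = max; k > 0; k--) {
        const char *tail = buf + len - k;
        size_t dashes = k < 2 ? k : 2;
        if (memcmp(tail, "--", dashes) == 0 &&
            memcmp(tail + dashes, boundary, k - dashes) == 0)
            return k;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a body block cut off in the middle of a delimiter. */
    const char block[] = { 'd','a','t','a','\r','\n','-','-','X','Y' };
    printf("delimiter at %ld, held back %zu bytes\n",
           find_delimiter(block, sizeof block, "XYZ"),
           partial_tail(block, sizeof block, "XYZ"));
    return 0;
}
```

A parser that compares the full delimiter at every offset without the `i + need <= len` guard reads past the block whenever the data ends inside a partial delimiter, which is the edge case the constructed sample exercises.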

