Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DSA-1674-1:893E9
HistoryNov 30, 2008 - 8:33 a.m.

[SECURITY] [DSA 1674-1] New jailer packages fix denial of service

2008-11-3008:33:38
lists.debian.org
12

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

JSON

Debian Security Advisory DSA-1674-1 [email protected]
http://www.debian.org/security/ Moritz Muehlenhoff
November 30, 2008 http://www.debian.org/security/faq

Package : jailer
Vulnerability : insecure temp file generation
Debian-specific: no
CVE Id(s) : CVE-2008-5139
Debian Bug : 410548

Javier Fernandez-Sanguino Pena discovered that updatejail, a component
of the chroot maintenance tool Jailer, creates a predictable temporary
file name, which may lead to local denial of service through a symlink
attack.

For the stable distribution (etch), this problem has been fixed in
version 0.4-9+etch1.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), this problem has been fixed in version 0.4-10.

We recommend that you upgrade your jailer package.

Upgrade instructions

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/j/jailer/jailer_0.4-9+etch1.diff.gz
Size/MD5 checksum: 27372 403ad34e153f4dbc14621b2bca464487
http://security.debian.org/pool/updates/main/j/jailer/jailer_0.4.orig.tar.gz
Size/MD5 checksum: 27920 a6bead6286022c54e73bfe1f51e5e5f3
http://security.debian.org/pool/updates/main/j/jailer/jailer_0.4-9+etch1.dsc
Size/MD5 checksum: 599 2a59c032c5da19b3443c0bd5c573a6e6

Architecture independent packages:

http://security.debian.org/pool/updates/main/j/jailer/jailer_0.4-9+etch1_all.deb
Size/MD5 checksum: 11688 8e042e660665df9b8657399ec3845cc8

These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/&lt;pkg&gt;

OSVersionArchitecturePackageVersionFilename
Debian4alljailer< 0.4-9+etch1jailer_0.4-9+etch1_all.deb

Related

ubuntucve 1
cve 1
securityvulns 2
nessus 1
openvas 2
prion 1
cvelist 1
ubuntucve
ubuntucve
CVE-2008-5139
2008-11-18 00:00:00
cve
cve
CVE-2008-5139
2008-11-18 16:00:00
securityvulns
securityvulns
jailer symbolic links vulnerability
2008-12-01 00:00:00
[SECURITY] [DSA 1674-1] New jailer packages fix denial of service
2008-12-01 00:00:00
nessus
nessus
Debian DSA-1674-1 : jailer - insecure temp file generation
2008-12-01 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-1674-1)
2008-12-03 00:00:00
Debian Security Advisory DSA 1674-1 (jailer)
2008-12-03 00:00:00
prion
prion
Arbitrary file deletion
2008-11-18 16:00:00
cvelist
cvelist
CVE-2008-5139
2008-11-18 15:00:00

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

JSON
Related for DEBIAN:DSA-1674-1:893E9
ubuntucve1cve1securityvulns2nessus1openvas2prion1cvelist1