[SECURITY] [DSA 1836-1] New fckeditor packages fix arbitrary code execution

Type securityvulns
Reporter Securityvulns
Modified 2009-07-18T00:00:00



Debian Security Advisory DSA-1836-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff July 16, 2009 http://www.debian.org/security/faq

Package : fckeditor Vulnerability : missing input sanitising Problem type : remote Debian-specific: no CVE Id(s) : CVE-2009-2265

Vinny Guido discovered that multiple input sanitising vulnerabilities in Fckeditor, a rich text web editor component, may lead to the execution of arbitrary code.

The old stable distribution (etch) doesn't contain fckeditor.

For the stable distribution (lenny), this problem has been fixed in version 1:2.6.2-1lenny1.

For the unstable distribution (sid), this problem has been fixed in version 1:

We recommend that you upgrade your fckeditor package.

Upgrade instructions

wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/f/fckeditor/fckeditor_2.6.2.orig.tar.gz Size/MD5 checksum: 934845 8b58da54703e47622e07b8fdc9f5f93d http://security.debian.org/pool/updates/main/f/fckeditor/fckeditor_2.6.2-1lenny1.diff.gz Size/MD5 checksum: 25408 2e10c633f28bdffa1afda0918783ac9e http://security.debian.org/pool/updates/main/f/fckeditor/fckeditor_2.6.2-1lenny1.dsc Size/MD5 checksum: 1028 489da6d230d86e6347c2f5839ffd0af3

Architecture independent packages:

http://security.debian.org/pool/updates/main/f/fckeditor/fckeditor_2.6.2-1lenny1_all.deb Size/MD5 checksum: 945672 5a0d59f390945ab2df02c43be8e81a5c

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpfaV4ACgkQXm3vHE4uyloLvwCgkzaouu6V8TbisSreuf6VCuWF 6pUAoNEqmfVDU0LffLY8hdh7NIHGzYvK =WDKk -----END PGP SIGNATURE-----