Debian alert: slrn command invocation

Posted by dave on Sep 23, 2001 3:52 PM EDT
Mailing list
Mail this story
Print this story

Byrial Jensen found a nasty problem in slrn (a threaded news reader). The notice on slrn-announce describes it as follows:

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-078-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
September 24, 2001
- ------------------------------------------------------------------------


Package        : slrn
Problem type   : remote command invocation
Debian-specific: no

Byrial Jensen found a nasty problem in slrn (a threaded news reader).
The notice on slrn-announce describes it as follows:

    When trying to decode binaries, the built-in code executes any shell
    scripts the article might contain, apparently assuming they would be
    some kind of self-extracting archive.

This problem has been fixed in version 0.9.6.2-9potato2 by removing
this feature. 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:
    http://security.debian.org/dists/stable/updates/main/source/slrn_0.9.6.2-9potato2.diff.gz
      MD5 checksum: aba6be7efd5c693d9f5466afedcb08e2
    http://security.debian.org/dists/stable/updates/main/source/slrn_0.9.6.2-9potato2.dsc
      MD5 checksum: 51a80c1465a7fcc4d74151c4bd4470d1
    http://security.debian.org/dists/stable/updates/main/source/slrn_0.9.6.2.orig.tar.gz
      MD5 checksum: 7ce442af03aeafb88a636183955c270e

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/slrn_0.9.6.2-9potato2_alpha.deb
      MD5 checksum: 735e5ce15e7f87ac06a8cdecb1451a9f
    http://security.debian.org/dists/stable/updates/main/binary-alpha/slrnpull_0.9.6.2-9potato2_alpha.deb
      MD5 checksum: 8b22f916ee5044ae6eaebbd658cffcad

  ARM architecture:
    http://security.debian.org/dists/stable/updates/main/binary-arm/slrn_0.9.6.2-9potato2_arm.deb
      MD5 checksum: 0cefa901be37e4b92796afb425369a10
    http://security.debian.org/dists/stable/updates/main/binary-arm/slrnpull_0.9.6.2-9potato2_arm.deb
      MD5 checksum: e68e5882a1d4feec1ba7fc9a737085d3

  Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/slrn_0.9.6.2-9potato2_i386.deb
      MD5 checksum: fc35e0d868dad315728c5274ee03a41c
    http://security.debian.org/dists/stable/updates/main/binary-i386/slrnpull_0.9.6.2-9potato2_i386.deb
      MD5 checksum: c3693811c8f794dc0b5bab3f581df0e8

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/slrn_0.9.6.2-9potato2_m68k.deb
      MD5 checksum: 004a260f84dc2e45ea144b1899947327
    http://security.debian.org/dists/stable/updates/main/binary-m68k/slrnpull_0.9.6.2-9potato2_m68k.deb
      MD5 checksum: 2721c2b2470b7781dd79e5c0e216cf3f

  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/slrn_0.9.6.2-9potato2_powerpc.deb
      MD5 checksum: 9bc55c33a225662952854136da4865aa
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/slrnpull_0.9.6.2-9potato2_powerpc.deb
      MD5 checksum: d78f8f3460d4abba54a088e5a07179c5

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/slrn_0.9.6.2-9potato2_sparc.deb
      MD5 checksum: 37c48f0b104b94d5f74c7b9f76a0485d
    http://security.debian.org/dists/stable/updates/main/binary-sparc/slrnpull_0.9.6.2-9potato2_sparc.deb
      MD5 checksum: df2be8b02b16d7a85142365b42a64956

  These packages will be moved into the stable distribution on its next
  revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBO651y6jZR/ntlUftAQFIqgL+LK0ddJWd5I9O7VCIB2tanrYdRHjj0D5j
K+6+n5L4CG43osBE6GXhiwpfORgp1kAumbr5GbZrQFGDPl9GQimKEZmqPyKqVYy3
jsy8mdMDwaHN6qvamNvXbz+NboRqKZXl
=PShj
-----END PGP SIGNATURE-----


  Nav
» Read more about: Story Type: Security; Groups: Debian

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.