Debian Security Advisory DSA 865-1 - Javier Fernandez-Sanguino Pena discovered that several scripts of the hylafax suite, a flexible client/server fax software, create temporary files and directories in an insecure fashion, leaving them vulnerable to symlink exploits.
665f9ba8756a18f91394c5b16dc16e066c6794141834ccdf4197e43263d83525
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 865-1 security@debian.org
https://www.debian.org/security/ Martin Schulze
October 13th, 2005 https://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : hylafax
Vulnerability : insecure temporary files
Problem type : local
Debian-specific: no
CVE ID : CAN-2005-3069
CERT advisory :
BugTraq ID :
Debian Bug :
Javier Fernández-Sanguino Peña discovered that several scripts of the
hylafax suite, a flexible client/server fax software, create temporary
files and directories in an insecure fashion, leaving them vulnerable
to symlink exploits.
For the old stable distribution (woody) this problem has been fixed in
version 4.1.1-3.2.
For the stable distribution (sarge) this problem has been fixed in
version 4.2.1-5sarge1.
For the unstable distribution (sid) this problem has been fixed in
version 4.2.2-1.
We recommend that you upgrade your hylafax packages.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-3.2.dsc
Size/MD5 checksum: 739 a26715f7b967614e4aa3afb4657fb20e
https://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-3.2.diff.gz
Size/MD5 checksum: 116099 ad9d74b7d995655df44c6a257cfb8e1f
https://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1.orig.tar.gz
Size/MD5 checksum: 1287689 1ed081750be70a800708699b7568e17e
Architecture independent components:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.1.1-3.2_all.deb
Size/MD5 checksum: 318302 49ee14fc07e1ca12ea191ec01209831f
Alpha architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_alpha.deb
Size/MD5 checksum: 556336 2ca7177d8d4e45ad08052612d31e3286
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_alpha.deb
Size/MD5 checksum: 1362414 98b7c46d94841981577a46965982daf3
ARM architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_arm.deb
Size/MD5 checksum: 445654 7fd22812bb3e50f5915a3d5ca56c3412
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_arm.deb
Size/MD5 checksum: 1095664 3b56df8d25e56adbf657f35f6add331d
Intel IA-32 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_i386.deb
Size/MD5 checksum: 462410 1b6ef2d2bc9a013abc3ca5c88d9517ef
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_i386.deb
Size/MD5 checksum: 1132566 fe019575d929c90497da4da532dd0e14
Intel IA-64 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_ia64.deb
Size/MD5 checksum: 615710 80614f594990528f32d72f29a25059aa
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_ia64.deb
Size/MD5 checksum: 1491748 1fefde2f9ef1e1f29f2f3e538746e826
HP Precision architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_hppa.deb
Size/MD5 checksum: 501634 a6d82e052b47ec50dcb2074b97bc9118
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_hppa.deb
Size/MD5 checksum: 1231286 21b6141ceb425b35dca9ba8350cea477
Motorola 680x0 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_m68k.deb
Size/MD5 checksum: 451276 e7bcefc8e040c5dd61993cce93f8463f
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_m68k.deb
Size/MD5 checksum: 1099994 35967ff6911e340a8ad03677e314bdb6
PowerPC architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_powerpc.deb
Size/MD5 checksum: 450830 a81c00ffe35a3596f2a1cba944e25369
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_powerpc.deb
Size/MD5 checksum: 1104318 49a486d5ad824024d1aee622f38bca9b
IBM S/390 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_s390.deb
Size/MD5 checksum: 441260 40081bae3595b7b5d409129f2658ce6c
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_s390.deb
Size/MD5 checksum: 1086846 a5db5a237b9af20c976adc66ae5186d0
Sun Sparc architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_sparc.deb
Size/MD5 checksum: 433626 5ff8d52490ad2d2a9f77c0371662f757
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_sparc.deb
Size/MD5 checksum: 1082548 78c8ee6392656ad57d66dc03e9619451
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.2.1-5sarge1.dsc
Size/MD5 checksum: 746 b6ffe5782b520108a41be7da0e65f212
https://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.2.1-5sarge1.diff.gz
Size/MD5 checksum: 51332 486108ce920ac6adfed78ea503a429d5
https://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.2.1.orig.tar.gz
Size/MD5 checksum: 1412035 05430e41a279d0fff6d6e4b444440829
Architecture independent components:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.2.1-5sarge1_all.deb
Size/MD5 checksum: 372500 f5f4b31a5efcfe1c906ee102d03d306c
Alpha architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_alpha.deb
Size/MD5 checksum: 373904 a8b07000fe5e9fe40c8729411c8c8bdd
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_alpha.deb
Size/MD5 checksum: 863548 5ea99f1e2b7770a1f9467081ba076484
AMD64 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_amd64.deb
Size/MD5 checksum: 350818 0bcd173184e7fa51589b2f54ccfb15c5
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_amd64.deb
Size/MD5 checksum: 801080 9f72610133beab92ca221215e0263b68
ARM architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_arm.deb
Size/MD5 checksum: 342470 117f8e70e33830ca07f04babd116927d
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_arm.deb
Size/MD5 checksum: 808824 74f5d116878343c02269a2577e06d945
Intel IA-32 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_i386.deb
Size/MD5 checksum: 348094 c81c1b6d04a35e3a6d317449b8ec2801
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_i386.deb
Size/MD5 checksum: 805734 4fcc081ed2e9b0865025cfe2e719d203
Intel IA-64 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_ia64.deb
Size/MD5 checksum: 402470 6ad9857e7c46d2c51479271a20bb78c7
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_ia64.deb
Size/MD5 checksum: 924518 b98f0ff9f1bae59d39956d5f3fef96bc
HP Precision architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_hppa.deb
Size/MD5 checksum: 402304 6f5944f958c4a4fb1297391387547006
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_hppa.deb
Size/MD5 checksum: 911470 a9b443693d95bc152977114b054ebec4
Motorola 680x0 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_m68k.deb
Size/MD5 checksum: 345324 d0dd8395c48a88e9d080e26fe7beb333
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_m68k.deb
Size/MD5 checksum: 784366 bd761bc6035a6ba2a52e072476d36d47
Big endian MIPS architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_mips.deb
Size/MD5 checksum: 352702 7227bc9a47689297868b622a0f1328b2
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_mips.deb
Size/MD5 checksum: 836084 e7a9cf31efe92f03cf8be2f34e6ae4d3
Little endian MIPS architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_mipsel.deb
Size/MD5 checksum: 350218 faf1361beefc28c5b3f7feab9703c2a9
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_mipsel.deb
Size/MD5 checksum: 831058 44c131e3f464cfd9b6e05ce2cb93658d
PowerPC architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_powerpc.deb
Size/MD5 checksum: 356594 f25e009fcdbd2cf4e867293f894dab7d
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_powerpc.deb
Size/MD5 checksum: 819646 3330a4499a03d26f8baf0ad71307a23d
IBM S/390 architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_s390.deb
Size/MD5 checksum: 339420 fb65b63a8de4e4725730b973e4e3ea27
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_s390.deb
Size/MD5 checksum: 767898 2e7a83d6bd2c026b1b2af53797e63a21
Sun Sparc architecture:
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge1_sparc.deb
Size/MD5 checksum: 328882 502e63cbc6728737c66b39686ff2f1c5
https://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge1_sparc.deb
Size/MD5 checksum: 759848 2ba892225d8368372a475ecc12acc942
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb https://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and https://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDTiyqW5ql+IAeqTIRAjSZAKCwUulVlutYGgX6RvH7h7BdbxFULACgsBK7
VgLQWgoeKnybwSzkX3/7zD0=
=Jkvm
-----END PGP SIGNATURE-----