Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] [SECURITY] [DSA 1324-1] New hiki packages fix missing

from [Steve Kemp] Network Security [Permanent Link]
Subject: [Full-disclosure] [SECURITY] [DSA 1324-1] New hiki packages fix missing input sanitising
Date: Thu, 28 Jun 2007 22:04:32 +0100 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ------------------------------------------------------------------------
Debian Security Advisory DSA-1324                    security@debian.org
http://www.debian.org/security/                               Steve Kemp
June 28, 2007
- ------------------------------------------------------------------------

Package        : hiki
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-2836
Debian Bug     : 430691


Kazuhiro Nishiyama found a vulnerability in hiki, a Wiki engine written
in Ruby, which could allow a remote attacker to delete arbitary files
which are writable to the Hiki user, via a specially crafted session
parameter.

For the stable distribution (etch), this problem has been fixed in version
0.8.6-1etch1.

For the unstable distribution (sid) this problem has been fixed in version
0.8.7-1.

We recommend that you upgrade your hiki (0.8.6-1etch1) package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/h/hiki/hiki_0.8.6-1etch1.diff.gz
    Size/MD5 checksum:     5418 b57f6debe38f903c7615d738f5030060
  http://security.debian.org/pool/updates/main/h/hiki/hiki_0.8.6-1etch1.dsc
    Size/MD5 checksum:      571 22358a8449ae12c19fe6a80f8607a82f
  http://security.debian.org/pool/updates/main/h/hiki/hiki_0.8.6.orig.tar.gz
    Size/MD5 checksum:   244885 990212929cabf29e72df10a5b76ff27d

Architecture independent packages:

  http://security.debian.org/pool/updates/main/h/hiki/hiki_0.8.6-1etch1_all.deb
    Size/MD5 checksum:   228092 fdbc68fca2b4939ceace21f282b0c2fb


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGhCIiwM/Gs81MDZ0RAqHyAKCux4dbxMkR5+uTsXopaovpCdvMdgCgkeCY
Jm5WtleaZ53cBKoLOSXSyb0=
=4Ool
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] [SECURITY] [DSA 1324-1] New hiki packages fix missing input sanitising, Steve Kemp <=
Previous by Date:  [Full-disclosure] [SECURITY] [DSA 1323-1] New krb5 packages fix several vulnerabilities, Moritz Muehlenhoff
Next by Date:  [Full-disclosure] Google Re-authentication Bypass with SID and LSID cookies, Susam Pal
Previous by Thread:  [Full-disclosure] [SECURITY] [DSA 1323-1] New krb5 packages fix several vulnerabilities, Moritz Muehlenhoff
Next by Thread:  [Full-disclosure] Google Re-authentication Bypass with SID and LSID cookies, Susam Pal
Indexes:  [Date] [Thread] [Top] [All Lists]