From secure@conectiva.com.br Tue May 25 16:57:04 2004 From: Conectiva Updates To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org Date: Tue, 25 May 2004 16:35:07 -0300 Subject: [CLA-2004:841] Conectiva Security Announcement - libneon -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : libneon SUMMARY : Fix for a buffer overflow vulnerability DATE : 2004-05-25 16:34:00 ID : CLA-2004:841 RELEVANT RELEASES : 9 - ------------------------------------------------------------------------- DESCRIPTION "libneon"[1] is a library used by some WebDAV clients. Stefan Esser from e-matters security published[2] an advisory about a vulnerability[3] in the libneon library which could be abused by remote WebDAV servers to execute arbitrary code on the client accessing these servers. SOLUTION It is recommended that all libneon users upgrade their packages. REFERENCES 1. http://www.webdav.org/neon/ 2. http://security.e-matters.de/advisories/062004.html 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/9/SRPMS/libneon-0.23.5-21884U90_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/libneon-devel-0.23.5-21884U90_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/libneon-devel-static-0.23.5-21884U90_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/libneon-doc-0.23.5-21884U90_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/libneon23-0.23.5-21884U90_2cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2004 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFAs5/q42jd0JmAcZARAggDAKC6q6njVMtyemabLo7eU30X0Z3yuACeLwd7 uusrqDWWIEzxBInNUdUpII0= =sP64 -----END PGP SIGNATURE-----