Sistemas Afectados

1. Descripción

   Debian liberó actualizaciones para varios paquetes. Estas reparán varias vulnerabilidades y cubre todas las actualizaciones de seguridad desde el lanzamiento de la distribución estable de sarge para amd64.

2. Impacto

   Exposición de información sensible.

   Escalación de privilegios.

   Negación de Servicio (DoS).

   Acceso al sistema.

3. Solución

   Aplicar las actualizaciones correspondientes:

   DSA 762: Varias Vulnerabilidades

   affix_2.1.1-2_amd64.deb
   libaffix-dev_2.1.1-2_amd64.deb
   libaffix2_2.1.1-2_amd64.deb

   DSA 754: Archivo temporal inseguro

   centericq_4.20.0-1sarge1_amd64.deb
   centericq-common_4.20.0-1sarge1_amd64.deb
   centericq-fribidi_4.20.0-1sarge1_amd64.deb
   centericq-utf8_4.20.0-1sarge1_amd64.deb

   DSA 737: Negación de servicio remota

   clamav_0.84-2.sarge.1_amd64.deb
   clamav-daemon_0.84-2.sarge.1_amd64.deb
   clamav-freshclam_0.84-2.sarge.1_amd64.deb
   clamav-milter_0.84-2.sarge.1_amd64.deb
   libclamav-dev_0.84-2.sarge.1_amd64.deb
   libclamav1_0.84-2.sarge.1_amd64.deb

   DSA 733: Archivos temporales inseguros

   crip_3.5-1sarge2_amd64.deb

   DSA 742: Buffer Overflow

   cvs_1.11.1p1debian-11_amd64.deb

   DSA 750: Acceso de memoria fuera de los limites.

   dhcpcd_1.3.22pl4-21sarge1_amd64.deb

   DSA 760, DSA 767: Varias vulnerabilidades.

   ekg_1.5+20050411-5_amd64.deb
   libgadu-dev_1.5+20050411-5_amd64.deb
   libgadu3_1.5+20050411-5_amd64.deb

   DSA 749: Error de formato de cadena

   ettercap_0.7.1-1sarge1_amd64.deb
   ettercap-common_0.7.1-1sarge1_amd64.deb
   ettercap-gtk_0.7.1-1sarge1_amd64.deb

   DSA 744: Error de programación

   fuse-utils_2.2.1-4sarge2_amd64.deb
   libfuse-dev_2.2.1-4sarge2_amd64.deb
   libfuse2_2.2.1-4sarge2_amd64.deb

   DSA 734, DSA 769: Negación de servicio, error de alineación de memoria

   gaim_1.2.1-1.4_amd64.deb
   gaim-dev_1.2.1-1.4_amd64.deb

   DSA 753: Formato de Cadena

   gedit_2.8.3-4sarge1_amd64.deb

   DSA 770: Creación insegura de un archivo temporal.

   gopher_3.0.7sarge1_amd64.deb

   DSA 761: Archivos temporales inseguros

   heartbeat_1.2.3-9sarge2_amd64.deb
   heartbeat-dev_1.2.3-9sarge2_amd64.deb
   libpils-dev_1.2.3-9sarge2_amd64.deb
   libpils0_1.2.3-9sarge2_amd64.deb
   libstonith-dev_1.2.3-9sarge2_amd64.deb
   libstonith0_1.2.3-9sarge2_amd64.deb
   stonith_1.2.3-9sarge2_amd64.deb

   DSA 758, DSA 765: Buffer Overflows

   heimdal-clients_0.6.3-10sarge1_amd64.deb
   heimdal-clients-x_0.6.3-10sarge1_amd64.deb
   heimdal-dev_0.6.3-10sarge1_amd64.deb
   heimdal-kdc_0.6.3-10sarge1_amd64.deb
   heimdal-servers_0.6.3-10sarge1_amd64.deb
   heimdal-servers-x_0.6.3-10sarge1_amd64.deb
   libasn1-6-heimdal_0.6.3-10sarge1_amd64.deb
   libgssapi1-heimdal_0.6.3-10sarge1_amd64.deb
   libhdb7-heimdal_0.6.3-10sarge1_amd64.deb
   libkadm5clnt4-heimdal_0.6.3-10sarge1_amd64.deb
   libkadm5srv7-heimdal_0.6.3-10sarge1_amd64.deb
   libkafs0-heimdal_0.6.3-10sarge1_amd64.deb
   libkrb5-17-heimdal_0.6.3-10sarge1_amd64.deb

   DSA 743: Buffer Overflows, Desbordamiento de variables.

   ht_0.8.0-2sarge4_amd64.deb

   DSA 757: Buffer Overflow, Doble liberación de memoria.

   krb5-admin-server_1.3.6-2sarge2_amd64.deb
   krb5-clients_1.3.6-2sarge2_amd64.deb
   krb5-ftpd_1.3.6-2sarge2_amd64.deb
   krb5-kdc_1.3.6-2sarge2_amd64.deb
   krb5-rsh-server_1.3.6-2sarge2_amd64.deb
   krb5-telnetd_1.3.6-2sarge2_amd64.deb
   krb5-user_1.3.6-2sarge2_amd64.deb
   libkadm55_1.3.6-2sarge2_amd64.deb
   libkrb5-dev_1.3.6-2sarge2_amd64.deb
   libkrb53_1.3.6-2sarge2_amd64.deb

   DSA 771: Varias vulnerabilidades

   pdns_2.9.17-13sarge1_amd64.deb
   pdns-backend-geo_2.9.17-13sarge1_amd64.deb
   pdns-backend-ldap_2.9.17-13sarge1_amd64.deb
   pdns-backend-mysql_2.9.17-13sarge1_amd64.deb
   pdns-backend-pgsql_2.9.17-13sarge1_amd64.deb
   pdns-backend-pipe_2.9.17-13sarge1_amd64.deb
   pdns-backend-sqlite_2.9.17-13sarge1_amd64.deb
   pdns-recursor_2.9.17-13sarge1_amd64.deb
   pdns-server_2.9.17-13sarge1_amd64.deb

   DSA 725: Permisos inadecuados.

   ppxp_0.2001080415-10sarge2_amd64.deb
   ppxp-dev_0.2001080415-10sarge2_amd64.deb
   ppxp-tcltk_0.2001080415-10sarge2_amd64.deb
   ppxp-x11_0.2001080415-10sarge2_amd64.deb

   DSA 728: Permisos inadecuados.

   qpopper_4.0.5-4sarge1_amd64.deb
   qpopper-drac_4.0.5-4sarge1_amd64.deb

   DSA 738: Negación de servicio remota

   razor_2.670-1sarge2_amd64.deb

   DSA 748: Valor por default erroneo.

   libdbm-ruby1.8_1.8.2-7sarge1_amd64.deb
   libgdbm-ruby1.8_1.8.2-7sarge1_amd64.deb
   libopenssl-ruby1.8_1.8.2-7sarge1_amd64.deb
   libreadline-ruby1.8_1.8.2-7sarge1_amd64.deb
   libruby1.8_1.8.2-7sarge1_amd64.deb
   libruby1.8-dbg_1.8.2-7sarge1_amd64.deb
   libtcltk-ruby1.8_1.8.2-7sarge1_amd64.deb
   ruby1.8_1.8.2-7sarge1_amd64.deb
   ruby1.8-dev_1.8.2-7sarge1_amd64.deb

   DSA 736: Negación de servicio remota.

   spamc_3.0.3-2_amd64.deb

   DSA 735: Race Condition.

   sudo_1.6.8p7-1.1sarge1_amd64.deb

   DSA 740, DSA 763: Negación de servicio remota.

   zlib-bin_1.2.2-4.sarge.2_amd64.deb
   zlib1g_1.2.2-4.sarge.2_amd64.deb
   zlib1g-dev_1.2.2-4.sarge.2_amd64.deb

4. Apéndices

   Mayor información.

   http://www.debian.org/security/

La Coordinación de Seguridad de la Información/UNAM-CERT agradece el apoyo en la elaboración ó traducción y revisión de éste Documento a:

• Floriberto López Velázquez (flopez at seguridad dot unam dot mx)