Test ID:	1.3.6.1.4.1.25623.1.0.51548
Category:	Conectiva Local Security Checks
Title:	Conectiva Security Advisory CLA-2002:538
Summary:	Conectiva Security Advisory CLA-2002:538
Description:	The remote host is missing updates announced in advisory CLA-2002:538. tar and unzip are programs widely used for distribution of multiple files concatenated (commonly known as an archive). Both tar and unzip have directory transversal vulnerabilities in the way they extract filenames containning .. or / characteres at the beginning. By exploiting these vulnerabilities, a malicious user can overwrite arbitrary files if the user unpacking such an archive has sufficient filesystem permissions to do so. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2001-1267, CVE-2001-1268, CVE-2001-1269 and CVE-2002-0399 to this issue. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1267 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1268 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1269 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0399 http://www.securityspace.com/smysecure/catid.html?in=CLA-2002:538 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002002 Risk factor : Medium
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2001-1267 Bugtraq: 20010712 SECURITY.NNOV: directory traversal and path globing in multiple archivers (Google Search) http://online.securityfocus.com/archive/1/196445 Conectiva Linux advisory: CLA-2002:538 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000538 HPdes Security Advisory: HPSBTL0209-068 http://online.securityfocus.com/advisories/4514 http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:066 http://www.redhat.com/support/errata/RHSA-2002-096.html http://www.redhat.com/support/errata/RHSA-2002-138.html http://www.redhat.com/support/errata/RHSA-2003-218.html http://sunsolve.sun.com/search/document.do?assetkey=1-26-47800-1 BugTraq ID: 3024 http://www.securityfocus.com/bid/3024 http://www.iss.net/security_center/static/10224.php Common Vulnerability Exposure (CVE) ID: CVE-2001-1268 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000928.1-1 Common Vulnerability Exposure (CVE) ID: CVE-2001-1269 Common Vulnerability Exposure (CVE) ID: CVE-2002-0399 Bugtraq: 20020928 GNU tar (Re: Allot Netenforcer problems, GNU TAR flaw) (Google Search) http://marc.theaimsgroup.com/?l=bugtraq&m=103419290219680&w=2 Bugtraq: 20070825 rPSA-2007-0172-1 tar (Google Search) http://www.securityfocus.com/archive/1/archive/1/477731/100/0/threaded Bugtraq: 20070827 FLEA-2007-0049-1 tar (Google Search) http://www.securityfocus.com/archive/1/archive/1/477865/100/0/threaded http://www.mandriva.com/security/advisories?name=MDKSA-2002:066 En Garde Linux Advisory: ESA-20021003-022 http://www.linuxsecurity.com/advisories/other_advisory-2400.html SuSE Security Announcement: SUSE-SR:2006:005 (Google Search) http://www.novell.com/linux/security/advisories/2006_05_sr.html SuSE Security Announcement: SUSE-SR:2007:019 (Google Search) http://www.novell.com/linux/security/advisories/2007_19_sr.html BugTraq ID: 5834 http://www.securityfocus.com/bid/5834 http://secunia.com/advisories/19130 http://secunia.com/advisories/26604 http://secunia.com/advisories/26673 http://secunia.com/advisories/26987
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.

New User Registration Email: UserID: Passwd: Please email me your monthly newsletters, informing the latest services, improvements & surveys. Please email me a vulnerability test announcement whenever a new test is added.     Privacy

Registered User Login   UserID:     Passwd:     Forgot userid or passwd? Email/Userid: