Neon WebDAV Client Library Format String Vulnerability

Vulnerability Details

Summary

neon is an HTTP/1.1 and WebDAV client library with a C interface.

neon 0.24.4 and earlier, and other products that use neon (including Cadaver, Subversion and OpenOffice), contain a format string vulnerability: text received from the server is used as a printf-style format string. A malicious remote WebDAV server can exploit this to execute arbitrary code in the client.
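The following C program is an added illustration of the bug class, not code from neon or from any of the advisories on this page: a server-supplied string reaches a printf-style error routine as the format argument, beside the fixed form that passes the same string as an argument to a constant "%s" format, plus a boundary check that counts conversion directives in text received from the network. The session struct, the function names and the sample strings are hypothetical and constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a client session; only the error buffer matters here. */
struct session {
    char error[256];
};

/* A printf-style error setter, the kind of internal helper a client library keeps.
 * Safe only if every caller supplies a format string it controls. */
static void set_error(struct session *s, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(s->error, sizeof s->error, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern: text the server sent (a reason phrase, a response body
 * fragment) is handed over as the format string itself. Any '%' directives in
 * it are interpreted: %x/%p read the stack, %n writes through a stack value. */
const char *vuln_error_text(const char *server_text)
{
    static struct session s;
    set_error(&s, server_text);
    return s.error;
}

/* FIXED pattern: the same text goes in as an argument to a constant "%s" format,
 * so it is copied verbatim and never interpreted. */
const char *fixed_error_text(const char *server_text)
{
    static struct session s;
    set_error(&s, "%s", server_text);
    return s.error;
}

/* Boundary check: count printf conversion directives in text received from the
 * network. "%%" is a literal percent and is not counted. A non-zero count in a
 * status line or reason phrase is a strong signal of an attack attempt. */
int count_format_directives(const char *text)
{
    int n = 0;
    for (const char *p = text; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample of what a hostile server could put in a status line. */
    const char *hostile = "Locked: 100%% done, token %p%p%n";
    /* Constructed benign sample containing only an escaped percent. */
    const char *benign = "100%% done";

    printf("directives in hostile text: %d\n", count_format_directives(hostile));

    /* The fixed path stores the hostile text verbatim: the %p and %n are inert. */
    printf("fixed : %s\n", fixed_error_text(hostile));

    /* The vulnerable path is exercised only with the benign string. Even that is
     * altered (%% collapses to %), which is the interpretation step an attacker
     * abuses. Passing 'hostile' here would read and write stack garbage. */
    printf("vuln  : %s\n", vuln_error_text(benign));
    return 0;
}
```

The fix is the usual one for this bug class: never let data from the peer occupy the format parameter; the directive counter is a cheap extra check for logging or rejecting suspicious responses at the protocol boundary.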

Advisories

The vendor has released an upgrade (neon 0.24.5) that addresses this issue.

Gentoo has released an advisory (GLSA 200405-25:02). This advisory announces the release of a new tla ebuild to address the issues reported in this BID. Gentoo recommends that tla users upgrade to the current tla by issuing the following sequence of commands as the superuser (the -pv step only previews what would be merged):

emerge sync

emerge -pv ">=dev-util/tla-1.2-r2"

emerge ">=dev-util/tla-1.2-r2"

Gentoo has released an advisory (GLSA 200405-01). This advisory announces the release of a new neon ebuild to address the issues reported in this BID. Gentoo recommends that neon users upgrade to neon version 0.24.5 or later by issuing the following sequence of commands as the superuser:

emerge sync

emerge -pv ">=net-misc/neon-0.24.5"

emerge ">=net-misc/neon-0.24.5"

SGI has released advisory 20040404-01-U along with fixes to address this issue. Please see the referenced advisory for details on obtaining and applying them.

Red Hat has released an advisory (RHSA-2004:157-06) and fixes to address this issue on Red Hat Enterprise Linux platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the fixes using the Red Hat Update Agent (up2date). Please see the referenced advisory for additional information.

Red Hat advisory RHSA-2004:158-01, along with fixes, has been released to deal with this issue.

SUSE has released advisory SuSE-SA:2004:009 to address this and other issues. Please see the advisory for more information.

Red Hat advisory RHSA-2004:159-01, along with fixes, has been released to deal with this issue. This advisory contains updated subversion packages. Please see the referenced advisory for more information.

OpenPKG has released advisory OpenPKG-SA-2004.016 along with a fix for this issue. Please see the referenced advisory for more information.

Debian has released advisory DSA 487-1 to address this issue. Please see the referenced advisory for further details on obtaining and applying fixes.

Gentoo has released updates for cadaver to address these issues, which the superuser may apply with the following commands:

# emerge sync

# emerge -pv ">=net-misc/cadaver-0.22.1"

# emerge ">=net-misc/cadaver-0.22.1"

Netwosix has released an advisory LNSA-#2004-0012 with fix information to address these issues. Please see the referenced advisory for more information.

Mandrake has released advisory MDKSA-2004:032 to address this issue. Please see the referenced advisory for details on obtaining and applying fixes.

Red Hat has released advisory RHSA-2004:163-01 and fixes for this issue in the affected OpenOffice packages for Red Hat Linux 9.0. Please see the referenced advisory for more information and details on obtaining fixes.

Gentoo has released an advisory (GLSA 200405-04) for OpenOffice, which uses the neon library. Please see the referenced advisory for more information and details on obtaining fixes.

Gentoo openoffice users on the x86 architecture should:

# emerge sync

# emerge -pv ">=app-office/openoffice-1.1.1-r1"

# emerge ">=app-office/openoffice-1.1.1-r1"

Gentoo openoffice users on the sparc architecture should:

# emerge sync

# emerge -pv ">=app-office/openoffice-1.1.0-r3"

# emerge ">=app-office/openoffice-1.1.0-r3"

Gentoo openoffice users on the ppc architecture should:

# emerge sync

# emerge -pv ">=app-office/openoffice-1.0.3-r1"

# emerge ">=app-office/openoffice-1.0.3-r1"

Gentoo openoffice-ximian users should:

# emerge sync

# emerge -pv ">=app-office/openoffice-ximian-1.1.51-r1"

# emerge ">=app-office/openoffice-ximian-1.1.51-r1"

Red Hat Fedora has released advisory FEDORA-2004-103 dealing with these issues for their Fedora Linux project. Please see the referenced advisory for more information.

Gentoo has released an advisory (GLSA 200406-03) for sitecopy, which includes its own copy of the vulnerable neon library. The commands given remove the package rather than upgrading it (the first only previews the removal); the superuser should run:

emerge -pv unmerge net-misc/sitecopy

emerge unmerge net-misc/sitecopy

Mandrake Linux has released advisory MDKSA-2004:078 addressing this issue. Please see the referenced advisory for further information.

The Fedora Legacy project has released advisory FLSA:1552 along with fixes to address this issue for Red Hat Linux 7.3 and 9.0. Please see the referenced advisory for further information.
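The upgrade instructions above differ per distribution but share one acceptance criterion: the installed neon must be 0.24.5 or later. The following POSIX shell script is an added example, not part of any advisory on this page; it compares a dotted version string against that threshold and, if the neon-config script that neon installs alongside the library is on the PATH, reads the installed version from it. Programs that ship their own copy of neon (the advisories name cadaver, sitecopy and OpenOffice) are not covered by this check and need their own package updates.

```sh
#!/bin/sh
# Added example: check an installed neon version against the first fixed
# release (0.24.5) named in the advisories above.

FIXED_NEON_VERSION="0.24.5"

# version_ge A B: return 0 if dotted version A is >= B, comparing numeric
# fields left to right. Missing fields count as 0; a suffix such as "-r1"
# on a field is dropped by awk's numeric conversion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            fa = (i <= na) ? x[i] + 0 : 0
            fb = (i <= nb) ? y[i] + 0 : 0
            if (fa > fb) exit 0
            if (fa < fb) exit 1
        }
        exit 0
    }'
}

# neon_fixed VERSION: print a verdict; return 0 if fixed, 1 if vulnerable.
neon_fixed() {
    if version_ge "$1" "$FIXED_NEON_VERSION"; then
        echo "neon $1: fixed (>= $FIXED_NEON_VERSION)"
        return 0
    fi
    echo "neon $1: VULNERABLE, upgrade to >= $FIXED_NEON_VERSION"
    return 1
}

# installed_neon_version: read the version from neon-config, which prints
# "neon X.Y.Z". Returns 1 (prints nothing) if the tool is not on the PATH.
installed_neon_version() {
    command -v neon-config >/dev/null 2>&1 || return 1
    neon-config --version | awk '{ print $2 }'
}

if v=$(installed_neon_version); then
    # The verdict is printed; callers sourcing this file can use neon_fixed's
    # return code directly.
    neon_fixed "$v" || true
else
    echo "neon-config not on PATH; check the libneon package version by hand"
fi
```

The field-by-field comparison matters because a plain string compare would rank 0.9 above 0.24.5; the same function can be reused with the cadaver threshold (0.22.1) from the Gentoo update above.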

Affected products (as listed on this page):

Red Hat Fedora Core 1

Neon Client Library 0.19.3

References

Source: REDHAT
Link: http://www.redhat.com/support/errata/RHSA-2004-158.html

Source: SUSE
Link: http://lists.suse.com/archive/suse-security-announce/2004-Apr/0002.html

Source: SECUNIA
Link: http://secunia.com/advisories/11363

Source: DEBIAN
Link: https://www.debian.org/security/2004/dsa-487

Source: SUSE
Link: http://lists.suse.com/archive/suse-security-announce/2004-Apr/0003.html

Source: BUGTRAQ
Link: http://marc.info/?l=bugtraq&m=108213873203477&w=2

Source: BID
Link: https://www.securityfocus.com/bid/10136

Source: GENTOO
Link: http://security.gentoo.org/glsa/glsa-200405-04.xml

Source: FEDORA
Link: https://bugzilla.fedora.us/show_bug.cgi?id=1552

Source: BUGTRAQ
Link: http://marc.info/?l=bugtraq&m=108214147022626&w=2

Source: REDHAT
Link: http://www.redhat.com/support/errata/RHSA-2004-160.html

Source: OVAL
Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10913

Source: MANDRAKE
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2004:032

Source: REDHAT
Link: http://www.redhat.com/support/errata/RHSA-2004-157.html

Source: OSVDB
Link: http://www.osvdb.org/5365

Source: GENTOO
Link: http://security.gentoo.org/glsa/glsa-200405-01.xml

Source: REDHAT
Link: http://www.redhat.com/support/errata/RHSA-2004-159.html

Source: OVAL
Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1065
