Debian security update DSA-1597-2

  • Package : mt-daapd
  • Vulnerability : multiple vulnerabilities
  • Problem type : remote
  • Debian-specific : no
  • CVE Id(s) : CVE-2007-5824 CVE-2007-5825 CVE-2008-1771
  • Debian Bug : 459961 476241 496217
In DSA-1597-1, an update was announced for multiple vulnerabilities in the mt-daapd audio server. One of the fixes introduced a regression preventing successful authentication to the administration interface. An updated release is available which corrects this problem. For reference, the original advisory text follows.

Three vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server). The Common Vulnerabilities and Exposures project identifies the following three problems:

CVE-2007-5824

Insufficient validation and bounds checking of the Authorization: HTTP header enables a heap buffer overflow, potentially enabling the execution of arbitrary code.

CVE-2007-5825

Format string vulnerabilities in debug logging within the authentication of XML-RPC requests could enable the execution of arbitrary code.

CVE-2008-1771

An integer overflow weakness in the handling of HTTP POST variables could allow a heap buffer overflow and potentially arbitrary code execution.
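The three bug classes above each have a standard defensive pattern. The following is an added example, not mt-daapd's own code (function names, the header prefix handling and buffer sizes are assumptions): bounded copying of the Authorization: header value, logging that never lets client text become the format string, and overflow-checked size arithmetic for POST variables.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mt-daapd code: generic defences against the bug
 * classes named in DSA-1597. */

/* CVE-2007-5824 class: copy an "Authorization:" header value into a fixed
 * buffer only if it fits; reject rather than overflow or silently truncate.
 * Returns 1 on success, 0 if the header is absent or the value is too long. */
int copy_auth_header(const char *line, char *out, size_t out_len) {
    static const char prefix[] = "Authorization:";
    size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0) return 0;
    const char *v = line + plen;
    while (*v == ' ' || *v == '\t') v++;      /* skip leading whitespace */
    size_t vlen = strlen(v);
    if (vlen >= out_len) return 0;             /* no room for value + NUL */
    memcpy(out, v, vlen + 1);
    return 1;
}

/* CVE-2007-5825 class: the client-supplied name is passed as a "%s"
 * argument, never as the format string, so "%n%n" is logged literally.
 * Returns the line length, or -1 if it would not fit in `out`. */
int format_auth_log(const char *user, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "auth failed for user '%s'", user);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return n;
}

/* CVE-2008-1771 class: size a buffer for `count` POST variables of `each`
 * bytes plus `header` bytes, refusing any size_t wrap-around before the
 * multiplication or addition happens. Returns 1 and sets *total, or 0. */
int post_alloc_size(size_t count, size_t each, size_t header, size_t *total) {
    if (each != 0 && count > SIZE_MAX / each) return 0;
    size_t body = count * each;
    if (body > SIZE_MAX - header) return 0;
    *total = body + header;
    return 1;
}
```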

For the stable distribution (etch), these problems have been fixed in version 0.2.4+r1376-1.1+etch2.

We recommend that you upgrade your mt-daapd package.

Upgrade instructions

This entry was posted on Sunday, August 31st, 2008 at 10:00 AM and is filed under Security.