GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Thu Jan 14, 2010 12:26 am Post subject: [ GLSA 201001-06 ] aria2: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: aria2: Multiple vulnerabilities (GLSA 201001-06)
Severity: normal
Exploitable: remote
Date: January 13, 2010
Bug(s): #288291
ID: 201001-06
Synopsis
A buffer overflow and a format string vulnerability in aria2 allow remote
attackers to execute arbitrary code.
Background
aria2 is a download utility with resuming and segmented downloading
with HTTP/HTTPS/FTP/BitTorrent support.
Affected Packages
Package: net-misc/aria2
Vulnerable: < 1.6.3
Unaffected: >= 1.6.3
Architectures: All supported architectures
Description
Tatsuhiro Tsujikawa reported a buffer overflow in
DHTRoutingTableDeserializer.cc (CVE-2009-3575) and a format string
vulnerability in the AbstractCommand::onAbort() function in
src/AbstractCommand.cc (CVE-2009-3617).
Impact
A remote, unauthenticated attacker could possibly execute arbitrary
code with the privileges of the user running the application or cause a
Denial of Service (application crash).
Workaround
Do not use DHT (CVE-2009-3575) and disable logging (CVE-2009-3617).
Resolution
All aria2 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/aria2-1.6.3"
References
CVE-2009-3575
CVE-2009-3617
Last edited by GLSA on Sun Nov 16, 2014 4:29 am; edited 4 times in total
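Added example (not part of the advisory, and not Gentoo or aria2 code): a small POSIX sh checker that decides whether an aria2 version string falls inside the advisory's vulnerable range "< 1.6.3". It compares versions component by component rather than as strings, so 1.6.10 and 1.10.0 are correctly reported as unaffected, drops Gentoo -rN revision suffixes, and refuses to classify pre-release style versions (any "_" suffix) instead of guessing. The path /var/db/pkg/net-misc is Portage's installed-package database; the sample version strings and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of GLSA 201001-06: classify aria2 versions against
# the advisory's fixed version. Runs on any POSIX sh.

FIXED_VERSION="1.6.3"   # from the advisory: "Unaffected: >= 1.6.3"

# version_lt A B -> exit 0 if dotted version A sorts before B, comparing
# each component numerically; missing components count as 0 (1.6 == 1.6.0).
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # versions are equal, so A is not less than B
}

# aria2_status VERSION -> prints "vulnerable", "unaffected" or "unknown"
# (exit 1, 0 or 2). A Gentoo revision suffix (-rN) is dropped: 1.6.3-r1 is
# the fixed release plus packaging changes. Underscore suffixes such as
# _rc1 or _p1 sort differently from the bare version in Portage and are
# reported as unknown rather than classified.
aria2_status() {
    v="$1"
    case "$v" in
        *_*) printf 'unknown\n'; return 2 ;;
    esac
    v="${v%-r*}"
    case "$v" in
        ''|*[!0-9.]*) printf 'unknown\n'; return 2 ;;
    esac
    if version_lt "$v" "$FIXED_VERSION"; then
        printf 'vulnerable\n'; return 1
    fi
    printf 'unaffected\n'; return 0
}

# check_vdb_entries DIR -> for each installed-package entry "aria2-<ver>"
# in DIR (normally /var/db/pkg/net-misc), print "<ver> <status>".
check_vdb_entries() {
    dir="$1"
    found=0
    for p in "$dir"/aria2-*; do
        [ -e "$p" ] || continue
        found=1
        v="${p##*/aria2-}"
        printf '%s %s\n' "$v" "$(aria2_status "$v")"
    done
    [ "$found" -eq 1 ] || printf 'aria2 not installed\n'
}

# Constructed sample inputs, not taken from any real system.
for sample in 1.6.2 1.6.3 1.6.3-r1 1.6.10 1.10.0 1.6.3_rc1; do
    printf '%-10s %s\n' "$sample" "$(aria2_status "$sample")"
done

# Live check against this host's Portage database, if it exists.
if [ -d /var/db/pkg/net-misc ]; then
    check_vdb_entries /var/db/pkg/net-misc
fi
```

The exit codes let the checker slot into a cron job or fleet script: 1 means "upgrade needed", 2 means "look at this by hand".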