Executive Summary
| Summary | |
|---|---|
| Title | New aria2 packages fix arbitrary code execution |
| Informations | |||
|---|---|---|---|
| Name | DSA-1957 | First vendor Publication | 2009-12-28 |
| Vendor | Debian | Last vendor Modification | 2009-12-28 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 10 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It was discovered that aria2, a high speed download utility, is prone to a buffer overflow in the DHT routing code, which might lead to the execution of arbitrary code. For the stable distribution (lenny), this problem has been fixed in version 0.14.0-1+lenny1. Binaries for powerpc, arm, ia64 and hppa will be provided once they are available. The oldstable distribution (etch) is not affected by this problem. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1.2.0-1. We recommend that you upgrade your aria2 packages. |
Original Source
| Url : http://www.debian.org/security/2009/dsa-1957 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13685 | |||
| Oval ID: | oval:org.mitre.oval:def:13685 | ||
| Title: | DSA-1957-1 aria2 -- buffer overflow | ||
| Description: | It was discovered that aria2, a high speed download utility, is prone to a buffer overflow in the DHT routing code, which might lead to the execution of arbitrary code. For the stable distribution, this problem has been fixed in version 0.14.0-1+lenny1. Binaries for powerpc, arm, ia64 and hppa will be provided once they are available. The oldstable distribution is not affected by this problem. For the testing distribution and the unstable distribution, this problem has been fixed in version 1.2.0-1. We recommend that you upgrade your aria2 packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1957-1 CVE-2009-3575 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | aria2 |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:7022 | |||
| Oval ID: | oval:org.mitre.oval:def:7022 | ||
| Title: | DSA-1957 aria2 -- buffer overflow | ||
| Description: | It was discovered that aria2, a high speed download utility, is prone to a buffer overflow in the DHT routing code, which might lead to the execution of arbitrary code. The oldstable distribution is not affected by this problem. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1957 CVE-2009-3575 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | aria2 |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2010-01-20 | Name : Gentoo Security Advisory GLSA 201001-06 (aria2) File : nvt/glsa_201001_06.nasl |
| 2009-12-30 | Name : Debian Security Advisory DSA 1957-1 (aria2) File : nvt/deb_1957_1.nasl |
| 2009-10-13 | Name : Fedora Core 10 FEDORA-2009-10344 (aria2) File : nvt/fcore_2009_10344.nasl |
| 2009-09-15 | Name : Mandrake Security Advisory MDVSA-2009:226 (aria2) File : nvt/mdksa_2009_226.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 58708 | aria2 DHTRoutingTableDeserializer.cc deserialize() Function DHT Routing Table... A remote overflow exists in aria2. aria2 fails to check a boundary error in the deserialize() function in DHTRoutingTableDeserializer.cc resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-02-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201001-06.nasl - Type : ACT_GATHER_INFO |
| 2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1957.nasl - Type : ACT_GATHER_INFO |
| 2009-10-19 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_aria2-091014.nasl - Type : ACT_GATHER_INFO |
| 2009-10-09 | Name : The remote Fedora host is missing a security update. File : fedora_2009-10344.nasl - Type : ACT_GATHER_INFO |
| 2009-09-10 | Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2009-226.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:29:05 |
|
