Re: Broken signature for DSA-2040-1
Kurt Roeckx wrote:
> On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> > Hi,
> > I received DSA-2040-1 and verified its GPG signature, as I always do.
> > I found out that I am unable to correctly verify the signature.
>
> Works for me:
>
> gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
> gpg: Good signature from "Moritz Muehlenhoff <j...@debian.org>"
> gpg:                 aka "Moritz Muehlenhoff <j...@inutil.org>"

Without a working signature the mail wouldn't be transported through
debian-security-announce. A valid security team member's signature is
required.

Regards,

        Joey

-- 
Beware of bugs in the above code; I have only proved it correct,
not tried it.
        -- Donald E. Knuth

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100502194941.gb31...@finlandia.home.infodrom.org
Re: Vulnerabilities not affecting Debian: reporting proposal
Alexander Konovalenko wrote:
> Proposed solution

Do you know about

  http://www.debian.org/security/nonvulns-etch
  http://www.debian.org/security/nonvulns-sarge

Regards,

        Joey

-- 
It's time to close the windows.
Re: Vulnerabilities not affecting Debian: reporting proposal
Alexander Konovalenko wrote:
> On 7/11/07, Martin Schulze [EMAIL PROTECTED] wrote:
> > Do you know about http://www.debian.org/security/nonvulns-etch
>
> Oh, that's great. I should have read the website more carefully! Thanks.
>
> What about providing a more elaborate summary for some issues? Some
> entries merely say that the bug is not exploitable or that Debian is not
> affected.

Feel free to add (or adjust the output format). Should be discussed with
the web team I guess ([EMAIL PROTECTED])

Regards,

        Joey

-- 
It's time to close the windows.
Re: [SECURITY] [DSA 1258-1] New Mozilla Firefox packages fix several vulnerabilities
Alexander Sack wrote:
> On Wed, Feb 07, 2007 at 08:36:56AM +0100, Martin Schulze wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > - --
> > Debian Security Advisory DSA 1258-1                     [EMAIL PROTECTED]
> > http://www.debian.org/security/                             Martin Schulze
> > February 7th, 2007                      http://www.debian.org/security/faq
> > - --
>
> Isn't this about thunderbird? We had the firefox announcement a bit ago
> already.

Lalala

-- 
Every use of Linux is a proper use of Linux.
        -- Jon 'maddog' Hall
Re: DSA 1184 corrections
Jens Seidel wrote:
> On Thu, Oct 05, 2006 at 09:06:41AM +0200, Martin Schulze wrote:
> > Jens Seidel wrote:
> > > I applied the following patch to CVS and hope I did it right. But I
> > > have one problem understanding the text:
> > >
> > > Index: dsa-1184.wml
> > > ===
> > > RCS file: /cvs/webwml/webwml/english/security/2006/dsa-1184.wml,v
> > > retrieving revision 1.5
> > > retrieving revision 1.6
> > > diff -u -r1.5 -r1.6
> > > --- dsa-1184.wml 29 Sep 2006 19:01:15 - 1.5
> > > +++ dsa-1184.wml 2 Oct 2006 17:35:13 - 1.6
> > > @@ -1,6 +1,6 @@
> > >  define-tag descriptionseveral vulnerabilities/define-tag
> > >  define-tag moreinfo
> > > -pThis advisory covers the S/390 components of the recent security
> > > +pThis advisory covers the S/390 component of the recent security
> > >
> > > Umh... Now the advisory text is misleading on the web:
> > >
> > >   More information:
> > >   This advisory covers the S/390 component of the recent security
> > >   update for the Linux 2.6.8 kernel that was missing due to technical
> > >   problems. For reference, please see the text of the original
> > >   advisory.
> > >
> > > This advisory DSA 1184 does not only cover the S/390 components but
> > > updates for all architectures. The update DSA 1184-2, linked at the
> > > bottom as "revised advisory" (strictly speaking, it's not a revised
> > > advisory but an addition, so maybe we need a new string and tag)
> > > covers only the S/390 components.
> >
> > Btw. since there are four binary packages for S/390, it's plural,
> > hence, components.
>
> OK, but shouldn't it be "that WERE missing" if you use plural or does
> "was" refer to the recent security update?

Oops... You are correct.
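Review bot: the `+` line of this hunk turns "components" into the singular "component", which the follow-up in this thread says is wrong: DSA 1184-2 covers four S/390 binary packages, so the plural should stay, and with the plural the clause that continues the sentence ("... that was missing due to technical problems") has to read "were missing". Suggest reverting the `+` line to `This advisory covers the S/390 components of the recent security` and fixing the verb on the following line instead.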
> > > @@ -67,7 +67,7 @@
> > >  pDiego Calleja Garcia discovered a buffer overflow in the DVD handling
> > >  code that could be exploited by a specially crafted DVD
> > > -or USB storage device to execute arbitrary code./p/li
> > > +USB storage device to execute arbitrary code./p/li
> >
> > It is DVD or USB storage as both can trigger the vulnerability. ?
>
> I googled for this vulnerability before I changed anything. As far as I
> understand the DVD driver/handling code is affected and this can only be
> exploited using a DVD hardware device, e.g. a USB DVD device or even an
> ATAPI drive. Hmm, did I misunderstand it?

I have no desire to dig out the details, so I propose to leave the text
as it is now (i.e. with your correction).

> OK, I added it to CC: and will be more careful in the future.
> (There were no other changes to content from me, only typo fixes.)

Yes, saw it, and these changes are highly appreciated, at least by me.

Regards,

        Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.
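Review bot: dropping "DVD or" in this `-`/`+` pair leaves the paragraph saying that a buffer overflow in the DVD handling code is triggered by "a specially crafted USB storage device", which no longer fits the code it names, and the two sides of this thread disagree on the facts (the reply says both a DVD and a USB storage device can trigger it, the submitter reads it as DVD media only, possibly in a USB DVD drive). Rather than settling the wording by guess, either keep the original `-or USB storage device to execute arbitrary code.` line or check the kernel fix before this text stays on the web.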
Re: BADSIG verifying s.d.o Release file
martin f krafft wrote:
> I've been seeing this a bunch in the past few weeks. Just making sure
> you know about it, and maybe someone knows what's going on:
>
>   W: GPG error: http://security.debian.org stable/updates Release: The
>   following signatures were invalid: BADSIG 010908312D230C5F Debian
>   Archive Automatic Signing Key (2006) [EMAIL PROTECTED]

Could the reason be that the Release.gpg file has a size of zero? If so,
I've already informed ftpmasters. If not, what's the other cause?

Regards,

        Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.
Re: Bogus DNS data from several debian.org authoritative servers
Neil McGovern wrote:
> I'm forwarding this over to debian-admin, as they're the people who can
> fix this :)

I had already answered Bjoern:

  Ah yes, the named on saens went alive again. That was not planned.
  Disabled again. The problem lies somewhere between saens and you.
  It's fine on saens locally.

Regards,

        Joey

-- 
Ten years and still binary compatible.  -- XFree86
Re: Bogus DNS data from several debian.org authoritative servers
Florian Weimer wrote:
> * Martin Schulze:
>
> > Disabled again. The problem lies somewhere between saens and you.
> > It's fine on saens locally.
>
> While the bogus A record should be gone now that saens is down, you
> should still remove saens from the list of authoritative name servers
> for debian.{org,com,net} and ipv6.debian.org. This is definitely not a
> local issue at Bjørn's site, it's globally visible.

Err... that's a bit more complicated... So, in theory you are correct.

Regards,

        Joey

-- 
Ten years and still binary compatible.  -- XFree86
Re: Fix of sudo with DSA-946-1
Freek Dijkstra wrote:
> Martin Schulze wrote:
> > Proposed updates for woody and sarge are here:
> >
> >   http://klecker.debian.org/~joey/security/sudo/
> >
> > I'd be glad if you could test them.
>
> That's awesome. Thanks! Here, have some karma :-)

:)

> I just installed your version on sarge using:
>
>  - Remove my (custom) Defaults line in my /etc/sudoers file
>  - sudo dpkg -i sudo_1.6.8p7-1.4_i386.deb
>
> Most environment variables seem there as I would expect, and those I
> don't expect are indeed removed. The only issue I still have is that the
> manual page should still be updated. I noticed some changes in
> sudoers.pod (in sudo_1.6.8p7-1.4.diff.gz), but somehow that did not pass
> to the sudoers.5.gz man page in the sudo_1.6.8p7-1.4_i386.deb.

Umh... That's a packaging bug, I'll get it to recreate the manpage
explicitly.

> I just read through all bugreports, and carefully tried to reproduce
> each one to see if all is well now. Most importantly, the variables that
> are kept are indeed now the same as I would get when I specify
> "Defaults env_reset". Specifically:
>
>   HOME variable kept (closes #349587)
>   SHELL variable kept (closes #350776)
>   DISPLAY variable kept (closes #349085)
>   XAUTHORITY variable kept (closes #349549)
>
> These are not passed through by env_reset with the original source, but
> only with this patch.
>
> Two variables are not kept:
>
>   EDITOR variable kept (bug #349196). Not important.
>   LC_ALL variable kept in earlier releases, including sudo_1.6.8p7-1.3
>   (the previous security fix).

I've added the locale variables again.

> Update manual pages (#349129): NOT FIXED.

Done now.

> Given that some things still need manual tweaking (e.g. EDITOR or LC_*
> variables), it is good to update the page. I noticed that one of the
> files you created, sudo_1.6.8p7-1.4.diff.gz, has some manual changes to
> sudoers.pod, but these changes are not reflected in the sudoers.5.gz man
> page in the sudo_1.6.8p7-1.4_i386.deb.
> Additionally, if you have not done so, here is also a patch for the man
> pages: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=34

Too many unrelated changes, rejected, should potentially be applied to
the version in sid-etch.

> sudo -V output is misleading: it gives a very incomplete list of env
> vars that are removed. (also #349129) NOT FIXED.

Well... yes, it is misleading. That's due to the program structure.

> To be honest, I'm not sure if this should be fixed now. On one hand it
> would be good, but I fear that it may introduce too much new code (which
> seems a bad thing for a security patch). I would leave it open for etch,
> but not fix it in woody or sarge, but the security team can decide best.

It should be adjusted in sid instead.

> Complaint about 'sudo vi anyfile':
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=15
> Status: I can't reproduce it (or it is simply fixed now)

Problem was missing $HOME.

> Complaint about 'sudo joe filename':
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=10
> Status: I can't reproduce it (or it is simply fixed now)

Problem was missing $HOME.

> Complaint that "Defaults env_reset, env_keep=*, always_set_home" gives
> two PATH variables instead of one (#354431). NOT FIXED. This is indeed
> an important bug, but I think it is not directly related to the security
> bug, and should thus just be fixed in etch.

Not security related.

> Finally, I suggest to add a /usr/share/doc/sudo/READM.Debian file with
> this contents:

Ok.

Thanks a lot. I've produced new packages and copied them to the same
location.

Regards,

        Joey

-- 
Linux - the choice of a GNU generation.
Re: Fix of sudo with DSA-946-1
Proposed updates for woody and sarge are here:

  http://klecker.debian.org/~joey/security/sudo/

I'd be glad if you could test them.

Regards,

        Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.
Re: umn.edu security.d.o host unreachable
martin f krafft wrote:
> Hi,
>
> it seems 128.101.240.212, one of the two remaining security mirrors, is
> unreachable. Other mirrors (non-Debian, like 128.101.240.209 and
> 128.101.240.210, which seem to be right next door) are reachable. It
> would be great to get a status update from the administration team.

The host is not reachable.

Regards,

        Joey

-- 
The only stupid question is the unasked one.
Re: tartini (one of the security mirrors) unreliable
martin f krafft wrote:
> tartini.debian.org, one of the three servers providing
> security.debian.org seems to have intermittent problems:
>
>   Get:1 http://security.debian.org sarge/updates/main Packages [189kB]
>   Err http://security.debian.org sarge/updates/main Packages
>     Connection timed out [IP: 82.94.249.158 80]
>
> This isn't the first time I am seeing this. The host does recover after
> a short time, but the problem keeps coming back. I doubt the problem is
> on my end, this is from a rack machine with a triple-redundant
> connection directly onto Berlin's Level3 backbone and I see no other
> problems. Maybe the administrators would be so kind as to investigate
> the issue and send an update when it's resolved?

I've finally removed tartini from the security round robin.

Regards,

        Joey

-- 
Beware of bugs in the above code; I have only proved it correct,
not tried it.
        -- Donald E. Knuth
Re: db.debian.org certificate
Noèl Köthe wrote:
> Hello,
>
> the https db.debian.org certificate is expired on 2006-01-30.

Certificate requested from wiggy on

  Date: Tue, 14 Feb 2006 14:17:08 +0100

Regards,

        Joey

-- 
If you come from outside of Finland, you live in wrong country.
        -- motd of irc.funet.fi
Re: PMASA-2005-6 when register_globals = on
Neil McGovern wrote:
> On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6
> > reports that sarge's phpmyadmin package has a security flaw which
> > occurs only if the "register_globals = on" setting is used. This
> > feature is disabled in the Debian package by default so I doubt if
> > this is a serious problem. I'd like to ask if I should prepare the
> > new package for sarge or not?
>
> According to the advisory, all versions 2.6.4-pl4 are affected
> (2.7.0-beta1 from the development schema). This would mean that this
> affects sid and etch too. Has a bug been filed/a CVE number assigned
> for this?

I don't know of one. We may have to go without one for the moment.

Also, a second issue has just popped up:

  http://www.fitsec.com/advisories/FS-05-02.txt

I'd be glad if you could provide patches and packages for both issues.
(both because in the second the path disclosure is bogus for us since
dpkg -c will disclose the path as well).

Regards,

        Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.
Re: What's going on with advisory for phpmyadmin?
John Goerzen wrote:
> On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:
> > Why was my report ignored? I've reported the problem 3 days ago and I
> > had no reply.
>
> This seems to be a very frequent problem going on for awhile now. Could
> someone from the security team comment on what the problem is?

The problem in this case is confusing reports and patches with arbitrary
changes that don't belong into security updates.

Regards,

        Joey

-- 
Life is too short to run proprietary software.  -- Bdale Garbee
Re: Version of 'cvs' in security archive
Loïc Minier wrote:
> On Tue, Sep 13, 2005, Sam Morris wrote:
> > Is the version in stable too high, or is the version in stable/updates
> > too low? :)
>
> I think packages never leave from security.d.o.

In cvs you see the result of the major fuckup of security.debian.org I
was complaining about loudly during the release. The version for woody
ended up in sarge. Since the version number is lower than the version in
sarge in the main archive, you can safely ignore it.

On security.debian.org:

klecker!joey(pts/0):~ elmo -e -s cvs
cvs  oldoldstable  1.10.7-9.2         alpha arm i386 m68k powerpc sparc source
cvs  oldstable     1.11.1p1debian-13  alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source
cvs  stable        1.11.1p1debian-11  alpha amd64 arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source

In the main archive:

spohr!joey(pts/13):~ elmo -e cvs
cvs  oldstable     1.11.1p1debian-10  alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source
cvs  stable        1:1.12.9-13        alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source
cvs  testing       1:1.12.9-15        alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source
cvs  unstable      1:1.12.9-14        hurd-i386
cvs  unstable      1:1.12.9-15        alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source

Gruesse,

        Joey

-- 
Testing? What's that? If it compiles, it is good, if it boots up, it is
perfect.

Please always Cc to me when replying to me on the lists.
Request for help with Kernel, Ethereal and Lesstif
Lesstif
-------

We have a bunch of patches for libxpm which is also part of lesstif1-1
in woody that need to be applied and tested. It needs to be investigated
whether the version in sarge needs patches as well. This refers to only
a single bug (CAN-2004-0914) but results in quite a large patch that
does not cleanly apply. A good C coder with a lesstif test environment
is required.

Ethereal
--------

The test program, Red Hat and iDEFENSE discovered several (read 24)
flaws in various dissectors of Ethereal. The patches need to be reviewed
and applied to the versions in woody, sarge and sid. For sid the
maintainer could use some help, hence, I've mentioned it above. The
advisory text should be proposed as well.

Kernel
------

I have prepared an updated kernel package for woody's 2.4.18 kernel for
a number of vulnerabilities (some 40). This work needs to be reviewed
and ported to 2.4.16, 2.4.17 and 2.4.19 including testing. The 2.4.18
kernel is running on a test machine and under a real environment during
LinuxTag and from time to time afterwards without problems. For all sets
of packages it needs to be documented which bugs exist in which version.

All three issues have escaped the time frame of the security team in the
past, hence, I'm now calling for help. The volunteer is required to be a
registered Debian developer. If you are interested and sure that you can
work on one of these issues, please get in touch with me. If you are not
100% sure that your skills are sufficient, please don't contact me,
since I would probably only waste time needed for other stuff.

Regards,

        Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
Re: On Mozilla-* updates
Noah Meyerhans wrote:
> Most other OS vendors are willing to make updates for errata beyond
> simple security updates. Often this means minor updates to software
> packages like web browsers. I believe the community will be better able
> to help us prepare e.g. bug-free firefox 1.0.5 packages than it will to
> produce 1.0.4+security packages. I believe these updated packages

Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only
assert that the community has failed already.

> should be tested as thoroughly as possible and released via
> security.debian.org and included in the next sarge revision. As an

We don't have the proper framework for thoroughly testing security
updates before they are visible on security.debian.org similar to the
10 days embargo from unstable into testing. The regular testing is not
sufficient as it can't cover all details.

> Whatever solution we choose, I believe it is very important for us to
> do it within Debian and not rely on backports or some other unofficial
> channels. As Debian developers, it is our duty to solve this problem,
> and simply kicking the packages out of Debian or ignoring them from the
> point of view of updates and security is really no solution at all.

Be prepared for reality, in half a year or in one year, there won't be
1.0.x Mozilla Firefox packages anymore that build on Debian stable. At
least that's what I anticipate.

Regards,

        Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.
On Mozilla-* updates
Moin,

it seems that less than two months after the release of sarge it is not
possible to support Mozilla, Thunderbird, Firefox (and probably Galeon)
packages anymore. (in terms of fixing security related problems)

Unfortunately the Mozilla Foundation does not provide dedicated and
clean patches for security updates but only releases new versions that
fix tons of security related problems and other stuff that is or may be
irrelevant for security updates. As a result, it is extremely difficult
to get security patches extracted and backported. This is an utter
disaster for security teams and distributions that try to support their
releases.

We have tried to prepare updated packages, but they may cause problems
as has been the case for a Debian fork. Eventually they've given up and
released the new upstream version as security update. *sigh*

Using new upstream versions is bound to cause new problems. Maybe not at
the moment with only going from 1.0.4 to 1.0.6 but more probably they
will do later. Sooner or later they will change the behaviour of the
program (so users will be confused), change the API (so plugins,
language files etc won't work anymore), alter the dependencies (so the
packages will slurp in new packages or cannot be built on stable at
all).

I guess in the long term we're on a lost track and it seems this
situation has already started.

For these packages, help and/or advice is appreciated.

Regards,

        Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
Re: Bug#319406: heartbeat: upgrade and reconfigure errors
Horms wrote:
> The attached patch should resolve this problem, and I have put packages
> that include this patch up at
>
>   http://debian.vergenet.net/pending/heartbeat/
>
> Joey, what do you want to do about this?

We can't do anything about it. All you can do, and that's what you did
already, is provide .deb files and add the link to this bug report.

Fortunately, the problem does not occur regularly and does not affect
many users (otherwise the bug would have been reported years ago already
when there was a working proposed-updates directory).

Regards,

        Joey

-- 
If you come from outside of Finland, you live in wrong country.
        -- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.
Re: debian security archive/updates b0rken???
Steve Langasek wrote:
> On Sun, Jun 19, 2005 at 12:31:23AM -0400, sean finney wrote:
> > please excuse this blatant cross-posting, i wouldn't do it if i didn't
> > think it were critical that i do so...
> >
> >   http://www.infodrom.org/~joey/log/?200506142140
> >
> > say it isn't so!
>
> It isn't so. It's true that the design of sbuild/wanna-build means
> there were no autobuilders available for stable-security at the moment
> of sarge's release, but there was already work in progress to fix this
> by the time that blog entry was posted, and the claim that "it looks
> like we'll be without security updates for quite a while" caused no
> small amount of consternation.

To avoid confusion, feel free to keep the security in the loop and send
updates to them.

FWIW: Up to today (still 8000 mails to go, though, there's a small
chance that an answer is within them), I still don't know what to do
with the updates to crip, bzip2, cvs and ht, that were in the queue at
the time sarge was released. I asked both Ryan and the ftpmaster team,
without receiving an answer, hence the security team can only assume
that the status from the time sarge was released is still true:
security.debian.org broken.

I don't like abusing my root permission to fix areas where I shouldn't
intervene, hence I'm trying to avoid this on security.debian.org as
well.

> TTBOMK, there is now again a full complement of stable-security
> autobuilders available on 11 archs, and autobuilders for
> testing-security on 10/11 archs.

Good.

> It doesn't look like the security team has issued any DSAs since then,

Because they sent inquiries about the situation and haven't yet received
a note that everything is fine again and how to proceed with the updates
already in the queue.

> though they may have done uploads that haven't yet been published (I
> wouldn't know, not having access to look on klecker).

No uploads have been made since the release of sarge, because the
archive is broken. What you could have seen was made before the release
of sarge.
I have had prepared more than half a dozen uploads but did not upload
them, though. I've uploaded a few packages now to find out if it's
working again. I don't expect the next DSAs to work properly, though.

Regards,

        Joey

-- 
GNU does not eliminate all the world's problems, only some of them.
        -- The GNU Manifesto

Please always Cc to me when replying to me on the lists.
Re: Please allow drupal 4.5.3-1
Steve Langasek wrote:
> On Wed, Jun 01, 2005 at 07:16:00PM -0700, Ian Eure wrote:
> > On Wednesday 01 June 2005 04:54 pm, Hilko Bengen wrote:
> > > Just a few hours ago, the Drupal project has released version 4.5.3,
> > > a bugfix release which fixes a serious security bug. I have created
> > > and just uploaded a 4.5.3-1 package to unstable. Updated Debconf
> > > translations are the only additional changes over 4.5.2-3 which is
> > > the version in sarge.
> >
> > Any reason why you can't just apply the patch to fix that specific
> > bug? And you probably want to be emailing the release team...
>
> He did contact the release team; unfortunately, the diff between 4.5.2
> and 4.5.3 is rather large and I don't believe it's all
> security-related, so I think this will have to be left for the security
> team after all.

Umh, the release team most probably has even stricter rules than the
release team when it comes to cluttering the diff...

Regards,

        Joey

-- 
If you come from outside of Finland, you live in wrong country.
        -- motd of irc.funet.fi
Re: Fixing stupid PHP application design flaws
Florian Weimer wrote:
> * Henrique de Moraes Holschuh:
>
> > I think not only we should do it, we should also make a big fuss about
> > it, so that some of the PHP people out there at least have a chance to
> > get the clue.
>
> Unlikely to work. Just look at how almost all PHP developers reject a
> proactive approach to SQL injection. 8-(

When upstream is security-ignorant, we need to educate our developers to
fix the applications before actually uploading, and fix them again when
a new upstream version is released, over and over again.

Regards,

        Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.
Re: Fixing stupid PHP application design flaws
Jeroen van Wolffelaar wrote:
> > What do people on this list think about fixing PHP include files in a
> > DSA that are accessible via HTTP as well and contain one bug or
> > another as they are not supposed to be accessible via HTTP but
> > accidentally are.
> >
> > I'm rather annoyed by the lack of competence of some PHP coders who
> > manage their project in a way so that include files are stored within
> > the regular DocumentRoot and are hence accessible via HTTP as well.
> > Include files normally also don't contain any precaution about being
> > executed standalone.
> >
> > These files should not be accessible via HTTP in the first place but
> > put into /usr/share/something instead and included from there.
>
> I don't think that those include files are per definition a problem -- a
> well-managed project will only ship 'stock' include files only
> containing functions, whether the user gets to see the source of it, or
> it's being executed, it doesn't hurt.

I agree, as long as they are silent, they don't pose a problem per se.

> Of course, it's different if this is not the case (non-function stuff
> in include files). I'd myself be inclined to advise to only fix those
> non-function and non-class cases where there might be a potential
> problem.
>
> A lot of PHP web applications are designed by upstream to be simply
> untarrable in the place where the URL is supposed to be, and as such
> have include files necessarily http-accessible. It's sometimes hard for
> packagers to fix this, and when the include files cannot do harm, I
> don't see why.

Clean design. Less tempting for stupid coders. Just to name two.

> It'd be wise for those projects to take the extra precaution by allowing
> (and the Debian maintainer to do so) include files outside the web
> root, but to DSA for such a thing when there might not even be a
> vulnerability at all, seems premature to me. It'd be like fixing all
> uses of sprintf because the programmer could have used snprintf to be
> more sure there is no problem.

Sure, that was never my intention either.
Regards,

        Joey

-- 
Never trust an operating system you don't have source for!

Please always Cc to me when replying to me on the lists.
Re: Fixing stupid PHP application design flaws
Jeroen van Wolffelaar wrote:
> > Having /usr/share/$package for the include files and /var/lib/$package
> > for the executable PHP scripts that should be linked into the web
> > server.
>
> Eh, that's now how squirrelmail works. All stock php files are in
> /usr/share/$package, and that's also what's used from the default apache
> config for squirrelmail. The config dir is symlinked from the webroot to
> /etc, and so is the attachment spool symlinked to the appropriate
> /var/spool link. While all config files are accessible via the web, they
> have .php and are a no-op when executed separately.

In another mail I already said that squirrelmail seems to operate the
way it should, which is very promising.

> > Even less competent users should be able to install these three
> > components on a bare system. You can also provide a simple Makefile to
> > accomplish this task. Such things worked for other packages as well.
>
> Simple makefile doesn't match the typical person installing a web
> application. A .tar.gz may already be too difficult, they want to be
> able to ftp their files to their provider and it should work. Also, this

Such people should stay being users and not try to become
administrators, really.

Also, if the Debian distribution contains such applications that are
installed this way, they may need a new maintainer.

Regards,

        Joey

-- 
Never trust an operating system you don't have source for!

Please always Cc to me when replying to me on the lists.
Re: Fixing stupid PHP application design flaws
Hans Spaans wrote:
> Martin Schulze wrote:
> > Hey!
> >
> > What do people on this list think about fixing PHP include files in a
> > DSA that are accessible via HTTP as well and contain one bug or
> > another as they are not supposed to be accessible via HTTP but
> > accidentally are.
>
> Patching them like Squirrelmail has fixed this may be a better solution
> before everything is in place.

From a first look, this is what I proposed, yes.

> > Having /usr/share/$package for the include files and /var/lib/$package
> > for the executable PHP scripts that should be linked into the web
> > server.
> >
> > I'm rather annoyed by the lack of competence of some PHP coders who
> > manage their project in a way so that include files are stored within
> > the regular DocumentRoot and are hence accessible via HTTP as well.
> > Include files normally also don't contain any precaution about being
> > executed standalone.
>
> I both agree and disagree with you. The reason I disagree with you, is
> that this works fine for php scripts that come with debian, but that's

No. But it would work in Debian at least. It is no problem to provide a
tarball (or zip file) with the following contents:

  www/      - all files that need to be beneath DocumentRoot
  include/  - all files that are included
  foo.conf  - becomes /etc/foo/foo.conf and contains the path to include

Even less competent users should be able to install these three
components on a bare system. You can also provide a simple Makefile to
accomplish this task. Such things worked for other packages as well.

> it. Everything a normal user installs is still a problem and even a
> bigger problem than the packages from debian. Also I counted 95 packages
> depending on php4 in Sarge at the moment versus way too many entries
> when you query freshmeat?

What are you trying to say?

> > These files should not be accessible via HTTP in the first place but
> > put into /usr/share/something instead and included from there.
>
> Is this going to solve the problems? Don't get me wrong, because I love

Yes.
It would solve the problem of accessing include files that shouldn't be accessed via HTTP since they weren't designed to be silent. your goal but I don't believe that what you suggesting right now is going to solve the problems with PHP at this moment. Maybe its an idea It's not a problem with PHP but with web applications written in PHP. I can imagine that similar problems exist with eperl, epython, pike or any other languages embedded in the web space that weren't developed thoroughly. to get in contact with Rasmus about securing PHP, because he's trying to get a more secure and sane php4.ini in the upstream releases. Unluckily Securing PHP is a laaarge goal. Beside the fact that your plan has some issues with multiple installations because some application require that for multiple vhosts. No. Include files should be vhost-agnostic. If they aren't, a lot has gone wrong during implementation. It should be sufficient to just install the accessible PHP files a second time and maybe adjust the database or other local storage, i.e. a differend config file. It may be a better idea to start with PHP itself and ask during installation of the users wants to install a secure or insecure version of php4.ini. The same is done with setuid issues for example. There is no secure version of php4.ini. As examples see the following problems: CAN-2005-0459 - information disclosure in phpmyadmin This one goes even further then information disclosure and isn't the reason you want it out of your docroot at this moment. Using unchecked variables isn't wise at all time. You could say this problem is twofold... CAN-2005-0870 - cross site scripting in phpsysinfo Another example of what Rasmus is fighting for the last couple of years. Make the default php4.ini more sane and secure. That won't work. This is broken by design. In the application. PHP only provides the tools to shoot oneself in both feet, but others do as well. There's nothing wrong with it. You don't have to do it... 
Regards, Joey -- Never trust an operating system you don't have source for! -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Fixing stupid PHP application design flaws
Hey!

What do people on this list think about fixing PHP include files in a DSA that are accessible via HTTP as well and contain one bug or another, as they are not supposed to be accessible via HTTP but accidentally are.

I'm rather annoyed by the lack of competence of some PHP coders who manage their project in a way so that include files are stored within the regular DocumentRoot and are hence accessible via HTTP as well. Include files normally also don't contain any precaution about being executed standalone.

These files should not be accessible via HTTP in the first place but put into /usr/share/something instead and included from there.

As examples see the following problems:

CAN-2005-0459 - information disclosure in phpmyadmin
CAN-2005-0870 - cross site scripting in phpsysinfo

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it! -- Mark Twain

Please always Cc to me when replying to me on the lists.
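The layout Joey proposes in this post and in his reply above (www/ beneath DocumentRoot, include/ outside it, foo.conf naming the include path) and the missing "precaution about being executed standalone" he complains about, as an added example. This is not code from the thread, from Debian, or from any package named in it; the package name "foo", the constant FOO_ENTRY, the FOO_CONF environment variable and the config file format are assumptions made for the demonstration. The script builds the three components in a temporary directory and runs the include file both directly (as a stray copy under DocumentRoot would be) and through the entry script.

```php
<?php
/*
 * Added example; not code from the thread, from Debian, or from any of the
 * packages named in it. It lays out the three components Joey describes
 * (www/ beneath DocumentRoot, include/ outside it, foo.conf naming the
 * include path) in a temporary directory and shows the one precaution an
 * include file should carry: refusing to do anything when it is the request
 * entry point instead of being pulled in by one. "foo", FOO_ENTRY, FOO_CONF
 * and the config file format are assumptions for the demonstration.
 */

$root = sys_get_temp_dir() . '/foo-layout-' . getmypid();
foreach (['www', 'include', 'etc'] as $dir) {
    mkdir("$root/$dir", 0755, true);
}

// etc/foo.conf (in a package: /etc/foo/foo.conf). The entry script learns the
// include directory from here, so include files never need to be URL-reachable.
file_put_contents("$root/etc/foo.conf",
    "<?php\nreturn ['include_path' => " . var_export("$root/include", true) . "];\n");

// include/db.inc.php (in a package: /usr/share/foo/db.inc.php). The guard is
// the very first statement, so even a copy left under DocumentRoot emits
// nothing but a refusal.
$lib = <<<'PHP'
<?php
if (!defined('FOO_ENTRY')) {
    if (!headers_sent()) {
        header('HTTP/1.0 403 Forbidden');
    }
    exit('Forbidden');
}
// What an include file typically holds, and what an exposed one would leak.
define('FOO_DB_DSN', 'mysql:host=localhost;dbname=foo');   // constructed value
function foo_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
PHP;
file_put_contents("$root/include/db.inc.php", $lib);

// www/index.php (in a package: /var/lib/foo/index.php, linked into the web
// server). The only file meant to be reached over HTTP.
$entry = <<<'PHP'
<?php
define('FOO_ENTRY', true);                  // marks a legitimate entry point
$conf = require getenv('FOO_CONF');         // where the include files live
set_include_path($conf['include_path']);
require 'db.inc.php';                       // resolved via include_path, not via a URL
echo foo_escape($_GET['name'] ?? 'world');  // escaped on the way out
PHP;
file_put_contents("$root/www/index.php", $entry);

// Both paths run in child interpreters, because the guard calls exit().
$php = escapeshellarg(PHP_BINARY);
putenv("FOO_CONF=$root/etc/foo.conf");

// 1) The include file requested directly, as if it sat under DocumentRoot.
$direct = shell_exec("$php " . escapeshellarg("$root/include/db.inc.php"));
// 2) The include file reached the intended way, through the entry script.
$viaEntry = shell_exec("$php " . escapeshellarg("$root/www/index.php"));

printf("direct request to include file: %s\n", trim((string) $direct));
printf("request through www/index.php:  %s\n", trim((string) $viaEntry));
```

Run it with the PHP CLI and compare the two lines it prints. The vhost point from the reply falls out of the same layout: a second vhost gets its own copy of www/ and its own foo.conf, while include/ stays shared and unreachable, which is why the include files have to stay vhost-agnostic.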
[SECURITY] [DSA 652-1] New unarj packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 652-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 21st, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : unarj
Vulnerability  : several
Problem-Type   : local (remote)
Debian-specific: no
CVE ID         : CAN-2004-0947 CAN-2004-1027
Debian Bug     : 281922

Several vulnerabilities have been discovered in unarj, a non-free ARJ unarchive utility. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities:

CAN-2004-0947

    A buffer overflow has been discovered when handling long file names contained in an archive. An attacker could create a specially crafted archive which could cause unarj to crash or possibly execute arbitrary code when being extracted by a victim.

CAN-2004-1027

    A directory traversal vulnerability has been found so that an attacker could create a specially crafted archive which would create files in the parent directory when being extracted by a victim. When used recursively, this vulnerability could be used to overwrite critical system files and programs.

For the stable distribution (woody) these problems have been fixed in version 2.43-3woody1.

For the unstable distribution (sid) these problems don't apply since unstable/non-free does not contain the unarj package.

We recommend that you upgrade your unarj package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.dsc
      Size/MD5 checksum:      528 e1d166f2eaf315641d1269a32ad1dc76
    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1.diff.gz
      Size/MD5 checksum:    12903 4ef4cfad33d05ecc048d63596ab2673c
    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43.orig.tar.gz
      Size/MD5 checksum:    39620 7a481dc017f1fbfa7f937a97e66eb99f

  Alpha architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_alpha.deb
      Size/MD5 checksum:    29668 08dc91afd3146ccdfaa51d73f8be56e5

  ARM architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_arm.deb
      Size/MD5 checksum:    22784 ed352d363cbeb34ba2268db63a632824

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_i386.deb
      Size/MD5 checksum:    20690 aa9490bd82bc9aef4f6092d19fa83eaa

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_ia64.deb
      Size/MD5 checksum:    31072 0b1f0403cfaaf572399fcb60b2549664

  HP Precision architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_hppa.deb
      Size/MD5 checksum:    23888 15a8d6b0b7b565186398c0b8ebe3eb6a

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_m68k.deb
      Size/MD5 checksum:    20384 644a6dcc9f566bad384c050bc8b8fb14

  PowerPC architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_powerpc.deb
      Size/MD5 checksum:    23060 5c5a1f0157aa613337f80b439e78456f

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_s390.deb
      Size/MD5 checksum:    22668 97dc977c8217a10d4915ee32db49edd5

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/non-free/u/unarj/unarj_2.43-3woody1_sparc.deb
      Size/MD5 checksum:    25386 bd2210a978ad30306e3db2ab112c87e8

  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB8L/1W5ql+IAeqTIRAiqfAJ9G2Qz1XaGuTV9D9HsLH77/pOwOswCfWdUa
sOBvZN8plbTquPjXFFac16Q=
=I0rL
-----END PGP SIGNATURE-----
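The advisories above give a Size/MD5 line for every file and tell the reader to fetch it with wget and install it with dpkg -i; the step in between, checking the download against the signed advisory, is left to the reader. The following is an added example, not part of any DSA or of Debian's tooling: a parser for the file list in the DSA layout (a URL line followed by its "Size/MD5 checksum:" line) and a check of a local file against it. The advisory snippet, the package name "foo" and the files it is checked against are constructed here so the script runs offline.

```php
<?php
/*
 * Added example, not part of the advisory or of Debian's tooling. Before
 * "dpkg -i file.deb" runs, the downloaded file should match the Size/MD5
 * line the PGP-signed advisory gives for it. parseDsaChecksums() reads the
 * file list in the DSA layout; verifyAgainstDsa() compares one local file
 * against it. MD5 is not collision-resistant, so the trust here comes from
 * the signature on the advisory; the checksum catches a corrupted or
 * substituted download. The snippet and files below are constructed.
 */

/** Map basename => ['size' => int, 'md5' => string] from DSA file-list text. */
function parseDsaChecksums(string $text): array
{
    $entries = [];
    $pendingUrl = null;
    foreach (preg_split('/\R/', $text) as $line) {
        if (preg_match('~^\s*(https?://\S+)\s*$~', $line, $m)) {
            $pendingUrl = $m[1];            // remember the URL; its checksum line follows
        } elseif ($pendingUrl !== null
            && preg_match('~Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})~', $line, $m)) {
            $entries[basename($pendingUrl)] = ['size' => (int) $m[1], 'md5' => strtolower($m[2])];
            $pendingUrl = null;
        }
    }
    return $entries;
}

/** Return null when $path matches its advisory entry, otherwise the reason it does not. */
function verifyAgainstDsa(string $path, array $entries): ?string
{
    $name = basename($path);
    if (!isset($entries[$name])) {
        return "no advisory entry for $name";
    }
    $expected = $entries[$name];
    $size = filesize($path);
    if ($size !== $expected['size']) {      // cheap check first, before hashing
        return "size mismatch for $name: advisory {$expected['size']}, file $size";
    }
    $md5 = md5_file($path);
    if (!hash_equals($expected['md5'], $md5)) {
        return "md5 mismatch for $name: advisory {$expected['md5']}, file $md5";
    }
    return null;
}

// --- Constructed demonstration data ---
$dir = sys_get_temp_dir() . '/dsa-check-' . getmypid();
mkdir($dir, 0755, true);
$good = "$dir/foo_1.0-1woody1_i386.deb";
$bad  = "$dir/foo-doc_1.0-1woody1_all.deb";
file_put_contents($good, "constructed package payload\n");
file_put_contents($bad,  "constructed package payload\n");

// Advisory text in the DSA layout: the first entry carries the good file's real
// size and MD5; the second has the right size but a wrong hash, as a download
// whose contents were altered in transit would.
$template = <<<'TXT'
  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/foo/foo_1.0-1woody1_i386.deb
      Size/MD5 checksum: %8d %s

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/foo/foo-doc_1.0-1woody1_all.deb
      Size/MD5 checksum: %8d %s
TXT;
$advisory = sprintf($template, filesize($good), md5_file($good), filesize($bad), str_repeat('0', 32));

$entries = parseDsaChecksums($advisory);
foreach ([$good, $bad] as $file) {
    $problem = verifyAgainstDsa($file, $entries);
    echo basename($file), ': ', $problem ?? 'matches advisory, safe to dpkg -i', "\n";
}
```

Against a real advisory, paste the signed message's file list into parseDsaChecksums() after verifying its signature, and only run dpkg -i on files for which verifyAgainstDsa() returns null.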
[SECURITY] [DSA 653-1] New ethereal packages fix buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 653-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 21st, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ethereal
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0084

A buffer overflow has been detected in the X11 dissector of ethereal, a commonly used network traffic analyser. A remote attacker may be able to overflow a buffer using a specially crafted IP packet. More problems have been discovered which don't apply to the version in woody but are fixed in sid as well.

For the stable distribution (woody) this problem has been fixed in version 0.9.4-1woody11.

For the unstable distribution (sid) this problem has been fixed in version 0.10.9-1.

We recommend that you upgrade your ethereal package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.dsc Size/MD5 checksum: 681 8e8bbe73bf65d45446fb7c03dddb41a1 http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11.diff.gz Size/MD5 checksum:40601 a9a6e17ee6c2e1749ac3d140628c77c6 http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz Size/MD5 checksum: 3278908 42e999daa659820ee9339ea1e9ea Alpha architecture: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_alpha.deb Size/MD5 checksum: 1941102 aab1360769a64476ce4113068230c8ad http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_alpha.deb Size/MD5 checksum: 334424 c3647ca04af3f48b4e24ec6ae2fa6b4d http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_alpha.deb Size/MD5 checksum: 222460 06e7e8c5713efa6f102bb436c6251e61 http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_alpha.deb Size/MD5 checksum: 1707844 08f64c248a99394a8366ca5b512e096d ARM architecture: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_arm.deb Size/MD5 checksum: 1635456 190bd5415abaf62c1cde340605079152 http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_arm.deb Size/MD5 checksum: 297770 6d5ee1df687aeee0e49d4bc27cfab0da http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_arm.deb Size/MD5 checksum: 206356 fcba9b5be975e62bd5cf8efca338a299 http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_arm.deb Size/MD5 checksum: 1439676 d825f5c16e37f1a5c1a7aaa6ba0798b1 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_i386.deb Size/MD5 checksum: 1513338 996070722f320a6d6d40652101480ec6 http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_i386.deb 
Size/MD5 checksum: 286736 69fd768db07ee2ac52b33f3188fdba97 http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_i386.deb Size/MD5 checksum: 198652 50e416b732e5d02d1f8e6bfb5269d1f9 http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_i386.deb Size/MD5 checksum: 1326536 c8415c2297b0bc30a297b3b07e0a1186 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_ia64.deb Size/MD5 checksum: 2150414 b46cc7da4c46e2a920299cef6d6f1f1c http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody11_ia64.deb Size/MD5 checksum: 373372 1b977535a20b449ea7c1b21e09f9493b http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody11_ia64.deb Size/MD5 checksum: 234004 e8c69f3f1db9708ceb2e74122e81c168 http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody11_ia64.deb Size/MD5 checksum: 1861780 6c48358d2c8c892d24ebbc29b020931d HP Precision architecture: http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody11_hppa.deb Size/MD5
[SECURITY] [DSA 649-1] New xtrlock packages fix authentication bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 649-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 20th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xtrlock
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-0079
Debian Bug     : 278190 278191

A buffer overflow has been discovered in xtrlock, a minimal X display lock program, which can be exploited by a malicious local attacker to crash the lock program and take over the desktop session.

For the stable distribution (woody) this problem has been fixed in version 2.0-6woody2.

For the unstable distribution (sid) this problem has been fixed in version 2.0-9.

We recommend that you upgrade your xtrlock package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2.dsc
      Size/MD5 checksum:      500 d39ea1ae4ee66338786d018406065022
    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2.tar.gz
      Size/MD5 checksum:     6977 6e6cfc0627bb74bd5014b550c2ea7a5f

  Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_alpha.deb
      Size/MD5 checksum:     9604 d05e56b7856e770b1b43daaf43a0dc3d

  ARM architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_arm.deb
      Size/MD5 checksum:     8604 f0d46d569f47ecb8a138c9f91be6cdc6

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_i386.deb
      Size/MD5 checksum:     8730 63b6233b95553ffa59de4811c06a6502

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_ia64.deb
      Size/MD5 checksum:    10104 ab12fc340b57cb3cbd58cbb0e6e1c188

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_hppa.deb
      Size/MD5 checksum:     8988 cd59712f225ec6d790ad608a8c0dac3a

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_m68k.deb
      Size/MD5 checksum:     8606 abac92671aefe845c7fd609668a9f367

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_mips.deb
      Size/MD5 checksum:     8830 1a09a3a4e99e8c5f94a555ad8f9fc0c0

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_mipsel.deb
      Size/MD5 checksum:     8828 7f56d17dd068abe7cb99a47f2e328fc9

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_powerpc.deb
      Size/MD5 checksum:     8636 cd7dfdba990035bc942e1c16844eefcd

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_s390.deb
      Size/MD5 checksum:     9128 f85ab602c4160b29bdb98170114b2368

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xtrlock/xtrlock_2.0-6woody2_sparc.deb
      Size/MD5 checksum:    11340 c5b11b174068e3b0ebc61aa5f6cf9412

  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB74S0W5ql+IAeqTIRApNNAJ90ul19QanusFjVAGWC0SAozK0DvgCffYYF
/oPUNRKDjXVfZv1kwhd326U=
=86PR
-----END PGP SIGNATURE-----
[SECURITY] [DSA 650-1] New sword packages fix arbitrary command execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 650-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 20th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : sword
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0015

Ulf Härnhammar discovered that due to missing input sanitising in diatheke, a CGI script for making and browsing a bible website, it is possible to execute arbitrary commands via a specially crafted URL.

For the stable distribution (woody) this problem has been fixed in version 1.5.3-3woody2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your diatheke package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/s/sword/sword_1.5.3-3woody2.dsc Size/MD5 checksum: 612 9204579e3a264d7d43297c1b7bf98438 http://security.debian.org/pool/updates/main/s/sword/sword_1.5.3-3woody2.diff.gz Size/MD5 checksum:21169 c355f97deb2ef2c39b82aec857b15a21 http://security.debian.org/pool/updates/main/s/sword/sword_1.5.3.orig.tar.gz Size/MD5 checksum: 2389613 055f9c1e7c081a667674d9f4112abf11 Alpha architecture: http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_alpha.deb Size/MD5 checksum:82154 2c73838e4e5d1112ded21365df2578a3 http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_alpha.deb Size/MD5 checksum: 1712920 e3914e31b0b0217ac8f227f8730c0ace http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_alpha.deb Size/MD5 checksum:13312 29c89888a4b51b5aa555ff55b0a410ad http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_alpha.deb Size/MD5 checksum: 601828 dfcf6f97b2b3eead528e92b5dc387fe6 ARM architecture: http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_arm.deb Size/MD5 checksum:56756 0a83537894f73c59aac38b8698d68dc8 http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_arm.deb Size/MD5 checksum: 989694 18f31fc2d82aec5b342a62822f6421d8 http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_arm.deb Size/MD5 checksum:13326 f8a405bc39b9e73d84cb42448144b4ec http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_arm.deb Size/MD5 checksum: 298826 53df2455c33de26ddc7f661f1ff74a43 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_i386.deb Size/MD5 checksum:54788 7329737ccfe2988b667bf1cf4d0b684d http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_i386.deb Size/MD5 checksum: 923510 87cbc45e59453e36004331d8a1ba4950 
http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_i386.deb Size/MD5 checksum:13320 190147bb90a295003c9bf6ad0e0a48d4 http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_i386.deb Size/MD5 checksum: 281460 c0c5beeb00046e67a6fa9089e9d43d14 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_ia64.deb Size/MD5 checksum:62174 fbf8fac6dfc7d61a739b3bdb3f499566 http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_ia64.deb Size/MD5 checksum: 1291474 d38e91788454487c3fc8b40e017fc682 http://security.debian.org/pool/updates/main/s/sword/libsword-runtime_1.5.3-3woody2_ia64.deb Size/MD5 checksum:13308 b24742b3c41724e34669d0b921cb3d27 http://security.debian.org/pool/updates/main/s/sword/libsword1_1.5.3-3woody2_ia64.deb Size/MD5 checksum: 333424 7f076026a95ac0d0bdbe488777fb HP Precision architecture: http://security.debian.org/pool/updates/main/s/sword/diatheke_1.5.3-3woody2_hppa.deb Size/MD5 checksum:62118 2504df74d92b6adb4910a6a4f3452183 http://security.debian.org/pool/updates/main/s/sword/libsword-dev_1.5.3-3woody2_hppa.deb Size/MD5 checksum: 1104178
[SECURITY] [DSA 645-1] New CUPS packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 645-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 19th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0064

iDEFENSE has reported a buffer overflow in xpdf, the portable document format (PDF) suite. Similar code is present in the PDF processing part of CUPS. A maliciously crafted PDF file could exploit this problem, resulting in the execution of arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 1.1.14-5woody12.

In the unstable distribution (sid) CUPSYS does not use its own xpdf variant anymore but uses xpdf-utils.

We recommend that you upgrade your cups packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody12.dsc Size/MD5 checksum: 712 dba687dbc0a6992b0a3cdd8da496abdf http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody12.diff.gz Size/MD5 checksum:40770 083cfc2f84280ebaee765ec1ba7a8f29 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14.orig.tar.gz Size/MD5 checksum: 6150756 0dfa41f29fa73e7744903b2471d2ca2f Alpha architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody12_alpha.deb Size/MD5 checksum: 1901080 80c9b14b52397228088eb278ef07d897 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody12_alpha.deb Size/MD5 checksum:74548 98b9ef57c0e574aadf0e804fb070ccff http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody12_alpha.deb Size/MD5 checksum:93196 ebe102c5982747fb36254898db73bdac http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody12_alpha.deb Size/MD5 checksum: 2446048 e3509f813586e394fcaea652caeb979d http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody12_alpha.deb Size/MD5 checksum: 138216 c6c6beeff4bc077a290bb213ffafcd04 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-5woody12_alpha.deb Size/MD5 checksum: 181162 c612bffce4b666c36e9709a3f1c3b916 ARM architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody12_arm.deb Size/MD5 checksum: 1821988 cae79abb7d1980e5cb983c51c23df200 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody12_arm.deb Size/MD5 checksum:68682 2aef42b9bfa45d45a0b94f980cd75f0b http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody12_arm.deb Size/MD5 checksum:85876 c998cf95bd9faa58bbc3618d92c69e3b http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody12_arm.deb Size/MD5 checksum: 2346072 
24d5e48e3e0319b948038c45b1219b4d http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody12_arm.deb Size/MD5 checksum: 113198 4ce263fe2f228ad505e6249869ede086 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-5woody12_arm.deb Size/MD5 checksum: 150620 9644fdf3f4c6021a203b1a9811a14de8 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody12_i386.deb Size/MD5 checksum: 1788840 4421966dabb586f81791d9d27eaf9ceb http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody12_i386.deb Size/MD5 checksum:68212 af70c5816c54edf896a22c24fe0568b8 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody12_i386.deb Size/MD5 checksum:84376 6178a9c61d805a70e3f787f9cec45d44 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody12_i386.deb Size/MD5 checksum: 2312208 53aaab028df004928720cf25e9912298 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody12_i386.deb Size/MD5 checksum: 111224 2a6caaceda4a9a617637ffec2e6b0888 http://security.debian.org/pool/updates/main/c/cupsys
[SECURITY] [DSA 647-1] New mysql packages fix insecure temporary files
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 647-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 19th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mysql
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-0004

Javier Fernandez-Sanguino Pena from the Debian Security Audit Project discovered a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack, and could also unveil the contents of a temporary file which might contain sensitive information.

For the stable distribution (woody) this problem has been fixed in version 3.23.49-8.9.

For the unstable distribution (sid) this problem has been fixed in version 4.0.23-3 of mysql-dfsg and in version 4.1.8a-6 of mysql-dfsg-4.1.

We recommend that you upgrade your mysql packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.9.dsc Size/MD5 checksum: 875 943c6c647b130518c2a6c96bcb9c4031 http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.9.diff.gz Size/MD5 checksum:68320 7c46ef730e9c81c554b6d511481c02b7 http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz Size/MD5 checksum: 11861035 a2820d81997779a9fdf1f4b3c321564a Architecture independent components: http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.9_all.deb Size/MD5 checksum:17484 9c6cf59a839d3fc25a74f164358008e2 http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.5_all.deb Size/MD5 checksum: 1962992 a4cacebaadf9d5988da0ed1a336b48e6 Alpha architecture: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_alpha.deb Size/MD5 checksum: 278304 345708861734203ea2b8539c08a522a5 http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_alpha.deb Size/MD5 checksum: 779380 fa6bc20e561e5022eedc5dcd69715a27 http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_alpha.deb Size/MD5 checksum: 164116 f71397420366e10b5baf839658611271 http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_alpha.deb Size/MD5 checksum: 3635240 09c8c082c5bb1a5aec7fc55bebc0bcd6 ARM architecture: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_arm.deb Size/MD5 checksum: 238910 874cde30bec50e22aec0d66b163b5d60 http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_arm.deb Size/MD5 checksum: 635228 2cde5c1d7b306ad42b57a0cf26980546 http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_arm.deb Size/MD5 checksum: 124520 4a625fd5ba3b3f28cc13ebf65c2a1afb http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_arm.deb Size/MD5 checksum: 2806914 
3d001b9b0c0cb886e145d0bd39af870f Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_i386.deb Size/MD5 checksum: 235264 44202de31efe2267b50a0e24fb8ee3fd http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_i386.deb Size/MD5 checksum: 577118 081914b6293637cedc177b4c10671796 http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_i386.deb Size/MD5 checksum: 123080 0d35e7a8bd5f5ae806c55a2a12aa6ac1 http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_i386.deb Size/MD5 checksum: 2800998 e2af0992c6a9921dfc864e75c1495258 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_ia64.deb Size/MD5 checksum: 315628 29091ddf30d6c12f777f53cec06b740b http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_ia64.deb Size/MD5 checksum: 849066 aa2f4e5c92fc2779c3072c85d68ffb5f http://security.debian.org/pool/updates/main/m/mysql/mysql
[SECURITY] [DSA 648-1] New xpdf packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 648-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 19th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xpdf
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0064

iDEFENSE has reported a buffer overflow in xpdf, the portable document format (PDF) suite. A maliciously crafted PDF file could exploit this problem, resulting in the execution of arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 1.00-3.4.

For the unstable distribution (sid) this problem has been fixed in version 3.00-12.

We recommend that you upgrade your xpdf package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
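The upgrade procedure above fetches a .deb with wget and hands it to dpkg -i; the check a practitioner wants in between is that the file matches the "Size/MD5 checksum" line the advisory lists for it. The script below is an added example, not Debian tooling or text from any advisory: the advisory excerpt and the package file are constructed stand-ins, and `expected_for` and `verify_deb` are names chosen here.

```shell
#!/bin/sh
# Added example: check a downloaded .deb against the "Size/MD5 checksum"
# line of a Debian Security Advisory before running dpkg -i on it.
# The advisory excerpt and the .deb below are CONSTRUCTED for this demo;
# the size and MD5 are those of the sample file, not of a real package.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the file that "wget <url>" would have fetched.
printf 'not a real deb\n' > "$WORK/xpdf-common_1.00-3.4_all.deb"
SAMPLE_SIZE=$(wc -c < "$WORK/xpdf-common_1.00-3.4_all.deb" | tr -d ' ')
SAMPLE_MD5=$(md5sum "$WORK/xpdf-common_1.00-3.4_all.deb" | cut -d' ' -f1)

# Constructed excerpt in the DSA layout: a URL line, then its checksum line.
ADVISORY="$WORK/dsa.txt"
cat > "$ADVISORY" <<EOF
Debian GNU/Linux 3.0 alias woody
  Architecture independent components:
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_1.00-3.4_all.deb
      Size/MD5 checksum:    $SAMPLE_SIZE $SAMPLE_MD5
EOF

# expected_for ADVISORY FILENAME -> prints "SIZE MD5" for FILENAME, or
# returns 1 when the advisory lists no such file.
expected_for() {
    awk -v name="$2" '
        # URL line whose path ends in "/<name>": remember it, look at the next line.
        index($1, "/" name) == length($1) - length(name) { found = 1; next }
        # Checksum line right after it; tolerate "checksum:10726" (no space).
        found && /Size\/MD5 checksum:/ {
            sub(/.*checksum:[ \t]*/, ""); print $1, $2; exit
        }
        { found = 0 }
    ' "$1" | grep .
}

# verify_deb ADVISORY FILE -> 0 if FILE's size and MD5 both match the
# advisory entry for its basename, 1 otherwise.
verify_deb() {
    adv=$1; file=$2
    expected=$(expected_for "$adv" "$(basename "$file")") || {
        echo "no checksum entry for $(basename "$file") in advisory" >&2
        return 1
    }
    want_size=${expected% *}; want_md5=${expected#* }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] && [ "$have_md5" = "$want_md5" ]
}

if verify_deb "$ADVISORY" "$WORK/xpdf-common_1.00-3.4_all.deb"; then
    echo "checksum OK; safe to run: dpkg -i $WORK/xpdf-common_1.00-3.4_all.deb"
else
    echo "checksum MISMATCH; do not install" >&2
fi
```

The MD5 only ties the file to the advisory text; what ties the advisory to the security team is the PGP signature on the mail, so verify that first.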
[SECURITY] [DSA 643-1] New queue packages fix buffer overflows
--------------------------------------------------------------------------
Debian Security Advisory DSA 643-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 18th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : queue
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0555

jaguar of the Debian Security Audit Project has discovered several
buffer overflows in queue, a transparent load balancing system.

For the stable distribution (woody) these problems have been fixed in
version 1.30.1-4woody2.

For the unstable distribution (sid) these problems have been fixed in
version 1.30.1-5.

We recommend that you upgrade your queue package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 640-1] New gatos packages fix arbitrary code execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 640-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 17th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : gatos
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-0016

Erik Sjölund discovered a buffer overflow in xatitv, one of the programs
in the gatos package, that is used to display video with certain ATI
video cards.  xatitv is installed setuid root in order to gain direct
access to the video hardware.

For the stable distribution (woody) this problem has been fixed in
version 0.0.5-6woody3.

For the unstable distribution (sid) this problem has been fixed in
version 0.0.5-15.

We recommend that you upgrade your gatos package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 642-1] New gallery packages fix several vulnerabilities
--------------------------------------------------------------------------
Debian Security Advisory DSA 642-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 17th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : gallery
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-1106
BugTraq ID     : 11602

Several vulnerabilities have been discovered in gallery, a web-based
photo album written in PHP4.  The Common Vulnerabilities and Exposures
project identifies the following vulnerabilities:

CAN-2004-1106

    Jim Paris discovered a cross site scripting vulnerability which
    allows code to be inserted by using specially formed URLs.

CVE-NOMATCH

    The upstream developers of gallery have fixed several cases of
    possible variable injection that could trick gallery to unintended
    actions, e.g. leaking database passwords.

For the stable distribution (woody) these problems have been fixed in
version 1.2.5-8woody3.

For the unstable distribution (sid) these problems have been fixed in
version 1.4.4-pl4-1.

We recommend that you upgrade your gallery package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 638-1] New gopher packages fix several vulnerabilities
--------------------------------------------------------------------------
Debian Security Advisory DSA 638-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 13th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : gopher
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0560 CAN-2004-0561

jaguar has discovered two security relevant problems in gopherd, the
Gopher server in Debian which is part of the gopher package.  The
Common Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CAN-2004-0560

    An integer overflow can happen when posting content of a specially
    calculated size.

CAN-2004-0561

    A format string vulnerability has been found in the log routine.

For the stable distribution (woody) these problems have been fixed in
version 3.0.3woody2.

The unstable distribution (sid) does not contain a gopherd package.
It has been replaced by Pygopherd.

We recommend that you upgrade your gopherd package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 636-1] New libc6 packages fix insecure temporary files
--------------------------------------------------------------------------
Debian Security Advisory DSA 636-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 12th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : glibc
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0968
BugTraq ID     : 11286
Debian Bug     : 279680 278278 205600

Several insecure uses of temporary files have been discovered in support
scripts in the libc6 package which provides the C library for a
GNU/Linux system.  Trustix developers found that the catchsegv script
uses temporary files insecurely.  Openwall developers discovered
insecure temporary files in the glibcbug script.  These scripts are
vulnerable to a symlink attack.

For the stable distribution (woody) these problems have been fixed in
version 2.2.5-11.8.

For the unstable distribution (sid) these problems have been fixed in
version 2.3.2.ds1-20.

We recommend that you upgrade your libc6 package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 630-1] New lintian packages fix insecure temporary directory
--------------------------------------------------------------------------
Debian Security Advisory DSA 630-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 10th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : lintian
Vulnerability  : insecure temporary directory
Problem-Type   : local
Debian-specific: yes
CVE ID         : CAN-2004-1000
Debian Bug     : 286681

Jeroen van Wolffelaar discovered a problem in lintian, the Debian
package checker.  The program removes the working directory even if it
wasn't created at program start, removing an unrelated file or
directory a malicious user inserted via a symlink attack.

For the stable distribution (woody) this problem has been fixed in
version 1.20.17.1.

For the unstable distribution (sid) this problem has been fixed in
version 1.23.6.

We recommend that you upgrade your lintian package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 632-1] New linpopup packages fix arbitrary code execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 632-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 10th, 2005                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : linpopup
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-1282
Debian Bug     : 287044

Stephen Dranger discovered a buffer overflow in linpopup, an X11 port of
winpopup, running over Samba, that could lead to the execution of
arbitrary code when displaying a maliciously crafted message.

For the stable distribution (woody) this problem has been fixed in
version 1.2.0-2woody1.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.0-7.

We recommend that you upgrade your linpopup package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 627-1] New namazu2 packages fix cross-site scripting vulnerability
--------------------------------------------------------------------------
Debian Security Advisory DSA 627-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 6th, 2005                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : namazu2
Vulnerability  : unsanitised input
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-1318

A cross-site scripting vulnerability has been discovered in namazu2, a
full text search engine.  An attacker could prepare specially crafted
input that would not be sanitised by namazu2 and hence displayed
verbatim for the victim.

For the stable distribution (woody) this problem has been fixed in
version 2.0.10-1woody3.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.14-1.

We recommend that you upgrade your namazu2 package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 625-1] New pcal packages fix arbitrary code execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 625-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
January 5th, 2004                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : pcal
Vulnerability  : buffer overflows
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-1289
Debian Bug     : 287039

Danny Lungstrom discovered two buffer overflows in pcal, a program to
generate Postscript calendars, that could lead to the execution of
arbitrary code when compiling a calendar.

For the stable distribution (woody) these problems have been fixed in
version 4.7-8woody1.

For the unstable distribution (sid) these problems have been fixed in
version 4.8.0-1.

We recommend that you upgrade your pcal package.

Upgrade Instructions
--------------------

wget <url>
        will fetch the file for you
dpkg -i <file.deb>
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1.dsc Size/MD5 checksum: 567 084db6ff500acb07787520fbe64fe55c http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1.diff.gz Size/MD5 checksum: 9241 dfead422c9e896806a1f3d6bf27906cd http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7.orig.tar.gz Size/MD5 checksum: 244559 1c3a5694c465e702795ba53dbbb1f412 Alpha architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_alpha.deb Size/MD5 checksum: 124958 4bd681850f08a22ff4e2b409c74d34fc ARM architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_arm.deb Size/MD5 checksum: 110892 01e26a1ae460e156debbc26f2657048a Intel IA-32 architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_i386.deb Size/MD5 checksum: 107250 a487a36516ae170cab2c60370352b4ad Intel IA-64 architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_ia64.deb Size/MD5 checksum: 139992 66232d332593c1b9a1b1bdbe839f3327 HP Precision architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_hppa.deb Size/MD5 checksum: 121282 ee138b5220ff6caf4f6ecd30f4539037 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_m68k.deb Size/MD5 checksum: 104702 e9930289c67b6d611e51ef954724f5b4 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_mips.deb Size/MD5 checksum: 119802 1ea25df3c512c07249fff7b6e2d08ad9 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_mipsel.deb Size/MD5 checksum: 119766 d3c55f4e572337088ebe5cc2753e2a20 PowerPC architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_powerpc.deb Size/MD5 checksum: 116472 034b734141ee6804d4b2f54fbba70724 IBM S/390 architecture: 
http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_s390.deb Size/MD5 checksum: 109908 76455e1b97a3ba92aafcdee086916f98 Sun Sparc architecture: http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_sparc.deb Size/MD5 checksum: 112900 a705775dedf8d2918f1016d884db48ad These files will probably be moved into the stable distribution on its next update. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFB2/4YW5ql+IAeqTIRAhaJAKCrZZpxYBWn4ECUM5jRp8qmeldW1wCeIOX9 hAanrmtdivrs5464RYNa0nM= =KCn+ -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
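The upgrade instructions in the advisory above say to fetch each file and hand it to dpkg -i; the Size/MD5 lines are there so that what you fetched can be checked first. As an added example (not a Debian tool and not part of any advisory on this page), the following Python parses those URL/checksum pairs from an advisory excerpt and verifies a local download against them. The two pcal entries in the excerpt are copied from DSA 625-1; the example_1.0-1_i386.deb entry is a made-up package whose size and digest are those of the three bytes "abc", so the demo runs offline. Two caveats a practitioner should keep in mind: the checksums carry exactly the trust of the PGP signature over the advisory they came from (an unsigned copy of the list proves nothing), and MD5 only guards against a corrupted or swapped download, not against an adversary who can craft collisions. On current Debian releases apt verifies signed Release files and this manual step is rarely needed.

```python
"""Check a fetched .deb against the Size/MD5 lines of a Debian advisory.

Added example for this archive page; it is not a Debian tool and not part
of any advisory. The advisories list, per file, a URL line followed by a
"Size/MD5 checksum: <size> <md5>" line; this parses those pairs and checks
a local download against them before it would be handed to `dpkg -i`.
"""
import hashlib
import os
import re
import tempfile

# Constructed excerpt in the layout the advisories use. The two pcal entries
# are copied from DSA 625-1. The third entry is a made-up package name whose
# size and digest are those of the three bytes b"abc", so the demo below
# can be run offline without fetching anything from security.debian.org.
ADVISORY_EXCERPT = """\
  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_i386.deb
      Size/MD5 checksum:   107250 a487a36516ae170cab2c60370352b4ad
    http://security.debian.org/pool/updates/main/p/pcal/pcal_4.7-8woody1_ia64.deb
      Size/MD5 checksum:   139992 66232d332593c1b9a1b1bdbe839f3327
    http://security.debian.org/pool/updates/main/e/example/example_1.0-1_i386.deb
      Size/MD5 checksum:        3 900150983cd24fb0d6963f7d28e17f72
"""

URL_RE = re.compile(r"^\s*((?:https?|ftp)://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_checksums(text):
    """Map file basename -> (size, md5) for every URL/checksum pair.

    A URL with no checksum line directly after it (the archive truncates
    some messages mid-list) is dropped rather than guessed at.
    """
    expected = {}
    pending = None
    for line in text.splitlines():
        url = URL_RE.match(line)
        if url:
            pending = url.group(1)
            continue
        digest = SUM_RE.match(line)
        if digest and pending:
            name = os.path.basename(pending)
            expected[name] = (int(digest.group(1)), digest.group(2).lower())
        pending = None
    return expected


def verify_file(path, size, md5):
    """True only if the file has exactly the advertised size and MD5."""
    if os.path.getsize(path) != size:
        return False
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == md5.lower()


def check_download(path, expected):
    """Look the download up by basename and verify it; KeyError if unlisted."""
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError("%s is not listed in the advisory" % name)
    size, md5 = expected[name]
    return verify_file(path, size, md5)


def demo():
    """Write the 3-byte stand-in package, verify it, corrupt it, verify again.

    Returns (genuine_ok, tampered_ok); expected (True, False).
    """
    expected = parse_checksums(ADVISORY_EXCERPT)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example_1.0-1_i386.deb")
        with open(path, "wb") as f:
            f.write(b"abc")
        genuine_ok = check_download(path, expected)
        with open(path, "ab") as f:
            f.write(b"\n")          # one extra byte, as a tampered download
        tampered_ok = check_download(path, expected)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

In use, paste the whole signed advisory into parse_checksums (after verifying its signature with gpg --verify), then call check_download on each file wget fetched; install only those for which it returns True. A file whose basename is not listed raises KeyError on purpose, so a stray .deb cannot slip through as "unchecked but fine".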
[SECURITY] [DSA 623-1] New nasm packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 623-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 4th, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : nasm
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-1287
Debian Bug     : 285889

Jonathan Rockway discovered a buffer overflow in nasm, the general-purpose
x86 assembler, which could lead to the execution of arbitrary code when
compiling a maliciously crafted assembler source file.

For the stable distribution (woody) this problem has been fixed in
version 0.98.28cvs-1woody2.

For the unstable distribution (sid) this problem has been fixed in
version 0.98.38-1.1.

We recommend that you upgrade your nasm package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2.dsc
      Size/MD5 checksum:      591 ccf378a52d5e0acca8180cd2a898c23f
    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2.diff.gz
      Size/MD5 checksum:    26048 2108831b98639b53b09aa4548915e4cc
    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs.orig.tar.gz
      Size/MD5 checksum:   537305 1d2465d345d51f1c2ce2c9c076438bc6

  Alpha architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_alpha.deb
      Size/MD5 checksum:   759992 9206150e538f1fb3098ac5481f495366

  ARM architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_arm.deb
      Size/MD5 checksum:   701838 098f440e19c005de6df393bc4c132f7d

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_i386.deb
      Size/MD5 checksum:   694292 c5b8b4143097dc9c7f3544406059cd73

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_ia64.deb
      Size/MD5 checksum:   819652 6a1af7503971f6882995591f976d583a

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_hppa.deb
      Size/MD5 checksum:   751016 74aeea3854ac5a644c722cc571e11960

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_m68k.deb
      Size/MD5 checksum:   687534 107d93d7afc41d9dabe64ddf9ff83ef6

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_mips.deb
      Size/MD5 checksum:   743282 3aafdf6822bbb53dcd58df688d3a033b

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_mipsel.deb
      Size/MD5 checksum:   737590 0918c72ca36528b94080db4647610b42

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_powerpc.deb
      Size/MD5 checksum:   713496 3ed0c9adb99e5023ac208fcd6cae5d57

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_s390.deb
      Size/MD5 checksum:   709216 b2a9af593f7180ca8706c43738e684d6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/n/nasm/nasm_0.98.28cvs-1woody2_sparc.deb
      Size/MD5 checksum:   735074 64a6e597c849353ae1ea0f720ff14061

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB2rWsW5ql+IAeqTIRAh6lAKC11DTU4Q6mHr9dKN+tFpn4lzvZwwCfRZuJ
cmUiVg/PHm6nb3V6l8MVmGE=
=ohPW
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
[SECURITY] [DSA 619-1] New xpdf packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 619-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 30th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xpdf
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-1125
Debian Bug     : 286742 286983

An iDEFENSE security researcher discovered a buffer overflow in xpdf,
the portable document format (PDF) suite.  A maliciously crafted PDF
file could exploit this problem, resulting in the execution of
arbitrary code.

For the stable distribution (woody) this problem has been fixed in
version 1.00-3.3.

For the unstable distribution (sid) this problem has been fixed in
version 3.00-11.

We recommend that you upgrade your xpdf package immediately.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.3.dsc
      Size/MD5 checksum:      706 23700a27ce16f5eb689c506202d2765b
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.3.diff.gz
      Size/MD5 checksum:    10380 e2848faffb3f2e31dd5537455e7080da
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00.orig.tar.gz
      Size/MD5 checksum:   397750 81f3c381cef729e4b6f4ce21cf5bbf3c

  Architecture independent components:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_1.00-3.3_all.deb
      Size/MD5 checksum:    38564 3569649f520138653c83d1c4f1d3fdb0
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.3_all.deb
      Size/MD5 checksum:     1296 7ec48e5bb253faf7213c77f9e94281a4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_alpha.deb
      Size/MD5 checksum:   570750 4fd37ec019d8a5f2b862e657d90f502d
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_alpha.deb
      Size/MD5 checksum:  1045440 55b96bad26e97470e55301131e0d4283

  ARM architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_arm.deb
      Size/MD5 checksum:   487142 658bb5215595409c9c9ff4a6fa30da69
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_arm.deb
      Size/MD5 checksum:   886356 5d594800ed30fcc9615c903b623d221a

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_i386.deb
      Size/MD5 checksum:   449334 a1e4f95151abc321e9edce25f1f6d1e3
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_i386.deb
      Size/MD5 checksum:   827848 a073ca6d6525d6859e74a845c0c5e962

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_ia64.deb
      Size/MD5 checksum:   682282 05312ad7277b07e8a26b54e481d53e4a
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_ia64.deb
      Size/MD5 checksum:  1228062 57b770f8890a2669413b2e33ed7452da

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_hppa.deb
      Size/MD5 checksum:   563810 ea6257a1a8f31847102753686cebae35
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_hppa.deb
      Size/MD5 checksum:  1032614 eb968fd52646d9479eaf4c34de1b6c74

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_m68k.deb
      Size/MD5 checksum:   427442 dfcde4d3216e845b68fe5abe59921d0a
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_m68k.deb
      Size/MD5 checksum:   794446 51638d6101cb515a36d3f63e33a696d9

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_mips.deb
      Size/MD5 checksum:   555190 81dc69c860ae38220a35a21d39240fdd
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_mips.deb
      Size/MD5 checksum:  1016470 05be0bc2aa13bd8566075340e0db2aa1

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.3_mipsel.deb
      Size/MD5 checksum:   546214 f24fb28580495f080e9fdccc0378ee2c
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.3_mipsel.deb
[SECURITY] [DSA 620-1] New perl packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 620-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 30th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : perl
Vulnerability  : insecure temporary files / directories
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0452 CAN-2004-0976

Several vulnerabilities have been discovered in Perl, the popular
scripting language.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CAN-2004-0452

    Jeroen van Wolffelaar discovered that the rmtree() function in the
    File::Path module removes directory trees in an insecure manner
    which could lead to the removal of arbitrary files and directories
    through a symlink attack.

CAN-2004-0976

    Trustix developers discovered several insecure uses of temporary
    files in many modules which allow a local attacker to overwrite
    files via a symlink attack.

For the stable distribution (woody) these problems have been fixed in
version 5.6.1-8.8.

For the unstable distribution (sid) these problems have been fixed in
version 5.8.4-5.

We recommend that you upgrade your perl packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8.dsc
      Size/MD5 checksum:      687 bdc819ee60db1a3b36c3dca291f52ace
    http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8.diff.gz
      Size/MD5 checksum:   172848 fd37736eb59a9818267ee7d857392ad7
    http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
      Size/MD5 checksum:  5983695 ec1ff15464809b562aecfaa2e65edba6

  Architecture independent components:

    http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.8_all.deb
      Size/MD5 checksum:    31398 b3770a464c4829cffc57b6200d7aea5a
    http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.8_all.deb
      Size/MD5 checksum:  3885590 67218848fb7f8d1c957c544e65cfec6f
    http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.8_all.deb
      Size/MD5 checksum:  1278678 f9096ccecd9a4498710918630f5d1c33

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_alpha.deb
      Size/MD5 checksum:   620330 89d10e31a2d585a5e21f03ced90588ae
    http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_alpha.deb
      Size/MD5 checksum:   435780 f3f58d63f33ea7329643f3018557567c
    http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_alpha.deb
      Size/MD5 checksum:  1217954 ddc314501497c8fccce05836440725b7
    http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_alpha.deb
      Size/MD5 checksum:   209206 47f3505b8f00c927c8418ee7f738a4e4
    http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_alpha.deb
      Size/MD5 checksum:  2826662 fcfc45b3c132e3cbe611e938f107dfc4
    http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_alpha.deb
      Size/MD5 checksum:    34554 55824148ee93769d5cfa37b38e19ac8a

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_arm.deb
      Size/MD5 checksum:   516708 6282cf2711efc7fa7e5d64ee3cb1878a
    http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_arm.deb
      Size/MD5 checksum:   362942 726aead8125fdf9511da4b9a78b7bbf0
    http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_arm.deb
      Size/MD5 checksum:  1164478 13138bd197201c32b928e4e5c3e0da54
    http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_arm.deb
      Size/MD5 checksum:   545864 650daeadb1be2bc86226e1807dc2e57c
    http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_arm.deb
      Size/MD5 checksum:  2307242 7e28620ac4894efdb57f9b57a8af0309
    http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_arm.deb
      Size/MD5 checksum:    29192 fadf45170059bf5215dd759c32c79c83

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_i386.deb
      Size/MD5 checksum:   424662 217c74330cb9c12cbd906aec43abe92f
    http
[SECURITY] [DSA 618-1] New imlib packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 618-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 24th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : imlib
Vulnerability  : buffer overflows, integer overflows
Problem-Type   : local/remote
Debian-specific: no
CVE ID         : CAN-2004-1025 CAN-2004-1026
BugTraq ID     : 11830
Debian Bug     : 284925

Pavel Kankovsky discovered that several overflows found in the libXpm
library were also present in imlib, an imaging library for X and X11.
An attacker could create a carefully crafted image file in such a way
that it could cause an application linked with imlib to execute
arbitrary code when the file was opened by a victim.  The Common
Vulnerabilities and Exposures project identifies the following
problems:

CAN-2004-1025

    Multiple heap-based buffer overflows.

CAN-2004-1026

    Multiple integer overflows.

For the stable distribution (woody) these problems have been fixed in
version 1.9.14-2woody2.

For the unstable distribution (sid) these problems have been fixed in
version 1.9.14-17.1.

We recommend that you upgrade your imlib packages immediately.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/i/imlib/imlib_1.9.14-2woody2.dsc
      Size/MD5 checksum:      805 6b89c44e7635494ab6309f31e8977a71
    http://security.debian.org/pool/updates/main/i/imlib/imlib_1.9.14-2woody2.diff.gz
      Size/MD5 checksum:   273298 66b9b193f65f0f552a3c7475504b4aa3
    http://security.debian.org/pool/updates/main/i/imlib/imlib_1.9.14.orig.tar.gz
      Size/MD5 checksum:   748591 1fa54011e4e1db532d7eadae3ced6a8c

  Architecture independent components:

    http://security.debian.org/pool/updates/main/i/imlib/imlib-base_1.9.14-2woody2_all.deb
      Size/MD5 checksum:   114710 04c82fdad40b4c81ca6145015d1ca9e7

  Alpha architecture:

    http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_alpha.deb
      Size/MD5 checksum:   119716 e6b3de272b4ccded198ca1c7a8cbe9c7
    http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_alpha.deb
      Size/MD5 checksum:    97146 afa40cb2097baab7293694292a163373
    http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_alpha.deb
      Size/MD5 checksum:   117364 43f345f06377fefe9a5976a3d571876c
    http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_alpha.deb
      Size/MD5 checksum:   262202 2baf347e73e7833f340b72d250709b2f
    http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_alpha.deb
      Size/MD5 checksum:    97202 af8d9bcb83596b124cc7148b4b42a612

  ARM architecture:

    http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_arm.deb
      Size/MD5 checksum:    94088 97cab67730bda9ca0a83ff1e8fd646c7
    http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_arm.deb
      Size/MD5 checksum:    75402 db81fe94e6b35c3baa2505f533f6aa01
    http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_arm.deb
      Size/MD5 checksum:    94136 d6d974eb4fb709141cd8482b45756a74
    http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_arm.deb
      Size/MD5 checksum:   258262 da89d3962a56d4d37bcb4084e5ae4176
    http://security.debian.org/pool/updates/main/i/imlib/imlib1_1.9.14-2woody2_arm.deb
      Size/MD5 checksum:    76330 b1f75f5cc08f4175b72ba932c7b34210

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib-dev_1.9.14-2woody2_i386.deb
      Size/MD5 checksum:    77884 c24a0ebb06c178eb4d473c20433b7389
    http://security.debian.org/pool/updates/main/i/imlib/gdk-imlib1_1.9.14-2woody2_i386.deb
      Size/MD5 checksum:    69338 b284172f465ac35e7fdf44bea07504e8
    http://security.debian.org/pool/updates/main/i/imlib/imlib-dev_1.9.14-2woody2_i386.deb
      Size/MD5 checksum:    76452 acaaca70c492ee827d678743dd990d61
    http://security.debian.org/pool/updates/main/i/imlib/imlib-progs_1.9.14-2woody2_i386.deb
      Size/MD5 checksum:   258354 790ada2bfc6205c0cd43459ae95fb127
    http://security.debian.org/pool/updates/main/i/imlib
[SECURITY] [DSA 616-1] New telnetd-ssl packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 616-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 23rd, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : netkit-telnet-ssl
Vulnerability  : format string
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0998

Joel Eriksson discovered a format string vulnerability in telnetd-ssl
which may be able to lead to the execution of arbitrary code on the
victim's machine.

For the stable distribution (woody) this problem has been fixed in
version 0.17.17+0.1-2woody3.

For the unstable distribution (sid) this problem has been fixed in
version 0.17.24+0.1-6.

We recommend that you upgrade your telnetd-ssl package immediately.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/netkit-telnet-ssl_0.17.17+0.1-2woody3.dsc
      Size/MD5 checksum:      669 1911a91198987efcbfeaf54ba94994e2
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/netkit-telnet-ssl_0.17.17+0.1-2woody3.diff.gz
      Size/MD5 checksum:     8721 901621f6abc0c1c6dc0713570994acf7
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/netkit-telnet-ssl_0.17.17+0.1.orig.tar.gz
      Size/MD5 checksum:   167658 faf2d112bc4d44f522bad3bc73da8d6d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_alpha.deb
      Size/MD5 checksum:   101104 b3e71d1b626e6f618bba5e337c5e0221
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody3_alpha.deb
      Size/MD5 checksum:    56962 847abe42f9b4f910156239c85b35e2a7

  ARM architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_arm.deb
      Size/MD5 checksum:    85194 1db7e7432d8025531b869ae5c737014b
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody3_arm.deb
      Size/MD5 checksum:    48596 ad29db7a35ad3ee4e3d2c5c411b0edb9

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_i386.deb
      Size/MD5 checksum:    85512 60cc558b94c132683259dcf6cce07874
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody3_i386.deb
      Size/MD5 checksum:    46708 1554de5105f77ebad4168c80d2cc4e83

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_ia64.deb
      Size/MD5 checksum:   123206 f04a1406feca437cd7acfd38214ea1d9
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody3_ia64.deb
      Size/MD5 checksum:        8 b87ace7ba0732798804ed9c247805d2d

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_hppa.deb
      Size/MD5 checksum:    86580 d02c49d43f91bd4b1509fe71d15bbc6f
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody3_hppa.deb
      Size/MD5 checksum:    53920 d8b9f61a1203571b667159f834623157

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_m68k.deb
      Size/MD5 checksum:    81420 437597b90358da1afee0818adf1c7242
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody3_m68k.deb
      Size/MD5 checksum:    45430 6bffe1c28aab33caa01bd26305029aac

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_mips.deb
      Size/MD5 checksum:    97400 1af9df6a844768e2bb26a613044737e3
    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnetd-ssl_0.17.17+0.1-2woody3_mips.deb
      Size/MD5 checksum:    52270 c94b3bfb596075ab4b6444a9976f3988

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl/telnet-ssl_0.17.17+0.1-2woody3_mipsel.deb
      Size/MD5 checksum:    97254 a9e36f6f8ae3056d0d81434740c42640
    http://security.debian.org
[SECURITY] [DSA 611-1] New htget packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 611-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 20th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : htget
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0852

infamous41md discovered a buffer overflow in htget, a file grabber
that will get files from HTTP servers.  It is possible to overflow a
buffer and execute arbitrary code by accessing a malicious URL.

For the stable distribution (woody) this problem has been fixed in
version 0.93-1.1woody1.

This package is not present in the testing and unstable distributions.

We recommend that you upgrade your htget package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1.dsc
      Size/MD5 checksum:      462 35e77a77cfdfbf194a7ffa72199a0d9c
    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1.tar.gz
      Size/MD5 checksum:    30747 5ceb4c71d6a7356ba0c21c535649274c

  Alpha architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_alpha.deb
      Size/MD5 checksum:    19750 574b61323f92ebe875a240530f1841ad

  ARM architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_arm.deb
      Size/MD5 checksum:    14084 3ce8b4030ae5fe4f6f8906af364f63e1

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_i386.deb
      Size/MD5 checksum:    13650 93e282213c11f4401df7d6f5e01919ee

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_ia64.deb
      Size/MD5 checksum:    20714 11b76a5c8b90880f78d30b474f834ceb

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_hppa.deb
      Size/MD5 checksum:    15278 aa6ed9c4c6163464716389f970597867

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_m68k.deb
      Size/MD5 checksum:    12984 f0337dbb8f3bf291c2051620a7e85498

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_mips.deb
      Size/MD5 checksum:    15346 59e45b51f5285220716362ff668c81fb

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_mipsel.deb
      Size/MD5 checksum:    15356 eebe539aa515993b252a5b3927892f21

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_powerpc.deb
      Size/MD5 checksum:    15200 a8987d09dd743dfa3da8e4d048ce2a4e

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_s390.deb
      Size/MD5 checksum:    14430 0d48f492b6b6b6623652fdc352286790

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/h/htget/htget_0.93-1.1woody1_sparc.deb
      Size/MD5 checksum:    17790 1b78f544092bf5908b2a792a98a544e5

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBxqGaW5ql+IAeqTIRAkJiAJ9B2GnLqCOqPvqCFg4jdOc0ZmKXUgCfYZr0
cxE9V16oKXYfqHtH/jgkEuM=
=dVBI
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
[SECURITY] [DSA 610-1] New cscope packages fix insecure temporary file creation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 610-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 17th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cscope
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0996
BugTraq ID     : 11697
Debian Bug     : 282815

A vulnerability has been discovered in cscope, a program to
interactively examine C source code, which may allow local users to
overwrite files via a symlink attack.

For the stable distribution (woody) this problem has been fixed in
version 15.3-1woody2.

For the unstable distribution (sid) this problem has been fixed in
version 15.5-1.

We recommend that you upgrade your cscope package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2.dsc
      Size/MD5 checksum:      593 92a1d4fc455afa78d855f61032726cfb
    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2.diff.gz
      Size/MD5 checksum:     5750 2e991cad957c7fc76da2f6e05e02162d
    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3.orig.tar.gz
      Size/MD5 checksum:   196580 7540514aab8c0a3737ee8dd08a5422ba

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_alpha.deb
      Size/MD5 checksum:   129904 55a18b826ab935a85ff9b1151d7058cf

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_arm.deb
      Size/MD5 checksum:   111498 5da8a35ac3eaba039afa93ac1beba3ae

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_i386.deb
      Size/MD5 checksum:   105106 9dc15376b2fafce9a63cdadae3784b35

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_ia64.deb
      Size/MD5 checksum:   148664 9373976f2b1a14a165b71a04c3ed0c99

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_hppa.deb
      Size/MD5 checksum:   121870 49f6e6a16ad6c9646b18a87790d775ca

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_m68k.deb
      Size/MD5 checksum:   102290 428a0104834961d7e6fc8935d41653e3

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_mips.deb
      Size/MD5 checksum:   119642 358d6239a38bc5d767ab3fceb4c4

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_mipsel.deb
      Size/MD5 checksum:   119442 60c6abca0f605bf8efa6e0160716d351

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_powerpc.deb
      Size/MD5 checksum:   114240 00df8d48376af2f93bda799ad9c95e16

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_s390.deb
      Size/MD5 checksum:       10 c50a7ffc138d41c33ad6c7a7e768ff38

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/cscope/cscope_15.3-1woody2_sparc.deb
      Size/MD5 checksum:   115174 4e14738f98c36bb1cb7a6d1a63bfc688

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBwqIUW5ql+IAeqTIRAj2ZAJ9Ij5FSXA1cFKt/IYqcGYTn+GMwCQCfVXPr
kiebfD5mGpm8jGTDXY+OoDU=
=k4Pr
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
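The temporary-file advisories on this page (DSA 620 for Perl's File::Path and other modules, DSA 610 for cscope, and DSA 603 for the der_chop script shipped with openssl) all describe one local attack: a tool creates a scratch file at a name the attacker can predict, inside a directory the attacker can write to, and a symlink planted at that name beforehand turns the tool's own write into an overwrite of whatever the link points at, with the tool's privileges. The following is an added example, not code from any of those packages, that reproduces the attack against a guessable name and shows the two usual fixes: O_CREAT|O_EXCL on the fixed name, and mkstemp. The directory, the name tool.<pid> and the pid 4242 are constructed for the demo; the victim file stands in for something like ~/.bashrc.

```python
"""Predictable temporary file versus mkstemp, shown with a planted symlink.

Added example for the temporary-file advisories on this page (DSA 620 for
Perl's modules, DSA 610 for cscope; DSA 603's der_chop is the same class).
It is not code from any of those packages. The generic bug: a tool writes
to a fixed or guessable name under a world-writable directory such as
/tmp, so a local attacker who plants a symlink at that name first makes
the tool write through the link, clobbering whatever file the link names.
"""
import os
import tempfile


def insecure_write(tmpdir, pid, data):
    """The pattern the advisories fix: guessable name, open() follows links.

    "tool.<pid>" is predictable from ps, and open(..., "w") is
    O_WRONLY|O_CREAT|O_TRUNC without O_EXCL, so an existing symlink at
    that path is silently followed and its target truncated and written.
    """
    path = os.path.join(tmpdir, "tool.%d" % pid)
    with open(path, "w") as f:
        f.write(data)
    return path


def secure_write_fixed_name(tmpdir, pid, data):
    """Same name, but O_CREAT|O_EXCL (plus O_NOFOLLOW where available).

    O_EXCL makes open() fail with EEXIST if anything, including a dangling
    symlink, already sits at the path, so a planted link is never used.
    """
    path = os.path.join(tmpdir, "tool.%d" % pid)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def secure_write(tmpdir, data):
    """The usual fix: mkstemp picks an unpredictable name and uses O_EXCL."""
    fd, path = tempfile.mkstemp(prefix="tool.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Plant a symlink at the guessable name, then run each writer.

    Returns (victim_clobbered, fixed_name_refused, mkstemp_name_unguessed);
    expected (True, True, True).
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")      # stands in for ~/.bashrc
        with open(victim, "w") as f:
            f.write("original contents\n")
        pid = 4242                                  # attacker read it from ps
        # the attacker's only move: a link at the name the tool will use
        os.symlink(victim, os.path.join(d, "tool.%d" % pid))

        insecure_write(d, pid, "tool scratch data\n")
        with open(victim) as f:
            victim_clobbered = f.read() != "original contents\n"

        try:
            secure_write_fixed_name(d, pid, "tool scratch data\n")
            fixed_name_refused = False
        except OSError:
            # EEXIST from O_EXCL (or ELOOP from O_NOFOLLOW): write refused
            fixed_name_refused = True

        safe = secure_write(d, "tool scratch data\n")
        mkstemp_name_unguessed = os.path.basename(safe) != "tool.%d" % pid
    return victim_clobbered, fixed_name_refused, mkstemp_name_unguessed


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. First, O_EXCL is what does the work: a predictable name is acceptable if creation fails safely, and an unpredictable name is not enough on its own if the open still follows symlinks; mkstemp gives you both, and the Perl counterpart is File::Temp's tempfile(). Second, the rmtree() issue in DSA 620 is the deletion-side version of the same problem: a directory swapped for a symlink between the tool reading a directory entry and acting on it makes the tool delete through the link, and the remedy there is to traverse using directory-descriptor-relative calls (the *at family) rather than re-resolving path strings at every step.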
[SECURITY] [DSA 603-1] New openssl packages fix insecure temporary file creation
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 603-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze December 1st, 2004 http://www.debian.org/security/faq - -- Package: openssl Vulnerability : insecure temporary file Problem-Type : local/remote Debian-specific: no CVE ID : CAN-2004-0975 Trustix developers discovered insecure temporary file creation in a supplemental script (der_chop) of the openssl package which may allow local users to overwrite files via a symlink attack. For the stable distribution (woody) this problem has been fixed in version 0.9.6c-2.woody.7. For the unstable distribution (sid) this problem has been fixed in version 0.9.7e-1. We recommend that you upgrade your openssl package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. 
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.7.dsc
      Size/MD5 checksum:      632 602dbc2dbc2ca2030c00f2fe4974b2ff
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.7.diff.gz
      Size/MD5 checksum:    45284 9099375084f05be1f16e29426e206c6c
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.7_all.deb
      Size/MD5 checksum:      984 a582c62beb11f42b194720a4aca778fb

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.7_alpha.deb
      Size/MD5 checksum:  1551570 e292eefea2c0377a724c568798674ad8
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.7_alpha.deb
      Size/MD5 checksum:   571464 95cad9ee036e17185570d296e20d9080
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.7_alpha.deb
      Size/MD5 checksum:   736594 96b53586706663281cfe5dfba0e79274

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.7_arm.deb
      Size/MD5 checksum:  1358204 7906fdccc0e785b27a792cb58ad8d974
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.7_arm.deb
      Size/MD5 checksum:   474270 95c0d657bf8dc54347a721cc159839b3
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.7_arm.deb
      Size/MD5 checksum:   729984 13a17525bb5ee02f710e576627cdaa29

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.7_i386.deb
      Size/MD5 checksum:  1290528 54b46bf19ba1543a2e10f02a27e81860
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.7_i386.deb
      Size/MD5 checksum:   461966 b5380c072591fc7601d1675983ac2c58
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.7_i386.deb
      Size/MD5 checksum:   723366 32dd684d4d6e4d77882cbfd5e26e5a16

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.7_ia64.deb
      Size/MD5 checksum:  1615432 f6d3a4ad7c86c560ba3bf1cf457fc4f3
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.7_ia64.deb
      Size/MD5 checksum:   711282 6923b5f064948242ce97758b3d870654
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.7_ia64.deb
      Size/MD5 checksum:   763686 4395eaf2e524871f9964d0e06fb11342

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.7_hppa.deb
      Size/MD5 checksum:  1435266 bd54f26da83b155d9d7277880cb41524
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.7_hppa.deb
      Size/MD5 checksum:   565130 a8aa7b3edddf38069acb76132f8f5339
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.7_hppa.deb
      Size/MD5 checksum:   742112 1602fe86f48babafc1b9cfde5a0566de

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.7_m68k.deb
      Size/MD5 checksum:  1266658
[SECURITY] [DSA 594-1] New Apache packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 594-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 17th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : apache
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0940

Two vulnerabilities have been identified in the Apache 1.3 webserver:

CAN-2004-0940

    Crazy Einstein has discovered a vulnerability in the mod_include
    module, which can cause a buffer to be overflown and could lead to
    the execution of arbitrary code.

NO VULN ID

    Larry Cashdollar has discovered a potential buffer overflow in the
    htpasswd utility, which could be exploited when user-supplied data
    is passed to the program via a CGI (or PHP, or ePerl, ...) program.

For the stable distribution (woody) these problems have been fixed in
version 1.3.26-0woody6.

For the unstable distribution (sid) these problems have been fixed in
version 1.3.33-2.

We recommend that you upgrade your apache packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6.dsc
      Size/MD5 checksum:      668 fa649037f25230b2ba98f8efd713ad88
    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6.diff.gz
      Size/MD5 checksum:   299617 1765e5037ede60c140b9e23b063229ea
    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26.orig.tar.gz
      Size/MD5 checksum:  2586182 5cd778bbe6906b5ef39dbb7ef801de61

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.26-0woody6_all.deb
      Size/MD5 checksum:  1022694 f0446d04bf9c37df0b8a1f9be6f3aad6

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_alpha.deb
      Size/MD5 checksum:   395536 15fdfaaa7dbbc72258e08796648f4b8e
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_alpha.deb
      Size/MD5 checksum:   926002 ebbf79cf5c21f90b195bbd43948013e4
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_alpha.deb
      Size/MD5 checksum:   713916 fe8f05f9645bd3e8488390c6fd1b2b51

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_arm.deb
      Size/MD5 checksum:   361166 1c18634efb67b0cbb2de9a109dd02714
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_arm.deb
      Size/MD5 checksum:   838810 9dc7aa64b92560e2af3310495726c5a4
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_arm.deb
      Size/MD5 checksum:   544394 4f83a87a3efc91221f2de6e4b51495f1

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_i386.deb
      Size/MD5 checksum:   353260 5d8bba199ad51b93d69b3d93dd357bcc
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_i386.deb
      Size/MD5 checksum:   813432 0bb2c86f93d31ca3c677afc539f41835
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_i386.deb
      Size/MD5 checksum:   535772 fc62f039e6164064956de81416564da3

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_ia64.deb
      Size/MD5 checksum:   436892 d870f942fcf5f2176865ab0a0ff90ddc
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_ia64.deb
      Size/MD5 checksum:  1012454 f74ff7702abd1314867b5fd81874baad
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_ia64.deb
      Size/MD5 checksum:   949188 095050c609a54e53379c231629844a7c

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_hppa.deb
      Size/MD5 checksum:   386218 86b1b77c83a3b7346b11e5f00db8865e
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_hppa.deb
      Size/MD5 checksum:   891646 65e8f5775d23b19084a7606ff808c336
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_hppa.deb
      Size/MD5 checksum
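Both Apache issues above are the same shape of bug: a directive name or a user-supplied string copied into a fixed-size buffer without checking its length. The C below is an added example, not Apache's or Debian's code: it extracts an SSI directive name (the text that follows "<!--#" up to the first space or "=") into a fixed buffer, first the unchecked way and then with the length check a fix of this kind adds. The TAG_MAX limit, the function names, the list of known directives and the sample directive strings are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Apache's code. TAG_MAX is an assumed limit on an
 * SSI directive name such as "include" or "flastmod". */
#define TAG_MAX 16

/* Vulnerable form: copies until a delimiter with no check against the
 * size of tag[], so a directive name of TAG_MAX bytes or more writes
 * past the end of the buffer. Kept only for comparison; never run it
 * on untrusted input. */
void get_tag_unchecked(const char *in, char tag[TAG_MAX])
{
    size_t i = 0;
    while (in[i] != '\0' && in[i] != ' ' && in[i] != '=') {
        tag[i] = in[i];
        i++;
    }
    tag[i] = '\0';
}

/* Hardened form: the same copy, but every byte is checked against the
 * destination size before it is stored, keeping room for the NUL.
 * Returns the tag length, or -1 if the name does not fit. */
int get_tag_checked(const char *in, char *tag, size_t tagsz)
{
    size_t i = 0;
    if (tagsz == 0)
        return -1;
    while (in[i] != '\0' && in[i] != ' ' && in[i] != '=') {
        if (i + 1 >= tagsz)      /* no room for this byte plus the NUL */
            return -1;
        tag[i] = in[i];
        i++;
    }
    tag[i] = '\0';
    return (int)i;
}

/* 1 if the directive name in `in` is one of the (assumed) names the
 * handler knows, 0 otherwise, including on overlong input. */
int directive_is_known(const char *in)
{
    static const char *known[] = { "include", "echo", "exec", "flastmod", "fsize", NULL };
    char tag[TAG_MAX];
    if (get_tag_checked(in, tag, sizeof tag) < 0)
        return 0;
    for (size_t k = 0; known[k] != NULL; k++)
        if (strcmp(tag, known[k]) == 0)
            return 1;
    return 0;
}

/* Scratch buffer for stand-alone use. */
char demo_tag[TAG_MAX];

int main(void)
{
    /* Constructed directives, as they would appear after "<!--#". */
    int n = get_tag_checked("include virtual=\"/footer.html\" -->", demo_tag, sizeof demo_tag);
    int overlong = get_tag_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA virtual=\"x\" -->",
                                   demo_tag, sizeof demo_tag);
    return (n == 7 && overlong == -1) ? 0 : 1;
}
```

The check is placed before the store, not after the loop: a post-loop `strlen` test would already be too late, since the bytes have been written by then.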
[SECURITY] [DSA 593-1] New imagemagick packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 593-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 16th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : imagemagick
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0981
Debian Bug     : 278401

A vulnerability has been reported for ImageMagick, a commonly used
image manipulation library. Due to a boundary error within the EXIF
parsing routine, specially crafted graphic images could lead to the
execution of arbitrary code.

For the stable distribution (woody) this problem has been fixed in
version 5.4.4.5-1woody4.

For the unstable distribution (sid) this problem has been fixed in
version 6.0.6.2-1.5.

We recommend that you upgrade your imagemagick packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody4.dsc
      Size/MD5 checksum:      852 c053f06bcb00f7cc722814ece4c99462
    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody4.diff.gz
      Size/MD5 checksum:    15309 bb1ec78c190677ceb5311ffe167b8184
    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5.orig.tar.gz
      Size/MD5 checksum:  3901237 f35e356b4ac1ebc58e3cffa7ea7abc07

  Alpha architecture:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody4_alpha.deb
      Size/MD5 checksum:  1309792 f3e20f97b3a081cd3e73675c2131a345
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5_5.4.4.5-1woody4_alpha.deb
      Size/MD5 checksum:   154144 4b8abf5400526b55d41b6a23a747740d
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5-dev_5.4.4.5-1woody4_alpha.deb
      Size/MD5 checksum:    56232 d6be366bdb42ff918de236b42e5fc03e
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5_5.4.4.5-1woody4_alpha.deb
      Size/MD5 checksum:   833420 811a90a17be12877a5352474b4ff50b0
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5-dev_5.4.4.5-1woody4_alpha.deb
      Size/MD5 checksum:    67276 ea7ecc0c685293d0bfe90d7d5eec5eae
    http://security.debian.org/pool/updates/main/i/imagemagick/perlmagick_5.4.4.5-1woody4_alpha.deb
      Size/MD5 checksum:   113786 896b92eda8b1572090c28f7781617bcb

  ARM architecture:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody4_arm.deb
      Size/MD5 checksum:  1297076 1480d317943ebd0d62af4e91cb70e8bc
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5_5.4.4.5-1woody4_arm.deb
      Size/MD5 checksum:   118678 9bd22b4793a02f7d55178093950f2af1
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5-dev_5.4.4.5-1woody4_arm.deb
      Size/MD5 checksum:    56272 dced3c2b19dadc4a9269ca8694a9fb17
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5_5.4.4.5-1woody4_arm.deb
      Size/MD5 checksum:   898586 0603ac9d5290dad892eb26cc9d3f5f9c
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5-dev_5.4.4.5-1woody4_arm.deb
      Size/MD5 checksum:    67312 332b1462e38cab79c3baf075124f0a52
    http://security.debian.org/pool/updates/main/i/imagemagick/perlmagick_5.4.4.5-1woody4_arm.deb
      Size/MD5 checksum:   109900 d5c8d8247af36dbf8e6d38343b451c0b

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody4_i386.deb
      Size/MD5 checksum:  1295130 5c546d50eb6a1c1597c491849a74ba00
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5_5.4.4.5-1woody4_i386.deb
      Size/MD5 checksum:   122766 a778e5be49e9a22fea94f6a6d83f7035
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5-dev_5.4.4.5-1woody4_i386.deb
      Size/MD5 checksum:    56254 2758908cfe92661e70e3def07595126a
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5_5.4.4.5-1woody4_i386.deb
      Size/MD5 checksum:   772498 17eb974bb841ad4332e1ebbc800f7ce2
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5-dev_5.4.4.5-1woody4_i386.deb
[SECURITY] [DSA 592-1] New ez-ipupdate packages fix format string vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 592-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 12th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ez-ipupdate
Vulnerability  : format string
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0980

Ulf Härnhammar from the Debian Security Audit Project discovered a
format string vulnerability in ez-ipupdate, a client for many dynamic
DNS services. This problem can only be exploited if ez-ipupdate is
running in daemon mode (most likely) with many but not all service
types.

For the stable distribution (woody) this problem has been fixed in
version 3.0.11b5-1woody2.

For the unstable distribution (sid) this problem has been fixed in
version 3.0.11b8-8.

We recommend that you upgrade your ez-ipupdate package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2.dsc
      Size/MD5 checksum:      591 5ea93510ea0985ee5bc5d46f11e77f2e
    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2.diff.gz
      Size/MD5 checksum:     2908 2760ddd610c25aed2782a9ad08e1195a
    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5.orig.tar.gz
      Size/MD5 checksum:    82447 d56a0cb69ae880b427197dbba8843fe2

  Alpha architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_alpha.deb
      Size/MD5 checksum:    37816 4aa590c57b9fa76ad36d87d5888ec0c3

  ARM architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_arm.deb
      Size/MD5 checksum:    35524 b3e2beb2b01299b348d9123b57db43b0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_i386.deb
      Size/MD5 checksum:    31564 4bbd440cbc9c46ee171a943fcabab515

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_ia64.deb
      Size/MD5 checksum:    44986 2245062816d79e79d966a04a9ef57331

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_hppa.deb
      Size/MD5 checksum:    38066 3a8babb63fe3e0e6425dc8be435ab43b

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_m68k.deb
      Size/MD5 checksum:    29324 ba60cb9aac5678bac51895d84c8b7f6b

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_mips.deb
      Size/MD5 checksum:    33724 66f85badd42509876428e99dee7c5b73

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_mipsel.deb
      Size/MD5 checksum:    33800 3c660a8a28cd0ec4e05d2d2eb8833837

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_powerpc.deb
      Size/MD5 checksum:    33494 19f926ed91211ee91030c9ec5e03d0a0

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_s390.deb
      Size/MD5 checksum:    32192 b8b14df40410692608b90ccfa1bfaf5c

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/e/ez-ipupdate/ez-ipupdate_3.0.11b5-1woody2_sparc.deb
      Size/MD5 checksum:    36840 00356f122c8754e4de0e9fab48458ae3

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBlGy4W5ql+IAeqTIRAkvDAKC4JYxtwiT66OCezf0MExSkL4MYawCePGnC
fEQDHEbYq5i/+0KEz/lLNMc=
=qnSY
-----END PGP SIGNATURE-----
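The ez-ipupdate problem is a format-string bug: text the daemon received from the network was handed to a printf-style routine as the format itself rather than as an argument. The C below is an added example, not ez-ipupdate's code, showing the vulnerable and the fixed call side by side. The `emit()` wrapper, the function names and the constructed "server reply" are assumptions of the example; the `%%` input is chosen because it is the one directive that is well-defined with no arguments, so the vulnerable path visibly interprets the message without crashing. In a real attack the directives would be `%x` to read stack words or `%n` to write memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ez-ipupdate's code. emit() stands in for whatever
 * printf-style logging routine a daemon uses; it carries no format
 * attribute, which is why the compiler cannot warn at the bad call site. */
static int emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the received message *is* the format string. Every '%'
 * directive in it is interpreted: "%x" leaks stack words, "%s" reads
 * through an arbitrary pointer, "%n" writes the byte count to memory.
 * Returns the length the formatted result would have. */
int log_reply_unsafe(char *out, size_t outsz, const char *msg)
{
    return emit(out, outsz, msg);
}

/* Fixed: the format is a constant and the message is an argument, so its
 * bytes are copied literally whatever they contain. */
int log_reply_safe(char *out, size_t outsz, const char *msg)
{
    return emit(out, outsz, "%s", msg);
}

/* Audit helper: 1 if a string would be interpreted by a printf-family
 * function at all, i.e. contains any '%'. Handy when reviewing call
 * sites that pass a variable as the format argument. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Scratch buffer for stand-alone use. */
char demo_log[64];

int main(void)
{
    /* Constructed reply from a dynamic DNS server, as the daemon might log it. */
    const char *reply = "update 100%% done";
    char unsafe_buf[64];
    log_reply_unsafe(unsafe_buf, sizeof unsafe_buf, reply); /* "update 100% done"  */
    log_reply_safe(demo_log, sizeof demo_log, reply);       /* "update 100%% done" */
    return strcmp(unsafe_buf, demo_log) != 0 ? 0 : 1;
}
```

When reviewing similar code, compile with `-Wformat -Wformat-security` and mark any in-house wrapper like `emit()` with `__attribute__((format(printf, 3, 4)))`; without the attribute the warning is silent exactly where it is needed.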
[SECURITY] [DSA 589-1] New libgd1 packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 589-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 9th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libgd
Vulnerability  : integer overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0990
BugTraq ID     : 11523

infamous41md discovered several integer overflows in the PNG image
decoding routines of the GD graphics library. This could lead to the
execution of arbitrary code on the victim's machine.

For the stable distribution (woody) these problems have been fixed in
version 1.8.4-17.woody3 of libgd1 and in version 2.0.1-10woody1 of
libgd2.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your libgd1 packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/libg/libgd/libgd_1.8.4-17.woody3.dsc
      Size/MD5 checksum:      707 475a021c51d4a13211a211c17b1551f6
    http://security.debian.org/pool/updates/main/libg/libgd/libgd_1.8.4-17.woody3.diff.gz
      Size/MD5 checksum:     8695 d208e651d9d7eef22fcfd27455335c26
    http://security.debian.org/pool/updates/main/libg/libgd/libgd_1.8.4.orig.tar.gz
      Size/MD5 checksum:   559248 813625508e31f5c205904a305bdc8669

  Alpha architecture:

    http://security.debian.org/pool/updates/main/libg/libgd/libgd-dev_1.8.4-17.woody3_alpha.deb
      Size/MD5 checksum:   134716 18f7bb31f9c2df1876fcd43ee07cb317
    http://security.debian.org/pool/updates/main/libg/libgd/libgd-noxpm-dev_1.8.4-17.woody3_alpha.deb
      Size/MD5 checksum:   133308 800918d9a4c773155bdc1328f8e46119
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1_1.8.4-17.woody3_alpha.deb
      Size/MD5 checksum:   111812 6ac46129674d4377a65140a26c320f3b
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1-noxpm_1.8.4-17.woody3_alpha.deb
      Size/MD5 checksum:       88 53f277a1a0b1cd239a42e2f3e9558338

  ARM architecture:

    http://security.debian.org/pool/updates/main/libg/libgd/libgd-dev_1.8.4-17.woody3_arm.deb
      Size/MD5 checksum:   123676 b73ca28de04f8eff9f2f2dc6200ae089
    http://security.debian.org/pool/updates/main/libg/libgd/libgd-noxpm-dev_1.8.4-17.woody3_arm.deb
      Size/MD5 checksum:   123162 2616147546687bef695eaecbe87cd5da
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1_1.8.4-17.woody3_arm.deb
      Size/MD5 checksum:   104214 ad6dfb3a678252b8aea3f1e942ed9e18
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1-noxpm_1.8.4-17.woody3_arm.deb
      Size/MD5 checksum:   103616 b5ed245e0b10ce9248c69a362c0023f4

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/libg/libgd/libgd-dev_1.8.4-17.woody3_i386.deb
      Size/MD5 checksum:   121132 5531183a357e500c3ec58f094caf6c89
    http://security.debian.org/pool/updates/main/libg/libgd/libgd-noxpm-dev_1.8.4-17.woody3_i386.deb
      Size/MD5 checksum:   120650 73aa302b99d761988c6be28a0b6a866a
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1_1.8.4-17.woody3_i386.deb
      Size/MD5 checksum:   104058 f2f25e0c784aa732d5f3a6941faf8d5e
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1-noxpm_1.8.4-17.woody3_i386.deb
      Size/MD5 checksum:   103526 b315185c17011b5b061b2f660962c04d

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/libg/libgd/libgd-dev_1.8.4-17.woody3_ia64.deb
      Size/MD5 checksum:   145576 57beb3ee63cfc0b0f959d8fe28ee73d8
    http://security.debian.org/pool/updates/main/libg/libgd/libgd-noxpm-dev_1.8.4-17.woody3_ia64.deb
      Size/MD5 checksum:   144628 c5f3fc093c8f8b8ee02cbc4a434e072a
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1_1.8.4-17.woody3_ia64.deb
      Size/MD5 checksum:   125622 59b992afcbfd47d9cf36a27e9e505472
    http://security.debian.org/pool/updates/main/libg/libgd/libgd1-noxpm_1.8.4-17.woody3_ia64.deb
      Size/MD5 checksum:   124316 c506be2df33949840ab704c988509975

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/libg/libgd/libgd-dev_1.8.4-17.woody3_hppa.deb
      Size/MD5 checksum:   132100 6058fb1f80653f72e0adbce6fcfcb453
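The ImageMagick EXIF boundary error (DSA 593) and the GD PNG integer overflows (DSA 589) are the same decoder mistake in two forms: a length or dimension read from the file is trusted before it is checked against what the buffer can actually hold. The C below is an added example, not GD's or ImageMagick's code. It places a 32-bit allocation-size computation that wraps next to a checked version, and adds a small tag/length/value walker that refuses an entry whose declared length runs past the remaining data. The TLV layout (1-byte tag, 2-byte big-endian length), the 256 MiB cap and the constructed byte strings are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not GD's or ImageMagick's code. MAX_IMAGE_BYTES is an
 * assumed policy cap; real decoders choose their own. */
#define MAX_IMAGE_BYTES ((size_t)256 << 20)

/* Naive: the product is formed in 32-bit arithmetic straight from header
 * fields, so 65536 x 65536 x 4 wraps to 0. A later malloc() then returns
 * a tiny block that the row-decoding loop writes far past. */
uint32_t image_bytes_naive(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: each multiplication is guarded by a division against the cap
 * before it is performed, so the intermediate can never wrap, and the
 * result is bounded by policy as well. Returns 0 and sets *out on
 * success, -1 otherwise. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if ((size_t)width > MAX_IMAGE_BYTES / height)
        return -1;
    size_t pixels = (size_t)width * height;
    if (pixels > MAX_IMAGE_BYTES / bpp)
        return -1;
    *out = pixels * bpp;
    return 0;
}

/* Walks a tag/length/value stream: 1-byte tag, 2-byte big-endian length,
 * then that many payload bytes. Returns the number of complete entries,
 * or -1 as soon as a declared length exceeds the data that remains. The
 * comparison is written as vlen > len - off rather than off + vlen > len
 * so that the addition itself cannot overflow. */
int count_tlv_entries(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 3)
            return -1;                               /* header itself is cut off */
        size_t vlen = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        off += 3;
        if (vlen > len - off)
            return -1;                               /* claims more bytes than exist */
        off += vlen;
        n++;
    }
    return n;
}

/* Constructed sample streams. */
const uint8_t TLV_GOOD[] = { 0x01, 0x00, 0x02, 'a', 'b',   /* tag 1, 2-byte payload */
                             0x02, 0x00, 0x00 };           /* tag 2, empty payload  */
const uint8_t TLV_BAD[]  = { 0x01, 0xFF, 0xFF, 'a' };      /* claims 65535, has 1   */

/* Scratch output for stand-alone use. */
size_t demo_bytes;

int main(void)
{
    int ok = image_bytes_naive(65536, 65536, 4) == 0
          && image_bytes_checked(65536, 65536, 4, &demo_bytes) == -1
          && image_bytes_checked(640, 480, 4, &demo_bytes) == 0 && demo_bytes == 1228800
          && count_tlv_entries(TLV_GOOD, sizeof TLV_GOOD) == 2
          && count_tlv_entries(TLV_BAD, sizeof TLV_BAD) == -1;
    return ok ? 0 : 1;
}
```

The cap matters even on 64-bit builds where the multiplication itself would not wrap: without it a header can still request a multi-gigabyte allocation and turn a parser bug into a denial of service.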
[SECURITY] [DSA 586-1] New ruby packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 586-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 8th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ruby
Vulnerability  : infinite loop
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0983

The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles.

For the stable distribution (woody) this problem has been fixed in
version ruby_1.6.7-3woody4.

For the unstable distribution (sid) this problem has been fixed in
version 1.6.8-12 of ruby1.6 and in version 1.8.1+1.8.2pre2-4 of
ruby1.8.

We recommend that you upgrade your ruby packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/r/ruby/ruby_1.6.7-3woody4.dsc
      Size/MD5 checksum:      909 199360fc56e90c03e2db35898539962f
    http://security.debian.org/pool/updates/main/r/ruby/ruby_1.6.7-3woody4.diff.gz
      Size/MD5 checksum:    43409 c4c76a272d9d57142b2376146bc57297
    http://security.debian.org/pool/updates/main/r/ruby/ruby_1.6.7.orig.tar.gz
      Size/MD5 checksum:   996835 a8859c679ee9acbfdf5056cdf26fcad3

  Architecture independent components:

    http://security.debian.org/pool/updates/main/r/ruby/irb_1.6.7-3woody4_all.deb
      Size/MD5 checksum:    51190 b6580615493b7f8c808f4f5eb515f477
    http://security.debian.org/pool/updates/main/r/ruby/ruby-elisp_1.6.7-3woody4_all.deb
      Size/MD5 checksum:    30256 88bcceab112fe1bcd53257744131eae1
    http://security.debian.org/pool/updates/main/r/ruby/ruby-examples_1.6.7-3woody4_all.deb
      Size/MD5 checksum:    37868 0cf747524848e0d2efa3645fb7c92689

  Alpha architecture:

    http://security.debian.org/pool/updates/main/r/ruby/libcurses-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   129432 3cbff5f492c63cdc9f8fb4d024545ea1
    http://security.debian.org/pool/updates/main/r/ruby/libdbm-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   128536 c81d37ad31fff057cf78609483e7271a
    http://security.debian.org/pool/updates/main/r/ruby/libgdbm-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   129916 3719a9eb879e07a1e57b3296008f6f69
    http://security.debian.org/pool/updates/main/r/ruby/libnkf-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   134810 0f9dd8734048519d8b5e0816390c2378
    http://security.debian.org/pool/updates/main/r/ruby/libpty-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   131850 8e272284f74f85a3d3eebdc913770658
    http://security.debian.org/pool/updates/main/r/ruby/libreadline-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   128418 b733779d7cd49e56b5d66aebd19f37e7
    http://security.debian.org/pool/updates/main/r/ruby/libruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   644334 87212bd04df1281c6a1d1a4193224c78
    http://security.debian.org/pool/updates/main/r/ruby/libsdbm-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   132306 9ad79ac47ca27342fd43067f401d8022
    http://security.debian.org/pool/updates/main/r/ruby/libsyslog-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   128898 2e1a420e607eb122b44d4569ed78b62d
    http://security.debian.org/pool/updates/main/r/ruby/libtcltk-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   147450 2dd530d288433af42f4ab618d6fca175
    http://security.debian.org/pool/updates/main/r/ruby/libtk-ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   161412 bb9d3de7e3762fae64988cdb32058542
    http://security.debian.org/pool/updates/main/r/ruby/ruby_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   142598 06bb7a48e88f88b1181f84ea5afdc6f0
    http://security.debian.org/pool/updates/main/r/ruby/ruby-dev_1.6.7-3woody4_alpha.deb
      Size/MD5 checksum:   625952 d061059d60fbba454b4fecb82a379142

  ARM architecture:

    http://security.debian.org/pool/updates/main/r/ruby/libcurses-ruby_1.6.7-3woody4_arm.deb
      Size/MD5 checksum:   128410 9e3bd9c043823c09cc125147c822895c
    http://security.debian.org/pool/updates/main/r/ruby/libdbm-ruby_1.6.7-3woody4_arm.deb
      Size/MD5 checksum:   127288 aa864c4c7f530ccf721c9fd93f099dc8
    http
[SECURITY] [DSA 587-1] New freeamp packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 587-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 8th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : freeamp
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0964

Luigi Auriemma discovered a buffer overflow condition in the playlist
module of freeamp which could lead to arbitrary code execution. Recent
versions of freeamp were renamed into zinf.

For the stable distribution (woody) this problem has been fixed in
version 2.1.1.0-4woody2.

For the unstable distribution (sid) this problem does not exist in the
zinf package as the code in question was rewritten.

We recommend that you upgrade your freeamp packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2.dsc
      Size/MD5 checksum:      944 39d51f9def21f5b1d5542ccbcbc01e29
    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2.diff.gz
      Size/MD5 checksum:    32347 783b34ce5201a8e4e10a8722fd00ad8f
    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0.orig.tar.gz
      Size/MD5 checksum:  3116888 d465da9fcdcc6ee7991e9b6cd968127b

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/freeamp/freeamp-doc_2.1.1.0-4woody2_all.deb
      Size/MD5 checksum:   282330 ffb91e1362db38b0e063839afdb7eefa

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_alpha.deb
      Size/MD5 checksum:  2399962 187f779ad3fa78a1bcb6f79837a733ba
    http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_alpha.deb
      Size/MD5 checksum:    90476 d184dd97abf70f5db80579e76bdca43a
    http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_alpha.deb
      Size/MD5 checksum:    34752 97704f6cd7245b6821d4683ee7999015
    http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_alpha.deb
      Size/MD5 checksum:    33376 77bbee46f4b02464e387d40fd850fac9

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_arm.deb
      Size/MD5 checksum:  2194684 c37e64837c2353be71062e9c74934028
    http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_arm.deb
      Size/MD5 checksum:    82794 6e6e0079c0f912c6aba7e3a73bc7963d
    http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_arm.deb
      Size/MD5 checksum:    29440 615324c7d033b4c327a883239b5afe9c
    http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_arm.deb
      Size/MD5 checksum:    29342 d745a17d3a3c59dd6d004babcfa7563b

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_i386.deb
      Size/MD5 checksum:  2032164 5c68a2b2940d9bfa3f5f3320f9a85d5b
    http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_i386.deb
      Size/MD5 checksum:    73482 091fe47ddd9308edcd2df707b00fefc8
    http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_i386.deb
      Size/MD5 checksum:    29382 3b22fa0992c89e05542d06b78ca263df
    http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_i386.deb
      Size/MD5 checksum:    28476 0142da2d0ed0d50e7fe454171d7066da

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_ia64.deb
      Size/MD5 checksum:  2367142 c43140e99b8dd87934e9611a060fe1bc
    http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_ia64.deb
      Size/MD5 checksum:    84638 6e55107e3071f451b08d77aed3260d44
    http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_ia64.deb
      Size/MD5 checksum:    27532 84b0e8df2b31326b378ce79e404ec4cd

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_hppa.deb
      Size/MD5 checksum:  2184294
[SECURITY] [DSA 588-1] New gzip packages fix insecure temporary files
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 588-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 8th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gzip
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0970
BugTraq ID     : 11288

Trustix developers discovered insecure temporary file creation in
supplemental scripts in the gzip package which may allow local users
to overwrite files via a symlink attack.

For the stable distribution (woody) these problems have been fixed in
version 1.3.2-3woody3.

The unstable distribution (sid) is not affected by these problems.

We recommend that you upgrade your gzip package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3.dsc Size/MD5 checksum: 577 3b5fd05de61de0a41973facf1edc6692 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3.diff.gz Size/MD5 checksum: 6371 cdb2a28b380ba84bae2c652eb156ca5a http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2.orig.tar.gz Size/MD5 checksum: 311011 57bff96b6b4bcbb060566bdbed29485d Alpha architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_alpha.deb Size/MD5 checksum:76456 3b8b2991a66b675198febc281ca59e84 ARM architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_arm.deb Size/MD5 checksum:68776 c049ef9bec9ac21c99c1f7eefc6ceb2e Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_i386.deb Size/MD5 checksum:62076 536b666d29bcc648a1f105b3e5ef0708 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_ia64.deb Size/MD5 checksum:86840 dd973820227968197c4da091db22bf18 HP Precision architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_hppa.deb Size/MD5 checksum:72594 70eb93310c314cd923091c93e0eded97 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_m68k.deb Size/MD5 checksum:61278 a47c8230f4f721e2a1adc6545aa25198 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_mips.deb Size/MD5 checksum:71762 68707f5373f065430d43cd2700902b60 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_mipsel.deb Size/MD5 checksum:71660 50646d0590343e2b90dc9f32fade4d54 PowerPC architecture: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody3_powerpc.deb Size/MD5 checksum:69280 9f49c09ec45ae1d4135e384e94914b72 IBM S/390 architecture: 
  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
[SECURITY] [DSA 585-1] New shadow packages fix unintended behaviour
Debian Security Advisory DSA 585-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 5th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : shadow
Vulnerability  : programming error
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-1001

A vulnerability has been discovered in the shadow suite which provides
programs like chfn and chsh.  It is possible for a user who is logged in
but has an expired password to alter his account information with chfn
or chsh without having to change the password.  The problem was
originally thought to be more severe.

For the stable distribution (woody) this problem has been fixed in
version 2902-12woody1.

For the unstable distribution (sid) this problem has been fixed in
version 4.0.3-30.3.

We recommend that you upgrade your passwd package (from the shadow
suite).

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 584-1] New dhcp packages fix format string vulnerability
Debian Security Advisory DSA 584-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 4th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : dhcp
Vulnerability  : format string vulnerability
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-1006

infamous41md noticed that the log functions in dhcp 2.x, which is still
distributed in the stable Debian release, passed parameters to functions
that use format strings.  One use seems to be exploitable in connection
with a malicious DNS server.

For the stable distribution (woody) these problems have been fixed in
version 2.0pl5-11woody1.

For the unstable distribution (sid) these problems have been fixed in
version 2.0pl5-19.1.

We recommend that you upgrade your dhcp package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
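The pattern DSA 584-1 describes, as an added example that is not dhcp's code: a logging helper that only ever receives a literal format, with the hostname learned from a DNS reply passed solely as a "%s" argument, plus a character-set check that rejects such a hostname before it reaches any string handling. All function names and the sample hostname are constructed for this illustration.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Safe logging helper: the format is always a literal chosen by the caller,
 * never text that arrived from the network.  The GCC attribute makes the
 * compiler warn if a non-literal format is ever passed. */
#ifdef __GNUC__
__attribute__((format(printf, 3, 4)))
#endif
static int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Logging a hostname from a DNS reply.  The hostname is the argument of
 * "%s", so '%' sequences inside it are copied literally.  The unsafe
 * variant the advisory describes passes the hostname where the format
 * belongs, e.g. log_fmt(out, outlen, host), and must never be written.
 * Returns the length of the produced message. */
int log_resolved_host(char *out, size_t outlen, const char *host)
{
    return log_fmt(out, outlen, "resolved host: %s", host);
}

/* Self-check: 1 if logging 'host' reproduces it verbatim (no expansion). */
int log_keeps_host_literal(const char *host)
{
    char line[256];

    log_resolved_host(line, sizeof line, host);
    return strcmp(line + strlen("resolved host: "), host) == 0;
}

/* Defence in depth: a hostname from DNS may only contain letters, digits,
 * '-' and '.'; anything else (including '%') is rejected before the string
 * reaches any formatting or logging code.  Returns 1 if acceptable. */
int hostname_is_sane(const char *host)
{
    size_t i, len = strlen(host);

    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Audit helper: counts printf conversion specifiers in a string, i.e. how
 * many arguments a call would consume if this string were (wrongly) used
 * as a format.  "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;

    for (; *s != '\0'; s++) {
        if (*s == '%') {
            if (s[1] == '%') {
                s++;
                continue;
            }
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a hostname a hostile resolver might return. */
    const char *host = "evil%x%s.example";
    char line[128];

    log_resolved_host(line, sizeof line, host);
    printf("logged: %s\n", line);
    printf("sane hostname: %d, directives it carries: %d, kept literal: %d\n",
           hostname_is_sane(host), count_directives(host),
           log_keeps_host_literal(host));
    return 0;
}
```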
[SECURITY] [DSA 583-1] New lvm10 packages fix insecure temporary directory
Debian Security Advisory DSA 583-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 3rd, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : lvm10
Vulnerability  : insecure temporary directory
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0972
Debian Bug     : 279229

Trustix developers discovered insecure temporary file creation in a
supplemental script in the lvm10 package that didn't check for existing
temporary directories, allowing local users to overwrite files via a
symlink attack.

For the stable distribution (woody) this problem has been fixed in
version 1.0.4-5woody2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your lvm10 package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 578-1] New mpg123 packages fix arbitrary code execution
Debian Security Advisory DSA 578-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 1st, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : mpg123
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0982

Carlos Barros has discovered a buffer overflow in the HTTP authentication
routine of mpg123, a popular (but non-free) MPEG layer 1/2/3 audio
player.  If a user opened a malicious playlist or URL, an attacker might
execute arbitrary code with the rights of the calling user.

For the stable distribution (woody) this problem has been fixed in
version 0.59r-13woody4.

For the unstable distribution (sid) this problem has been fixed in
version 0.59r-17.

We recommend that you upgrade your mpg123 package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Re: Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
Steve Kemp wrote:
> On Fri, Oct 29, 2004 at 10:12:33PM +0200, Frank Lichtenheld wrote:
> > Perhaps someone with a little more experience in identifying security
> > problems should take a look, too. I CC'ed debian-security.
>
> Here's a quick summary:
>
> To be clear there are three flaws being discussed in xsok:
>
> CAN-2004-0074
>   - overflow with LANG environmental variable.
>   - overflow due to long '-xsokdir' parameter.
>
> CAN-2003-0949
>   - Failure to drop privileges when unzipping.
>
> The second one was discovered by me and closed in DSA-405-1
>
> The first one is in two parts, the environmental variable overflow is
> patched already by the package maintainer.
>
> The second appears to be not an issue given this code:
>
>     if (strlen(savedir) > MAXSAVEFILELEN-16 ||
>         strlen(xsokdir) > MAXXSOKDIRLEN ||        [2]
>         strlen(p->xpmdir) > MAXXSOKDIRLEN) {
>         fprintf(stderr, "directory too long\n");
>         exit(1);
>     }
>
> The second line [2] seems to test its bounds - unless I missed an
> earlier usage.
>
> I've got it installed here, but sadly I have no X available so I can't
> test it.
>
> Run the following command to test if it's vulnerable:
>
>     xsok -xsokdir `perl -e 'print "X"x3000'`

Thanks a lot!  I'll add it to the non-vuln list.

Regards,

	Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.

Please always Cc to me when replying to me on the lists.
[SECURITY] [DSA 577-1] New postgresql packages fix symlink vulnerability
Debian Security Advisory DSA 577-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 29th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : postgresql
Vulnerability  : local
Problem-Type   : insecure temporary file
Debian-specific: no
CVE ID         : CAN-2004-0977
Debian Bug     : 278336

Trustix Security Engineers identified insecure temporary file creation
in a script included in the postgresql suite, an object-relational SQL
database.  This could allow an attacker to trick a user into overwriting
arbitrary files the user has write access to.

For the stable distribution (woody) this problem has been fixed in
version 7.2.1-2woody6.

For the unstable distribution (sid) this problem has been fixed in
version 7.4.6-1.

We recommend that you upgrade your postgresql packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 575-1] New catdoc packages fix temporary file vulnerability
Debian Security Advisory DSA 575-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 28th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : catdoc
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2003-0193
Debian Bug     : 183525

A temporary file problem has been discovered in xlsview from the catdoc
suite, converters from Word to TeX and plain text, which could lead to
local users being able to overwrite arbitrary files via a symlink attack
on predictable temporary file names.

For the stable distribution (woody) this problem has been fixed in
version 0.91.5-1.woody3.

For the unstable distribution (sid) this problem has been fixed in
version 0.91.5-2.

We recommend that you upgrade your catdoc package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
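DSA 588-1, 583-1, 577-1 and 575-1 all come down to the same pattern: a helper script writes to a predictable name under /tmp without checking what is already there, so a symlink planted at that name redirects the write. The following C program is an added example, not code from any of those packages, showing the guarantees (O_EXCL, mkstemp, mkdtemp, lstat) that mktemp(1) and a pre-use check in such a script rely on; the function names and sample paths are made up here, and the scenario is run inside a private directory it creates itself.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The unsafe pattern behind these advisories, shown only as a comment:
 * a predictable name such as /tmp/prog.<pid> opened with plain O_CREAT
 * (or the shell's '>').  A symlink planted there by another local user
 * is followed, and the file it points to is truncated and overwritten:
 *     fd = open("/tmp/prog.1234", O_WRONLY | O_CREAT | O_TRUNC, 0644);
 */

/* Safe creation at a fixed name: O_EXCL makes open() fail with EEXIST if
 * anything (a symlink included) already sits at 'path', O_NOFOLLOW refuses
 * to traverse a symlink at the last component, and 0600 keeps the file
 * private.  Returns the descriptor, or -1 with errno set. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: the C library picks an unpredictable name and creates
 * it atomically with O_CREAT|O_EXCL and mode 0600.  'tmpl' must end in
 * XXXXXX and is rewritten in place with the chosen name. */
int make_tmp_file(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Directory counterpart, the check the lvm10 script lacked: mkdtemp
 * creates the directory with mode 0700 and fails rather than reusing an
 * existing entry.  Returns 1 on success, 0 on failure. */
int make_tmp_dir(char *tmpl)
{
    return mkdtemp(tmpl) != NULL;
}

/* Pre-use check for a temporary path a script did not just create:
 * not a symlink (lstat examines the link itself), owned by the caller,
 * and not writable by group or others.  Returns 1 if trustworthy. */
int tmp_path_is_trustworthy(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
        return 0;
    if (st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

/* Walks the scenario inside a private directory: a symlink planted at the
 * predictable name is refused, a fresh name succeeds, and mkstemp never
 * reuses an existing entry.  Returns 0 when every step behaves as
 * expected, otherwise the number of the failing step. */
int run_demo(void)
{
    char dir[] = "/tmp/dsa-example-XXXXXX";     /* constructed sample names */
    char planted[64], fresh[64], tmpl[64];
    int fd;

    if (!make_tmp_dir(dir))
        return 1;
    snprintf(planted, sizeof planted, "%s/prog.1234", dir);
    snprintf(fresh, sizeof fresh, "%s/prog.5678", dir);
    snprintf(tmpl, sizeof tmpl, "%s/prog.XXXXXX", dir);

    /* Stand-in for a pre-planted symlink; its target need not exist. */
    if (symlink("/does/not/exist", planted) != 0)
        return 2;
    if (open_tmp_exclusive(planted) != -1 || errno != EEXIST)
        return 3;                               /* must be refused */
    if (tmp_path_is_trustworthy(planted))
        return 4;                               /* must be distrusted */
    fd = open_tmp_exclusive(fresh);
    if (fd < 0 || close(fd) != 0 || !tmp_path_is_trustworthy(fresh))
        return 5;
    fd = make_tmp_file(tmpl);
    if (fd < 0 || close(fd) != 0 || strstr(tmpl, "XXXXXX") != NULL)
        return 6;
    unlink(planted);
    unlink(fresh);
    unlink(tmpl);
    return rmdir(dir) == 0 ? 0 : 7;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "all temporary-file checks passed" : "a check failed");
    return rc;
}
```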
[SECURITY] [DSA 574-1] New cabextract packages fix unintended directory traversal
Debian Security Advisory DSA 574-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 28th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : cabextract
Vulnerability  : missing directory sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0916
Debian Bug     : 277522

The upstream developers discovered a problem in cabextract, a tool to
extract cabinet files.  The program could write files into parent
directories of the extraction directory, which could allow an attacker
to overwrite arbitrary files.

For the stable distribution (woody) this problem has been fixed in
version 0.2-2b.

For the unstable distribution (sid) this problem has been fixed in
version 1.1-1.

We recommend that you upgrade your cabextract package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
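The missing step in cabextract was sanitising member names before using them as output paths. Below is an added example, not cabextract's own code and with assumed function names, of such a sanitiser: it accepts the DOS-style backslash separators cabinet files use, drops "." and empty components, and rejects rather than repairs absolute paths, drive letters and ".." components, since a repaired name would still be a location chosen by whoever built the archive.

```c
#include <stdio.h>
#include <string.h>

/* Rewrites an archive member name ('/' or '\' separated) into 'out' as a
 * relative path that stays below the extraction directory.  Returns 1 on
 * success and 0 on rejection.  Absolute paths, drive letters and any ".."
 * component are rejected outright; "." components and repeated separators
 * are dropped; the result uses '/' throughout. */
int sanitize_member_path(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = name;

    if (*p == '/' || *p == '\\')
        return 0;                               /* absolute path */
    if (((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z'))
        && p[1] == ':')
        return 0;                               /* DOS drive letter */

    while (*p != '\0') {
        const char *start = p;
        size_t len, need;

        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        len = (size_t)(p - start);
        if (*p != '\0')
            p++;                                /* step over separator */
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                           /* "" or "." component */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;                           /* parent directory */
        need = o + (o > 0 ? 1 : 0) + len + 1;   /* separator + NUL */
        if (need > outlen)
            return 0;                           /* does not fit */
        if (o > 0)
            out[o++] = '/';
        memcpy(out + o, start, len);
        o += len;
    }
    if (o == 0)
        return 0;                               /* nothing usable left */
    out[o] = '\0';
    return 1;
}

/* Convenience check: 1 if 'name' sanitises to 'expected', or is rejected
 * when 'expected' is NULL. */
int member_path_becomes(const char *name, const char *expected)
{
    char out[256];
    int ok = sanitize_member_path(name, out, sizeof out);

    if (expected == NULL)
        return ok == 0;
    return ok == 1 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed member names of the kinds an archive might carry. */
    const char *names[] = {
        "docs\\readme.txt", "a/./b//c", "dir/", "..\\..\\outside.txt",
        "a/../b", "/etc/outside", "C:\\outside", ".",
    };
    size_t i;
    char out[256];

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (sanitize_member_path(names[i], out, sizeof out))
            printf("%-24s -> %s\n", names[i], out);
        else
            printf("%-24s -> rejected\n", names[i]);
    }
    return 0;
}
```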
[SECURITY] [DSA 572-1] New ecartis packages fix unauthorised access to admin interface
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 572-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 21st, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ecartis
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0913

A problem has been discovered in ecartis, a mailing-list manager, which
allows an attacker in the same domain as the list admin to gain
administrator privileges and alter list settings.

For the stable distribution (woody) this problem has been fixed in
version 0.129a+1.0.0-snap20020514-1.3.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.0+cvs.20030911-8.

We recommend that you upgrade your ecartis package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3.dsc Size/MD5 checksum: 633 3c5b01ccdb8efdd3f0b01ab1c420f0bd http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3.diff.gz Size/MD5 checksum:11136 deb52dba3044f51a775687dc3de435d4 http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514.orig.tar.gz Size/MD5 checksum: 326215 2772a595a3fe7ea5073874113da813ec Alpha architecture: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_alpha.deb Size/MD5 checksum: 256810 0756e2937a73c64e06a65001d7955877 http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.3_alpha.deb Size/MD5 checksum:34084 ef3ac15efae9aaa6ef01083e535d96a6 ARM architecture: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_arm.deb Size/MD5 checksum: 238590 c039d61d90f7163d0a5ae3a964fa28c6 http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.3_arm.deb Size/MD5 checksum:34256 27530fa34db9ccfce0dea27d2367a581 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_i386.deb Size/MD5 checksum: 199458 b486c027d445489c6fb27a705133e65f http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.3_i386.deb Size/MD5 checksum:26382 1a46d1a71f53b9cbe8ce774c308e0b63 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_ia64.deb Size/MD5 checksum: 338176 f34f303a82c07e94fbc4f740615b285a http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.3_ia64.deb Size/MD5 checksum:44402 3d96424af960b67c1eff7ed8281a28cc HP Precision architecture: 
http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_hppa.deb Size/MD5 checksum: 237276 86be667295c0110787c48483935304a9 http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.3_hppa.deb Size/MD5 checksum:34186 0427d04c72cd89788d7662e7ba84713b Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_m68k.deb Size/MD5 checksum: 210846 6ef4f00bcf7eb6855dff350f4ed2d6eb http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.3_m68k.deb Size/MD5 checksum:29470 cfdbd27c6f172a1fa75890d7bab9be26 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_mips.deb Size/MD5 checksum: 203434 37c63c68433b47af4773d9fd1620bd6d http://security.debian.org/pool/updates/main/e/ecartis/ecartis-cgi_0.129a+1.0.0-snap20020514-1.3_mips.deb Size/MD5 checksum:26454 7b1212a12d462e5d02c59e4c80fb6120 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.3_mipsel.deb Size/MD5 checksum: 203806 29b30b1f6a89f5f738fd6e2a25ce8e3f http://security.debian.org/pool/updates/main/e
[SECURITY] [DSA 573-1] New cupsys packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 573-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 21st, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : integer overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0888

Chris Evans discovered several integer overflows in xpdf which are also
present in CUPS, the Common UNIX Printing System, and which can be
exploited remotely by a specially crafted PDF document.

For the stable distribution (woody) these problems have been fixed in
version 1.1.14-5woody10.

For the unstable distribution (sid) these problems have been fixed in
version 1.1.20final+rc1-10.

We recommend that you upgrade your CUPS packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody10.dsc Size/MD5 checksum: 712 ae31959c46f48c5385b676f26a2e842d http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody10.diff.gz Size/MD5 checksum:40124 baba5be8d7564311a27cb81ce914e035 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14.orig.tar.gz Size/MD5 checksum: 6150756 0dfa41f29fa73e7744903b2471d2ca2f Alpha architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody10_alpha.deb Size/MD5 checksum: 1900822 a70479f7bb60a8286689480b6d308d25 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody10_alpha.deb Size/MD5 checksum:74422 d98680769dc77eb8e87d1340a8168abf http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody10_alpha.deb Size/MD5 checksum:93052 1fbb64fd54fe3b66fbf3e2f27842518f http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody10_alpha.deb Size/MD5 checksum: 2445890 333911b1b11bd1058c453f6190979da9 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody10_alpha.deb Size/MD5 checksum: 138086 fc159f99d5f10e551d05e56fe9385f34 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-5woody10_alpha.deb Size/MD5 checksum: 181022 8aede5734f2bc35dff191664ca07481d ARM architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody10_arm.deb Size/MD5 checksum: 1821796 d842e1185dd4a50cd9fa2f71fd7f216a http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody10_arm.deb Size/MD5 checksum:68558 c575b8ba9a7bbe9ab4bd5ff003787c80 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody10_arm.deb Size/MD5 checksum:85752 442b511623d5641ec33d0913e9756fe6 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody10_arm.deb Size/MD5 checksum: 2345934 
64a06768229c53e681e5bdb0f9b56197 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody10_arm.deb Size/MD5 checksum: 113060 5677fdf18c89fe349fd18a1eecef562f http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-5woody10_arm.deb Size/MD5 checksum: 150474 c8c4653a290a66724d717a709ae18a66 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody10_i386.deb Size/MD5 checksum: 1788626 9cb6367a1455987dfbbc03e26d4a0ab9 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody10_i386.deb Size/MD5 checksum:68074 d5b263fabbe23c5714d43770ea81b612 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody10_i386.deb Size/MD5 checksum:84244 e6cb1b13280664e12ded8709cfefebcc http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody10_i386.deb Size/MD5 checksum: 2312054 ab9511108a2281079e86da8e9e450349 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody10_i386.deb Size/MD5 checksum: 111096 7eb7f16bd74c6dba80c1dd3b39b697db http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-5woody10_i386.deb Size/MD5 checksum: 136658
[SECURITY] [DSA 556-2] New netkit-telnet packages really fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 556-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 8th, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : netkit-telnet
Vulnerability  : invalid free(3)
Problem-Type   : remote
Debian-specific: yes
CVE ID         : CAN-2004-0911
Debian Bug     : 273694

This is an update for DSA 556-1 which was intended to fix a denial of
service situation in netkit-telnet but didn't.  The update for unstable
did fix the problem.  For completeness below is the original advisory
text:

Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer.  This causes the telnet server process to crash,
leading to a straightforward denial of service (inetd will disable the
service if telnetd is crashed repeatedly), or possibly the execution of
arbitrary code with the privileges of the telnetd process (by default,
the 'telnetd' user).

For the unstable distribution (sid) this problem has been fixed in
version 0.17-26.

For the stable distribution (woody) this problem has been fixed in
version 0.17-18woody2.

We recommend that you upgrade your netkit-telnet-ssl package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/n/netkit-telnet/netkit-telnet_0.17-18woody2.dsc Size/MD5 checksum: 602 5c4291548c60df2607baabc8af77fe88 http://security.debian.org/pool/updates/main/n/netkit-telnet/netkit-telnet_0.17-18woody2.diff.gz Size/MD5 checksum:21969 e29d25caa0138fe87b26f2fee609698d http://security.debian.org/pool/updates/main/n/netkit-telnet/netkit-telnet_0.17.orig.tar.gz Size/MD5 checksum: 133749 d6beabaaf53fe6e382c42ce3faa05a36 Alpha architecture: http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody2_alpha.deb Size/MD5 checksum:84150 5cd0073e1d87493de0e9347e08b33e4c http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody2_alpha.deb Size/MD5 checksum:45804 4f5924c6b71a716bbae5ff32aebdaee1 ARM architecture: http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody2_arm.deb Size/MD5 checksum:69924 8bb25a534f053a693aa971df0e15d71f http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody2_arm.deb Size/MD5 checksum:39618 2cfc8d96f00bb739333adf0659caceb6 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody2_i386.deb Size/MD5 checksum:70944 f8361dcb79029ba42c929a4eec1c9f2c http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody2_i386.deb Size/MD5 checksum:38594 8619caa3b44632443cde32a032100d3f Intel IA-64 architecture: http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody2_ia64.deb Size/MD5 checksum: 102740 d9839694911c708b6e76de4f41434b24 http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody2_ia64.deb Size/MD5 checksum:52486 8d7c4b6f977d5f01e93ef2437829202d HP Precision architecture: http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody2_hppa.deb Size/MD5 checksum:69972 f5eb1bcafb1306cad596edc9e177eb7d 
http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody2_hppa.deb Size/MD5 checksum:43514 00b12715674693c3413dc74393d13cd7 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody2_m68k.deb Size/MD5 checksum:67156 3a4ba0fc24b5fbdc6cd07dfe369ff051 http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody2_m68k.deb Size/MD5 checksum:37452 951df56394fe48d8b2545c9595280307 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/n/netkit-telnet/telnet_0.17-18woody2_mips.deb Size/MD5 checksum:80850 b2b47cef8c63aeae88939319ccffeb4a http://security.debian.org/pool/updates/main/n/netkit-telnet/telnetd_0.17-18woody2_mips.deb Size/MD5
[SECURITY] [DSA 568-1] New cyrus-sasl-mit packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 568-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 16th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cyrus-sasl-mit
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

A vulnerability has been discovered in the Cyrus implementation of the
SASL library, the Simple Authentication and Security Layer, a method
for adding authentication support to connection-based protocols.  The
library honors the environment variable SASL_PATH blindly, which allows
a local user to link against a malicious library to run arbitrary code
with the privileges of a setuid or setgid application.

The MIT version of the Cyrus implementation of the SASL library
provides bindings against MIT GSSAPI and MIT Kerberos4.

For the stable distribution (woody) this problem has been fixed in
version 1.5.24-15woody3.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your libsasl packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/cyrus-sasl-mit_1.5.24-15woody3.dsc Size/MD5 checksum: 737 c28b9688bbb9de9f920594ba8ac2b9d5 http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/cyrus-sasl-mit_1.5.24-15woody3.diff.gz Size/MD5 checksum: 125280 324fed374135082dce487d78f46db72f http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/cyrus-sasl-mit_1.5.24.orig.tar.gz Size/MD5 checksum: 494457 ac3837c071c258b80021325936db2583 Alpha architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_alpha.deb Size/MD5 checksum:38780 daa298d1425c5381e5d223c04fd16312 http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_alpha.deb Size/MD5 checksum:30282 d6b4f4eb7a96a320094ea8ff698a68bd ARM architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_arm.deb Size/MD5 checksum:37270 85d60315293f4115f5b8469262a8e839 http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_arm.deb Size/MD5 checksum:28368 834ab3c7b7db63e7b6420986ecbcfe02 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_i386.deb Size/MD5 checksum:37012 0a70a5abb8a75f9407a492f7342360be http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_i386.deb Size/MD5 checksum:28188 8e472ccc4076d9ce7596363e53c4401f Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_ia64.deb Size/MD5 checksum:41274 fa2ef8e398ca8c1cf733ea86f017a8ea http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_ia64.deb Size/MD5 checksum:32360 4933dc10dcc21dd22968a7eb9ecee6a7 HP Precision architecture: 
http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_hppa.deb Size/MD5 checksum:38502 07c04f8e1709650cfc8a9dcf06dcca82 http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_hppa.deb Size/MD5 checksum:29204 fa6282350f600ab5aacc0cdc9c1ee808 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_m68k.deb Size/MD5 checksum:36788 bad1e3f4176662fba63453703e211257 http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_m68k.deb Size/MD5 checksum:27630 628baec08c7e6a80aff4488a51f02cad Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_mips.deb Size/MD5 checksum:37782 c2f35e650480997a46e5b4c1cc296e7e http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24
[SECURITY] [DSA 563-3] New cyrus-sasl packages fix arbitrary code execution on sparc and arm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 563-3                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 14th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cyrus-sasl
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

This advisory is an addition to DSA 563-1 and 563-2 which weren't able
to supersede the library on sparc and arm due to a different version
number for them in the stable archive.  Other architectures were
updated properly.  Another problem was reported in connection with
sendmail, though, which should be fixed with this update as well.

For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3.1woody5.

For reference the advisory text follows:

A vulnerability has been discovered in the Cyrus implementation of the
SASL library, the Simple Authentication and Security Layer, a method
for adding authentication support to connection-based protocols.  The
library honors the environment variable SASL_PATH blindly, which allows
a local user to link against a malicious library to run arbitrary code
with the privileges of a setuid or setgid application.

For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
cyrus-sasl2.

We recommend that you upgrade your libsasl packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3.1woody5.dsc Size/MD5 checksum: 715 cdce985e2ba692a11997a311d656511d http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3.1woody5.diff.gz Size/MD5 checksum:40625 ae2eeaa949464a5dd01a4e52183476b2 http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27.orig.tar.gz Size/MD5 checksum: 528252 76ea426e2e2da3b8d2e3a43af5488f3b Alpha architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_alpha.deb Size/MD5 checksum:76224 f90bf340c1af2cc6e784b86b9a3e6225 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_alpha.deb Size/MD5 checksum:19096 ea4dfe8c7a234b694fab1520fc7b591f http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_alpha.deb Size/MD5 checksum:14948 13dd74ae0ccea40bcb318020f347bfc3 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_alpha.deb Size/MD5 checksum: 172500 e2ae41a1297a905fda5413bfa1480358 http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_alpha.deb Size/MD5 checksum:13414 0aca9803f883f2851a7e95e7fe16a6a5 ARM architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_arm.deb Size/MD5 checksum:70164 b04b21e09ae3f4b37d8cafacf35e5b96 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_arm.deb Size/MD5 checksum:15034 56f66723aa826cec0b60c4b69634741d http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_arm.deb Size/MD5 checksum:12452 1ca90c2ef0e47722b9203b916a07865a http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_arm.deb Size/MD5 checksum: 166076 230b02c4b07e68e764aec818d911ea30 
http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_arm.deb Size/MD5 checksum:10852 fa3611896617bb8b2bc6265fe60860cd Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_i386.deb Size/MD5 checksum:65282 fe8d68f5699c2dd6328f5d6fb41de5d4 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_i386.deb Size/MD5 checksum:13298 23a049e4a683d11d6c92612770842188 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_i386.deb Size/MD5 checksum
[SECURITY] [DSA 566-1] New CUPS packages fix information leak
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 566-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 14th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0923
CERT advisory  : VU#557062

An information leak has been detected in CUPS, the Common UNIX Printing
System, which may lead to the disclosure of sensitive information, such
as user names and passwords which are written into log files.

The patch used only eliminates the authentication information in the
device URI which is logged in the error_log file.  It does not
eliminate the URI from the environment and process table, which is why
the CUPS developers recommend that system administrators do not code
authentication information in device URIs in the first place.

For the stable distribution (woody) this problem has been fixed in
version 1.1.14-5woody7.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.20final+rc1-9.

We recommend that you upgrade your CUPS package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody7.dsc Size/MD5 checksum: 710 cc64cacbd7546a5609d78f47dbcd0e78 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody7.diff.gz Size/MD5 checksum:39147 90020c9ccf4c20d75545d2b9fc804f12 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14.orig.tar.gz Size/MD5 checksum: 6150756 0dfa41f29fa73e7744903b2471d2ca2f Alpha architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody7_alpha.deb Size/MD5 checksum: 1899802 4f68d49c505e401ec65c45fc89baaef0 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody7_alpha.deb Size/MD5 checksum:74186 87538022f3f049de24a67524f6b6e374 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody7_alpha.deb Size/MD5 checksum:92828 a97dec155e925386ec24723825fb821b http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody7_alpha.deb Size/MD5 checksum: 2445680 b0ee9dc5e73ab807fc4befa4f62ed2e4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody7_alpha.deb Size/MD5 checksum: 137850 4c95ecf39a123d7fc2b20a11471478d4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-5woody7_alpha.deb Size/MD5 checksum: 180786 1daecceb7cfdce5a2715ae10cd227c0d ARM architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody7_arm.deb Size/MD5 checksum: 1821486 8e7f3aca59e978f96d5d85ed7d9b132c http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody7_arm.deb Size/MD5 checksum:68322 6cb0d1d79e7c630e62a316f9991d04c6 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody7_arm.deb Size/MD5 checksum:85500 303f4eb613479f112c84f496190c9b72 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody7_arm.deb Size/MD5 checksum: 2345676 
99216618a594ee5bb5a87c3023428355 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.1.14-5woody7_arm.deb Size/MD5 checksum: 112826 52e2ea3acbdcfdb3b0182833b5713541 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.1.14-5woody7_arm.deb Size/MD5 checksum: 150236 b49e83f022a165d4a1c84b757d3f9292 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.1.14-5woody7_i386.deb Size/MD5 checksum: 1788306 a96f7bf460aa90e3f26e0a0dff99090d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.1.14-5woody7_i386.deb Size/MD5 checksum:67852 ee72adda3436557359f244a48088ee5d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.1.14-5woody7_i386.deb Size/MD5 checksum:84012 fdcfac62cfdd73d412a82d6f7d4d5659 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-pstoraster_1.1.14-5woody7_i386.deb Size/MD5
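What the DSA 566-1 fix amounts to in logging code, as an added example written in Python rather than taken from the CUPS C patch: mask the password part of a device URI's userinfo before the URI is written to error_log. The log lines below are constructed in the shape of a CUPS error_log and are not real data; the URI pattern is an assumption for the example. The advisory's own caveat still applies: this protects the log file only, the full URI remains in the backend's environment and argv, so the real remedy is not to put credentials in device URIs at all.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def redact_device_uri(uri):
    """Return the URI with the password part of its userinfo masked.
    The user name is kept because it is useful when debugging and is not the
    secret the advisory is about; everything after the first ':' of the
    userinfo is replaced. URIs without '@' in the authority are unchanged."""
    parts = urlsplit(uri)
    # rpartition: an unescaped '@' inside the password must not split the host
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return uri
    user, colon, _password = userinfo.partition(":")
    safe_userinfo = user + (":***" if colon else "")
    return urlunsplit((parts.scheme, safe_userinfo + "@" + hostport,
                       parts.path, parts.query, parts.fragment))

# Finds URIs in free-form log text (assumed shape, constructed for the example).
URI_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.I)

def redact_log_line(line):
    """Apply redact_device_uri() to every URI in one log line."""
    return URI_RE.sub(lambda m: redact_device_uri(m.group(0)), line)

# Constructed sample lines in the shape of a CUPS error_log; not real log data.
SAMPLE_LOG = [
    "E [14/Oct/2004:10:01:02 +0200] [Job 12] Unable to connect to smb://print:s3cret@fileserver/hp1: Permission denied",
    "I [14/Oct/2004:10:01:03 +0200] Started backend socket://192.168.1.50:9100 (pid=1234)",
    "D [14/Oct/2004:10:01:04 +0200] ipp://admin:hunter2@[fe80::1]:631/printers/lab?waitjob=no",
]

def redacted_sample():
    return [redact_log_line(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for line in redacted_sample():
        print(line)
```

The redaction is done on the string that is about to be logged, not on the stored URI, so the backend still connects with the real credentials; that is the same boundary the advisory's patch draws, and the same reason it cannot help with `ps` or `/proc/<pid>/environ`.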
[SECURITY] [DSA 563-2] New cyrus-sasl packages really fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 563-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 12th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cyrus-sasl
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

This advisory corrects DSA 563-1 which contained a library that caused
other programs to fail unintentionally.

For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3woody3.

For reference the advisory text follows:

A vulnerability has been discovered in the Cyrus implementation of the
SASL library, the Simple Authentication and Security Layer, a method
for adding authentication support to connection-based protocols.  The
library honors the environment variable SASL_PATH blindly, which allows
a local user to link against a malicious library to run arbitrary code
with the privileges of a setuid or setgid application.

For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
cyrus-sasl2.

We recommend that you upgrade your libsasl packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3woody3.dsc Size/MD5 checksum: 711 91b4d0c36b104620ec5d67a95908da5a http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3woody3.diff.gz Size/MD5 checksum:40428 56130ac3dde75943d2f5d594881d4f31 http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27.orig.tar.gz Size/MD5 checksum: 528252 76ea426e2e2da3b8d2e3a43af5488f3b Alpha architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3woody3_alpha.deb Size/MD5 checksum:76226 7450c31b1634f789234dcd045c72ba1c http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3woody3_alpha.deb Size/MD5 checksum:19100 80dff5ceced2b6902557e2f2753b2c10 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3woody3_alpha.deb Size/MD5 checksum:14944 1ebe9da02e5fa969591472fc1d7d86a2 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3woody3_alpha.deb Size/MD5 checksum: 172332 d4c236501921a441e5bdbe97f18e3818 http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3woody3_alpha.deb Size/MD5 checksum:13422 43012f7ffc98161bf238d1eccd124c1b ARM architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3woody3_arm.deb Size/MD5 checksum:70170 d4cdf775981a8f4bb41f4aec28562862 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3woody3_arm.deb Size/MD5 checksum:15038 c34c52e62a3ecd1099daca1146a2c325 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3woody3_arm.deb Size/MD5 checksum:12450 8cc784fd0e7a9f6c3fc8c85440f5d0da http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3woody3_arm.deb Size/MD5 checksum: 165914 32d2be1e5f58283b36d65904857c38d7 
http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3woody3_arm.deb Size/MD5 checksum:10850 bba9b1694a4ea2bbbc533a029b589b26 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3woody3_i386.deb Size/MD5 checksum:65292 91c7e706fbc6d6bf211960d8e4811eb2 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3woody3_i386.deb Size/MD5 checksum:13298 433d2d98195e6ca5e216543c8943 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3woody3_i386.deb Size/MD5 checksum:11754 c97a58448542f29a1067291b52b94780 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3woody3_i386.deb Size/MD5 checksum: 162896 3b0e73e6f1425d9c5fad18377961d84b http://security.debian.org/pool/updates/main/c/cyrus
[SECURITY] [DSA 563-1] New cyrus-sasl packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 563-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 12th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cyrus-sasl
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

A vulnerability has been discovered in the Cyrus implementation of the
SASL library, the Simple Authentication and Security Layer, a method
for adding authentication support to connection-based protocols.  The
library honors the environment variable SASL_PATH blindly, which allows
a local user to link against a malicious library to run arbitrary code
with the privileges of a setuid or setgid application.

For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3woody2.

For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
cyrus-sasl2.

We recommend that you upgrade your libsasl packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3woody2.dsc Size/MD5 checksum: 711 5eef2264f52bb4f3dc2a655285a889d2 http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3woody2.diff.gz Size/MD5 checksum:40375 35007ca458f24aedebc3a651bbb5f9d2 http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27.orig.tar.gz Size/MD5 checksum: 528252 76ea426e2e2da3b8d2e3a43af5488f3b Alpha architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3woody2_alpha.deb Size/MD5 checksum:76260 6263d2d53f5cc606d11c372d078ffc63 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3woody2_alpha.deb Size/MD5 checksum:19100 8a901b0282fbd4ced40b820a961b01c0 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3woody2_alpha.deb Size/MD5 checksum:14944 dd2ce3541cd52e2564e829b9616cba76 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3woody2_alpha.deb Size/MD5 checksum: 172284 759030ca07a99ac03d8243dca9c2cad1 http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3woody2_alpha.deb Size/MD5 checksum:13414 076ea2b666ab7dd47de390829c9b59ab ARM architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3woody2_arm.deb Size/MD5 checksum:70148 e4d6ea105d776178620d7b12c4a0896a http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3woody2_arm.deb Size/MD5 checksum:15040 9691c34f18d88e24037dcbb1606156e9 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3woody2_arm.deb Size/MD5 checksum:12452 e42407c240af8914be263deda7790cb0 http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3woody2_arm.deb Size/MD5 checksum: 165868 4091e9262e8603612c1a3515f907fd6b 
http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3woody2_arm.deb Size/MD5 checksum:10850 22d3bd0b8a64cf6b907ca268b55cb80d Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3woody2_i386.deb Size/MD5 checksum:65256 a56f4a88b5ff92ce7928cb73729044fd http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3woody2_i386.deb Size/MD5 checksum:13296 0b9d7f91fb9b0216098dc79b74530add http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3woody2_i386.deb Size/MD5 checksum:11750 ceaeb52a01badb855be07fa38cd90c4b http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3woody2_i386.deb Size/MD5 checksum: 162842 e2ef2c121fe75a17a88494f405d57d1f http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3woody2_i386.deb Size/MD5 checksum:11072 cbaca72bbc2c11ccb0958779aafccb27 Intel IA-64 architecture: http://security.debian.org
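The upgrade instructions above pair a wget with a dpkg -i, and the "Size/MD5 checksum" lines are what lets an administrator check the download before dpkg touches it. The script below is an added example, not part of the advisory and not Debian tooling: it parses lines in the advisory's own "URL Size/MD5 checksum: size md5" layout into a lookup table and refuses to install a file whose size or digest differs from the entry. The function names (dsa_expected, dsa_verify, dsa_install) and the use of md5sum with an openssl fallback are my choices; the two entries embedded in ADVISORY_LIST are copied from the DSA 563-1 file list on this page.

```shell
#!/bin/sh
# Added example: check a downloaded .deb against the "Size/MD5 checksum"
# entries of a Debian Security Advisory before running dpkg -i on it.
# Function names and layout are this example's own, not Debian tooling.

# Two entries copied from the DSA 563-1 text above; in practice paste the
# whole "Debian GNU/Linux 3.0 alias woody" section of the signed advisory.
ADVISORY_LIST='
http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3woody2_i386.deb Size/MD5 checksum: 162842 e2ef2c121fe75a17a88494f405d57d1f
http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3woody2_i386.deb Size/MD5 checksum:11072 cbaca72bbc2c11ccb0958779aafccb27
'

# dsa_expected <list> <url-or-filename>
# Prints "<size> <md5>" for the entry whose URL ends in the given file name,
# or nothing if the file is not listed. The sed step tolerates the advisory's
# right-aligned sizes ("checksum:11072" as well as "checksum: 162842").
dsa_expected() {
    printf '%s\n' "$1" |
        sed 's|Size/MD5 checksum:[[:space:]]*| |' |
        awk -v want="${2##*/}" '
            NF == 3 {
                n = split($1, parts, "/")
                if (parts[n] == want) { print $2, $3; exit }
            }'
}

# file_md5 <file>: hex MD5 digest, using whatever the host provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# dsa_verify <file> <size> <md5>: succeeds only if both size and digest match.
dsa_verify() {
    actual_size=$(wc -c < "$1" | tr -d ' ')
    actual_md5=$(file_md5 "$1")
    [ "$actual_size" = "$2" ] && [ "$actual_md5" = "$3" ]
}

# dsa_install <file>: look the file up in the advisory list, verify it, then
# install. Returns 2 for an unlisted file and 1 for a mismatch; dpkg runs
# only on a match.
dsa_install() {
    expected=$(dsa_expected "$ADVISORY_LIST" "$1")
    [ -n "$expected" ] || { echo "$1: not listed in advisory" >&2; return 2; }
    size=${expected% *}
    md5=${expected#* }
    if dsa_verify "$1" "$size" "$md5"; then
        dpkg -i "$1"
    else
        echo "$1: size/MD5 mismatch, refusing to install" >&2
        return 1
    fi
}
```

Two caveats apply. The hashes are only as trustworthy as the message they arrived in, so verifying the advisory's PGP signature (the thread at the top of this page is about exactly that) comes before trusting its checksum list. And MD5 is not collision resistant; this check catches truncated or corrupted downloads and casual substitution, not a determined attacker who controls the mirror and can craft colliding packages.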
[SECURITY] [DSA 562-1] New mysql packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 562-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 11th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mysql
Vulnerability  : several vulnerabilities
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0835 CAN-2004-0836 CAN-2004-0837

Several problems have been discovered in MySQL, a commonly used SQL
database on Unix servers.  The following problems have been identified
by the Common Vulnerabilities and Exposures Project:

CAN-2004-0835

    Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks
    CREATE/INSERT rights of the old table instead of the new one.

CAN-2004-0836

    Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect
    function.

CAN-2004-0837

    Dean Ellis noticed that multiple threads ALTERing the same (or
    different) MERGE tables to change the UNION can cause the server to
    crash or stall.

For the stable distribution (woody) these problems have been fixed in
version 3.23.49-8.8.

For the unstable distribution (sid) these problems have been fixed in
version 4.0.21-1.

We recommend that you upgrade your mysql and related packages and
restart services linking against them (e.g. Apache/PHP).

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.8.dsc
      Size/MD5 checksum: 883 adab4c7e7fcde533254e37d99f8d832b
    http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.8.diff.gz
      Size/MD5 checksum: 66315 d376044fa0d6f8a501993ab02abc4a6b
    http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
      Size/MD5 checksum: 11861035 a2820d81997779a9fdf1f4b3c321564a

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.8_all.deb
      Size/MD5 checksum: 17262 2e5ebe0702d91a53ec449146b01a573a
    http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.5_all.deb
      Size/MD5 checksum: 1962992 a4cacebaadf9d5988da0ed1a336b48e6

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_alpha.deb
      Size/MD5 checksum: 278096 4ac1bf890f801a32a87b9e304da35f41
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_alpha.deb
      Size/MD5 checksum: 779166 2efba3f9821343f3863c8927352bd4b9
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_alpha.deb
      Size/MD5 checksum: 163880 643c6c339b4d2dc131beff973cbbe7e2
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_alpha.deb
      Size/MD5 checksum: 3634956 cd912ffbb52a4f58a5a2b98ec8526815

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_arm.deb
      Size/MD5 checksum: 238696 1a96397e60328bc6f889660d94468261
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_arm.deb
      Size/MD5 checksum: 635036 41cbebd5050bf90fc1bed870310dc102
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_arm.deb
      Size/MD5 checksum: 124314 4ad3587a1423e1302f30a7c24e443dcf
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_arm.deb
      Size/MD5 checksum: 2806658 bd143a0f5e7bac001d8870f69ebe7d69

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_i386.deb
      Size/MD5 checksum: 235078 5ec7d023107015d11d0168e728864ef8
    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_i386.deb
      Size/MD5 checksum: 576912 3672d903045723481241a8aa2c6adf49
    http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_i386.deb
      Size/MD5 checksum: 122896 c3bb667905a98b2fe0c1cbc3358ae3db
    http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_i386.deb
      Size/MD5 checksum: 2800926 710ec1b9eeb3af57db869dffe1b4f515

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49
[SECURITY] [DSA 561-1] New libxpm packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 561-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 11th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xfree86
Vulnerability  : integer and stack overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0687 CAN-2004-0688
CERT advisory  : VU#537878 VU#882750

Chris Evans discovered several stack and integer overflows in the libXpm
library which is provided by X.Org, XFree86 and LessTif.

For the stable distribution (woody) this problem has been fixed in
version 4.1.0-16woody4.

For the unstable distribution (sid) this problem has been fixed in
version 4.3.0.dfsg.1-8.

We recommend that you upgrade your libxpm packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xfree86/xfree86_4.1.0-16woody4.dsc
      Size/MD5 checksum: 1512 5e1d11c3dd166f6afa790fb6b7c272d9
    http://security.debian.org/pool/updates/main/x/xfree86/xfree86_4.1.0-16woody4.diff.gz
      Size/MD5 checksum: 1607469 bd864f8544e59539d631dcb84f69e366
    http://security.debian.org/pool/updates/main/x/xfree86/xfree86_4.1.0.orig.tar.gz
      Size/MD5 checksum: 54433247 ea7a32e6a81a850e9f19428f3104c300

  Architecture independent components:

    http://security.debian.org/pool/updates/main/x/xfree86/x-window-system_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 60522 8a82a0c70e44ee49b7906a8c952b3681
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-100dpi-transcoded_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 8333690 b92755e4e625bda2d26d3941d526dc9c
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-100dpi_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 4442454 1617858c8fd44978ebb6ed6e1e20117d
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-75dpi-transcoded_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 7225800 d77395dc77e6894d5b41963178e1f6d6
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-75dpi_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 3931742 712607a48832d2fd9736af25690bddd3
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-base-transcoded_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 1105434 6a321ef1773e6c62493bc7e544a928fb
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-base_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 5028878 872fb3c224ae627d838b17bedd2c1844
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-cyrillic_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 438690 c68a0e7b6c29b7b1b2b746dfab9e2709
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-pex_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 69062 0913bb7c4f8156a733e381a14c79a843
    http://security.debian.org/pool/updates/main/x/xfree86/xfonts-scalable_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 796434 fc4fa233232ffaf8cb6cea55f86c3018
    http://security.debian.org/pool/updates/main/x/xfree86/xfree86-common_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 546556 363e2c72bc90e481b99ea22c67921498
    http://security.debian.org/pool/updates/main/x/xfree86/xlib6g-dev_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 60488 909fa89726b3ea3732eed9e43faf46e2
    http://security.debian.org/pool/updates/main/x/xfree86/xlib6g_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 60678 835025cdf2dd8095986e495f64a15871
    http://security.debian.org/pool/updates/main/x/xfree86/xspecs_4.1.0-16woody4_all.deb
      Size/MD5 checksum: 4165618 8b3210018650e4d3e021eb844dfbc34f

  Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xfree86/lbxproxy_4.1.0-16woody4_alpha.deb
      Size/MD5 checksum: 165718 0324178cf59961a3456376908c092213
    http://security.debian.org/pool/updates/main/x/xfree86/libdps-dev_4.1.0-16woody4_alpha.deb
      Size/MD5 checksum: 306978 34724b8d2b43738ef370ccd6f511e67b
    http://security.debian.org/pool/updates/main/x/xfree86/libdps1_4.1.0-16woody4_alpha.deb
      Size/MD5 checksum: 198742 46df2372f35cb31f2836a86c0e87a539
    http://security.debian.org/pool/updates/main/x/xfree86/libdps1-dbg_4.1.0-16woody4_alpha.deb
      Size/MD5 checksum: 779126
[SECURITY] [DSA 458-3] New python2.2 packages really fix buffer overflow and restore functionality
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 458-3                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 10th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : python2.2
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0150
BugTraq ID     : 9836
Debian Bug     : 248946 269548

This security advisory corrects DSA 458-2 which caused a problem in the
gethostbyaddr routine.

The original advisory said:

   Sebastian Schmidt discovered a buffer overflow bug in Python's
   getaddrinfo function, which could allow an IPv6 address, supplied by
   a remote attacker via DNS, to overwrite memory on the stack.

   This bug only exists in python 2.2 and 2.2.1, and only when IPv6
   support is disabled.  The python2.2 package in Debian woody meets
   these conditions (the 'python' package does not).

For the stable distribution (woody), this bug has been fixed in version
2.2.1-4.6.

The testing and unstable distribution (sid) are not affected by this
problem.

We recommend that you update your python2.2 packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6.dsc
      Size/MD5 checksum: 1150 65937052d54f0c7b0cc3af1edddc1925
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6.diff.gz
      Size/MD5 checksum: 92911 a4e0ecb2438f2fd253e8314cca65327b
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1.orig.tar.gz
      Size/MD5 checksum: 6536167 88aa07574673ccfaf35904253c78fc7d

  Architecture independent components:

    http://security.debian.org/pool/updates/main/p/python2.2/idle-python2.2_2.2.1-4.6_all.deb
      Size/MD5 checksum: 113072 5f7e9187d077e1692088e6945d5c7ae7
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-doc_2.2.1-4.6_all.deb
      Size/MD5 checksum: 1313122 2af0221c188e29ff449b438949d73614
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-elisp_2.2.1-4.6_all.deb
      Size/MD5 checksum: 50170 ef6cc05e32cfe7fc4ada960c37ecd6c7
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-examples_2.2.1-4.6_all.deb
      Size/MD5 checksum: 477836 445ea46dcdac693d5a46b6168950e337

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_alpha.deb
      Size/MD5 checksum: 2138618 71014802aca636504b0489184fd99481
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_alpha.deb
      Size/MD5 checksum: 863846 c02b730460cfcd58e7feaf45d955850c
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_alpha.deb
      Size/MD5 checksum: 18172 8a7cb26f7d8d2e9c551010037180b4b5
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_alpha.deb
      Size/MD5 checksum: 21812 7ea83935f55be726e4a7d3bfb7e5856e
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_alpha.deb
      Size/MD5 checksum: 86310 e65ff0d1a43d76438003cefa82f7102f
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_alpha.deb
      Size/MD5 checksum: 52408 9cc59f32c82565169f9a2686fd2d273e

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.6_arm.deb
      Size/MD5 checksum: 1952012 104fba9e75b4d8e696f612627492ba5c
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-dev_2.2.1-4.6_arm.deb
      Size/MD5 checksum: 774610 57a868d154434c5cf1488d1fb841fb29
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-gdbm_2.2.1-4.6_arm.deb
      Size/MD5 checksum: 16984 6e9a3fd519fae3420b38c5481ac11a61
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-mpz_2.2.1-4.6_arm.deb
      Size/MD5 checksum: 20234 9f15f04284c29f052d4266c382854d90
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-tk_2.2.1-4.6_arm.deb
      Size/MD5 checksum: 84596 da71c2d6ac6e66b4f497b0fb15767214
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2-xmlbase_2.2.1-4.6_arm.deb
      Size
[SECURITY] [DSA 560-1] New lesstif packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 560-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 7th, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lesstif1-1
Vulnerability  : integer and stack overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0687 CAN-2004-0688
CERT advisory  : VU#537878 VU#882750

Chris Evans discovered several stack and integer overflows in the libXpm
library which is included in LessTif.

For the stable distribution (woody) this problem has been fixed in
version 0.93.18-5.

For the unstable distribution (sid) this problem has been fixed in
version 0.93.94-10.

We recommend that you upgrade your lesstif packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif1-1_0.93.18-5.dsc
      Size/MD5 checksum: 692 a1757aae53924ec16a8582d60acfa5ec
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif1-1_0.93.18-5.diff.gz
      Size/MD5 checksum: 18115 9fa1574040e20fcc8f9db88b142dfd5d
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif1-1_0.93.18.orig.tar.gz
      Size/MD5 checksum: 3600427 74bce66719adb680009f145ef801bce2

  Architecture independent components:

    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-doc_0.93.18-5_all.deb
      Size/MD5 checksum: 339348 86aaf17c6eccbac85ec4e194b62d05b7

  Alpha architecture:

    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-bin_0.93.18-5_alpha.deb
      Size/MD5 checksum: 183756 aaa375321301bf45ec95fcd7e376a925
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dbg_0.93.18-5_alpha.deb
      Size/MD5 checksum: 7399496 6c8839d9a882ccaf3bc99d6c88685b41
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dev_0.93.18-5_alpha.deb
      Size/MD5 checksum: 1100714 fc5b0393ea458073ffd29eddcae4dd0d
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif1_0.93.18-5_alpha.deb
      Size/MD5 checksum: 713120 e9bd9d63307eef50c29a1fc48f9f1e1e

  ARM architecture:

    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-bin_0.93.18-5_arm.deb
      Size/MD5 checksum: 158462 0bb887e815c83842d879be197e41c426
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dbg_0.93.18-5_arm.deb
      Size/MD5 checksum: 6214936 86810e278a8c46a27cb98ee0444b1024
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dev_0.93.18-5_arm.deb
      Size/MD5 checksum: 894320 d94f7f15ade5cc03e0ac419a921fa335
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif1_0.93.18-5_arm.deb
      Size/MD5 checksum: 620784 78d6a08103ad50220119de9bdd218acc

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-bin_0.93.18-5_i386.deb
      Size/MD5 checksum: 148112 c464f618bda90bcfc8ddf09d59070c4b
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dbg_0.93.18-5_i386.deb
      Size/MD5 checksum: 5954758 300ea20ec0af04d67aecd0a9e68cccbb
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dev_0.93.18-5_i386.deb
      Size/MD5 checksum: 738430 fa48592fe8b3b345e4df8c56ec4e8b10
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif1_0.93.18-5_i386.deb
      Size/MD5 checksum: 536492 ca45180dbbaf3537e2aad5405942ac17

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-bin_0.93.18-5_ia64.deb
      Size/MD5 checksum: 222072 6b1def7a98cd201e991dae273b93988a
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dbg_0.93.18-5_ia64.deb
      Size/MD5 checksum: 10756100 fb15b36bd10dcffe1fdcc5b2658d430a
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-dev_0.93.18-5_ia64.deb
      Size/MD5 checksum: 1249232 f4c80e2ce686e59fc9f5960674059c30
    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif1_0.93.18-5_ia64.deb
      Size/MD5 checksum: 944234 4e78634a4c817273d5c293590708548d

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/l/lesstif1-1/lesstif-bin_0.93.18-5_hppa.deb
      Size
[SECURITY] [DSA 559-1] New net-acct packages fix insecure temporary file creation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 559-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 6th, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : net-acct
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0851
Debian Bug     : 270359

Stefan Nordhausen has identified a local security hole in net-acct, a
user-mode IP accounting daemon.  Old and redundant code from some time
way back in the past created a temporary file in an insecure fashion.

For the stable distribution (woody) this problem has been fixed in
version 0.71-5woody1.

For the unstable distribution (sid) this problem has been fixed in
version 0.71-7.

We recommend that you upgrade your net-acct package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1.dsc
      Size/MD5 checksum: 562 72c93549d6dd86d7365d206706ff9a62
    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1.diff.gz
      Size/MD5 checksum: 9950 ab1dd923a4e18d520793c34738d2a8f4
    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71.orig.tar.gz
      Size/MD5 checksum: 44741 87daae6d4b06144534205b3fc201c058

  Alpha architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_alpha.deb
      Size/MD5 checksum: 52922 339d98c59e34655dc8762e076251fbd3

  ARM architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_arm.deb
      Size/MD5 checksum: 50096 f7a21521634202264dacfae238716bf5

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_i386.deb
      Size/MD5 checksum: 49346 c90d2f7b3f777905c5f8f90f8edd6b57

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_ia64.deb
      Size/MD5 checksum: 58530 df761be43caec7fa543d37279c265afd

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_hppa.deb
      Size/MD5 checksum: 51702 145f469e3c2bfae125ff4e0a23729a0a

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_m68k.deb
      Size/MD5 checksum: 46882 e1dabe763136c5cfd0b04de8fd691fb7

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_mips.deb
      Size/MD5 checksum: 49332 7393517e4ac4f83e0fbc6efda5118a2f

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_mipsel.deb
      Size/MD5 checksum: 49380 60ae8a7d4c1265fb07adaaf6d49cbe2f

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_powerpc.deb
      Size/MD5 checksum: 49824 3442f397b0db858aa4bfb9e4d418a5f4

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_s390.deb
      Size/MD5 checksum: 47688 69c06b385a4ff25df34dd60052c88fc4

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/n/net-acct/net-acct_0.71-5woody1_sparc.deb
      Size/MD5 checksum: 51684 083a1078e261fd3621f37f17c8305885

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBY+dmW5ql+IAeqTIRAuOjAKCcFfAtJBrSdp8RoUiPHkvlmWU3GQCgjJdI
FwMrf2WeGJ47K7dtO5IwHfI=
=Lv9/
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
[SECURITY] [DSA 557-1] New rp-pppoe packages fix potential root compromise
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 557-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 4th, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : rp-pppoe, pppoe
Vulnerability  : missing privilege dropping
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0564

Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin.  When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.

For the stable distribution (woody) this problem has been fixed in
version 3.3-1.2.

For the unstable distribution (sid) this problem has been fixed in
version 3.5-4.

We recommend that you upgrade your pppoe package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/rp-pppoe_3.3-1.2.dsc
      Size/MD5 checksum: 571 20a98e281e9effbdbe253d5f1ec7c07b
    http://security.debian.org/pool/updates/main/r/rp-pppoe/rp-pppoe_3.3-1.2.diff.gz
      Size/MD5 checksum: 17171 840c64159a02c63bcd84ad84acbcfbbe
    http://security.debian.org/pool/updates/main/r/rp-pppoe/rp-pppoe_3.3.orig.tar.gz
      Size/MD5 checksum: 171480 1cd6bc22f7601f769bb654db4a15b15d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_alpha.deb
      Size/MD5 checksum: 83104 ea1e596bbd07d28d272c723ef627b935

  ARM architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_arm.deb
      Size/MD5 checksum: 60492 6f90f09bbb0115dd8b5aa08970fc7007

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_i386.deb
      Size/MD5 checksum: 54276 765e571caff2562b74bdae9636712d58

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_ia64.deb
      Size/MD5 checksum: 90212 c03d1045236ee6aaf0bec77e287b0a50

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_hppa.deb
      Size/MD5 checksum: 64064 8669b8c254a243fbb4620e9cf5ac5905

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_m68k.deb
      Size/MD5 checksum: 51000 23a16fdf89476bdf62107667d9f71d50

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_mips.deb
      Size/MD5 checksum: 68078 750310a89f7f34d0e8921efb45999cda

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_mipsel.deb
      Size/MD5 checksum: 68320 eb2c9ea82226df16363392e78ab04fb1

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_powerpc.deb
      Size/MD5 checksum: 56970 dd068ef0338515cc0a846ed1dfdf0dbc

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_s390.deb
      Size/MD5 checksum: 58376 8b520d4fc7ff356d40e7f7fc1b10b8e3

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/r/rp-pppoe/pppoe_3.3-1.2_sparc.deb
      Size/MD5 checksum: 64326 c5523f8e12ec9bd01a003912df5611a7

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBYSMJW5ql+IAeqTIRAtO0AJ92EvDNM/PdhkdErRBGPecw64hhfACdFHEz
Qyws0FhUZmFPQdgRAVW72Rw=
=GgYg
-----END PGP SIGNATURE-----
Re: DSA 557-1 and CAN-2004-0564
David F. Skoll wrote:
> On Mon, 4 Oct 2004, Martin Schulze wrote:
>
> > There are reasons users install it setuid / setgid, and these
> > installations are vulnerable.
>
> I disagree.  There is absolutely *no* reason to install rp-pppoe
> setuid-root.  It is normally invoked by pppd, and pppd must be either
> invoked by root or setuid-root itself.
>
> Could you name a scenario in which a setuid-root rp-pppoe is needed?

Please talk to the Debian maintainer of rp-pppoe since pppoe is
installed root.dip and setuid in Debian sarge and sid.  The maintainer
can be reached through [EMAIL PROTECTED]

Details about this package can be found here:
http://packages.debian.org/pppoe

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.
[SECURITY] [DSA 555-1] New frenet6 packages fix potential information leak
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 555-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 30th, 2004                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : freenet6
Vulnerability  : wrong file permissions
Problem-Type   : local
Debian-specific: yes
CVE ID         : CAN-2004-0563
Debian Bug     : 254709

Simon Josefsson noticed that the tspc.conf configuration file in
freenet6, a client to configure an IPv6 tunnel to freenet6.net, is set
world readable.  This file can contain the username and the password
used to contact the IPv6 tunnelbroker freenet6.net.

For the stable distribution (woody) this problem has been fixed in
version 0.9.6-1woody2.

For the unstable distribution (sid) this problem has been fixed in
version 1.0-2.2.

We recommend that you upgrade your freenet6 package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2.dsc
      Size/MD5 checksum: 577 07d5a61effbf3748e61db855bf0afb4a
    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2.diff.gz
      Size/MD5 checksum: 12385 9a30a4b9420bd4949e375358f974addc
    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6.orig.tar.gz
      Size/MD5 checksum: 334333 c846c0e734d93c7abdc1553781e1fa5b

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_alpha.deb
      Size/MD5 checksum: 42380 3865b018d1808f349ade4d0d9e010af1

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_arm.deb
      Size/MD5 checksum: 39996 a9f3b9d6b98173bdbc0173b32b602698

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_i386.deb
      Size/MD5 checksum: 38434 2217e61b208d1a7a0ba7aa358861946a

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_ia64.deb
      Size/MD5 checksum: 54672 d8f7d48de839f7b117cb91da4880f1e3

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_hppa.deb
      Size/MD5 checksum: 39498 efb23a7b33d5c75dc12774b924f7adb7

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_m68k.deb
      Size/MD5 checksum: 37766 2c81680bcbd3a113e1e3f3cd08446e7c

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_mips.deb
      Size/MD5 checksum: 40490 0181be8c2a012f601872e02284ad22e6

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_mipsel.deb
      Size/MD5 checksum: 40538 a2f052292ddfadd2cf5f99d67e4b20fa

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_powerpc.deb
      Size/MD5 checksum: 38578 5e0aad661c57e19ed64376ee5d59a932

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_s390.deb
      Size/MD5 checksum: 39094 3e3f26c92e1ff8169bc5016a8215e11e

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/freenet6/freenet6_0.9.6-1woody2_sparc.deb
      Size/MD5 checksum: 41458 1d3b8998d4dc533f4e6af82386e92515

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBW8MMW5ql+IAeqTIRAh19AJ9RLzYVuAes9jNbWb5KKZ9ZMRRenQCeOZ6L
S0iCjHIpMP0b0sx77UMjKiQ=
=+SqI
-----END PGP SIGNATURE-----
[SECURITY] [DSA 553-1] New getmail packages fix root compromise
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 553-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 27th, 2004                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : getmail
Vulnerability  : symlink vulnerability
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0880 CAN-2004-0881
Debian Bug     : 272561

A security problem has been discovered in getmail, a POP3 and APOP mail
gatherer and forwarder.  An attacker with a shell account on the
victim's host could utilise getmail to overwrite arbitrary files when
it is running as root.

For the stable distribution (woody) this problem has been fixed in
version 2.3.7-2.

For the unstable distribution (sid) this problem has been fixed in
version 3.2.5-1.

We recommend that you upgrade your getmail package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2.dsc
      Size/MD5 checksum:      583 6263f8d2d75ec3eb21dd302e0b9d6729
    http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2.diff.gz
      Size/MD5 checksum:     2645 ff40d8f72744bfec8a963ece950e0bcd
    http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7.orig.tar.gz
      Size/MD5 checksum:    70944 4eef6be77a4cbe1a86eef75affd31b05

  Architecture independent components:

    http://security.debian.org/pool/updates/main/g/getmail/getmail_2.3.7-2_all.deb
      Size/MD5 checksum:    74388 f2b9e79b1ddd8ef8bf719d4e1894f051

  These files will probably be moved into the stable distribution on
  its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 554-1] New sendmail packages fix potential open relay
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 554-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 27th, 2004                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : sendmail
Vulnerability  : pre-set password
Problem-Type   : remote
Debian-specific: yes
CVE ID         : CAN-2004-0833

Hugo Espuny discovered a problem in sendmail, a commonly used program to
deliver electronic mail.  When installing sasl-bin to use sasl in
connection with sendmail, the sendmail configuration script uses fixed
user/pass information to initialise the sasl database.  Any spammer
with Debian systems knowledge could utilise such a sendmail
installation to relay spam.

For the stable distribution (woody) this problem has been fixed in
version 8.12.3-7.1.

For the unstable distribution (sid) this problem has been fixed in
version 8.13.1-13.

We recommend that you upgrade your sendmail package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
[SECURITY] [DSA 552-1] New imlib2 packages fix potential arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 552-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 22nd, 2004                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : imlib2
Vulnerability  : unsanitised input
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0802
Debian Bug     : 271375

Marcus Meissner discovered a heap overflow error in imlib2, an imaging
library for X and X11 and the successor of imlib, that may be utilised
by an attacker to execute arbitrary code on the victim's machine.

For the stable distribution (woody) this problem has been fixed in
version 1.0.5-2woody1.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.0-12.4.

We recommend that you upgrade your imlib2 packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Re: missing DSA for python2.2 ?
Noèl Köthe wrote:
> Hello,
>
> there is a stable update for python2.2
> (http://security.debian.org/pool/updates/main/p/python2.2/) available
> but there is no DSA for python2.2 on the webpage or mailinglist.
> Is it missing or is the update wrong?

Hmm, you are correct.  I started to send out the advisory on August
28th, but it wasn't sent out.  I guess it's due to a broken console at
home and I forgot about it.  I'll restart it.

Regards,

	Joey

-- 
There are lies, statistics and benchmarks.
[SECURITY] [DSA 542-1] New Qt packages fix arbitrary code execution and denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 542-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
August 30th, 2004                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : qt-copy
Vulnerability  : unsanitised input
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Debian Bug     : 267092

Several vulnerabilities were discovered in recent versions of Qt, a
commonly used graphic widget set, used in KDE for example.  The first
problem allows an attacker to execute arbitrary code, while the other
two only seem to pose a denial of service danger.  The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CAN-2004-0691:

    Chris Evans has discovered a heap-based overflow when handling
    8-bit RLE encoded BMP files.

CAN-2004-0692:

    Marcus Meissner has discovered a crash condition in the XPM
    handling code, which is not yet fixed in Qt 3.3.

CAN-2004-0693:

    Marcus Meissner has discovered a crash condition in the GIF
    handling code, which is not yet fixed in Qt 3.3.

For the stable distribution (woody) this problem has been fixed in
version 3.0.3-20020329-1woody2.

For the unstable distribution (sid) this problem has been fixed in
version 3.3.3-4 of qt-x11-free.

We recommend that you upgrade your qt packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
[SECURITY] [DSA 519-1] New CVS packages fix several potential security problems
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 519-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 15th, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cvs
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0416 CAN-2004-0417 CAN-2004-0418

Sebastian Krahmer and Stefan Esser discovered several vulnerabilities
in the CVS server, which serves the popular Concurrent Versions System.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CAN-2004-0416: double-free() in error_prog_name
CAN-2004-0417: argument integer overflow
CAN-2004-0418: out of bound writes in serve_notify()

For the stable distribution (woody) this problem has been fixed in
version 1.11.1p1debian-9woody7.

For the unstable distribution (sid) this problem has been fixed in
version 1.12.9-1.

We recommend that you upgrade your cvs package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 518-1] New kdelibs packages fix URI handler vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 518-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 14th, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kdelibs
Vulnerability  : unsanitised input
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0411

iDEFENSE identified a vulnerability in the Opera web browser that could
be used by remote attackers to create or truncate arbitrary files on
the victim's machine.  The KDE team discovered that a similar
vulnerability exists in KDE.  A remote attacker could entice a user to
open a carefully crafted telnet URI which may either create or truncate
a file in the victim's home directory.  In KDE 3.2 and later versions
the user is first explicitly asked to confirm the opening of the telnet
URI.

For the stable distribution (woody) this problem has been fixed in
version 2.2.2-13.woody.10.

We recommend that you upgrade your KDE libraries.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
[SECURITY] [DSA 517-1] New CVS packages fix buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 517-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 10th, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cvs
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0414

Derek Robert Price discovered a potential buffer overflow vulnerability
in the CVS server, based on a malformed Entry, which serves the popular
Concurrent Versions System.

For the stable distribution (woody) this problem has been fixed in
version 1.11.1p1debian-9woody6.

For the unstable distribution (sid) this problem has been fixed in
version 1.12.8-1.

We recommend that you upgrade your cvs package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[SECURITY] [DSA 514-1] New Linux 2.2.20 packages fix local root exploit (sparc)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 514-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 4th, 2004                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.2.20, kernel-image-2.2-sparc
Vulnerability  : failing function and TLB flush
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0077
CERT advisory  : VU#981222

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical
security vulnerability in the memory management code of Linux inside
the mremap(2) system call.  Due to flushing the TLB (Translation
Lookaside Buffer, an address cache) too early it is possible for an
attacker to trigger a local root exploit.

The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the
respective kernel series, though.  We formerly believed that the
exploitable vulnerability in 2.4.x does not exist in 2.2.x which is
still true.  However, it turned out that a second (sort of)
vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a
different exploit, of course.

For the stable distribution (woody) these problems have been fixed in
version 9woody1 of Linux 2.2 kernel images for the sparc architecture
and in version 2.2.20-5woody3 of Linux 2.2.20 source.

For the unstable distribution (sid) these problems have been fixed in
version 9.1 of Linux 2.2 kernel images for the sparc architecture.

This problem has been fixed for other architectures already.

We recommend that you upgrade your Linux kernel package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

These files will probably be moved into the stable distribution on its next revision.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http
[SECURITY] [DSA 505-1] New cvs packages fix remote exploit
--------------------------------------------------------------------------
Debian Security Advisory DSA 505-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
May 19th, 2004                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : cvs
Vulnerability  : heap overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0396

Stefan Esser discovered a heap overflow in the CVS server, which serves the popular Concurrent Versions System. Malformed Entry Lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory. This was proven to be exploitable.

For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-9woody4.

For the unstable distribution (sid) this problem has been fixed in version 1.12.5-6.

We recommend that you upgrade your cvs package immediately.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[SECURITY] [DSA 498-1] New libpng packages fix denial of service
--------------------------------------------------------------------------
Debian Security Advisory DSA 498-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
April 30th, 2004                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : libpng, libpng3
Vulnerability  : out of bound access
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0421

Steve Grubb discovered a problem in the Portable Network Graphics library libpng which is utilised in several applications. When processing a broken PNG image, the error handling routine will access memory that is out of bounds when creating an error message. Depending on machine architecture, bounds checking and other protective measures, this problem could cause the program to crash if a defective or intentionally prepared PNG image file is handled by libpng.

This could be used as a denial of service attack against various programs that link against this library. The following commands will show you which packages utilise this library and whose programs should probably be restarted after an upgrade:

apt-cache showpkg libpng2
apt-cache showpkg libpng3

The following security matrix explains which package versions will contain a correction.

Package          stable (woody)         unstable (sid)
libpng           1.0.12-3.woody.5       1.0.15-5
libpng3          1.2.1-1.1.woody.5      1.2.5.0-6

We recommend that you upgrade your libpng and related packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 497-1] New mc packages fix several vulnerabilities
--------------------------------------------------------------------------
Debian Security Advisory DSA 497-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
April 29th, 2004                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : mc
Vulnerability  : several vulnerabilities
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0226 CAN-2004-0231 CAN-2004-0232

Jakub Jelinek discovered several vulnerabilities in the Midnight Commander, a powerful file manager for GNU/Linux systems. The problems were classified as follows:

CAN-2004-0226   Buffer overflows
CAN-2004-0231   Insecure temporary file and directory creations
CAN-2004-0232   Format string problems

For the stable distribution (woody) this problem has been fixed in version 4.5.55-1.2woody3.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your mc packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 493-1] New xchat packages fix arbitrary code execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 493-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
April 21st, 2004                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : xchat
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0409
Debian Bug     : 244184

A buffer overflow has been discovered in the Socks-5 proxy code of XChat, an IRC client for X similar to AmIRC. This allows an attacker to execute arbitrary code on the user's machine.

For the stable distribution (woody) this problem has been fixed in version 1.8.9-0woody3.

For the unstable distribution (sid) this problem has been fixed in version 2.0.8-1.

We recommend that you upgrade your xchat and related packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 470-1] New Linux 2.4.17 packages fix several local root exploits (hppa)
--------------------------------------------------------------------------
Debian Security Advisory DSA 470-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
April 1st, 2004                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : kernel-image-2.4.17-hppa
Vulnerability  : several vulnerabilities
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077

Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update:

CAN-2003-0961:
    An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.

CAN-2003-0985:
    Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.

CAN-2004-0077:
    Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.

For the stable distribution (woody) these problems have been fixed in version 32.3 of kernel-image-2.4.17-hppa.

For the unstable distribution (sid) these problems have been fixed in version 2.4.25-1 of kernel-image-2.4.25-hppa.

We recommend that you upgrade your Linux kernel packages immediately.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

These files will probably be moved into the stable distribution on its next revision.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[SECURITY] [DSA 449-1] New metamail packages fix arbitrary code execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 449-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
February 24th, 2004                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : metamail
Vulnerability  : buffer overflow, format string bugs
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0104 CAN-2004-0105

Ulf Härnhammar discovered two format string bugs (CAN-2004-0104) and two buffer overflow bugs (CAN-2004-0105) in metamail, an implementation of MIME. An attacker could create a carefully-crafted mail message which will execute arbitrary code as the victim when it is opened and parsed through metamail.

We have been devoting some effort to trying to avoid shipping metamail in the future. It became unmaintainable and these are probably not the last of the vulnerabilities.

For the stable distribution (woody) these problems have been fixed in version 2.7-45woody.2.

For the unstable distribution (sid) these problems will be fixed in version 2.7-45.2.

We recommend that you upgrade your metamail package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

These files will probably be moved into the stable distribution on its next revision.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[SECURITY] [DSA 438-1] New Linux 2.4.18 packages fix local root exploit (alpha+i386+powerpc)
--------------------------------------------------------------------------
Debian Security Advisory DSA 438-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
February 18th, 2004                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : kernel-source-2.4.18, kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-image-2.4.18-i386bf, kernel-patch-2.4.18-powerpc
Vulnerability  : missing function return value check
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0077

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges.

For the stable distribution (woody) this problem has been fixed in version 2.4.18-14.2 of kernel-source, version 2.4.18-14 of alpha images, version 2.4.18-12.2 of i386 images, version 2.4.18-5woody7 of i386bf images and version 2.4.18-1woody4 of powerpc images. Other architectures will probably be mentioned in a separate advisory or are not affected (m68k).

For the unstable distribution (sid) this problem is fixed in version 2.4.24-3 for source, i386 and alpha images and version 2.4.22-10 for powerpc images.

This problem is also fixed in the upstream version of Linux 2.4.25 and 2.6.3.

We recommend that you upgrade your Linux kernel packages immediately.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
[SECURITY] [DSA 439-1] New Linux 2.4.16 packages fix several local root exploits (arm)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 439-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
February 18th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-image-2.4.16-lart, kernel-image-2.4.16-netwinder,
                 kernel-image-2.4.16-riscpc, kernel-patch-2.4.16-arm
Vulnerability  : several vulnerabilities
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077

Several local root exploits have been discovered recently in the Linux
kernel.  This security advisory updates the PowerPC/Apus kernel for
Debian GNU/Linux.  The Common Vulnerabilities and Exposures project
identifies the following problems that are fixed with this update:

CAN-2003-0961:

    An integer overflow in brk() system call (do_brk() function) for
    Linux allows a local attacker to gain root privileges.  Fixed
    upstream in Linux 2.4.23.

CAN-2003-0985:

    Paul Starzetz discovered a flaw in bounds checking in mremap() in
    the Linux kernel (present in version 2.4.x and 2.6.x) which may
    allow a local attacker to gain root privileges.  Version 2.2 is not
    affected by this bug.  Fixed upstream in Linux 2.4.24.

CAN-2004-0077:

    Paul Starzetz and Wojciech Purczynski of isec.pl discovered a
    critical security vulnerability in the memory management code of
    Linux inside the mremap(2) system call.  Due to missing function
    return value check of internal functions a local attacker can gain
    root privileges.  Fixed upstream in Linux 2.4.25 and 2.6.3.

For the stable distribution (woody) this problem has been fixed in
version 2.4.26/20040204 of lart, netwinder and riscpc image and in
version 20040204 of kernel-patch-2.4.16-arm.

Other architectures will probably be mentioned in a separate advisory
or are not affected (m68k).

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your Linux kernel packages immediately.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.16-arm/kernel-patch-2.4.16-arm_20040204.dsc
      Size/MD5 checksum:      562 7bd0b443e490132da8f26188ca560f75
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.16-arm/kernel-patch-2.4.16-arm_20040204.tar.gz
      Size/MD5 checksum:   579045 853b5f05e03217dfb47f28cf852dca4c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040204.dsc
      Size/MD5 checksum:      586 e2cb96946739cfffd4327ae1e218a982
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040204.tar.gz
      Size/MD5 checksum:    16443 9b5b8c8311cc6ba23abc2e121882281a
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040204.dsc
      Size/MD5 checksum:      624 d2258e373574684da142a45ecfc4312f
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040204.tar.gz
      Size/MD5 checksum:    21783 fc07fb8db829045ef9a8ee6881e1af48
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040204.dsc
      Size/MD5 checksum:      592 f2252946f185d1c52796a68a1d442cb0
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040204.tar.gz
      Size/MD5 checksum:    19104 144bfd5b87a5daccf879049334b24bcd

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.16-arm/kernel-patch-2.4.16-arm_20040204_all.deb
      Size/MD5 checksum:   583148 6a4951879008cc3d882d6a30112d0cbc

  ARM architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040204_arm.deb
      Size/MD5 checksum:   717092 eb20d52fed79cfe95981f1838bc38e0c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-headers-2.4.16_20040204_arm.deb
      Size/MD5 checksum:  3421140 3e0dfbdcb48437ab733d43c92deb0157
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040204_arm.deb
[SECURITY] [DSA 440-1] New Linux 2.4.17 packages fix several local root exploits (powerpc/apus)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 440-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
February 18th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.4.17, kernel-patch-2.4.17-apus
Vulnerability  : several vulnerabilities
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077

Several local root exploits have been discovered recently in the Linux
kernel.  This security advisory updates the PowerPC/Apus kernel for
Debian GNU/Linux.  The Common Vulnerabilities and Exposures project
identifies the following problems that are fixed with this update:

CAN-2003-0961:

    An integer overflow in brk() system call (do_brk() function) for
    Linux allows a local attacker to gain root privileges.  Fixed
    upstream in Linux 2.4.23.

CAN-2003-0985:

    Paul Starzetz discovered a flaw in bounds checking in mremap() in
    the Linux kernel (present in version 2.4.x and 2.6.x) which may
    allow a local attacker to gain root privileges.  Version 2.2 is not
    affected by this bug.  Fixed upstream in Linux 2.4.24.

CAN-2004-0077:

    Paul Starzetz and Wojciech Purczynski of isec.pl discovered a
    critical security vulnerability in the memory management code of
    Linux inside the mremap(2) system call.  Due to missing function
    return value check of internal functions a local attacker can gain
    root privileges.  Fixed upstream in Linux 2.4.25 and 2.6.3.

For the stable distribution (woody) these problems have been fixed in
version 2.4.17-4 of powerpc/apus images.

Other architectures will probably be mentioned in a separate advisory
or are not affected (m68k).

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your Linux kernel packages immediately.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody2.dsc
      Size/MD5 checksum:      690 f4f41d8b5ce68462139eadff5e340b2f
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody2.diff.gz
      Size/MD5 checksum:    38791 17b8f97671d0f1be7c595123bcf0c86c
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17.orig.tar.gz
      Size/MD5 checksum: 29445154 d5de2a4dc49e32c37e557ef856d5d132
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-4.dsc
      Size/MD5 checksum:      667 beff21e365dba9487c3d1009e6bb8ce7
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-4.tar.gz
      Size/MD5 checksum:   489649 3feef2fdda2cb1385e12fb18b33c3787

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-doc-2.4.17_2.4.17-1woody2_all.deb
      Size/MD5 checksum:  1719904 4299b7aeebc01ede7eb5a2f2f5ba0b45
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody2_all.deb
      Size/MD5 checksum: 23878388 15202df8a94f2aa17f09382f520021fc

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-headers-2.4.17-apus_2.4.17-4_powerpc.deb
      Size/MD5 checksum:  3365696 0f03db43dd1c83a6c02cbd474ae54685
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-2.4.17-apus_2.4.17-4_powerpc.deb
      Size/MD5 checksum:  2210948 1f12b255f6644f144e3426fa5865b27e
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-apus_2.4.17-4_powerpc.deb
      Size/MD5 checksum:     4078 6a495ea4088b900129c60dd769f7da8d
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-4_powerpc.deb
      Size/MD5 checksum:   490346 41eebb692f46cfcb118818048de6d6ad

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp
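The upgrade instructions in each of the three advisories above have you fetch every file with wget and install it with dpkg -i; the "Size/MD5 checksum:" line under each URL is what lets you confirm that the file you fetched is the one the signed advisory describes. The checker below is an added example written for this page, not Debian's own tooling: it parses entries in the DSA listing layout (a URL followed by a Size/MD5 checksum line, wrapped or flattened onto one line) and compares local files against them, reporting size mismatches (truncated downloads) separately from hash mismatches (corrupted or substituted content). The listing, file names and file contents in the demo are constructed; the hash in it is the MD5 of the constructed six-byte content "hello\n", not of any real package.

```python
"""Check downloaded advisory files against the Size/MD5 lines of a DSA.

Added example for this page; not Debian's own tooling.
"""
import hashlib
import os
import re
import tempfile

# One listing entry: a URL, then (possibly on the next line) the
# "Size/MD5 checksum:" field with a decimal size and a 32-hex-digit MD5.
# Only whitespace is required between the pieces, so the regex works on
# the wrapped two-line DSA layout and on text flattened onto one line.
ENTRY_RE = re.compile(
    r"(?P<url>https?://\S+)\s+Size/MD5 checksum:\s*"
    r"(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})"
)


def parse_advisory_listing(text):
    """Return [(filename, size, md5), ...] for every complete entry in text.

    Entries whose checksum is truncated (fewer than 32 hex digits) do not
    match and are skipped rather than guessed at.
    """
    entries = []
    for m in ENTRY_RE.finditer(text):
        filename = m.group("url").rsplit("/", 1)[-1]
        entries.append((filename, int(m.group("size")), m.group("md5").lower()))
    return entries


def md5_of_file(path):
    """Stream the file through MD5 so large kernel images need little memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_size, expected_md5):
    """Return (ok, reason).

    The size check runs first: it is cheap and already catches a download
    that was cut short, before any hashing is done.
    """
    if not os.path.isfile(path):
        return False, "missing"
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, f"size mismatch: expected {expected_size}, got {actual_size}"
    actual_md5 = md5_of_file(path)
    if actual_md5 != expected_md5:
        return False, f"md5 mismatch: expected {expected_md5}, got {actual_md5}"
    return True, "ok"


def verify_downloads(advisory_text, directory):
    """Verify every listed file under directory; returns {filename: (ok, reason)}."""
    results = {}
    for filename, size, md5 in parse_advisory_listing(advisory_text):
        results[filename] = verify_file(os.path.join(directory, filename), size, md5)
    return results


# Constructed sample in the DSA layout. The URLs name a made-up package
# "example"; the MD5 is that of the six bytes b"hello\n".
SAMPLE_LISTING = """\
  http://security.debian.org/pool/updates/main/e/example/example_1.0.dsc
    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
  http://security.debian.org/pool/updates/main/e/example/example_1.0.tar.gz
    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
  http://security.debian.org/pool/updates/main/e/example/example_1.0_i386.deb
    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
"""


def demo(directory):
    """Write one good, one tampered and one truncated file, then verify them."""
    with open(os.path.join(directory, "example_1.0.dsc"), "wb") as f:
        f.write(b"hello\n")   # matches both size and MD5
    with open(os.path.join(directory, "example_1.0.tar.gz"), "wb") as f:
        f.write(b"hellp\n")   # same size, one byte changed: only MD5 catches it
    with open(os.path.join(directory, "example_1.0_i386.deb"), "wb") as f:
        f.write(b"hell")      # truncated download: caught by the size check
    return verify_downloads(SAMPLE_LISTING, directory)


def run_demo():
    """Run demo() in a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Two points worth keeping in mind when using a check like this. The listing is only as trustworthy as the advisory it came from, so verify the PGP signature on the mail before relying on its checksums. And MD5 is no longer collision-resistant, so a match mainly rules out truncated or corrupted downloads; it is the signature on the advisory, not the MD5 on its own, that ties the files to the security team.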