[SECURITY] [DSA 1527-1] New debian-goodies packages fix privilege escalation

2008-03-24 Thread Thijs Kinkhorst

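------------------------------------------------------------------------
Debian Security Advisory DSA-1527-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                        Thijs Kinkhorst
March 24, 2008                      http://www.debian.org/security/faq
------------------------------------------------------------------------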

Package: debian-goodies
Vulnerability  : insufficient input sanitising
Problem type   : local
Debian-specific: yes
CVE Id(s)  : CVE-2007-3912
Debian Bug : 440411

Thomas de Grenier de Latour discovered that the checkrestart tool in the
debian-goodies suite of utilities allowed local users to gain privileges
via shell metacharacters in the name of the executable file for a running
process.

For the stable distribution (etch), this problem has been fixed in
version 0.27+etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 0.23+sarge1.

For the unstable distribution (sid), this problem has been fixed in
version 0.34.

We recommend that you upgrade your debian-goodies package.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.23+sarge1.tar.gz
    Size/MD5 checksum:    11779 e0834e7e962fabc65362a60c73362585
  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.23+sarge1.dsc
    Size/MD5 checksum:      819 37eb124fef7c9897ea41ec861ec740ff

Architecture independent packages:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.23+sarge1_all.deb
    Size/MD5 checksum:    22488 c8bc8eab12c7e3f29e53f4172ee837a4

Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.27+etch1.dsc
    Size/MD5 checksum:      836 8653d033f9e6b9f0949fab2cc1813970
  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.27+etch1.tar.gz
    Size/MD5 checksum:    28708 089ff8f154eb3fe4bc47dd85f1581a65

Architecture independent packages:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.27+etch1_all.deb
    Size/MD5 checksum:    36868 2739973911e8b0d9ec12559507f6a708


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



[DSECRG-08-019] LFI in PowerBook 1.21

2008-03-24 Thread Digital Security Research Group
Hello, bugtraq.


[DSECRG-08-031] Digital Security Research Group [DSecRG] Advisory


Application:              PowerBook
Versions Affected:        1.21
Vendor URL:               http://www.powerscripts.org/
Bug:                      Local File Include
Exploits:                 YES
Reported:                 01.02.2008
Vendor Response:          none
Solution:                 none
Date of Public Advisory:  ..2008
Author:                   Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***

Local File Include vulnerability found in script pb_inc/admincenter/index.php

A non-authenticated user can directly access this script.

To exploit this vulnerability, the REGISTER_GLOBALS option must be ON in the PHP config file.


Code

#

  if (!$page) {
     $page = "home";
  }

  $page .= ".inc.php";

  if(file_exists($page) == false) {
     echo "<div align=\"center\">Sorry, the page <b>$page</b> does not exist!</div>";
  } else {
     include($page);
  }

#


Example:

http://[server]/[installdir]/pb_inc/admincenter/index.php?page=../../../../../../../../../../../../../etc/passwd%00



About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)



-- 
Alexandr Polyakov
DIGITAL SECURITY RESEARCH GROUP

   mailto:[EMAIL PROTECTED]
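
A hardened form of the page selection quoted in the advisory above, as an added example (not PowerBook code and not from the advisory's author). The page names in `ADMIN_PAGES`, the function `resolve_admin_page()` and the scratch directory are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not PowerBook code. Assumes PHP 7.1 or later.
// Hypothetical page names: the request value selects a key in this
// fixed map and is never used to build a path.
const ADMIN_PAGES = [
    'home'     => 'home.inc.php',
    'settings' => 'settings.inc.php',
];

function resolve_admin_page($requested, string $baseDir): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'home';                 // same default as the original
    }
    // Rejects arrays (?page[]=x), "/", "..", dots and decoded %00 bytes.
    if (!is_string($requested)
        || !preg_match('/\A[a-z0-9_]{1,32}\z/', $requested)
        || !array_key_exists($requested, ADMIN_PAGES)) {
        return null;
    }
    // Defence in depth: the file must exist and resolve inside $baseDir.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $path = realpath($prefix . ADMIN_PAGES[$requested]);
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed self-check: a scratch directory holding one real page.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'admin_demo_' . getmypid();
    mkdir($dir);
    touch($dir . DIRECTORY_SEPARATOR . 'home.inc.php');
    $inputs = [null, 'home', 'settings', '../../etc/passwd', "../../etc/passwd\0", ['x']];
    foreach ($inputs as $in) {
        $result = resolve_admin_page($in, $dir);
        echo json_encode($in), ' => ',
            $result === null ? 'rejected' : basename($result), "\n";
    }
    unlink($dir . DIRECTORY_SEPARATOR . 'home.inc.php');
    rmdir($dir);
} else {
    // In the web script: read the parameter explicitly rather than
    // relying on register_globals, and do not echo it back.
    $target = resolve_admin_page($_GET['page'] ?? null, __DIR__);
    if ($target === null) {
        http_response_code(404);
        echo '<div align="center">Sorry, that page does not exist!</div>';
    } else {
        include $target;
    }
}
```

Because the script is reachable without authentication, a session check belongs before this lookup; it is left out here to keep the example on the include path.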



Re: Linksys phone adapter denial of service

2008-03-24 Thread orsino
There's a difference between being able to get onto a network (via wifi
maybe?) and getting physical access to a device.
 [EMAIL PROTECTED] wrote:
 Linksys phone adapter denial of service

 Product Information
 Product Name:       SPA-2102    Serial Number:      FM500G582390
 Software Version:   3.3.6       Hardware Version:   1.2.5(a)

 Another device hit with the PoD!

 ping -l 65500 192.168.0.1

 Only seems to work on the internal network.

 discovered by sipher

 http://core.ifconfig.se/~core/


 This is just as bad as the pull the plug out of the device since
 you're local attack. Is Linksys going to provide an epoxy fix for the
 plug?





Re: Linksys phone adapter denial of service

2008-03-24 Thread J. Oquendo

orsino wrote:

There's a difference between being able to get onto a network (via wifi
maybe?) and getting physical access to a device.


For starters this is a VoIP device (Product Name:   SPA-2102), but even 
if it weren't it makes no difference to me and in the security realm it 
shouldn't make a difference to anyone else either.


1) I don't have an open network and if you do and are on this list it's 
either going to be a honeypot or for theft of information (bad guys roam 
this list too)


2) Think about how insanely stupid it would be to go on a live network 
then ping a VoIP device offline. What does this accomplish other than 
pure stupidity?


3) Where is the vendor contact information? Was this meant to be posted 
to Bugtraq or Fool Disclosure?


--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB





HIS-webshop is vulnerable against Directory-Traversal (www.shoppark.de)

2008-03-24 Thread zero-x
HIS-Webshop is a shopping-system written in Perl by www.shoppark.de

The script doesn't check the t-parameter.


Example:

http://server.com/cgi-bin/his-webshop.pl?t=../../../../../../../../etc/passwd%00


 Greetz Zero X 


[SECURITY] [DSA 1528-1] New serendipity packages fix cross site scripting

2008-03-24 Thread Thijs Kinkhorst

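------------------------------------------------------------------------
Debian Security Advisory DSA-1528-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                        Thijs Kinkhorst
March 24, 2008                      http://www.debian.org/security/faq
------------------------------------------------------------------------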

Package: serendipity
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-6205 CVE-2008-0124
BugTraq ID : 28298
Debian Bug : 469667

Peter Hüwe and Hanno Böck discovered that Serendipity, a weblog manager,
did not properly sanitise input to several scripts which allowed for
cross site scripting.

For the stable distribution (etch), this problem has been fixed in version
1.0.4-1+etch1.

The old stable distribution (sarge) does not contain a serendipity package.

For the unstable distribution (sid), this problem has been fixed in
version 1.3-1.

We recommend that you upgrade your serendipity package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4.orig.tar.gz
    Size/MD5 checksum:  3058582 eaf26277af3d864fc3d6bbc6c42a00b7
  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4-1+etch1.diff.gz
    Size/MD5 checksum:    21652 3de75c5011be95ffea76afe72ac2b598
  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4-1+etch1.dsc
    Size/MD5 checksum:      888 2f8a7d7009104ed9c7ca804c7b6a2b15

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4-1+etch1_all.deb
    Size/MD5 checksum:  2756036 4b2b44137ed11caacba846c0761204f6


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



[USN-590-1] bzip2 vulnerability

2008-03-24 Thread Kees Cook
=== 
Ubuntu Security Notice USN-590-1 March 24, 2008
bzip2 vulnerability
CVE-2008-1372
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libbz2-1.0  1.0.3-0ubuntu2.1

Ubuntu 6.10:
  libbz2-1.0  1.0.3-3ubuntu0.1

Ubuntu 7.04:
  libbz2-1.0  1.0.3-6ubuntu0.1

Ubuntu 7.10:
  libbz2-1.0  1.0.4-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that bzip2 did not correctly handle certain malformed
archives.  If a user or automated system were tricked into processing
a specially crafted bzip2 archive, applications linked against libbz2
could be made to crash, possibly leading to a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1.diff.gz
  Size/MD5:72067 9b73f1a1cbea8f8e7dfba9b0cd358bf3

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1.dsc
  Size/MD5:  833 180fa43bfd8645b2a0c353b8927961c4
http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3.orig.tar.gz
  Size/MD5:   669075 8a716bebecb6e647d2e8a29ea5d8447f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_amd64.deb
  Size/MD5:   268000 b9532e26529bda8991e97cd819544aba

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib32bz2-1.0_1.0.3-0ubuntu2.1_amd64.deb
  Size/MD5:38388 baf7e58f129b30288d0cf1f76df39255

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib32bz2-dev_1.0.3-0ubuntu2.1_amd64.deb
  Size/MD5:30688 1c98274562642c9a3dee9bb91c070b5a

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_amd64.deb
  Size/MD5:40978 b904382cd76c9ffcd0dc92a5c3219a1a

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_amd64.deb
  Size/MD5:32500 f6bf61f94fc0b4351fd79532df9025b1

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_i386.deb
  Size/MD5:   265034 71b410100340e0df581c1dd8b5dfe316

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-1.0_1.0.3-0ubuntu2.1_i386.deb
  Size/MD5:35690 ad14744ff24eb1decb20995a7a9bbeb1

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-dev_1.0.3-0ubuntu2.1_i386.deb
  Size/MD5:29518 a835eb9af19b2c045393c8c4c483f51c

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_i386.deb
  Size/MD5:43012 4407f311343b9ca791aabf98bfdcd751

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_i386.deb
  Size/MD5:32564 1b4dbd9a480cf4515cd7a7b64e1c215b

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_powerpc.deb
  Size/MD5:   268616 c397d3782a2b937a84f05d39bbe0666d

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-1.0_1.0.3-0ubuntu2.1_powerpc.deb
  Size/MD5:39518 5dc92398adb2a55977e4aa395062deac

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-dev_1.0.3-0ubuntu2.1_powerpc.deb
  Size/MD5:33064 d8d02ff467de3cb1aa966d01d55bff63

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_powerpc.deb
  Size/MD5:43586 2c0696f8499181a13ca2c4a019972b9f

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_powerpc.deb
  Size/MD5:33864 60dde6ba6b87d7bb261e04dfe1a89560

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_sparc.deb
  Size/MD5:   266558 69f664880f5c2d982a7906c21d01b60d

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-1.0_1.0.3-0ubuntu2.1_sparc.deb
  Size/MD5:37524 1cc8f48aa7130c5d6523aa9be202b1d5

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-dev_1.0.3-0ubuntu2.1_sparc.deb
  Size/MD5:31480 9a826b5230f20fe079150562ab96d427

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_sparc.deb
  Size/MD5:40510 3a5787038eb631638918245f0ecb0460

http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_sparc.deb
  Size/MD5:32010 7a05d5fe1e1b4a90dfef111e01e6c661

Updated packages for Ubuntu 6.10:

  Source archives:



[ GLSA 200803-31 ] MIT Kerberos 5: Multiple vulnerabilities

2008-03-24 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200803-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: MIT Kerberos 5: Multiple vulnerabilities
  Date: March 24, 2008
  Bugs: #199205, #212363
ID: 200803-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in MIT Kerberos 5, which could
allow a remote unauthenticated user to execute arbitrary code with root
privileges.

Background
==

MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol. kadmind is the MIT Kerberos 5 administration daemon,
KDC is the Key Distribution Center.

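Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  app-crypt/mit-krb5      < 1.6.3-r1                    >= 1.6.3-r1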

Description
===

* Two vulnerabilities were found in the Kerberos 4 support in KDC: A
  global variable is not set for some incoming message types, leading
  to a NULL pointer dereference or a double free() (CVE-2008-0062) and
  unused portions of a buffer are not properly cleared when generating
  an error message, which results in stack content being contained in a
  reply (CVE-2008-0063).

* Jeff Altman (Secure Endpoints) discovered a buffer overflow in the
  RPC library server code, used in the kadmin server, caused when too
  many file descriptors are opened (CVE-2008-0947).

* Venustech AD-LAB discovered multiple vulnerabilities in the GSSAPI
  library: usage of a freed variable in the gss_indicate_mechs()
  function (CVE-2007-5901) and a double free() vulnerability in the
  gss_krb5int_make_seal_token_v3() function (CVE-2007-5971).

Impact
==

The first two vulnerabilities can be exploited by a remote
unauthenticated attacker to execute arbitrary code on the host running
krb5kdc, compromise the Kerberos key database or cause a Denial of
Service. These bugs can only be triggered when Kerberos 4 support is
enabled.

The RPC related vulnerability can be exploited by a remote
unauthenticated attacker to crash kadmind, and theoretically execute
arbitrary code with root privileges or cause database corruption. This
bug can only be triggered in configurations that allow large numbers of
open file descriptors in a process.

The GSSAPI vulnerabilities could be exploited by a remote attacker to
cause Denial of Service conditions or possibly execute arbitrary code.

Workaround
==

Kerberos 4 support can be disabled via disabling the krb4 USE flag
and recompiling the ebuild, or setting v4_mode=none in the
[kdcdefaults] section of /etc/krb5/kdc.conf. This will only work around
the KDC related vulnerabilities.

Resolution
==

All MIT Kerberos 5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-crypt/mit-krb5-1.6.3-r1

References
==

  [ 1 ] CVE-2007-5901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5894
  [ 2 ] CVE-2007-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
  [ 3 ] CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
  [ 4 ] CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
  [ 5 ] CVE-2008-0947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-31.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 200803-32 ] Wireshark: Denial of Service

2008-03-24 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200803-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Wireshark: Denial of Service
  Date: March 24, 2008
  Bugs: #212149
ID: 200803-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple Denial of Service vulnerabilities have been discovered in
Wireshark.

Background
==

Wireshark is a network protocol analyzer with a graphical front-end.

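Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark      < 0.99.8                    >= 0.99.8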

Description
===

Multiple unspecified errors exist in the SCTP, SNMP, and TFTP
dissectors.

Impact
==

A remote attacker could cause a Denial of Service by sending a
malformed packet.

Workaround
==

Disable the SCTP, SNMP, and TFTP dissectors.

Resolution
==

All Wireshark users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-analyzer/wireshark-0.99.8

References
==

  [ 1 ] CVE-2008-1070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1070
  [ 2 ] CVE-2008-1071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1071
  [ 3 ] CVE-2008-1072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1072

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-32.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5