New cfingerd 1.4.0 - Configurable Finger Daemon

1999-08-10 Thread Martin Schulze

After several years of development I'm happy to present a new version
of the configurable finger daemon.  The original author and former
maintainer Ken Hollis has handed over development to me as stated
before.  So this release is authorized.

I feel a need for this second posting because the new release also
addresses old security reports and not just the most recent one.  This
release fixes all security problems that have been reported to bugtraq
before.  I've went to the archive of bugtraq and found some reports
that weren't ever addressed officially but only locally on some
systems.

I've created a security web page on which I have listed these reports.
Please find them at http://www.Infodrom.North.DE/cfingerd/security.html .


Addressed security reports include:

 . Don't allow userlist through search.* [May 1997]
 . Don't allow userlist through search.** [May 1997]
 . Buffer overflow in username [July 1999 and before]
 . Root compromise through scripts [August 1998]
 . Possibility to regain root access [August 1999]


Please find the new version of cfingerd at:

  ftp://ftp.infodrom.north.de/pub/people/joey/cfingerd/

A general homepage has been created at

  http://www.Infodrom.North.DE/cfingerd/

Regards,

Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.

 PGP signature


Re: XDM Insecurity revisited

1999-08-20 Thread Martin Schulze

Jochen Bauer wrote:
 On Wed, 26 Nov 1997 Eric Augustus ([EMAIL PROTECTED]) posted a message
 on BUGTRAQ about the fact, that the default Xaccess file allows XDMCP
 connections from any host. As you know, this can be used to get a
 login screen on any host and therefore get around access control
 mechanisms like tcpwrapper and root login restriction to the console.

I'm not sure if I have understood your considerations.  The intruder
still needs an account on the local host, so it is as insecure as
allowing telnet access to your host.  Or not?

However, I agree that XDMCP should be restricted to the local LAN
by default.

Tcpwrappers are no major security improvement.  It's just a little
bit restictive.  You'll still have to manually add host that you
permit or deny access to your services.  The paranoid flag does
not keep hackers off of your host but people who are beaten with
dumb admins who don't care about reverse DNS.

Regards,

Joey

--
GNU does not eliminate all the world's problems, only some of them.
-- The GNU Manifesto



Insecure use of file in /tmp by trn

1999-08-21 Thread Martin Schulze

Richard Kettlewell [EMAIL PROTECTED] has reported a security
problem with trn.  Trn comes with a newsgroups shell script that uses
a hardcoded filename in /tmp as temporary storage.  As you all know,
this could be exploited to overwrite arbitrary files.  If the file
already exists as symbolic link to users files they will be
overwritten.

This was not intentional by the author, he tried to use tempfile(1) to
create the temporary filename.  However, due to a thinko, the name was
hardcoded into the script.

I propose this patch against version 3.6.

diff -u -Nur --exclude CVS orig/trn-3.6/newsgroups.SH trn-3.6/newsgroups.SH
--- orig/trn-3.6/newsgroups.SH  Thu Aug 19 12:05:40 1999
+++ trn-3.6/newsgroups.SH   Thu Aug 19 12:04:59 1999
@@ -33,7 +33,7 @@
 #NORMAL~*) active=\`$filexp \$active\` ;;
 #NORMALesac
 #NNTP
-#NNTPactive=`tempfile -p active`   #"/tmp/active.\$\$"
+#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
 #NNTPrnlib=$privlib
 #NNTPcase \$rnlib in
 #NNTP~*) rnlib=\`$filexp \$rnlib\` ;;

Regards,

Joey

--
Debian GNU/Linux  .Security Managers .   [EMAIL PROTECTED]
  [EMAIL PROTECTED]
  Christian Hudon . Wichert Akkerman . Martin Schulze
[EMAIL PROTECTED]   .   [EMAIL PROTECTED]  .   [EMAIL PROTECTED]

 PGP signature


Re: Insecure use of file in /tmp by trn

1999-08-24 Thread Martin Schulze

Rogier Wolff wrote:
 Martin Schulze wrote:
  This was not intentional by the author, he tried to use tempfile(1) to
  create the temporary filename.  However, due to a thinko, the name was
  hardcoded into the script.
 [...]
  +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"

 So now you're using tempfile? This usually yields an easily

No, but now we're using tempfile in a proper way.  In the original source
code it was used like:

NNTPactive=`tempfile -p active`

that lead into this code in /usr/bin/newsgroups

active=/tmp/activea98b82

This was hardcoded and predictable, thus very bad.  Now the program
/usr/bin/newsgroups contains this line:

active=`tempfile -p active`

which will use /tmp/active9292s for the first call and /tmp/active9x92y
for the second call.  tempfile will also check if the file exists and
use a different name otherwise, and will create the file so it can
be used by scripts later on.  This is ought to be safe.

 predictable filename, for which the same exploits hold. Just keep an
 eye out for the last PID issued, and OK, this time you might need to
 flip a link (provided that tempfile indeed refuses to return a file
 that is currently symlinked.)

It does refuse.  However there is a small chance that it only
does this in Debian, but I don't hope so.

Regards,

Joey

--
A mathematician is a machine for converting coffee into theorems.



Vixie Cron version 3.0pl1 vulnerable to root exploit

1999-08-30 Thread Martin Schulze

Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
covering a reverse denial of service bug in the vixie cron package.
As user you could restart sendmail even if the host should not receive
mail through the SMTP port.

Further investigation discovered that it was even worse.  Vixie cron
runs as root at the time sending acknowledge mail to a user.  Passing
arbitrary parameters to sendmail at this time leads into a possible
root exploit (like -C/tmp/myexploitsendmail.cf).

Olaf Kirch has developed the following patch that will send the mail
as user instead of root and removes the possibility to pass arguments
to the installed MTA.

Fixed packages available:

Red Hat - already released

Caldera - in progress

Debian - in progress

Slackware - no Vixie cron, they use Dillen's Cron Daemon instead


diff -ur cron-3.0pl1.orig/config.h cron-3.0pl1/config.h
--- cron-3.0pl1.orig/config.h   Thu Aug 26 15:03:15 1999
+++ cron-3.0pl1/config.hThu Aug 26 17:00:14 1999
@@ -42,11 +42,13 @@
 */
 
 #define MAILCMD _PATH_SENDMAIL /*-*/
-#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"  /*-*/
+#define MAILARGS "%s -FCronDaemon -odi -oem %s"/*-*/
/* -Fx   = set full-name of sender
 * -odi  = Option Deliverymode Interactive
 * -oem  = Option Errors Mailedtosender
 * -or0s = Option Readtimeout -- don't time out
+* XXX: sendmail doesn't allow -or0s when invoked
+* by joe user.  --okir
 */
 
 /* #define MAILCMD "/bin/mail" /*-*/
diff -ur cron-3.0pl1.orig/cron.h cron-3.0pl1/cron.h
--- cron-3.0pl1.orig/cron.h Thu Aug 26 15:03:16 1999
+++ cron-3.0pl1/cron.h  Thu Aug 26 16:45:07 1999
@@ -221,7 +221,7 @@
 entry  *load_entry __P((FILE *, void (*)(),
 struct passwd *, char **));
 
-FILE   *cron_popen __P((char *, char *));
+FILE   *cron_popen __P((char *, char *, entry *));
 
 
/* in the C tradition, we only create
diff -ur cron-3.0pl1.orig/do_command.c cron-3.0pl1/do_command.c
--- cron-3.0pl1.orig/do_command.c   Thu Aug 26 15:03:16 1999
+++ cron-3.0pl1/do_command.cThu Aug 26 17:14:23 1999
@@ -95,6 +95,21 @@
usernm = env_get("LOGNAME", e-envp);
mailto = env_get("MAILTO", e-envp);
 
+   /* Check for arguments */
+   if (mailto) {
+   const char  *end;
+
+   /* These chars have to match those cron_popen()
+* uses to split the command string */
+   mailto += strspn(mailto, " \t\n");
+   end = mailto + strcspn(mailto, " \t\n");
+   if (*mailto == '-' || *end != '\0') {
+   printf("Bad Mailto karma.\n");
+   log_it("CRON",getpid(),"error","bad mailto");
+   mailto = NULL;
+   }
+   }
+
 #ifdef USE_SIGCHLD
/* our parent is watching for our death by catching SIGCHLD.  we
 * do not care to watch for our children's deaths this way -- we
@@ -368,7 +383,7 @@
(void) gethostname(hostname, MAXHOSTNAMELEN);
(void) snprintf(mailcmd, sizeof(mailcmd),
MAILARGS, MAILCMD, mailto);
-   if (!(mail = cron_popen(mailcmd, "w"))) {
+   if (!(mail = cron_popen(mailcmd, "w", e))) {
perror(MAILCMD);
(void) _exit(ERROR_EXIT);
}
diff -ur cron-3.0pl1.orig/popen.c cron-3.0pl1/popen.c
--- cron-3.0pl1.orig/popen.cThu Aug 26 15:03:16 1999
+++ cron-3.0pl1/popen.c Thu Aug 26 17:01:24 1999
@@ -44,8 +44,9 @@
 static int fds;
 
 FILE *
-cron_popen(program, type)
+cron_popen(program, type, e)
char *program, *type;
+   entry *e;
 {
register char *cp;
FILE *iop;
@@ -115,6 +116,14 @@
}
(void)close(pdes[1]);
}
+   /* Lose root privilege */
+   setgid(e-gid);
+# if defined(BSD) || defined(POSIX)
+   initgroups(env_get("LOGNAME", e-envp), e-gid);
+# endif
+   setuid(e-uid);
+   chdir(env_get("HOME", e-envp));
+
 #if WANT_GLOBBING
execvp(gargv[0], gargv);
 #else

The exploit has also been developed by Olaf Kirch:

Set the user's crontab to

MAILTO=" -C/tmp/myexploitsendmail.cf"
* * * * * ls

In /tmp/myexploitsendmail.cf you basically modify the local mailer:

O DefaultUser=root:root
Mlocal, P=/tmp/hackme, F=lsDFMAw5:/|@qXfmnz9, S=10/30,
R=20/40,
T=DNS/RFC822/X-Unix,
A=mail.local -l

i.e. remove 

Re: Vixie Cron version 3.0pl1 vulnerable to root exploit

1999-09-07 Thread Martin Schulze

Valentin Nechayev wrote:
 Quite more simple and correct variant is to append "--" to mailargs:

  -#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"  /*-*/
  +#define MAILARGS "%s -FCronDaemon -odi -oem -- %s" /*-*/

 After it, it's possible to use real local parts starting with '-'. ;)
 getopt() stops parsing after "--", and arguments after it will be parsed as
 positional, not as flags.

This will only work for those MTA's that use getopt or that use the --
feature.  For example, Smail does not.  Thus this would fix the bug
in connection with sendmail but not in connection with Smail.  Haven't
checked Postfix, Exim, Zmailer and Qmail, but it may be similar.

Regards,

Joey

--
There are lies, statistics and benchmarks.



Re: SuSe / Debian man package format string vulnerability

2001-02-04 Thread Martin Schulze

StyX wrote:
 Joao Gouveia wrote:
 
  Hi,
 
  This issue has been discussed in vuln-dev (2001-01-26), see:
  http://www.securityfocus.com/templates/archive.pike?end=2001-01-27tid=15872
  4fromthread=0start=2001-01-21threads=1list=82
 
  Posted also on suse security list, and aparently overlooked.
 
  The man package that ships with SuSe Linux ( at least versions 6.1 throught
  7.0 ) has a format string vulnerability. Also debian 2.2r2 ( at least ), is
  confirmed to have the same problem.
 
  quote
  jroberto@spike:~  man -l %x%x%x%x
  man: 4000bc7438049af00: No such file or directory
  /quote
 
  Regards,
 
  Joao Gouveia
  
  [EMAIL PROTECTED]

 Hmm... What about this?

 styx@SuxOS-devel:~$ man -l %n%n%n%n
 man: Segmentation fault
 styx@SuxOS-devel:~$

 This was on my Debian 2.2 potato system (It doesn't dump core though).

Please tell me what you gain from this.  man does not run setuid root/man
but only setgid man.  So all you can exploit this to is a shell running
under your ownl user ide.

Please correct me if I'm mistaken.

Regards,

Joey

--
GNU GPL: "The source will be with you... always."



[SECURITY] [DSA 125-1] New analog packages fix cross-site scripting vulnerability

2002-03-28 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 125-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 28th, 2002  
- --

Package: analog
Vulnerability  : cross-site scripting 
Problem-Type   : remote
Debian-specific: no

Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.  It is easy for an attacker to insert arbitrary
strings into any web server logfile.  If these strings are then
analysed by analog, they can appear in the report.  By this means an
attacker can introduce arbitrary Javascript code, for example, into an
analog report produced by someone else and read by a third person.
Analog already attempted to encode unsafe characters to avoid this
type of attack, but the conversion was incomplete.

This problem has been fixed in the upstream version 5.22 of analog.
Unfortunately patching the old version of analog in the stable
distribution of Debian instead is a very large job that defeats us.

We recommend that you upgrade your analog package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Source archives:


http://security.debian.org/dists/stable/updates/main/source/analog_5.22-0potato1.dsc
  MD5 checksum: 051f6c13d7d1777aeef3c0d050b7ff94

http://security.debian.org/dists/stable/updates/main/source/analog_5.22-0potato1.diff.gz
  MD5 checksum: 294d6547c695f8b5f3b62950d7728dcf
http://security.debian.org/dists/stable/updates/main/source/analog_5.22.orig.tar.gz
  MD5 checksum: 7548e31ac6b21bec31966f98a789b426

  Alpha architecture:


http://security.debian.org/dists/stable/updates/main/binary-alpha/analog_5.22-0potato1_alpha.deb
  MD5 checksum: 64becc17b7bf444c989866424805fc7a

  ARM architecture:


http://security.debian.org/dists/stable/updates/main/binary-arm/analog_5.22-0potato1_arm.deb
  MD5 checksum: 3d446034c79efd08854d59906a5e925c

  Intel ia32 architecture:


http://security.debian.org/dists/stable/updates/main/binary-i386/analog_5.22-0potato1_i386.deb
  MD5 checksum: 6ffd39c59948d83d2a7fd890be846360

  Motorola 680x0 architecture:


http://security.debian.org/dists/stable/updates/main/binary-m68k/analog_5.22-0potato1_m68k.deb
  MD5 checksum: 16fc1029300ec44a6b56be54112b2345

  PowerPC architecture:


http://security.debian.org/dists/stable/updates/main/binary-powerpc/analog_5.22-0potato1_powerpc.deb
  MD5 checksum: dde2890837d9392b5112337ea85f82ad

  Sun Sparc architecture:


http://security.debian.org/dists/stable/updates/main/binary-sparc/analog_5.22-0potato1_sparc.deb
  MD5 checksum: 59ce433a886f8c3ec1d30fbd27bcd2ab


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8otiwW5ql+IAeqTIRAjWVAJ9rAmdKeUai+ILk0d/Mm7SyYQVSvQCeImza
sf0Wt3eir4eTkdgzPESNxZg=
=ls0t
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




[SECURITY] [DSA 137-1] New mm packages fix insecure temporary file creation

2002-07-30 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 137-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
July 30th, 2002   
- --

Package: mm
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2002-0658

Marcus Meissner and Sebastian Krahmer discovered and fixed a temporary
file vulnerability in the mm shared memory library.  This problem can
be exploited to gain root access to a machine running Apache which is
linked against this library, if shell access to the user ``www-data''
is already available (which could easily be triggered through PHP).

This problem has been fixed in the upstream version 1.2.0 of mm, which
will be uploaded to the unstable Debian distribution while this
advisory is released.  Fixed packages for potato (Debian 2.2) and
woody (Debian 3.0) are linked below.

We recommend that you upgrade your libmm packages immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11-1.2.dsc
  Size/MD5 checksum:  553 6bf8816fa3395bc685451501f203b60b
http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11.orig.tar.gz
  Size/MD5 checksum:   142893 e8f12c85582bd9994369ea4098c3424c
http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11-1.2.diff.gz
  Size/MD5 checksum: 5184 81bd3aaa499f029254fa64a7fc9a1660

  Alpha architecture:

http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_alpha.deb
  Size/MD5 checksum:13788 e45aec9dc3688a0a8500c88d04c49f33
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_alpha.deb
  Size/MD5 checksum:32060 3a20277fd97bdf52afc511c5cf7a922a

  ARM architecture:

http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_arm.deb
  Size/MD5 checksum:11876 36bf40e33e1e58ab59bdbc7e6b27327a
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_arm.deb
  Size/MD5 checksum:29194 eeba5fb89081bfc67cc1eb4c8ae7beaf

  Intel ia32 architecture:

http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_i386.deb
  Size/MD5 checksum:12100 52a6b793c890790319b5d328ee1b7a0d
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_i386.deb
  Size/MD5 checksum:28924 888a040a28f6c942424b609bb92ddc88

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_m68k.deb
  Size/MD5 checksum:11560 f86c03c040087127c74f8ddb0ebb23b4
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_m68k.deb
  Size/MD5 checksum:28752 aba689b014f669d0cadeefaa7720b9d7

  PowerPC architecture:

http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_powerpc.deb
  Size/MD5 checksum:12286 159aa5cb4938fa844ad6b93990d125b3

http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_powerpc.deb
  Size/MD5 checksum:30340 785b5ed0a9cb5b00f4e3182b7a457b44

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_sparc.deb
  Size/MD5 checksum:12170 f4f4911490dcec804e2215d8c6dcb373
http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_sparc.deb
  Size/MD5 checksum:29664 fa63ddb6ab216e7d7d7caa09531a6967


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3-6.1.dsc
  Size/MD5 checksum:  565 90c7910a97454ac9aa1abc0bc79cf316
http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3.orig.tar.gz
  Size/MD5 checksum:   137951 ba14a90239e26337eef079b698f35eae
http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3-6.1.diff.gz
  Size/MD5 checksum: 4300 44c3bd2710d53798f19228ffb4a32b78

  Alpha architecture:

http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_alpha.deb
  Size/MD5 checksum:15884 e95d9355d8c1ce4e67b057e9f7b644ed
http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_alpha.deb
  Size/MD5 checksum:35894 613548b6398dff2a72d8831dfa0bd405

  ARM architecture:

http://security.debian.org/pool/updates/main/m/mm

[SECURITY] [DSA 139-1] New super packages fix local root exploit

2002-08-01 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 139-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 1st, 2002   
- --

Package: super
Vulnerability  : format string vulnerability
Problem-Type   : local
Debian-specific: no

GOBBLES found an insecure use of format strings in the super package.
The included program super is intended to provide access to certain
system users for particular users and programs, similar to the program
super.  Exploiting this format string vulnerability a local user can
gain unauthorized root accesss.

This problem has been fixed in version 3.12.2-2.1 for the old stable
distribution (potato), in version 3.16.1-1.1 for the current stable
distribution (woody) and in version 3.18.0-3 for the unstable
distribution (sid).

We recommend that you upgrade your super package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Source archives:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1.dsc
  Size/MD5 checksum:  525 e7d8d68670dbbe1be3b4d3da143f7301
http://security.debian.org/pool/updates/main/s/super/super_3.12.2.orig.tar.gz
  Size/MD5 checksum:   170839 4b9be58190fd965bb8b5bdc0351aea5a
http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1.diff.gz
  Size/MD5 checksum: 5061 7da15c978b9ba8187e68dcafe1a02925

  Alpha architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_alpha.deb
  Size/MD5 checksum:   113136 bbd91617476dd6733799e13165b66f7f

  ARM architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_arm.deb
  Size/MD5 checksum:   101638 33a4e450ca4dd532cc59a2db58f4a676

  Intel ia32 architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_i386.deb
  Size/MD5 checksum:97404 fddd44e7a6a73143bf6ca1127ec5f7df

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_m68k.deb
  Size/MD5 checksum:94634 a92d5a82eb5c58326b087f6919260d30

  PowerPC architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_powerpc.deb
  Size/MD5 checksum:   102352 fd6e7fc3c2af75a9d36c0e4c29dd04bf

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_sparc.deb
  Size/MD5 checksum:   106092 ca8af9d1b1430486fb738e76a7d0f856


Debian GNU/Linux 3.0 alias woody
- 

Due to a bug in the libc6-dev package, we are currently unable to
provide a fixed package for the ARM architecture.  We will install it
in the archive as soon as we're able to compile it again.  Until that,
please remove the super package from your arm systems.  Due to an
unknown failure we're also unable to provide a fixed package for the
S/390 architecture, which will be installed later.

  Source archives:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1.dsc
  Size/MD5 checksum:  574 7b18da0326c7b93011f55ebc3cc48119
http://security.debian.org/pool/updates/main/s/super/super_3.16.1.orig.tar.gz
  Size/MD5 checksum:   192062 cc868b2fc2b44c47d86da314a11acf0b
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1.diff.gz
  Size/MD5 checksum: 9827 8f0f3415753f4d76c67820d582bd56c9

  Alpha architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_alpha.deb
  Size/MD5 checksum:   126730 7ad7502c4d94657fee70d9791217e1e7

  Intel ia32 architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_i386.deb
  Size/MD5 checksum:   110732 0401517e321fcd66793492d0d6a9bd1b

  Intel ia64 architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_ia64.deb
  Size/MD5 checksum:   144422 213076409ae41c0a2a5c3a0840bdf952

  HP Precision architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_hppa.deb
  Size/MD5 checksum:   124002 710a1e693ee29e11a292b6608b61426c

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_m68k.deb
  Size/MD5 checksum:   108172 32e37a1deec47756e58426117affdf5d

  Big endian MIPS architecture:

http://security.debian.org/pool

[SECURITY] [DSA 140-1] New libpng packages fix buffer overflow

2002-08-01 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 140-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 1st, 2002   
- --

Package: libpng2, libpng3
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no

Developers of the PNG library have fixed a buffer overflow in the
progressive reader when the PNG datastream contains more IDAT data
than indicated by the IHDR chunk.  Such deliberately malformed
datastreams would crash applications which could potentially allow an
attacker to execute malicious code.  Programs such as Galeon,
Konquerer and various others make use of these libraries.

To find out which packages depend on this library, you may want to
execute the following commands:

apt-cache showpkg libpng2
apt-cache showpkg libpng3

This problem has been fixed in version 1.0.12-3.woody.1 of libpng and
version 1.2.1-1.1.woody.1 of libpng3 for the current stable
distribution (woody) and in version 1.0.12-4 of libpng and version
1.2.1-2 of libpng3 for the unstable distribution (sid).

We recommend that you upgrade your libpng packages immediately and
restart programs and daemons that link to these libraries and read
external data, such as web browsers.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

The potato release of Debian does not seem to be vulnerable.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.1.diff.gz
  Size/MD5 checksum: 7669 be9367cff7f1dcf419d0d05d802c5944

http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.1.dsc
  Size/MD5 checksum:  622 6d23d6e1158b9a9108992f796e75e19a
http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12.orig.tar.gz
  Size/MD5 checksum:   481387 3329b745968e41f6f9e55a4d04a4964c

http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.1.diff.gz
  Size/MD5 checksum: 8068 74ad33afe027c4707f82a6717d57fa61

http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.1.dsc
  Size/MD5 checksum:  625 d575b2e4bd1f603bd7587b7118592943
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1.orig.tar.gz
  Size/MD5 checksum:   493105 75a21cbfae566158a0ac6d9f39087c4d

  Alpha architecture:


http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.1_alpha.deb
  Size/MD5 checksum:   129634 885ef09eee9a15be7ab4a31695235e36

http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.1_alpha.deb
  Size/MD5 checksum:   270222 2d798e90db55f3656f06e1cb704f2002

http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.1_alpha.deb
  Size/MD5 checksum:   133058 b4ef97d3a57ad81c360d057a3c74850d

http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.1_alpha.deb
  Size/MD5 checksum:   276350 417643ea3928b6c57179cace2a4fd416

  ARM architecture:


http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.1_arm.deb
  Size/MD5 checksum:   108116 5ba4eb39cd465795e144fb2a2ed90f6d

http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.1_arm.deb
  Size/MD5 checksum:   241198 8739ebfde3e6a9880771cd8710b75c8d

http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.1_arm.deb
  Size/MD5 checksum:   111416 527abeb9d914b678de915c30bd3f60cc

http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.1_arm.deb
  Size/MD5 checksum:   247460 b796ea4b65914d932a61a47e6767dafc

  Intel ia32 architecture:


http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.1_i386.deb
  Size/MD5 checksum:   106362 51afc4e74c966611d09c86cd7618232a

http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.1_i386.deb
  Size/MD5 checksum:   227330 9d5ea3fb4a4f574bbca0b36d1bb920b0

http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.1_i386.deb
  Size/MD5 checksum:   109626 fd82990366d175a321770f06a61a6f26

http://security.debian.org/pool/updates/main

[SECURITY] [DSA 141-1] New mpack packages fix buffer overflow

2002-08-02 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 141-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 1st, 2002   
- --

Package: mpack
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no

Eckehard Berns discovered a buffer overflow in the munpack program
which is used for decoding (respectively) binary files in MIME
(Multipurpose Internet Mail Extensions) format mail messages.  If
munpack is run on an appropriately malformed email (or news article)
then it will crash, and perhaps can be made to run arbitrary code.

Herbert Xu reported a second vulnerability which affected malformed
filenames that refer to files in upper directories like ../a.  The
security impact is limited, though, because only a single leading
../ was accepted and only new files can be created (i.e. no files
will be overwritten).

Both problems were been fixed in version 1.5-5potato2 for the old
stable distribution (potato), in version 1.5-7woody2 for the current
stable distribution (woody) and in version 1.5-9 for the unstable
distribution (sid).

We recommend that you upgrade your mpack package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2.dsc
  Size/MD5 checksum:  527 96670945b237c260638c859e38e8
http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2.diff.gz
  Size/MD5 checksum: 3200 60abfda1db9175fdee0efe10d8bebf9b
http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5.orig.tar.gz
  Size/MD5 checksum:   154859 c1914b27d02f830c3872973c342d5d9e

  Alpha architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2_alpha.deb
  Size/MD5 checksum:50602 7ecd69d7a2e0ae49aa0aae3803ea75eb

  ARM architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2_arm.deb
  Size/MD5 checksum:40266 c1d2a70472b84fd0b0f5f8c135c42d27

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2_i386.deb
  Size/MD5 checksum:34576 77de4d66ac154790edcae66113b7a639

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2_m68k.deb
  Size/MD5 checksum:33228 ce7175e3ce4122eeac14d7477c51cd84

  PowerPC architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2_powerpc.deb
  Size/MD5 checksum:40502 d33adcda017f7b757554ee025dc362b8

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-5potato2_sparc.deb
  Size/MD5 checksum:45078 3b7858416e6a1e90b80b9d459d51d6e5


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2.dsc
  Size/MD5 checksum:  523 4204582ee8d21fe861b7f1dc8cd92546
http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2.diff.gz
  Size/MD5 checksum: 3915 d67bd3a65f5f020f791c17cdee3ad55f
http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5.orig.tar.gz
  Size/MD5 checksum:   154859 c1914b27d02f830c3872973c342d5d9e

  Alpha architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2_alpha.deb
  Size/MD5 checksum:49442 c991dd1e3c4623b1ac9bb46dd9025551

  ARM architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2_arm.deb
  Size/MD5 checksum:40526 83fd03952908fa7f399243940f20e4d1

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2_i386.deb
  Size/MD5 checksum:35090 7765259cd9b990caa39452fc67050187

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2_ia64.deb
  Size/MD5 checksum:59156 7cb1c76fe9f1f7d87e0981878edf2d2e

  HP Precision architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2_hppa.deb
  Size/MD5 checksum:45454 3a49ec1a19a527346c129aa2c1797df8

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/mpack/mpack_1.5-7woody2_m68k.deb
  Size/MD5 checksum:33912

[SECURITY] [DSA 147-1] New mailman packages fix cross-site scripting problem

2002-08-09 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 147-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 8th, 2002   
- --

Package: mailman
Vulnerability  : cross-site scripting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0388

A cross-site scripting vulnerability was discovered in mailman, a
program to manage electronic mailing lists.  When a properly crafted
URL is accessed with Internet Explorer (other browsers don't seem to
be affected), the resulting webpage is rendered similar to the real
one, but the javascript component is executed as well, which could be
used by an attacker to get access to sensitive information.  The new
version for Debian 2.2 also includes backports of security related
patches from mailman 2.0.11.

This problem has been fixed in version 2.0.11-1woody2 for the current
stable distribution (woody), in version 1.1-10.1 for the old stable
distribution (woody) and in version 2.0.12-1 for the unstable
distribution (sid).

We recommend that you upgrade your mailman package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1.dsc
  Size/MD5 checksum:  528 91d75b840f97ab2dcd700678e5c03d4a
http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1.diff.gz
  Size/MD5 checksum:22053 adb539c2a3709490a58416ea69ec92cd
http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1.orig.tar.gz
  Size/MD5 checksum:   322247 42d499f4e1de6959c50b20a4eb0f432a

  Alpha architecture:

http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1_alpha.deb
  Size/MD5 checksum:   329118 0b9ba1dc599532594dd9c30787e1fed3

  ARM architecture:

http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1_arm.deb
  Size/MD5 checksum:   327118 0ab80d4de1d9c674d7971e3cb91dca2c

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1_i386.deb
  Size/MD5 checksum:   328680 58aab5cf2c13a03952f22097c7224e01

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1_m68k.deb
  Size/MD5 checksum:   328190 84b30c21c3e0bce5b1f6f5778d4b34e7

  PowerPC architecture:

http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1_powerpc.deb
  Size/MD5 checksum:   328926 527f56d4dbe531d3889a8aaf61d73729

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1_sparc.deb
  Size/MD5 checksum:   334170 bcec29e94554042ba97f8330aeac04fe


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2.dsc
  Size/MD5 checksum:  595 5cceabc484906689b7408f71869dfb59

http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2.diff.gz
  Size/MD5 checksum:30899 dd977c232b4deab55ab45a39e306fa10
http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11.orig.tar.gz
  Size/MD5 checksum:   415129 915264cb1ac8d7b78ea9eff3ba38ee04

  Alpha architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2_alpha.deb
  Size/MD5 checksum:   460872 5434c7767498b7966072d5c4f77ff22b

  ARM architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2_arm.deb
  Size/MD5 checksum:   458520 759b2a9aa822ec6ce37087e98dcd9546

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2_i386.deb
  Size/MD5 checksum:   474860 ed7707ac59ea0901db6a7d4519193bdb

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2_ia64.deb
  Size/MD5 checksum:   461646 cb36836e6f69fc3c788f4c3c2127

  HP Precision architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2_hppa.deb
  Size/MD5 checksum:   459152 e9db053ea86b48f66e28ab0ca96bae15

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody2_m68k.deb
  Size/MD5 checksum:   458594

[SECURITY] [DSA 150-1] New interchange packages fix illegal file exposition

2002-08-13 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 150-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 13th, 2002   
- --

Package: interchange
Vulnerability  : illegal file exposition
Problem-Type   : remote
Debian-specific: no

A problem has been discovered in Interchange, an e-commerce and
general HTTP database display system, which can lead to an attacker
being able to read any file to which the user of the Interchange
daemon has sufficient permissions, when Interchange runs in INET
mode (internet domain socket).  This is not the default setting in
Debian packages, but configurable with Debconf and via configuration
file.  We also believe that this bug cannot be exploited on a regular
Debian system.

This problem has been fixed by the package maintainer in version
4.8.3.20020306-1.woody.1 for the current stable distribution (woody)
and in version 4.8.6-1 for the unstable distribution (sid).  The old
stable distribution (potato) is not affected, since it doesn't ship
the Interchange system.

We recommend that you upgrade your interchange packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.dsc
  Size/MD5 checksum:  883 ffa49ff2144a7bd4320eb9c2198d24b3

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.diff.gz
  Size/MD5 checksum:  528 60c7cb2c1798ae2f61365e130d1772d3

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306.orig.tar.gz
  Size/MD5 checksum:  1858749 660c7e65732a052a81d2ae6e4c6ed2b5

  Architecture independent components:


http://security.debian.org/pool/updates/main/i/interchange/interchange-cat-foundation_4.8.3.20020306-1.woody.1_all.deb
  Size/MD5 checksum:   635062 6ebceb949aad1dc23e364dd297125c8f

http://security.debian.org/pool/updates/main/i/interchange/interchange-ui_4.8.3.20020306-1.woody.1_all.deb
  Size/MD5 checksum:   432068 3f9574521ced0bc39c40793c74841947

  Alpha architecture:


http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_alpha.deb
  Size/MD5 checksum:   856324 a903c5f415978bda83ebc64e533d6513

http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_alpha.deb
  Size/MD5 checksum:13812 21dcdb083b2d93e8b72cb06e3b9b3d77

  ARM architecture:


http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_arm.deb
  Size/MD5 checksum:   854980 80a5246531dc085d5ef629dd1337271c

http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_arm.deb
  Size/MD5 checksum:13198 63fe3b689099793c61b2bbb870c101e3

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_i386.deb
  Size/MD5 checksum:   852744 7a40058ecc9119c740826b3dbc9660d0

http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb
  Size/MD5 checksum:13156 234c7d614aa28de64d5d33dcb49e654d

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_ia64.deb
  Size/MD5 checksum:   858420 6f16f350d5d162b2bbac98bb4e7dc857

http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_ia64.deb
  Size/MD5 checksum:15670 fcfacf2758ac97a9ee6390bf20b9f64b

  HP Precision architecture:


http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_hppa.deb
  Size/MD5 checksum:   856104 4d7932a5d476acf49eda3ca2ecc4bf89

http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_hppa.deb
  Size/MD5 checksum:13920 a4593d918b5c9c87434544ed7d0af579

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_m68k.deb
  Size/MD5 checksum:   855146 de6a211e1b615dded617c9ff9877b897

http://security.debian.org/pool/updates/main/i

[SECURITY] [DSA 152-1] New l2tpd packages adds better randomization

2002-08-13 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 152-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 13th, 2002   
- --

Package: l2tpd
Vulnerability  : missing random seed
Problem-Type   : remote
Debian-specific: no

Current versions of l2tpd, a layer 2 tunneling client/server program,
forgot to initialize the random generator, which made it vulnerable
since all generated random numbers were 100% guessable.  When dealing
with the size of the value in an attribute value pair, too many bytes
could be copied, which could lead to the vendor field being
overwritten.
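As an added illustration of the two defects described above (constructed for this page, not l2tpd's own code), here is an AVP parser that validates the length field before copying, together with a seeding routine that takes its seed from /dev/urandom. It assumes the RFC 2661 AVP layout (a 10-bit length that counts the 6-byte header, then vendor ID and attribute type); AVP_MAX_VALUE, the struct and the function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed example, not l2tpd code. Layout assumed from RFC 2661:
 * bytes 0-1: M bit (0x8000), H bit, reserved, 10-bit length that counts
 *            the 6-byte header; bytes 2-3: vendor ID; bytes 4-5: attribute
 *            type; the rest is the value. */
#define AVP_HDR_LEN   6
#define AVP_MAX_VALUE 64   /* fixed value buffer a small daemon might use */

struct avp {
    int mandatory;
    uint16_t vendor;
    uint16_t type;
    size_t value_len;
    unsigned char value[AVP_MAX_VALUE];
};

/* Parse one AVP from buf. Returns bytes consumed, or -1 when the advertised
 * length is inconsistent, so an oversized value never reaches memcpy and
 * cannot run past value[] into whatever is stored next to it. */
int parse_avp(const unsigned char *buf, size_t buflen, struct avp *out)
{
    if (buflen < AVP_HDR_LEN)
        return -1;
    uint16_t hdr = (uint16_t)((buf[0] << 8) | buf[1]);
    size_t total = hdr & 0x03ff;                 /* 10-bit length field */
    /* The three checks the vulnerable copy lacked: the length must cover
     * the header, must not exceed what was received, and the value must
     * fit the destination buffer. */
    if (total < AVP_HDR_LEN || total > buflen)
        return -1;
    size_t vlen = total - AVP_HDR_LEN;
    if (vlen > AVP_MAX_VALUE)
        return -1;
    out->mandatory = (hdr & 0x8000) != 0;
    out->vendor    = (uint16_t)((buf[2] << 8) | buf[3]);
    out->type      = (uint16_t)((buf[4] << 8) | buf[5]);
    out->value_len = vlen;
    memcpy(out->value, buf + AVP_HDR_LEN, vlen);
    return (int)total;
}

/* Seed the libc PRNG from the kernel entropy pool. Returns 0 on success.
 * Without this, every run of the daemon hands out the same sequence. */
int seed_prng(void)
{
    unsigned int seed;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, &seed, sizeof seed);
    close(fd);
    if (n != (ssize_t)sizeof seed)
        return -1;
    srandom(seed);
    return 0;
}
```

Seeding only fixes the "same sequence on every start" problem; random() is still not a cryptographic generator, so values a peer must not be able to guess (tunnel or session identifiers, challenge nonces) should be read from /dev/urandom directly rather than derived from random().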

These problems have been fixed in version 0.67-1.1 for the current
stable distribution (woody) and in version 0.68-1 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected, since it doesn't contain the l2tpd package.

We recommend that you upgrade your l2tpd packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1.dsc
  Size/MD5 checksum:  556 ffe4fded4647ac003ffdd4978661ca15
http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1.diff.gz
  Size/MD5 checksum: 2339 b647394faed6dba02687e7709299836a
http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67.orig.tar.gz
  Size/MD5 checksum:   121685 d40065070e34c44389e4c749b61916c6

  Alpha architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_alpha.deb
  Size/MD5 checksum:99940 a3caa77d343536f68753ea64aa336a45

  ARM architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_arm.deb
  Size/MD5 checksum:90756 603a9b88e98001c1602d464571dce765

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_i386.deb
  Size/MD5 checksum:88130 bbd745997296fd61edc9777de121c9a5

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_ia64.deb
  Size/MD5 checksum:   110726 dc180c2040f8f29f868e5039e09b0879

  HP Precision architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_hppa.deb
  Size/MD5 checksum:94918 9629d5a679cf336036d485a32fa0b6db

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_m68k.deb
  Size/MD5 checksum:84818 c61280d6f968b9052dfc9f9e5c34cbd5

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_mips.deb
  Size/MD5 checksum:94608 62cfeab1e06185f58b79c7c8f3b93cce

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_mipsel.deb
  Size/MD5 checksum:94944 6d164b24e067355b26b7234434ff21cb

  PowerPC architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_powerpc.deb
  Size/MD5 checksum:89318 a736a5fc05493393e1b0ade0097f60a0

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_s390.deb
  Size/MD5 checksum:87736 6e1d259729d21a92537c38d315f0286f

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_sparc.deb
  Size/MD5 checksum:91790 faade7c56590eae84e8b0ef14014a29b


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9WVr+W5ql+IAeqTIRAvo4AJ0Rvi9biPFQgsQEyxXw/BglLiBtNwCaA9i9
T/dAtiI4sriCChCHy+AzCwI=
=YgC4
-END PGP SIGNATURE-

[SECURITY] [DSA 151-1] New xinetd packages fix local denial of service

2002-08-13 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 151-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 13th, 2002   
- --

Package: xinetd
Vulnerability  : pipe exposure
Problem-Type   : local
Debian-specific: no

Solar Designer found a vulnerability in xinetd, a replacement for the
BSD-derived inetd.  File descriptors for the signal pipe introduced in
version 2.3.4 are leaked into services started from xinetd.  The
descriptors could be used to talk to xinetd, resulting in it crashing
entirely.  This is usually called a denial of service.
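The defect is the descriptor leak, not the signal pipe itself. As an added example (constructed for this page, not xinetd's code), the pipe below is created with both ends marked close-on-exec, so a service started with exec() cannot inherit a channel to the daemon; a second routine closes every remaining descriptor in the child as defence in depth. The function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <unistd.h>

/* Constructed example, not xinetd code. The "signal pipe" pattern: the
 * handler writes one byte, the main loop selects on the read end. The bug
 * class here is leaving both ends open across exec, so every service the
 * daemon spawns inherits a descriptor it can write into. */
static int sig_pipe[2] = { -1, -1 };

/* 1 if fd is close-on-exec, 0 if it would be inherited, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Create the pipe, mark both ends close-on-exec and make the read end
 * non-blocking so the main loop can poll it. Returns 0 on success. */
int make_signal_pipe(void)
{
    if (pipe(sig_pipe) < 0)
        return -1;
    if (set_cloexec(sig_pipe[0]) < 0 || set_cloexec(sig_pipe[1]) < 0 ||
        fcntl(sig_pipe[0], F_SETFL, O_NONBLOCK) < 0) {
        close(sig_pipe[0]);
        close(sig_pipe[1]);
        sig_pipe[0] = sig_pipe[1] = -1;
        return -1;
    }
    return 0;
}

int signal_pipe_read_fd(void) { return sig_pipe[0]; }

/* Async-signal-safe handler: queue the signal number, preserve errno. */
void on_signal(int signo)
{
    unsigned char b = (unsigned char)signo;
    int saved = errno;
    (void)write(sig_pipe[1], &b, 1);
    errno = saved;
}

/* Drain one queued signal; returns its number, or -1 if none is queued. */
int next_queued_signal(void)
{
    unsigned char b;
    if (read(sig_pipe[0], &b, 1) != 1)
        return -1;
    return b;
}

/* Defence in depth for the child: after fork() and before exec(), close
 * every descriptor from first_fd upward so nothing the daemon opened
 * without FD_CLOEXEC reaches the service either. */
void close_from(int first_fd)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;
    for (long fd = first_fd; fd < maxfd; fd++)
        close((int)fd);
}
```

On current Linux the same result is available atomically with pipe2(fds, O_CLOEXEC), which avoids the window between pipe() and fcntl() in a threaded program; the fcntl form above is the portable one.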

This problem has been fixed by the package maintainer in version
2.3.4-1.2 for the current stable distribution (woody) and in version
2.3.7-1 for the unstable distribution (sid).  The old stable
distribution (potato) is not affected, since it doesn't contain the
signal pipe.

We recommend that you upgrade your xinetd packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2.dsc
  Size/MD5 checksum:  596 6e437a7317228d6baaf1013cc060dcd9
http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2.diff.gz
  Size/MD5 checksum:34109 ea09f66719c48976345d104c94d8d7a0
http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4.orig.tar.gz
  Size/MD5 checksum:   270723 8f7ac612910aaf811c4554f4ab40fd65

  Alpha architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_alpha.deb
  Size/MD5 checksum:   144548 4a380b4e80f789be31e41b3cc1ca6c25

  ARM architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_arm.deb
  Size/MD5 checksum:   119372 e9f22ebf109fbbb45e2488090b024a78

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_i386.deb
  Size/MD5 checksum:   114380 82e2f7248fcec69f1a4390d4e22c799d

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_ia64.deb
  Size/MD5 checksum:   170536 a0545b8a5b0989e04f1178592aeec414

  HP Precision architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_hppa.deb
  Size/MD5 checksum:   134914 b2f95d5464fe03115f8b6c88f2587939

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_m68k.deb
  Size/MD5 checksum:   109000 1c59983898111932ed5554708742fd73

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_mips.deb
  Size/MD5 checksum:   133488 711b97de8092f465b89a8c3b332c0198

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_mipsel.deb
  Size/MD5 checksum:   134214 21ef9ae6317261fade057163cafc7d01

  PowerPC architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_powerpc.deb
  Size/MD5 checksum:   124404 87b9958221e1bf9048a4d3650cd89e21

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_s390.deb
  Size/MD5 checksum:   120268 1248fb8bbb886916c25e2ac5d2523bd4

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_sparc.deb
  Size/MD5 checksum:   124144 055c71fccc937b6784d114cb7860a171


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9WVI2W5ql+IAeqTIRApdfAJ9fpjryUishlLEwbyPXqvN+pkONAQCgpSns
Bprg3xBeN6xqrFVoxuka25U=
=HYnh
-END PGP SIGNATURE-

[SECURITY] [DSA 147-2] New mailman packages fix cross-site scripting problem

2002-08-26 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 147-2 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 26th, 2002   http://www.debian.org/security/faq
- --

Package: mailman
Vulnerability  : cross-site scripting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0388

Quoting DSA 147-1:

   A cross-site scripting vulnerability was discovered in mailman, a
   software to manage electronic mailing lists.  When a properly
   crafted URL is accessed with Internet Explorer (other browsers
   don't seem to be affected), the resulting webpage is rendered
   similar to the real one, but the javascript component is executed
   as well, which could be used by an attacker to get access to
   sensitive information.  The new version for Debian 2.2 also
   includes backports of security related patches from mailman 2.0.11.

This has been fixed in DSA 147-1 already, however, contrary to popular
belief, it turned out that the Python packaging does not upgrade
Python 1.5 users to 2.1 when upgrading from potato to woody.  It also
turned out that the mailman security update unwittingly introduced a
dependency to Python 2.1, both in the security update and upstream,
which left the package unusable on some systems.

This problem has been fixed in version 2.0.11-1woody4 for the current
stable distribution (woody).  Others are not affected.

We recommend that you upgrade your mailman package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4.dsc
  Size/MD5 checksum:  595 b154928ff9853f95ea301c452f23605d

http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4.diff.gz
  Size/MD5 checksum:31005 08c23b520ae4b9f4e7ef45b465ad7e47
http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11.orig.tar.gz
  Size/MD5 checksum:   415129 915264cb1ac8d7b78ea9eff3ba38ee04

  Alpha architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_alpha.deb
  Size/MD5 checksum:   460960 e1d8a4257577fb4ebb66705275fa38a0

  ARM architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_arm.deb
  Size/MD5 checksum:   458600 f969eb59fd48e34f9fa0ac0709315c26

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_i386.deb
  Size/MD5 checksum:   475002 64035fc874ed300ade121957bd550e24

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_ia64.deb
  Size/MD5 checksum:   461502 bfa37aa587621a19f8fe606157b9d207

  HP Precision architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_hppa.deb
  Size/MD5 checksum:   459156 0116618a21c275f085b8d54aba503ae7

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_m68k.deb
  Size/MD5 checksum:   458684 233315c6f2fcd7914fc88bb4d775dacf

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_mips.deb
  Size/MD5 checksum:   459154 14fe9870d61986680c7b36568ba070b4

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_mipsel.deb
  Size/MD5 checksum:   459120 e401830cfcbb84a0fa79bfacfd291460

  PowerPC architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_powerpc.deb
  Size/MD5 checksum:   459464 e3793f4d40a7b363b4c6b9787635bf1a

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_s390.deb
  Size/MD5 checksum:   459472 0ea41eaa4395227f8c58d4e979ac014b

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody4_sparc.deb
  Size/MD5 checksum:   463962 e7f4892277153b9a24e2b5331703e2b7


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp

[SECURITY] [DSA 158-1] New gaim packages fix arbitrary program execution

2002-08-27 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 158-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 27th, 2002   http://www.debian.org/security/faq
- --

Package: gaim
Vulnerability  : arbitrary program execution
Problem-Type   : remote
Debian-specific: no

The developers of Gaim, an instant messenger client that combines
several different networks, found a vulnerability in the hyperlink
handling code.  The 'Manual' browser command passes an untrusted
string to the shell without escaping or reliable quoting, permitting
an attacker to execute arbitrary commands on the user's machine.
Unfortunately, Gaim doesn't display the hyperlink before the user
clicks on it.  Users who use other inbuilt browser commands aren't
vulnerable.

This problem has been fixed in version 0.58-2.2 for the current
stable distribution (woody) and in version 0.59.1-2 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since it doesn't ship the Gaim program.

The fixed version of Gaim no longer passes the user's manual browser
command to the shell.  Commands which contain the %s in quotes will
need to be amended, so they don't contain any quotes.  The 'Manual'
browser command can be edited in the 'General' pane of the
'Preferences' dialog, which can be accessed by clicking 'Options' from
the login window, or 'Tools' and then 'Preferences' from the menu bar
in the buddy list window.
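To show why the fixed behaviour makes quotes around %s unnecessary, here is an added example (constructed for this page, not Gaim's code) of the safe pattern: the 'Manual' command template is split into words first, %s is substituted inside a single word, and the result goes to execvp() so no shell ever parses the URL. The template strings, URLs and function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed example, not Gaim code. The 'Manual' browser command is a
 * template such as "mozilla -remote openURL(%s)". Because the URL becomes
 * exactly one argv[] entry, metacharacters in it stay literal; it also
 * means quotes in the template are literal characters, which is the
 * amendment the advisory asks users to make. */

#define MAX_ARGS 32

void free_argv(char **argv, int argc)
{
    for (int i = 0; i < argc; i++)
        free(argv[i]);
}

/* Copy word [start, start+wlen) replacing each "%s" with url. */
static char *expand_word(const char *start, size_t wlen, const char *url)
{
    size_t ulen = strlen(url), cap = wlen + 1;
    for (size_t i = 0; i + 1 < wlen; i++)
        if (start[i] == '%' && start[i + 1] == 's')
            cap += ulen;
    char *out = malloc(cap);
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < wlen; i++) {
        if (start[i] == '%' && i + 1 < wlen && start[i + 1] == 's') {
            memcpy(out + o, url, ulen);
            o += ulen;
            i++;                       /* skip the 's' */
        } else {
            out[o++] = start[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Build a NULL-terminated argv from template; returns argc or -1.
 * argv must have room for max entries including the terminator. */
int build_browser_argv(const char *template, const char *url,
                       char **argv, int max)
{
    int argc = 0;
    const char *p = template;
    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
        if (argc >= max - 1) {
            free_argv(argv, argc);
            return -1;
        }
        argv[argc] = expand_word(start, (size_t)(p - start), url);
        if (!argv[argc]) {
            free_argv(argv, argc);
            return -1;
        }
        argc++;
    }
    argv[argc] = NULL;
    return argc;
}

/* Launch without a shell. Returns the child pid, or -1 on failure. */
pid_t launch_browser(const char *template, const char *url)
{
    char *argv[MAX_ARGS];
    int argc = build_browser_argv(template, url, argv, MAX_ARGS);
    if (argc <= 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* exec failed; never fall back to a shell */
    }
    free_argv(argv, argc);
    return pid;
}
```

The contrast with the vulnerable version is the absence of system() or popen(): the only string interpretation that happens is the %s expansion, and it happens after word splitting, so nothing in the URL can create a new argument, let alone a new command.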

We recommend that you upgrade your gaim package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2.dsc
  Size/MD5 checksum:  681 388e7ad7ea82f72e80f5e7b950b74d9f
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2.diff.gz
  Size/MD5 checksum:21077 f40a10f65ec69c219209f3833a601451
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58.orig.tar.gz
  Size/MD5 checksum:  1928057 644df289daeca5f9dd3983d65c8b2407

  Alpha architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_alpha.deb
  Size/MD5 checksum:   479720 4d8e4ea7f37653cc63bd9c6f3f5b2698
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_alpha.deb
  Size/MD5 checksum:   674568 60234f1a1896d77e924e9ebb99eee12b
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_alpha.deb
  Size/MD5 checksum:   501208 932052409cdc11ea89330709a41f32e4

  ARM architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_arm.deb
  Size/MD5 checksum:   401834 6a25ab2f49f104a8cb60dfb266687b4e
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_arm.deb
  Size/MD5 checksum:   614864 251f521cfe92b00282f3d633e2ecdc06
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_arm.deb
  Size/MD5 checksum:   422330 420edd09bad2f4587b843f18e7c56a0c

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_i386.deb
  Size/MD5 checksum:   389256 bb1688d11f1e444e7116e3ce48d4b299
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_i386.deb
  Size/MD5 checksum:   606056 ff6443a2cc3be13f8d97f8c56f93bf05
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_i386.deb
  Size/MD5 checksum:   409108 028dc6cfa04b921f94500853d65f1069

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_ia64.deb
  Size/MD5 checksum:   557146 d99d9f408b423e4ecb572d6c529ec271
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_ia64.deb
  Size/MD5 checksum:   765084 20cf4447c02e5691f90f7c19088dc556
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_ia64.deb
  Size/MD5 checksum:   569896 829bba8b920ff5355cbc72dc918bc6a4

  HP Precision architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_hppa.deb
  Size/MD5 checksum:   459416 42f17cb42279fd9148a44be663244298
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_hppa.deb
  Size/MD5 checksum:   690992 b6e1d262705760055eb6fd3c2a8b393e
http://security.debian.org/pool/updates/main/g/gaim/gaim

[SECURITY] [DSA 159-1] New Python packages fix insecure temporary file use

2002-08-28 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 159-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
August 28th, 2002   http://www.debian.org/security/faq
- --

Package: python
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no

Zack Weinberg discovered an insecure use of a temporary file in
os._execvpe from os.py.  It uses a predictable name which could lead
to execution of arbitrary code.

This problem has been fixed in several versions of Python: For the
current stable distribution (woody) it has been fixed in version
1.5.2-23.1 of Python 1.5, in version 2.1.3-3.1 of Python 2.1 and in
version 2.2.1-4.1 of Python 2.2.  For the old stable distribution
(potato) this has been fixed in version 1.5.2-10potato12 for Python
1.5.  For the unstable distribution (sid) this has been fixed in
version 1.5.2-24 of Python 1.5, in version 2.1.3-6a of Python 2.1 and
in version 2.2.1-8 of Python 2.2.  Python 2.3 is not affected by this
problem.

We recommend that you upgrade your Python packages immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



[SECURITY] [DSA 160-1] New scrollkeeper packages fix insecure temporary file creation

2002-09-03 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 160-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 3rd, 2002 http://www.debian.org/security/faq
- --

Package: scrollkeeper
Vulnerability  : insecure temporary file creation
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2002-0662

Spybreak discovered a problem in scrollkeeper, a free electronic
cataloging system for documentation.  The scrollkeeper-get-cl program
creates temporary files in an insecure manner in /tmp using guessable
filenames.  Since scrollkeeper is called automatically when a user
logs into a Gnome session, an attacker with local access can easily
create and overwrite files as another user.

This problem has been fixed in version 0.3.6-3.1 for the current
stable distribution (woody) and in version 0.3.11-2 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected, since it doesn't contain the scrollkeeper package.

We recommend that you upgrade your scrollkeeper packages immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



[SECURITY] [DSA 161-1] New Mantis package fixes privilege escalation

2002-09-04 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 161-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 4th, 2002 http://www.debian.org/security/faq
- --

Package: mantis
Vulnerability  : privilege escalation
Problem-Type   : remote
Debian-specific: no

A problem with user privileges has been discovered in the Mantis
package, a PHP-based bug tracking system.  Mantis did not check
whether a user is permitted to view a bug, but displayed it right
away whenever the user entered a valid bug id.

Another bug in Mantis caused the 'View Bugs' page to list bugs from
both public and private projects when no projects are accessible to
the current user.

These problems have been fixed in version 0.17.1-2.5 for the current
stable distribution (woody) and in version 0.17.5-2 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected, since it doesn't contain the mantis package.

We recommend that you upgrade your mantis packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


[SECURITY] [DSA 162-1] New ethereal packages fix buffer overflow

2002-09-06 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 162-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 6th, 2002 http://www.debian.org/security/faq
- --

Package: ethereal
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0834
BugTraq Id : 5573

Ethereal developers discovered a buffer overflow in the ISIS protocol
dissector.  It may be possible to make Ethereal crash or hang by
injecting a purposefully malformed packet onto the wire, or by
convincing someone to read a malformed packet trace file.  It may be
possible to make Ethereal run arbitrary code by exploiting the buffer
and pointer problems.

This problem has been fixed in version 0.9.4-1woody2 for the current
stable distribution (woody), in version 0.8.0-4potato.1 for the old
stable distribution (potato) and in version 0.9.6-1 for the unstable
distribution (sid).

We recommend that you upgrade your ethereal packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



[SECURITY] [DSA 168-1] New PHP packages fix several vulnerabilities

2002-09-18 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 168-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 18th, 2002http://www.debian.org/security/faq
- --

Package: PHP3, PHP4
Vulnerability  : bypassing safe_mode, CRLF injection
Problem-Type   : remote
Debian-specific: no
CVE ID : CAN-2002-0985 CAN-2002-0986
BugTraq ID : 5681

Wojciech Purczynski found out that scripts can pass arbitrary text to
sendmail as command-line options when sending mail through PHP, even
when safe_mode is turned on.  Passing the 5th argument of mail()
should be disabled when PHP is configured in safe_mode, which is the
case for newer PHP versions and for the versions below.  This does
not affect PHP3, though.

Wojciech Purczynski also found out that arbitrary ASCII control
characters may be injected into the string arguments of the mail()
function.  If the mail() arguments are taken from user input, this
may give the user the ability to alter the message content, including
the mail headers.

Ulf Harnhammar discovered that file() and fopen() are vulnerable to
CRLF injection.  An attacker could use it to escape certain
restrictions and add arbitrary text to alleged HTTP requests that are
passed through.

However, this only happens if something is passed to these functions
which is neither a valid file name nor a valid URL.  Any string that
contains control characters cannot be a valid URL.  Before you pass a
string that should be a URL to any function, you must use urlencode()
to encode it.

Three problems have been identified in PHP:

1. The mail() function can allow arbitrary email headers to be
   specified if a recipient address or subject contains CR/LF
   characters.

2. The mail() function does not properly disable the passing of
   arbitrary command-line options to sendmail when running in Safe
   Mode.

3. The fopen() function, when retrieving a URL, can allow manipulation
   of the request for the resource through a URL containing CR/LF
   characters.  For example, headers could be added to an HTTP
   request.

These problems have been fixed in version 3.0.18-23.1woody1 for PHP3
and 4.1.2-5 for PHP4 for the current stable distribution (woody), in
version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in
the old stable distribution (potato) and in version 3.0.18-23.2 for
PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid).

We recommend that you upgrade your PHP packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



[SECURITY] [DSA 149-2] New glibc packages fix

2002-09-26 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 149-2 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 26th, 2002http://www.debian.org/security/faq
- --

Package: glibc
Vulnerability  : division by zero
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0391
CERT advisory  : VU#192995

Wolfram Gloger discovered that the bugfix from DSA 149-1 unintentionally
replaced potential integer overflows in connection with malloc() with
more likely divisions by zero.  This called for an update.  For
completeness, the original security advisory said:

  An integer overflow bug has been discovered in the RPC library used
  by GNU libc, which is derived from the SunRPC library.  This bug
  could be exploited to gain unauthorized root access to software
  linking to this code.  The packages below also fix integer overflows
  in the malloc code.

This is fixed in version 2.2.5-11.2 for the current stable
distribution (woody), using a patch from the stable glibc-2_2 branch
by Wolfram, and in version 2.1.3-24 for the old stable release
(potato).

We recommend that you upgrade your libc6 packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



[SECURITY] [DSA 169-1] New tomcat packages fix unintended source code disclosure

2002-10-04 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 169-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 4th, 2002   http://www.debian.org/security/faq
- --

Package: tomcat4
Vulnerability  : source code disclosure
Problem-Type   : remote
Debian-specific: no

A security vulnerability has been found in all Tomcat 4.x releases.
This problem allows an attacker to use a specially crafted URL to
return the unprocessed source code of a JSP page, or, under special
circumstances, a static resource which would otherwise have been
protected by security constraints, without the need for being properly
authenticated.

This problem has been fixed in version 4.0.3-3woody1 for the current
stable distribution (woody) and in version 4.1.12-1 for the unstable
release (sid).  The old stable release (potato) does not contain
tomcat packages.  Also, packages for tomcat3 are not vulnerable to
this problem.

We recommend that you upgrade your tomcat package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


[SECURITY] [DSA 169-1] New ht://Check packages fix cross site scripting problem

2002-10-08 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 169-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 25th, 2002http://www.debian.org/security/faq
- --

[ Resent since this advisory did not appear in the list archive.
Also, this is the real DSA 169-1. ]

Package: htcheck
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no

Ulf Harnhammer discovered a problem in ht://Check's PHP interface.
The PHP interface displays information unchecked which was gathered
from crawled external web servers.  This could lead into a cross site
scripting attack if somebody has control over the server responses of
a remote web server which is crawled by ht://Check.

This problem has been fixed in version 1.1-1.1 for the current stable
distribution (woody) and in version 1.1-1.2 for the unstable release
(sid).  The old stable release (potato) does not contain the htcheck
package.

We recommend that you upgrade your htcheck package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


[SECURITY] [DSA 171-1] New fetchmail packages fix buffer overflows

2002-10-08 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 171-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 7th, 2002   http://www.debian.org/security/faq
- --

[ Resent since this advisory did not appear in the list archive. ]

Package: fetchmail, fetchmail-ssl
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no

Stefan Esser discovered several buffer overflows and a broken boundary
check within fetchmail.  If fetchmail is running in multidrop mode
these flaws can be used by remote attackers to crash it or to execute
arbitrary code under the user id of the user running fetchmail.
Depending on the configuration this even allows a remote root
compromise.

These problems have been fixed in version 5.9.11-6.1 for both
fetchmail and fetchmail-ssl for the current stable distribution
(woody), in version 5.3.3-4.2 for fetchmail for the old stable
distribution (potato) and in version 6.1.0-1 for both fetchmail and
fetchmail-ssl for the unstable distribution (sid).  There are no
fetchmail-ssl packages for the old stable distribution (potato) and
thus no updates.

We recommend that you upgrade your fetchmail packages immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



[SECURITY] [DSA 173-1] New bugzilla packages fix privilege escalation

2002-10-09 Thread Martin Schulze


- --
Debian Security Advisory DSA 173-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 9th, 2002   http://www.debian.org/security/faq
- --

Package: bugzilla
Vulnerability  : privilege escalation
Problem-Type   : remote
Debian-specific: no

The developers of Bugzilla, a web-based bug tracking system,
discovered a problem in the handling of more than 47 groups.  When a
new product is added to an installation with 47 groups or more and
usebuggroups is enabled, the new group is assigned a groupset bit
using Perl math that is not exact beyond 2^48.  As a result the new
group is defined with a value that has several bits set instead of a
single bit.  As users are given access to the new group, those users
also gain access to spurious lower group privileges.  In addition,
group bits were not always reused when groups were deleted.
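An added illustration (not Bugzilla's own code) of how a groupset value with several bits set grants spurious group membership, together with a check an administrator could run over a groups table. It assumes that the inexact Perl math is Perl's default stringification of large numbers to 15 significant digits; under that assumption the first inexact bit is 2^50, the first power of two needing 16 decimal digits, which is beyond the advisory's 2^48.

```python
"""Model of the groupset bit problem from DSA 173-1 (added example, not
Bugzilla's code).

Assumption (mine, not stated in the advisory): the inexact "Perl math" is
Perl's default number-to-string conversion with 15 significant digits
("%.15g") when the freshly computed bit is interpolated into an SQL
statement; the database then stores the rounded value."""


def perl_stringify(value: float) -> str:
    """Mimic Perl's default numeric stringification (15 significant digits)."""
    return "%.15g" % value


def next_bit_lossy(max_bit: int) -> int:
    """Next groupset bit computed the lossy way: double the largest existing
    bit in floating point, stringify it Perl-style and convert the text back
    to an integer as the database would."""
    doubled = float(max_bit) * 2.0  # exact: every power of two fits a double
    return int(float(perl_stringify(doubled)))  # rounding happens in the text form


def next_bit_exact(existing_bits) -> int:
    """Safe alternative: lowest power of two not in use, in integer arithmetic.
    This also reuses the bit of a deleted group instead of growing forever."""
    used = set(existing_bits)
    bit = 1
    while bit in used:
        bit <<= 1
    return bit


def is_single_bit(value: int) -> bool:
    """A valid groupset bit has exactly one bit set."""
    return value > 0 and value & (value - 1) == 0


def spurious_groups(group_bit: int, groups) -> list:
    """Existing groups whose bit is covered by group_bit.  A user granted a
    multi-bit group implicitly passes the membership test for all of them."""
    return [name for name, bit in groups if bit != group_bit and group_bit & bit]


def audit_groups(groups) -> list:
    """Defender's check over a groups table: report every group whose bit is
    not a single power of two, with the groups it spuriously grants."""
    return [(name, bit, spurious_groups(bit, groups))
            for name, bit in groups if not is_single_bit(bit)]


def build_groups(n_products: int) -> list:
    """Constructed groups table: n_products product groups created one after
    another with next_bit_lossy(), as the affected code path would."""
    groups = []
    for i in range(n_products):
        bit = next_bit_lossy(max(b for _, b in groups)) if groups else 1
        groups.append((f"product-{i:02d}", bit))
    return groups


if __name__ == "__main__":
    for name, bit, spurious in audit_groups(build_groups(51)):
        print(f"{name}: bit 0x{bit:x} has {bin(bit).count('1')} bits set "
              f"and grants {len(spurious)} other groups")
```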

This problem has been fixed in version 2.14.2-0woody2 for the current
stable distribution (woody) and will soon be fixed in the unstable
distribution (sid).  The old stable distribution (potato) doesn't
contain a bugzilla package.

We recommend that you upgrade your bugzilla package.


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 174-1] New heartbeat packages fix buffer overflows

2002-10-14 Thread Martin Schulze


- --
Debian Security Advisory DSA 174-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 14th, 2002  http://www.debian.org/security/faq
- --

Package: heartbeat
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
Upstream URL   : http://linux-ha.org/security/sec01.txt

Nathan Wallwork discovered a buffer overflow in heartbeat, a subsystem
for High-Availability Linux.  A remote attacker could send a specially
crafted TCP packet that overflows a buffer, causing heartbeat to
execute arbitrary code as root.

This problem has been fixed in version 0.4.9.0l-7.2 for the current
stable distribution (woody) and version 0.4.9.2-1 for the unstable
distribution (sid).  The old stable distribution (potato) doesn't
contain a heartbeat package.

We recommend that you upgrade your heartbeat package immediately if
you run internet-connected servers that are heartbeat-monitored.


[SECURITY] [DSA 175-1] New syslog-ng packages fix buffer overflow

2002-10-15 Thread Martin Schulze


- --
Debian Security Advisory DSA 175-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 15th, 2002  http://www.debian.org/security/faq
- --

Package: syslog-ng
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no

Péter Höltzl discovered a problem in the way syslog-ng handles macro
expansion.  When a macro is expanded, a static-length buffer is used
together with a counter.  However, when constant characters are
appended, the counter is not updated properly, leading to incorrect
boundary checking.  An attacker may be able to overflow the buffer
with specially crafted log messages inserted via UDP.
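An added model (not syslog-ng's code) of the accounting error described above: the buggy expander appends constant characters without touching the fill counter, so the bounds check for the next macro trusts a counter that is too small by exactly the number of unaccounted characters, while the fixed expander routes every write through the same checked append. The template syntax, macro names and log message are constructed for the example.

```python
"""Model of the macro-expansion counter bug from DSA 175-1 (added example,
not syslog-ng's code): a fixed-size output buffer whose bounds check relies
on a fill counter that the buggy code does not maintain for constants."""

import re

# Constructed template syntax: "$NAME" is a macro, anything else is constant.
TOKEN = re.compile(r"\$(\w+)|([^$]+)")


def tokenize(template: str) -> list:
    """Split a template into ('macro', name) and ('const', text) tokens."""
    return [("macro", name) if name else ("const", const)
            for name, const in TOKEN.findall(template)]


class MacroBuffer:
    """Fixed-capacity buffer that records both what was really written and
    what the expansion code believes it has written."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.data = bytearray()  # bytes actually written
        self.count = 0           # bytes the code has accounted for

    def append(self, chunk: bytes) -> None:
        """Bounds-checked append: truncates to the room the counter reports."""
        room = max(self.capacity - self.count, 0)
        chunk = chunk[:room]
        self.data += chunk
        self.count += len(chunk)

    def overrun(self) -> int:
        """Bytes written past the buffer's capacity (0 when within bounds)."""
        return max(len(self.data) - self.capacity, 0)


def expand_buggy(template: str, macros: dict, capacity: int) -> MacroBuffer:
    """Macro values go through the checked append, constant characters do
    not: they are written but never counted, so later checks are wrong."""
    buf = MacroBuffer(capacity)
    for kind, text in tokenize(template):
        if kind == "macro":
            buf.append(macros.get(text, b""))
        else:
            buf.data += text.encode()  # BUG: written without updating buf.count
    return buf


def expand_fixed(template: str, macros: dict, capacity: int) -> MacroBuffer:
    """Every write, macro or constant, goes through the same checked append,
    so the counter always equals the number of bytes in the buffer."""
    buf = MacroBuffer(capacity)
    for kind, text in tokenize(template):
        buf.append(macros.get(text, b"") if kind == "macro" else text.encode())
    return buf


# Constructed input: a log-line template and an over-long message as it
# might arrive in a UDP syslog datagram.
CONSTRUCTED_TEMPLATE = "<$HOST> $MSG"
CONSTRUCTED_MACROS = {"HOST": b"host", "MSG": b"A" * 40}

if __name__ == "__main__":
    for expand in (expand_buggy, expand_fixed):
        buf = expand(CONSTRUCTED_TEMPLATE, CONSTRUCTED_MACROS, 16)
        print(f"{expand.__name__}: counted {buf.count}, "
              f"written {len(buf.data)}, overrun {buf.overrun()}")
```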

This problem has been fixed in version 1.5.15-1.1 for the current
stable distribution (woody), in version 1.4.0rc3-3.2 for the old
stable distribution (potato) and version 1.5.21-1 for the unstable
distribution (sid).

We recommend that you upgrade your syslog-ng package immediately.


[SECURITY] [DSA 176-1] New gv packages fix buffer overflow

2002-10-16 Thread Martin Schulze


- --
Debian Security Advisory DSA 176-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 16th, 2002  http://www.debian.org/security/faq
- --

Package: gv
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0838
BugTraq ID : 5808

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11.  This problem is triggered by scanning the PostScript
file and can be exploited by an attacker sending a malformed
PostScript or PDF file.  The attacker is able to cause arbitrary code
to be run with the privileges of the victim.

This problem has been fixed in version 3.5.8-26.1 for the current
stable distribution (woody), in version 3.5.8-17.1 for the old stable
distribution (potato) and version 3.5.8-27 for the unstable
distribution (sid).

We recommend that you upgrade your gv package.


[SECURITY] [DSA 179-1] New gnome-gv packages fix buffer overflow

2002-10-18 Thread Martin Schulze

- --
Debian Security Advisory DSA 179-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 18th, 2002  http://www.debian.org/security/faq
- --

Package: gnome-gv
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0838
BugTraq ID : 5808

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11.  The same code is present in gnome-gv.  This problem
is triggered by scanning the PostScript file and can be exploited by
an attacker sending a malformed PostScript or PDF file.  The attacker
is able to cause arbitrary code to be run with the privileges of the
victim.

This problem has been fixed in version 1.1.96-3.1 for the current
stable distribution (woody), in version 0.82-2.1 for the old stable
distribution (potato) and version 1.99.7-9 for the unstable
distribution (sid).

We recommend that you upgrade your gnome-gv package.


[SECURITY] [DSA 180-1] New NIS packages fix information leak

2002-10-21 Thread Martin Schulze

- --
Debian Security Advisory DSA 180-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 21st, 2002  http://www.debian.org/security/faq
- --

Package: nis
Vulnerability  : information leak
Problem-Type   : remote
Debian-specific: no

Thorsten Kukuck discovered a problem in the ypserv program, which is
part of the Network Information Services (NIS).  A memory leak in all
versions of ypserv prior to 2.5 is remotely exploitable.  When a
malicious user requests a non-existing map, the server leaks parts of
an old domainname and mapname.

This problem has been fixed in version 3.9-6.1 for the current stable
distribution (woody), in version 3.8-2.1 for the old stable
distribution (potato) and in version 3.9-6.2 for the unstable
distribution (sid).

We recommend that you upgrade your nis package.


[SECURITY] [DSA 181-1] New mod_ssl packages fix cross site scripting

2002-10-22 Thread Martin Schulze

- --
Debian Security Advisory DSA 181-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 22nd, 2002  http://www.debian.org/security/faq
- --

Package: libapache-mod-ssl
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1157

Joe Orton discovered a cross site scripting problem in mod_ssl, an
Apache module that adds strong cryptography (i.e. HTTPS support) to
the webserver.  The module will return the server name unescaped in
the response to an HTTP request on an SSL port.

Like the other recent Apache XSS bugs, this only affects servers using
a combination of UseCanonicalName off (default in the Debian package
of Apache) and wildcard DNS.  This is very unlikely to happen, though.
Apache 2.0/mod_ssl is not vulnerable since it already escapes this
HTML.

With this setting turned on, whenever Apache needs to construct a
self-referencing URL (a URL that refers back to the server the
response is coming from) it will use ServerName and Port to form a
canonical name.  With this setting off, Apache will use the
hostname:port that the client supplied, when possible.  This also
affects SERVER_NAME and SERVER_PORT in CGI scripts.

This problem has been fixed in version 2.8.9-2.1 for the current
stable distribution (woody), in version 2.4.10-1.3.9-1potato4 for the
old stable distribution (potato) and version 2.8.9-2.3 for the
unstable distribution (sid).

We recommend that you upgrade your libapache-mod-ssl package.


[SECURITY] [DSA 178-1] New Heimdal packages fix remote command execution

2002-10-17 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 178-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 17th, 2002  http://www.debian.org/security/faq
- --

Package: heimdal
Vulnerability  : remote command execution
Problem-Type   : remote
Debian-specific: no

The SuSE Security Team has reviewed critical parts of the Heimdal
package such as the kadmind and kdc server.  While doing so, several
potential buffer overflows and other bugs have been uncovered and
fixed.  Remote attackers can probably gain remote root access on
systems without fixes.  Since these services usually run on
authentication servers, these bugs are considered very serious.

These problems have been fixed in version 0.4e-7.woody.4 for the
current stable distribution (woody), in version 0.2l-7.4 for the old
stable distribution (potato) and version 0.4e-21 for the unstable
distribution (sid).

We recommend that you upgrade your Heimdal packages immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.4.dsc
  Size/MD5 checksum:  763 64980797cebf036434aad00ed354ff7e
http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.4.diff.gz
  Size/MD5 checksum:16592 9552d2fa882ccd56144229b3c33c3f69
http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l.orig.tar.gz
  Size/MD5 checksum:  2114221 89397c0a42701d0a554e040e4408f03f

  Architecture independent components:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-docs_0.2l-7.4_all.deb
  Size/MD5 checksum:61646 adb0de1995199d6be05823855cc7bcc9

  Alpha architecture:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_alpha.deb
  Size/MD5 checksum:94434 fef452993d7e126d3320a8e4b4f949d9

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_alpha.deb
  Size/MD5 checksum:   208118 72b0630e76160101bd63df0ee39f8847

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_alpha.deb
  Size/MD5 checksum:66268 30d873f99599887325903c1f24d9b6e6

  ARM architecture:

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_arm.deb
  Size/MD5 checksum:86264 8b29c1128e966b0f4ef08f6290a95886

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_arm.deb
  Size/MD5 checksum:   173084 44619f3aeef1170e9183ceb05ec16a1d

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_arm.deb
  Size/MD5 checksum:61626 c0eaa6d3ccd65a00b9bea494d82aaa2f

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_i386.deb
  Size/MD5 checksum:86940 6d6c03223d9c37acd4ebcbad72a95fa3

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_i386.deb
  Size/MD5 checksum:   171072 db95cb63bfa435c08c1964546c6140fd

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_i386.deb
  Size/MD5 checksum:61838 5053e97991ddd840179d2606e34c1eac

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_m68k.deb
  Size/MD5 checksum:85368 bc1713114e7b89b1367a5a29399fda35

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_m68k.deb
  Size/MD5 checksum:   165394 a1d3deff214b654de2bfd1444e56d292

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_m68k.deb
  Size/MD5 checksum:61552 785efc01f18d2ed44b15979bcab8e804

  PowerPC architecture:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_powerpc.deb
  Size/MD5 checksum:86764 d878b05cd78ec48106e8a7311d0f3e7a

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_powerpc.deb
  Size/MD5 checksum:   174678 cd78e19292a2b99425c7ca7b143129c8

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_powerpc.deb
  Size/MD5 checksum:62276 a8e01389ab1189a9822f0bcede2ab918

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/h

[SECURITY] [DSA 177-1] New PAM packages fix serious security violation in Debian/unstable

2002-10-17 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 177-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 17th, 2002  http://www.debian.org/security/faq
- --

Package: pam
Vulnerability  : serious security violation
Problem-Type   : remote 
Debian-specific: no
Distributions  : unstable only

Paul Aurich and Samuele Giovanni Tonon discovered a serious security
violation in PAM.  Disabled passwords (i.e. those with '*' in the
password file) were classified as empty passwords, and access to such
accounts was granted through the regular login procedure (getty,
telnet, ssh).  This works for all such accounts whose shell field in
the password file does not refer to /bin/false.  Only version 0.76 of
PAM seems to be affected by this problem.

This problem has been fixed in version 0.76-6 for the current unstable
distribution (sid).  The stable distribution (woody), the old stable
distribution (potato) and the testing distribution (sarge) are not
affected by this problem.

As stated in the Debian security team FAQ (see URL in header), testing
and unstable are rapidly moving targets and the security team does not
have the resources needed to properly support those.  This security
advisory is an exception to that rule, due to the seriousness of the
problem.

We recommend that you upgrade your PAM packages immediately if you are
running Debian/unstable.
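Besides upgrading, an administrator of an affected sid host will want to know which accounts the bug actually exposed. The following is an added example, not code from the advisory or from PAM, that applies the advisory's own two criteria: the password field is the '*' marker, and the shell field is anything other than /bin/false. The /etc/passwd and /etc/shadow lines are constructed for the demonstration (the hashes are dummy strings); it reads the shadow entry when passwd carries "x", since that is the field a login actually evaluates. Other locking conventions and other non-login shells are not mentioned in the advisory, so this check deliberately sticks to its wording.

```python
# Constructed /etc/passwd-style lines (name:password:uid:gid:gecos:home:shell).
# "x" means the real password field lives in the shadow file.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:*:1001:1001:Backup service:/var/backups:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
locked_admin:x:1002:1002:Former admin:/home/locked_admin:/bin/bash
guest:x:1003:1003:Guest:/home/guest:/bin/bash
"""

# Constructed /etc/shadow-style lines (name:password:lastchg:min:max:warn:...).
# The hashes are dummy strings, not real crypt(3) output.
SHADOW_SAMPLE = """\
root:$1$dummy$notarealhash0000000000:12000:0:99999:7:::
alice:$1$dummy$notarealhash0000000001:12000:0:99999:7:::
locked_admin:*:12000:0:99999:7:::
guest::12000:0:99999:7:::
"""

DISABLED_MARKER = "*"        # the marker named in the advisory
SAFE_SHELL = "/bin/false"    # the only shell the advisory says blocks the login


def parse_colon_file(text):
    """name -> list of fields, skipping blank and comment lines."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def effective_password(name, passwd_fields, shadow):
    """The password field a login evaluates: the shadow entry when passwd says 'x'."""
    pw = passwd_fields[1]
    if pw == "x" and name in shadow:
        return shadow[name][1]
    return pw


def audit(passwd_text, shadow_text):
    """List accounts the advisory's bug would expose, plus genuinely empty passwords."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    report = {"disabled_but_reachable": [], "empty_password": []}
    for name, fields in passwd.items():
        pw = effective_password(name, fields, shadow)
        shell = fields[6] if len(fields) > 6 else ""
        if pw == DISABLED_MARKER and shell != SAFE_SHELL:
            # '*' is treated as an empty password by PAM 0.76, and the shell
            # does not stop the login: this is the case the advisory describes.
            report["disabled_but_reachable"].append(name)
        elif pw == "":
            # Truly empty password: reachable regardless of the PAM bug.
            report["empty_password"].append(name)
    return report


if __name__ == "__main__":
    for category, names in audit(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

On the constructed input, svc_backup and locked_admin are reported as exposed, daemon is not (its shell is /bin/false), and guest is reported separately because its password is genuinely empty. On a real host, run `audit` over the contents of /etc/passwd and /etc/shadow (the latter needs root) and review every name in the first list for unexpected logins in the auth log.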

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages


Debian GNU/Linux unstable alias sid
- ---

  Source archives:

http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc
  Size/MD5 checksum:  732 c7661ad0dcbc7df4ca967e58e93edd2e
http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz
  Size/MD5 checksum:87185 39d8f45620b6750b34ad9128814328e7
http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
  Size/MD5 checksum:   424671 22dd4019934cbd71bc67f13a5c2e10ec

  Architecture independent components:

http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb
  Size/MD5 checksum:   651724 b3fc72ee81ac4e4413c696ec42fa4ef3
http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
  Size/MD5 checksum:51922 28398b55b183e122984c4bf1a64183a9

  Alpha architecture:

http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb
  Size/MD5 checksum:53808 462dcd1a02dd799b761a05687cf08699
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb
  Size/MD5 checksum:   179588 e2719b40c82af6891471c7182d8008f7
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb
  Size/MD5 checksum:74146 727185b2d9c55a084105e2e4c43afcd0
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
  Size/MD5 checksum:   116148 970c63cf78a3b7311e122069225caa06

  ARM architecture:

http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb
  Size/MD5 checksum:52268 c8f6709b9b92cac992168bfa957762cd
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb
  Size/MD5 checksum:   153494 12a21eb18e0cb8fb3043c23a78b410a8
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb
  Size/MD5 checksum:67952 bf8953d4d7227a5f8c837921da2745c4
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
  Size/MD5 checksum:   110738 10ecfcb5e44bb5af98deb4f5b27c16cb

  Intel IA-32 architecture:

http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb
  Size/MD5 checksum:52116 f91a3a10c47a08aae349bd16d161a644
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb
  Size/MD5 checksum:   146290 88216fe253c9e5042e8a6902bc807153
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb
  Size/MD5 checksum:67504 a02c56dfa8949cf9abc071fc3b75ade1
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
  Size/MD5 checksum:   107490 366d7a40aecdc674920c76f8c71684b3

  Intel IA-64 architecture:

http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb
  Size/MD5 checksum:56320 a52fc9867c6af83788e5d999fb3c5289
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb
  Size/MD5 checksum:   204086 1b85b7156e03bef224c783e45c4f8f36
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb

[SECURITY] [DSA 182-1] New kghostview packages fix buffer overflow

2002-10-28 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 182-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 28th, 2002  http://www.debian.org/security/faq
- --

Package: kdegraphics
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0838
BugTraq ID : 5808

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11.  The same code is present in kghostview which is part
of the KDE-Graphics package.  This problem is triggered by scanning
the PostScript file and can be exploited by an attacker sending a
malformed PostScript or PDF file.  The attacker is able to cause
arbitrary code to be run with the privileges of the victim.

This problem has been fixed in version 2.2.2-6.8 for the current
stable distribution (woody) and in version 2.2.2-6.9 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since no KDE is included.

We recommend that you upgrade your kghostview package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_2.2.2-6.8.dsc
  Size/MD5 checksum:  978 92a3fa3751c538608857c57a713a9487

http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_2.2.2-6.8.diff.gz
  Size/MD5 checksum:59276 fe7f3a7ed39f52457efca69226bccc33

http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_2.2.2.orig.tar.gz
  Size/MD5 checksum:  1640320 4dc8538c4c8dd8b13ef4f8e62446d777

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_alpha.deb
  Size/MD5 checksum:   165978 fba04ef31acd55249d3df119b6712444

  ARM architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_arm.deb
  Size/MD5 checksum:   146588 b76885389c6d29dbd11db488385b395f

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_i386.deb
  Size/MD5 checksum:   146264 e574c2d69f9392ce94a9a03d1297a218

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_ia64.deb
  Size/MD5 checksum:   197724 9a35cfc75c5672a0ddba1c17a9d9d62e

  HP Precision architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_hppa.deb
  Size/MD5 checksum:   171188 0c683f2d0f8f667c93ded25dde41332f

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_m68k.deb
  Size/MD5 checksum:   142828 68fa4e43a0af7a2d024c55da219b99ad

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_mips.deb
  Size/MD5 checksum:   138378 842a9be4b081394452ec550cc564d0b7

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_mipsel.deb
  Size/MD5 checksum:   136866 d884fae95437379052339da29ccc5afd

  PowerPC architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_powerpc.deb
  Size/MD5 checksum:   146622 fbf4c9b3164b0a0f3329df556ec722be

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_s390.deb
  Size/MD5 checksum:   146122 eea9e2c0f0bb23303ee0e29e95a6e3e4

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.8_sparc.deb
  Size/MD5 checksum:   148240 62902f062d14a4c6a6794d1368be49d4


  Please note that the source packages mentioned above produce more
  binary packages than the ones listed above.  They are not relevant
  for the fixed problems, though.

  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version

[SECURITY] [DSA 183-1] New krb5 packages fix buffer overflow

2002-10-29 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 183-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 29th, 2002  http://www.debian.org/security/faq
- --

Package: krb5
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CERT advisory  : CA-2002-29 VU#875073

Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow
in the kadm_ser_wrap_in function in the Kerberos v4 administration
server.  Working exploit code for this kadmind bug is circulating,
hence it is considered serious.  The MIT krb5 implementation
includes support for version 4, including a complete v4 library,
server side support for krb4, and limited client support for v4.

This problem has been fixed in version 1.2.4-5woody3 for the current
stable distribution (woody) and in version 1.2.6-2 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since no krb5 packages are included.

We recommend that you upgrade your krb5 packages immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1-0woody1.dsc
  Size/MD5 checksum:  715 d96f63ec5433fe5e34541322f2ec4e6f

http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1-0woody1.diff.gz
  Size/MD5 checksum:   117016 050172c17604c6075d5141adf62721bb

http://security.debian.org/pool/updates/main/o/openssh-krb5/openssh-krb5_3.4p1.orig.tar.gz
  Size/MD5 checksum:   837668 459c1d0262e939d6432f193c7a4ba8a8

  Architecture independent components:

http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody3_all.deb
  Size/MD5 checksum:   512122 3251d449218f3bf0b0213673af896e0b

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:   252934 b4e771884fd06110bc2a92b9af35

http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:   216676 25c692258e31681e0bea2b4aff46588d

http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:62164 8cb0b15538fdfe85b1b3aa05110d14c5

http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:   250954 c07d58d0cc664479a0f41603f4c4ea7b

http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:75580 f0909c659c54059bd9169c74886c27e1

http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:58214 75ff1f4a8c4b6a155de6cd9535ed0854

http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:   206710 bc6837a7c4cf4ca75d6aa8e70189a255

http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:82866 579ee1397e94b0c05d272b1045f0bb33

http://security.debian.org/pool/updates/main/h/heimdal/libkrb5-17-heimdal_0.4e-7.woody.4_alpha.deb
  Size/MD5 checksum:   132206 3bec799a9eb5b0f2ce44307e9c0ebb39

http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:   631462 c9a5e04dcbfbd04eeb3fb65f9f0fab4c

http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody3_alpha.deb
  Size/MD5 checksum:   365948 6ea077bed9d0422f4b3c4908dd6847bb

http://security.debian.org/pool/updates/main/o/openssh-krb5/ssh-krb5_3.4p1-0woody1_alpha.deb
  Size/MD5 checksum:   888284 316905140f35ee70aeb8c0c5bee4dce2

  ARM architecture:


http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody3_arm.deb
  Size/MD5 checksum:   196420 3613e4289af8f188aff2aebd20acfba3

http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody3_arm.deb
  Size/MD5 checksum:   159746 1acfa778a0248074a4c6c417b8578e71
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody3_arm.deb
  Size/MD5 checksum:47950 731025e3b666295aa9e16937ee0dd6da
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4

[SECURITY] [DSA 184-1] New krb4 packages fix buffer overflow

2002-10-30 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 184-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 30th, 2002  http://www.debian.org/security/faq
- --

Package: krb4
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CERT advisory  : CA-2002-29 VU#875073

Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow
in the kadm_ser_wrap_in function in the Kerberos v4 administration
server.  Working exploit code for this kadmind bug is circulating,
hence it is considered serious.

This problem has been fixed in version 1.1-8-2.2 for the current
stable distribution (woody), in version 1.0-2.2 for the old stable
distribution (potato) and in version 1.1-11-8 for the unstable
distribution (sid).

We recommend that you upgrade your krb4 packages immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/k/krb4/krb4_1.0-2.2.dsc
  Size/MD5 checksum:  810 603ae125455b1ddb609e3c6ca094bb03
http://security.debian.org/pool/updates/main/k/krb4/krb4_1.0-2.2.diff.gz
  Size/MD5 checksum:13872 d2a852e791a81fb04924ae78a7dd1072
http://security.debian.org/pool/updates/main/k/krb4/krb4_1.0.orig.tar.gz
  Size/MD5 checksum:  1383337 847d13e410778af000d9a42d3ad52d04

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_alpha.deb
  Size/MD5 checksum:   214422 40dbbc867b0c1dd2f75246f910408e7e

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_alpha.deb
  Size/MD5 checksum:   171488 2bbea4225ea5c1da1f73003cef4aa521

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_alpha.deb
  Size/MD5 checksum:73862 597fd8b9d751c0cd9ccb6ed976cf9552

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_alpha.deb
  Size/MD5 checksum:   212946 86b36dac7bf52ddd056def1908bc4a3f

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.0-2.2_alpha.deb
  Size/MD5 checksum:   117776 fa937bcb2c48a0be22d79bf6eb74b6ef

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.0-2.2_alpha.deb
  Size/MD5 checksum:69812 0a1b63b714fd3e962dfe60186de5d0d6
http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.0-2.2_alpha.deb
  Size/MD5 checksum:   235080 1737c89f0c9b3db1660aa2733f219141

  ARM architecture:


http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_arm.deb
  Size/MD5 checksum:   166768 afb6035551df81b2cc3a7cf44871704a

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_arm.deb
  Size/MD5 checksum:   135256 021e9fc9bf3826657b82e641ac560d9e

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_arm.deb
  Size/MD5 checksum:58974 cfc595302880e2037a7290ad389db4b5

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_arm.deb
  Size/MD5 checksum:   163204 38e6cbf9dbdcc70ad1b717538ed23608

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.0-2.2_arm.deb
  Size/MD5 checksum:   104468 852edb096d5565718a557c40e5e94cd5

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.0-2.2_arm.deb
  Size/MD5 checksum:55218 7b5cd2afa26faf657516232fe98dbe45
http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.0-2.2_arm.deb
  Size/MD5 checksum:   212316 4de37802fc7dfe314864d2bbf670b4ab

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_i386.deb
  Size/MD5 checksum:   159672 97ecbfdc6e8244f2bf6e2a83829def29

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_i386.deb
  Size/MD5 checksum:   126022 b71a64833cba04b729ae61d767523715

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_i386.deb
  Size/MD5 checksum:59414 a573f174689381d3043e5137dec68d43

http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_i386.deb
  Size/MD5 checksum:   159176 44fd474735dfd8fbc26cccdf1f488e2a

http://security.debian.org/pool/updates

[SECURITY] [DSA 185-1] New heimdal packages fix buffer overflows

2002-10-31 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 185-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 31st, 2002  http://www.debian.org/security/faq
- --

Package: heimdal
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CERT advisory  : CA-2002-29 VU#875073

A stack buffer overflow in the kadm_ser_wrap_in function in the
Kerberos v4 administration server was discovered, which is provided by
Heimdal as well.  A working exploit for this kadmind bug is already
circulating, hence it is considered serious.  The roken library also
contains a vulnerability which could lead to another root exploit.

These problems have been fixed in version 0.4e-7.woody.5 for the
current stable distribution (woody), in version 0.2l-7.6 for the old
stable distribution (potato) and in version 0.4e-22 for the unstable
distribution (sid).

We recommend that you upgrade your heimdal packages immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.6.dsc
  Size/MD5 checksum:  763 b605a93627f77e98fa3ccba83a1b39c1
http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.6.diff.gz
  Size/MD5 checksum:17287 c012e6006ca16a9742c5affe5a9e0bde
http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l.orig.tar.gz
  Size/MD5 checksum:  2114221 89397c0a42701d0a554e040e4408f03f

  Architecture independent components:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-docs_0.2l-7.6_all.deb
  Size/MD5 checksum:61812 8800ca27900faa13d5491ab85b8ca743

  Alpha architecture:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients_0.2l-7.6_alpha.deb
  Size/MD5 checksum:   277964 6bd13f32a5f263c83a7373e89c3d573b

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients-x_0.2l-7.6_alpha.deb
  Size/MD5 checksum:84260 969ebb36a3f24af98cdc305261c10066

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-dev_0.2l-7.6_alpha.deb
  Size/MD5 checksum:   518870 18b6e7c24b75877933be9b12b7100d39

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.6_alpha.deb
  Size/MD5 checksum:94614 cc4c4ff342ffa3e020298022fed7dc8f

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-lib_0.2l-7.6_alpha.deb
  Size/MD5 checksum:   360102 8b77081d542547f1206fe364f3c7b9bc

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.6_alpha.deb
  Size/MD5 checksum:   208300 ec8f8d8e970150d1a4c540a0725f3905

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.6_alpha.deb
  Size/MD5 checksum:66448 e8d7e2c6d164de0f0ccca5996264795c

  ARM architecture:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients_0.2l-7.6_arm.deb
  Size/MD5 checksum:   228942 857cb2a2c42240f11474c5fd93693472

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients-x_0.2l-7.6_arm.deb
  Size/MD5 checksum:76640 7e625941e44dfa5c41157bbad27e4270
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-dev_0.2l-7.6_arm.deb
  Size/MD5 checksum:   407596 1b7babd0202ba7a5ba2ee0ae696b3b79
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.6_arm.deb
  Size/MD5 checksum:86440 baf263e4ce5e16d30848745677cf5f87
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-lib_0.2l-7.6_arm.deb
  Size/MD5 checksum:   291356 4ebc6b0d29ead47631294793b56d32d0

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.6_arm.deb
  Size/MD5 checksum:   173268 6c190796bf4b9bde4ba5ec7900ada70d

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.6_arm.deb
  Size/MD5 checksum:61802 d0ab755d80cb383dfcd7e3523af33000

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients_0.2l-7.6_i386.deb
  Size/MD5 checksum:   222136 eaaadfeb3cf1f1e6fbd33e1854d78332

http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients-x_0.2l-7.6_i386.deb
  Size/MD5 checksum:75178 cdf233c8471f89c0d886095cf8d06044

http

[SECURITY] [DSA 186-1] New log2mail packages fix several vulnerabilities

2002-11-01 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 186-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 1st, 2002  http://www.debian.org/security/faq
- --

Package: log2mail
Vulnerability  : buffer overflow
Problem-Type   : remote, local
Debian-specific: no

Enrico Zini discovered a buffer overflow in log2mail, a daemon for
watching logfiles and sending lines with matching patterns via mail.
The log2mail daemon is started upon system boot and runs as root.  A
specially crafted (remote) log message could overflow a static buffer,
potentially causing log2mail to execute arbitrary code as root.

This problem has been fixed in version 0.2.5.1 for the current
stable distribution (woody) and in version  for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since it doesn't contain a log2mail package.

We recommend that you upgrade your log2mail package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 



  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-04 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 187-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 4th, 2002  http://www.debian.org/security/faq
- --

Package: apache
Vulnerability  : several
Problem-Type   : remote, local
Debian-specific: no
CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233
BugTraq ID : 5847 5884 5887

According to David Wagner, iDEFENSE and the Apache HTTP Server
Project, several remotely exploitable vulnerabilities have been found
in the Apache package, a commonly used webserver.  These
vulnerabilities could allow an attacker to enact a denial of service
against a server or execute a cross site scripting attack.  The Common
Vulnerabilities and Exposures (CVE) project identified the following
vulnerabilities:

1. CAN-2002-0839: A vulnerability exists on platforms using System V
   shared memory based scoreboards.  This vulnerability allows an
   attacker who can execute under the Apache UID to exploit the Apache
   shared memory scoreboard format and send a signal to any process as
   root or cause a local denial of service attack.

2. CAN-2002-0840: Apache is susceptible to a cross site scripting
   vulnerability in the default 404 page of any web server hosted on a
   domain that allows wildcard DNS lookups.

3. CAN-2002-0843: There were some possible overflows in the utility
   ApacheBench (ab) which could be exploited by a malicious server.

4. CAN-2002-1233: A race condition in the htpasswd and htdigest
   program enables a malicious local user to read or even modify the
   contents of a password file or easily create and overwrite files as
   the user running the htpasswd (or htdigest respectively) program.

5. CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and
   others allows local users to overwrite arbitrary files via a
   symlink attack.

   This is the same vulnerability as CAN-2002-1233, which was fixed in
   potato already but got lost later and was never applied upstream.

6. NO-CAN: Several buffer overflows have been found in the ApacheBench
   (ab) utility that could be exploited by a remote server returning
   very long strings.

These problems have been fixed in version 1.3.26-0woody3 for the
current stable distribution (woody) and in 1.3.9-14.3 for the old
stable distribution (potato).  Corrected packages for the unstable
distribution (sid) are expected soon.

We recommend that you upgrade your Apache package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -


[SECURITY] [DSA 189-1] New luxman packages fix local root exploit

2002-11-06 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 189-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 6th, 2002  http://www.debian.org/security/faq
- --

Package: luxman
Vulnerability  : local root exploit
Problem-Type   : local
Debian-specific: yes
CVE Id : CAN-2002-1245

iDEFENSE reported a vulnerability in LuxMan, a maze game for GNU/Linux
similar to the PacMan arcade game.  When successfully exploited, it
gives a local attacker read/write access to memory, leading to a local
root compromise in many ways, examples of which include scanning the
file for fragments of the master password file and modifying kernel
memory to re-map system calls.

This problem has been fixed in version 0.41-17.1 for the current stable
distribution (woody) and in version 0.41-19 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since it doesn't contain a luxman package.

We recommend that you upgrade your luxman package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  This package is only available for the IA-32 architecture.



  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 191-1] New squirrelmail packages fix cross site scripting bugs

2002-11-07 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 191-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 7th, 2002  http://www.debian.org/security/faq
- --

Package: squirrelmail
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no
BugTraq ID : 5949
CVE ID : CAN-2002-1131 CAN-2002-1132

Several cross site scripting vulnerabilities have been found in
squirrelmail, a feature-rich webmail package written in PHP4.  The
Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities:

1. CAN-2002-1131: User input is not always sanitized so execution of
   arbitrary code on a client computer is possible.  This can happen
   after following a malicious URL or by viewing a malicious
   addressbook entry.

2. CAN-2002-1132: Another problem could make it possible for an
   attacker to gain sensitive information under some conditions.
   When a malformed argument is appended to a link, an error page
   will be generated which contains the absolute pathname of the
   script.  However, this information is available through the
   Contents file of the distribution anyway.

These problems have been fixed in version 1.2.6-1.1 for the current
stable distribution (woody) and in version 1.2.8-1.1 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since it doesn't contain a squirrelmail package.

We recommend that you upgrade your squirrelmail package.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 



  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 188-1] New Apache-SSL packages fix several vulnerabilities

2002-11-09 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 188-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 5th, 2002  http://www.debian.org/security/faq
- --

Package: apache-ssl
Vulnerability  : several
Problem-Type   : remote, local
Debian-specific: no
CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233
BugTraq ID : 5847 5884 5887

According to David Wagner, iDEFENSE and the Apache HTTP Server
Project, several vulnerabilities have been found in the Apache
package, a commonly used webserver.  Most of the code is shared
between the Apache and Apache-SSL packages, so vulnerabilities are
shared as well.  These vulnerabilities could allow an attacker to
enact a denial of service against a server or execute a cross site
scripting attack, or steal cookies from other web site users.
Vulnerabilities in the included legacy programs htdigest, htpasswd and
ApacheBench can be exploited when called via CGI.  Additionally the
insecure temporary file creation in htdigest and htpasswd can also be
exploited locally.  The Common Vulnerabilities and Exposures (CVE)
project identified the following vulnerabilities:

1. CAN-2002-0839: A vulnerability exists on platforms using System V
   shared memory based scoreboards.  This vulnerability allows an
   attacker who can execute code under the Apache UID to exploit the
   Apache shared memory scoreboard format and send a signal to any
   process as root or cause a local denial of service attack.

2. CAN-2002-0840: Apache is susceptible to a cross site scripting
   vulnerability in the default 404 page of any web server hosted on a
   domain that allows wildcard DNS lookups.

3. CAN-2002-0843: There were some possible overflows in the utility
   ApacheBench (ab) which could be exploited by a malicious server.

4. CAN-2002-1233: A race condition in the htpasswd and htdigest
   program enables a malicious local user to read or even modify the
   contents of a password file or easily create and overwrite files as
   the user running the htpasswd (or htdigest respectively) program.

5. CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and
   others allows local users to overwrite arbitrary files via a
   symlink attack.

   This is the same vulnerability as CAN-2002-1233, which was fixed in
   potato already but got lost later and was never applied upstream.

6. NO-CAN: Several buffer overflows have been found in the ApacheBench
   (ab) utility that could be exploited by a remote server returning
   very long strings.
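Items 4 and 5 above (the same items appear in DSA 187 and DSA 195) describe the temporary-file race in htpasswd and htdigest: a helper that writes through a predictably named temporary file, opened without O_EXCL, can be redirected by a symlink a local user planted in advance.  The following is an added illustration, not Apache's or Debian's code, of how such a helper writes a password file safely; the temporary-name template, the paths and the sample entry are constructed for the demonstration, and the self-check builds a planted-symlink scenario in a scratch directory to confirm the hardened calls refuse it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* mkstemp, mkdtemp, fsync, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new file at a fixed path.  O_EXCL makes open() fail with
 * EEXIST if anything already exists there, including a symlink planted by
 * a local user, whatever it points to; O_NOFOLLOW is a second refusal to
 * follow links.  Without these flags a predictable temporary name lets the
 * write land on the link's target, which is the htpasswd/htdigest bug. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replace a password file atomically: a randomly named temporary in the
 * same directory (mkstemp uses O_CREAT|O_EXCL and mode 0600), fully
 * written and fsync'ed, then rename()d over the target.  Readers never see
 * a partial file and there is no guessable name for an attacker to race.
 * Returns 0 on success, -1 on error with errno set. */
int write_passwd_atomic(const char *target, const char *contents)
{
    static const char tmpl[] = ".htpasswd.XXXXXX";   /* example's own template */
    char tmp[4096];
    const char *slash = strrchr(target, '/');
    size_t dirlen = slash ? (size_t)(slash - target + 1) : 0;
    if (dirlen + sizeof tmpl > sizeof tmp) { errno = ENAMETOOLONG; return -1; }
    memcpy(tmp, target, dirlen);
    memcpy(tmp + dirlen, tmpl, sizeof tmpl);

    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    for (size_t len = strlen(contents), off = 0; off < len; ) {
        ssize_t n = write(fd, contents + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) goto fail;
        off += (size_t)n;
    }
    if (fsync(fd) < 0) goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmp, target) < 0) goto fail;
    return 0;
fail:
    if (fd >= 0) close(fd);
    unlink(tmp);                /* never leave the temporary behind */
    return -1;
}

/* Constructed scenario in a fresh directory: an unrelated file ("victim")
 * and a symlink to it planted at a guessable temporary name.  Checks that
 * the hardened routines refuse the link and leave the victim untouched.
 * Returns 0 when every expectation holds, the failing step otherwise. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/dsa187.XXXXXX", victim[64], planted[64], target[64], buf[32];
    struct stat st;
    ssize_t n;
    int fd, rc = 1;
    if (!mkdtemp(dir))
        return rc;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/htpasswd.tmp", dir);  /* guessable */
    snprintf(target, sizeof target, "%s/.htpasswd", dir);

    rc = 2;                                  /* set the scene */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8 || close(fd) < 0) goto out;
    if (symlink(victim, planted) < 0) goto out;

    rc = 3;                                  /* the planted link must be refused */
    if (create_exclusive(planted) >= 0 || errno != EEXIST) goto out;

    rc = 4;                                  /* atomic write, private mode */
    if (write_passwd_atomic(target, "alice:$apr1$constructedhash\n") < 0) goto out;
    if (stat(target, &st) < 0 || (st.st_mode & 077) != 0) goto out;

    rc = 5;                                  /* the victim is untouched */
    if ((fd = open(victim, O_RDONLY)) < 0) goto out;
    n = read(fd, buf, sizeof buf);
    close(fd);
    if (n != 8 || memcmp(buf, "keep me\n", 8) != 0) goto out;
    rc = 0;
out:
    unlink(target); unlink(planted); unlink(victim); rmdir(dir);
    return rc;
}
```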

These problems have been fixed in version 1.3.26.1+1.48-0woody3 for
the current stable distribution (woody) and in 1.3.9.13-4.2 for the
old stable distribution (potato).  Corrected packages for the unstable
distribution (sid) are expected soon.

We recommend that you upgrade your Apache-SSL package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -


[SECURITY] [DSA 192-1] New html2ps packages fix arbitrary code execution

2002-11-09 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 192-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 8th, 2002  http://www.debian.org/security/faq
- --

Package: html2ps
Vulnerability  : arbitrary code execution
Problem-Type   : local
Debian-specific: no

The SuSE Security Team found a vulnerability in html2ps, an HTML to
PostScript converter, that opened files based on unsanitized input
insecurely.  This problem can be exploited when html2ps is installed
as a filter within lprng and the attacker has previously gained access
to the lp account.

This problem has been fixed in version 1.0b3-1.1 for the current
stable distribution (woody), in version 1.0b1-8.1 for the old stable
distribution (potato) and in version 1.0b3-2 for the unstable
distribution (sid).

We recommend that you upgrade your html2ps package.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 



Debian GNU/Linux 3.0 alias woody
- -



  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 191-2] New squirrelmail packages fix problem in options page

2002-11-11 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 191-2 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 7th, 2002  http://www.debian.org/security/faq
- --

Package: squirrelmail
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no
BugTraq ID : 5949
CVE ID : CAN-2002-1131 CAN-2002-1132

The security update for Squirrelmail (DSA 191-1) unfortunately
introduced a bug in the options page.  This problem is fixed in
version 1.2.6-1.2 for the current stable distribution (woody).  The
unstable distribution (sid) and the old stable distribution (potato)
were not affected by this.  For completeness please find below the
original security advisory:

   Several cross site scripting vulnerabilities have been found in
   squirrelmail, a feature-rich webmail package written in PHP4.  The
   Common Vulnerabilities and Exposures (CVE) project identified the
   following vulnerabilities:

   1. CAN-2002-1131: User input is not always sanitized so execution
      of arbitrary code on a client computer is possible.  This can
      happen after following a malicious URL or by viewing a
      malicious addressbook entry.

   2. CAN-2002-1132: Another problem could make it possible for an
      attacker to gain sensitive information under some conditions.
      When a malformed argument is appended to a link, an error page
      will be generated which contains the absolute pathname of the
      script.  However, this information is available through the
      Contents file of the distribution anyway.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 



  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 193-1] New klisa packages fix buffer overflow

2002-11-11 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 193-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 11th, 2002 http://www.debian.org/security/faq
- --

Package: kdenetwork
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2002-1247

iDEFENSE reports a security vulnerability, discovered by Texonet, in
the klisa package, which provides a LAN information service similar to
Network Neighbourhood.  It is possible for a local attacker to exploit
a buffer overflow condition in resLISa, a restricted version of KLISa.
The vulnerability exists in the parsing of the LOGNAME environment
variable: an overly long value will overwrite the instruction pointer,
thereby allowing an attacker to seize control of the executable.

This problem has been fixed in version 2.2.2-14.2 for the current
stable distribution (woody) and in version 2.2.2-14.3 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since it doesn't contain a kdenetwork package.

We recommend that you upgrade your klisa package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 



  Please note that the source packages mentioned above produce more
  binary packages than the ones listed above.  They are not relevant
  for the fixed problems, though.

  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


[SECURITY] [DSA 194-1] New masqmail packages fix buffer overflows

2002-11-12 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 194-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 12th, 2002 http://www.debian.org/security/faq
- --

Package: masqmail
Vulnerability  : buffer overflows
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2002-1279

A set of buffer overflows has been discovered in masqmail, a mail
transport agent for hosts without a permanent internet connection.  In
addition, privileges were dropped only after reading a user-supplied
configuration file.  Together these could be exploited to gain
unauthorized root access to the machine on which masqmail is
installed.
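The masqmail problem is about ordering as much as about bounds: a setuid program that parses a file the invoking user controls while still running as root turns any overflow in the parser into a root compromise.  The following added example is not masqmail's code; the key names, buffer sizes and sample configuration text are invented.  It shows the two defences together: the program drops privileges before it reads any user-supplied configuration, and the parser rejects oversized lines and values instead of copying them into fixed buffers.

```c
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_LINE 256            /* longest accepted configuration line */
#define MAX_VAL   64            /* longest accepted value */

struct mail_config {            /* invented key set for the example */
    char host_name[MAX_VAL];
    char smtp_server[MAX_VAL];
};

/* Give up root for good: supplementary groups first, then gid, then uid
 * (doing the uid first would lose the right to change the gid).  Finally
 * prove the drop is irreversible.  Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)   /* only root may call this */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (getegid() != gid || geteuid() != uid)
        return -1;
    if (uid != 0 && setuid(0) == 0)                  /* must NOT succeed */
        return -1;
    return 0;
}

/* Copy a value into a fixed buffer only if it fits, NUL included; an
 * oversized value is an error, never a silent truncation or an overrun. */
static int store_value(char *dst, size_t dstlen, const char *val, size_t vallen)
{
    if (vallen >= dstlen)
        return -1;
    memcpy(dst, val, vallen);
    dst[vallen] = '\0';
    return 0;
}

/* Parse newline-separated "key = value" text into cfg.  Unknown keys are
 * ignored.  Returns the number of recognised keys, or -1 as soon as a line
 * or a value exceeds its bound. */
int parse_config_text(const char *text, struct mail_config *cfg)
{
    int accepted = 0;
    memset(cfg, 0, sizeof *cfg);
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t linelen = eol ? (size_t)(eol - text) : strlen(text);
        if (linelen >= MAX_LINE)
            return -1;                                /* overlong line */
        const char *eq = memchr(text, '=', linelen);
        if (eq) {
            size_t klen = (size_t)(eq - text);
            while (klen && text[klen - 1] == ' ') klen--;        /* trim key */
            const char *val = eq + 1;
            size_t vlen = linelen - (size_t)(val - text);
            while (vlen && *val == ' ') { val++; vlen--; }       /* trim value */
            int rc = 1;                                          /* 1: unknown key */
            if (klen == 9 && memcmp(text, "host_name", 9) == 0)
                rc = store_value(cfg->host_name, MAX_VAL, val, vlen);
            else if (klen == 11 && memcmp(text, "smtp_server", 11) == 0)
                rc = store_value(cfg->smtp_server, MAX_VAL, val, vlen);
            if (rc < 0)
                return -1;                            /* oversized value */
            if (rc == 0)
                accepted++;
        }
        if (!eol)
            break;
        text = eol + 1;
    }
    return accepted;
}

/* The safe order for a setuid MTA: drop privileges before touching any
 * file whose name or contents the invoking user controls.  The invoker's
 * real uid/gid serve as the unprivileged identity in this example. */
int load_user_config(const char *text, struct mail_config *cfg)
{
    if (drop_privileges(getuid(), getgid()) < 0)
        return -1;
    return parse_config_text(text, cfg);
}
```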

These problems have been fixed in version 0.1.16-2.1 for the current
stable distribution (woody) and in version 0.2.15-1 for the unstable
distribution (sid).  The old stable distribution (potato) is not
affected since it doesn't contain a masqmail package.

We recommend that you upgrade your masqmail package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 



  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 195-1] New Apache-Perl packages fix several vulnerabilities

2002-11-13 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 195-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 13th, 2002 http://www.debian.org/security/faq
- --

Package: apache-perl
Vulnerability  : several
Problem-Type   : remote, local
Debian-specific: no
CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233
BugTraq ID : 5847 5884 5887

According to David Wagner, iDEFENSE and the Apache HTTP Server
Project, several vulnerabilities have been found in the Apache server
package, a commonly used webserver.  Most of the code is shared
between the Apache and Apache-Perl packages, so vulnerabilities are
shared as well.

These vulnerabilities could allow an attacker to enact a denial of
service against a server or execute a cross site scripting attack, or
steal cookies from other web site users.  The Common Vulnerabilities
and Exposures (CVE) project identified the following vulnerabilities:

1. CAN-2002-0839: A vulnerability exists on platforms using System V
   shared memory based scoreboards.  This vulnerability allows an
   attacker to execute code under the Apache UID to exploit the Apache
   shared memory scoreboard format and send a signal to any process as
   root or cause a local denial of service attack.

2. CAN-2002-0840: Apache is susceptible to a cross site scripting
   vulnerability in the default 404 page of any web server hosted on a
   domain that allows wildcard DNS lookups.

3. CAN-2002-0843: There were some possible overflows in the utility
   ApacheBench (ab) which could be exploited by a malicious server.
   No such binary programs are distributed by the Apache-Perl package,
   though.

4. CAN-2002-1233: A race condition in the htpasswd and htdigest
   program enables a malicious local user to read or even modify the
   contents of a password file or easily create and overwrite files as
   the user running the htpasswd (or htdigest respectively) program.
   No such binary programs are distributed by the Apache-Perl package,
   though.

5. CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and
   others allows local users to overwrite arbitrary files via a
   symlink attack.  No such binary programs are distributed by the
   Apache-Perl package, though.

6. NO-CAN: Several buffer overflows have been found in the ApacheBench
   (ab) utility that could be exploited by a remote server returning
   very long strings.  No such binary programs are distributed by the
   Apache-Perl package, though.

These problems have been fixed in version 1.3.26-1-1.26-0woody2 for
the current stable distribution (woody), in
1.3.9-14.1-1.21.2309-1.1 for the old stable distribution (potato)
and in version 1.3.26-1.1-1.27-3-1 for the unstable distribution
(sid).

We recommend that you upgrade your Apache-Perl package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:


http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.2309-1.1.dsc
  Size/MD5 checksum:  612 8fa1cd6e001b2621a749f4b5c649e970

http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.2309-1.1.tar.gz
  Size/MD5 checksum:  2403933 6d1ced52706288e401f84064cbff823d

  Alpha architecture:


http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.2309-1.1_alpha.deb
  Size/MD5 checksum:  1126584 949eb23cd106f0d1be213a2d1f222e35

  ARM architecture:


http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.2309-1.1_arm.deb
  Size/MD5 checksum:  158 6403c48425e4b62e3e5d232eb0eca5d8

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.2309-1.1_i386.deb
  Size/MD5 checksum:   956320 da48dac81fbc5f66e7f9f350c2eb90bb

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.2309-1.1_m68k.deb
  Size/MD5 checksum:   923340 bdc936f40eb10f523a7f865f3a7bf19e

  PowerPC architecture:


http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.2309-1.1_powerpc.deb
  Size/MD5 checksum:  1005128 a237e415455689fb02143ff8c8b94b50

[SECURITY] [DSA 197-1] New sqwebmail packages fix local information exposure

2002-11-18 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 197-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 15th, 2002 http://www.debian.org/security/faq
- --

Package: courier
Vulnerability  : buffer overflow
Problem-type   : local
Debian-specific: no

A problem in the Courier sqwebmail package, a CGI program to grant
authenticated access to local mailboxes, has been discovered.  The
program did not drop permissions fast enough upon startup under
certain circumstances so a local shell user can execute the sqwebmail
binary and manage to read an arbitrary file on the local filesystem.

This problem has been fixed in version 0.37.3-2.3 for the current
stable distribution (woody) and in version 0.40.0-1 for the unstable
distribution (sid).  The old stable distribution (potato) does not
contain Courier sqwebmail packages.

We recommend that you upgrade your sqwebmail package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/c/courier/courier_0.37.3-2.3.diff.gz
  Size/MD5 checksum:31812 1e442e4981a72331ee5cd14c3a9b38b6
http://security.debian.org/pool/updates/main/c/courier/courier_0.37.3-2.3.dsc
  Size/MD5 checksum:  913 b0f1eca2a415ad9489fcddffc763133c
http://security.debian.org/pool/updates/main/c/courier/courier_0.37.3.orig.tar.gz
  Size/MD5 checksum:  3238013 350cbb2e8b5f384409bdf2a15d605bc9

  Architecture independent components:


http://security.debian.org/pool/updates/main/c/courier/courier-doc_0.37.3-2.3_all.deb
  Size/MD5 checksum:   313318 9ffb97bf4dfb7d8c81cad69a3a8e3fa9

  Alpha architecture:


http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:52090 f0c8be437fab3970abe1f85fd3d031ef

http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:47134 5ab678174a550e0aaba0a66621bc1f4d

http://security.debian.org/pool/updates/main/c/courier/courier-base_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:   146116 d37e896ddceb6a22f9ab07839c58d142

http://security.debian.org/pool/updates/main/c/courier/courier-debug_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:18480 aca373081b7bcc49f543a0f9f22c66a3

http://security.debian.org/pool/updates/main/c/courier/courier-imap_1.4.3-2.3_alpha.deb
  Size/MD5 checksum:   138688 6bbf7789d3d5b922c8804b5e92ef6498

http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.1_alpha.deb
  Size/MD5 checksum: 9770 011e7fa45ec87997bd350d9db9bdd5ae

http://security.debian.org/pool/updates/main/c/courier/courier-ldap_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:61156 2d09044e391d7a093ae3575b98520f29

http://security.debian.org/pool/updates/main/c/courier/courier-maildrop_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:   208022 83c5fe4793107b4844f8553b859c470e

http://security.debian.org/pool/updates/main/c/courier/courier-mlm_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:   134074 280ac1c073b271412c0932e20ec1e045

http://security.debian.org/pool/updates/main/c/courier/courier-mta_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:   667280 35b51e45df915bf437b978613b5932e1

http://security.debian.org/pool/updates/main/c/courier/courier-pcp_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:62176 3776eb4c75541fb0c640a3d29b58f603

http://security.debian.org/pool/updates/main/c/courier/courier-pop_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:40030 ef7e68249a62d103a230f4411174a1de

http://security.debian.org/pool/updates/main/c/courier/courier-webadmin_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:25174 98a826fc4b31ca9d21052a8830475ff0

http://security.debian.org/pool/updates/main/c/courier/sqwebmail_0.37.3-2.3_alpha.deb
  Size/MD5 checksum:   329272 8088db6cdb6dd3e6f48916769329a8a1

  ARM architecture:


http://security.debian.org/pool/updates/main/c/courier/courier-authdaemon_0.37.3-2.3_arm.deb
  Size/MD5 checksum:47026 d99f2b77e05fafaa03c4fd8cc14c2d68

http://security.debian.org/pool/updates/main/c/courier/courier-authmysql_0.37.3-2.3_arm.deb
  Size/MD5 checksum:42244 07a25700c5180e6bc66528a5e1418e34

http

[SECURITY] [DSA 199-1] New mhonarc packages fix cross site scripting

2002-11-19 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 199-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
November 19th, 2002 http://www.debian.org/security/faq
- --

Package: mhonarc
Vulnerability  : cross site scripting
Problem-type   : remote
Debian-specific: no
CVE Id : CAN-2002-1307

Steven Christey discovered a cross site scripting vulnerability in
mhonarc, a mail to HTML converter.  Carefully crafted message headers
can introduce cross site scripting when mhonarc is configured to
display all header lines on the web.  However, it is often useful to
restrict the displayed header lines to To, From and Subject, in which
case the vulnerability cannot be exploited.

This problem has been fixed in version 2.5.2-1.2 for the current
stable distribution (woody), in version 2.4.4-1.2 for the old stable
distribution (potato) and in version 2.5.13-1 for the unstable
distribution (sid).

We recommend that you upgrade your mhonarc package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.2.dsc
  Size/MD5 checksum:  538 437de7328103a84b6916a1baaa61f477
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.2.diff.gz
  Size/MD5 checksum: 6272 90646c64bc07c9c6c5264e2a87fb16f3
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4.orig.tar.gz
  Size/MD5 checksum:   451692 17bfacfc31d185f472695b0fac5d23b9

  Architecture independent components:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.2_all.deb
  Size/MD5 checksum:   453352 8e7f1a40ff78e0bef2d1c9593545baee


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2-1.2.dsc
  Size/MD5 checksum:  560 8f9fed3cf8291da812c8f286c235aecb
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2-1.2.diff.gz
  Size/MD5 checksum: 4737 a2883f16cba2cd5e71bbfc2afa1af67b
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2.orig.tar.gz
  Size/MD5 checksum:   600942 5151b61a4dc2bd18214e9a8d47ec41df

  Architecture independent components:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2-1.2_all.deb
  Size/MD5 checksum:   573016 84fe390991cf60c2ccea131a681a6288


  These files will probably be moved into the stable distribution on
  its next revision.

Survey on the use of Debian GNU/Linux 2.2 alias potato:
http://lists.debian.org/debian-devel-announce-0211/msg1.html

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE92lV7W5ql+IAeqTIRAkybAJ9omOQprcvcbEDHcgmApEvAU/4VeQCfb+Cj
CYPFTDn54GwJmeBHSrRHwVE=
=VnbY
-END PGP SIGNATURE-




[SECURITY] [DSA 201-1] New Free/SWan packages fix denial of service

2002-12-02 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 201-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 2nd, 2002  http://www.debian.org/security/faq
- --

Package: freeswan
Vulnerability  : denial of service
Problem-type   : remote
Debian-specific: no
CERT advisory  : VU#459371

Bindview discovered a problem in several IPSEC implementations that do
not properly handle certain very short packets.  IPSEC is a set of
security extensions to IP which provide authentication and encryption.
Free/SWan in Debian is affected by this and is said to cause a kernel
panic.

This problem has been fixed in version 1.96-1.4 for the current stable
distribution (woody) and in version 1.99-1 for the unstable
distribution (sid).  The old stable distribution (potato) does not
contain Free/SWan packages.

We recommend that you upgrade your freeswan package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4.dsc
  Size/MD5 checksum:  637 1917ba063e4058123034247ddb105bfa
http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4.diff.gz
  Size/MD5 checksum:   322480 ad70a2ecd67bbc1ae7b6eb6fcdb84da8
http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96.orig.tar.gz
  Size/MD5 checksum:  2251757 9ea1a778713e48d39f3c77de5f54752b

  Architecture independent components:


http://security.debian.org/pool/updates/main/f/freeswan/kernel-patch-freeswan_1.96-1.4_all.deb
  Size/MD5 checksum:   889918 30c73e274e84b62125136ec96160d23a

  Alpha architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_alpha.deb
  Size/MD5 checksum:  1761260 2463d0474314aa775126544baea6ec95

  ARM architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_arm.deb
  Size/MD5 checksum:  1700504 f15929f25fb8bb953748edbe188511ba

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_i386.deb
  Size/MD5 checksum:  1678486 878523a3a03254bfa1e6a39052b50e1b

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_ia64.deb
  Size/MD5 checksum:  1861640 8a1a611c76cd023311bae7126dfa5b8a

  HP Precision architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_hppa.deb
  Size/MD5 checksum:  1723252 22df2896c7f4f96a693da436addc6d95

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_m68k.deb
  Size/MD5 checksum:  1660918 a55f47febd01eefd216e0da3b200de76

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_mips.deb
  Size/MD5 checksum:  1718046 e8fc45985fc4c25a2a9b9ab7d6e21e08

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_mipsel.deb
  Size/MD5 checksum:  1721266 c1bd4591da7f720d3fe7b4e134ac9f22

  PowerPC architecture:


http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_powerpc.deb
  Size/MD5 checksum:  1688682 0e1b5ce54d414da362c7eeda097acfa9

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_s390.deb
  Size/MD5 checksum:  1689648 fa2ac3caafbb37cbcde0138ba9b8f6c6

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/f/freeswan/freeswan_1.96-1.4_sparc.deb
  Size/MD5 checksum:  1706714 53ef4472274ffaac7e24455d9ec6c1a1


  These files will probably be moved into the stable distribution on
  its next revision.


Survey on the use of Debian GNU/Linux 2.2 alias potato:
http://lists.debian.org/debian-devel-announce-0211/msg1.html

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE963qkW5ql+IAeqTIRAmVzAKCYZA7rVb2+4/OiNXm3G6yIvBToagCgqD5x

[SECURITY] [DSA 202-1] New IM packages fix insecure temporary file creation

2002-12-03 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 202-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 3rd, 2002  http://www.debian.org/security/faq
- --

Package: im
Vulnerability  : temporary files
Problem-Type   : local
Debian-specific: no

Tatsuya Kinoshita discovered that IM, which contains interface
commands and Perl libraries for E-mail and NetNews, creates temporary
files insecurely.

 1. The impwagent program creates a temporary directory in an insecure
manner in /tmp using predictable directory names without checking
the return code of mkdir, so it's possible to seize a permission
of the temporary directory by local access as another user.

 2. The immknmz program creates a temporary file in an insecure manner
in /tmp using a predictable filename, so an attacker with local
access can easily create and overwrite files as another user.

These problems have been fixed in version 141-18.1 for the current
stable distribution (woody), in version 133-2.2 of the old stable
distribution (potato) and in version 141-20 for the unstable
distribution (sid).

We recommend that you upgrade your IM package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/i/im/im_133-2.2.dsc
  Size/MD5 checksum:  513 da21bcdcce62f783b15750469140595e
http://security.debian.org/pool/updates/main/i/im/im_133-2.2.diff.gz
  Size/MD5 checksum: 6929 0669a546380d3e2d702f1ecd3ef6fd7b
http://security.debian.org/pool/updates/main/i/im/im_133.orig.tar.gz
  Size/MD5 checksum:   205055 df14f9a251a8d47fc045b6303090be47

  Architecture independent components:

http://security.debian.org/pool/updates/main/i/im/im_133-2.2_all.deb
  Size/MD5 checksum:   217576 15a164603f65eb355f97515aaa97340a


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/i/im/im_141-18.1.dsc
  Size/MD5 checksum:  568 86a87c81e159d54359eeac2c3c383ffb
http://security.debian.org/pool/updates/main/i/im/im_141-18.1.diff.gz
  Size/MD5 checksum:14110 2cb6b858ccda19f96b3c5315a48a41c0
http://security.debian.org/pool/updates/main/i/im/im_141.orig.tar.gz
  Size/MD5 checksum:   207576 9ecd2d6009048f1fecbc7b2e0e8cd489

  Architecture independent components:

http://security.debian.org/pool/updates/main/i/im/im_141-18.1_all.deb
  Size/MD5 checksum:   217416 41a6ad3bc0b0591ba180dd5d646387f9


  These files will probably be moved into the stable distribution on
  its next revision.

Survey on the use of Debian GNU/Linux 2.2 alias potato:
http://lists.debian.org/debian-devel-announce-0211/msg1.html

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE97MVnW5ql+IAeqTIRAu8nAJ4oV1rwDaobtsTgltHOue4T1hQT7QCfdHnE
4S9cHhjwN4t77AmXA+vfOIE=
=lArP
-END PGP SIGNATURE-
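The two temporary-directory patterns the advisory above contrasts (a predictable name under /tmp with mkdir's exit status ignored, versus an atomically created private directory), as an added POSIX shell example that is not part of the advisory or of the IM package. The `imwork` prefix and the base-directory argument are assumptions made for the demonstration, not IM's real names:

```shell
#!/bin/sh
# Added example, not code from the advisory or from the IM package: the two
# temporary-directory patterns DSA 202 contrasts, written as POSIX shell so
# the race can be exercised locally. The "imwork" prefix and the base
# directory argument are illustrative assumptions, not IM's real names.

# Vulnerable pattern (what the advisory describes for impwagent): a name any
# local user can predict, and mkdir's exit status thrown away. If another
# user has already created that directory, mkdir fails, nothing notices, and
# the caller goes on to use a directory the attacker owns and can read.
tmpdir_insecure() {
    dir="$1/imwork.$(id -u)"
    mkdir "$dir" 2>/dev/null || :    # exit status deliberately ignored, as in the bug
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d picks an unpredictable name and creates the
# directory atomically with mode 0700, so a pre-planted directory cannot be
# substituted, and a failure is reported instead of being silently used.
tmpdir_secure() {
    dir=$(mktemp -d "$1/imwork.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Returns 0 only if $1 is a directory with mode drwx------ ; this is the
# property the insecure pattern never verifies before using the directory.
is_private_dir() {
    [ -d "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwx------" ]
}

# Re-enacts the attack under BASE: the attacker's move is to create the
# predictable directory first (world-writable here so the theft is visible
# even when everything runs as a single user). Returns 0 when the victim's
# insecure helper hands back that pre-planted, non-private directory.
simulate_predictable_name_race() {
    base=$1
    planted="$base/imwork.$(id -u)"
    mkdir "$planted" && chmod 777 "$planted"
    got=$(tmpdir_insecure "$base")
    [ "$got" = "$planted" ] && ! is_private_dir "$got"
}

# Stand-alone run: show both outcomes side by side in a scratch base directory.
demo_base=$(mktemp -d)
if simulate_predictable_name_race "$demo_base"; then
    echo "insecure helper used the pre-planted directory $demo_base/imwork.$(id -u)"
fi
if demo_secure=$(tmpdir_secure "$demo_base"); then
    echo "secure helper created $demo_secure ($(ls -ld "$demo_secure" | cut -c1-10))"
fi
rm -rf "$demo_base"
```

The second item in the advisory (a predictable file name rather than a directory) is the same defect one level down; the equivalent fix is `mktemp` without `-d`, again checking its exit status.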




[SECURITY] [DSA 203-1] New smb2www packages fix arbitrary command execution

2002-12-04 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 203-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 4th, 2002  http://www.debian.org/security/faq
- --

Package: smb2www
Vulnerability  : arbitrary command execution
Problem-Type   : remote
Debian-specific: no

Robert Luberda found a security problem in smb2www, a Windows Network
client that is accessible through a web browser.  This could allow a
remote attacker to execute arbitrary programs under the user id
www-data on the host where smb2www is running.

This problem has been fixed in version 980804-16.1 for the current
stable distribution (woody), in version 980804-8.1 of the old stable
distribution (potato) and in version 980804-17 for the unstable
distribution (sid).

We recommend that you upgrade your smb2www package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804-8.1.dsc
  Size/MD5 checksum:  531 09d916cdd021897ae9af0d46f11f9bb2
http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804-8.1.diff.gz
  Size/MD5 checksum: 9668 fcb0ddd008866ce9b3eff9c1e05d199b
http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804.orig.tar.gz
  Size/MD5 checksum:67241 9a4fafcac398927a77bf18b669d50cd0

  Architecture independent components:

http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804-8.1_all.deb
  Size/MD5 checksum:72650 72d0d72844007aacdb091f1be5de0120


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804-16.1.dsc
  Size/MD5 checksum:  578 8529415e44fa30ab11a511d6547429e2
http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804-16.1.diff.gz
  Size/MD5 checksum:17076 d40536ef907334686935f8f2cb86bec5
http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804.orig.tar.gz
  Size/MD5 checksum:67241 9a4fafcac398927a77bf18b669d50cd0

  Architecture independent components:

http://security.debian.org/pool/updates/main/s/smb2www/smb2www_980804-16.1_all.deb
  Size/MD5 checksum:79050 6d443251ebe2389c26ac163e739ee80e


  These files will probably be moved into the stable distribution on
  its next revision.

Survey on the use of Debian GNU/Linux 2.2 alias potato:
http://lists.debian.org/debian-devel-announce-0211/msg1.html

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE97hthW5ql+IAeqTIRAtX4AKCoPOaOHC1vcHORT3cgXw3L1IrDvwCfWcPG
ny5EWqmixrRv5Qo+mLK0BTQ=
=0sm2
-END PGP SIGNATURE-
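Every advisory on this page gives the same manual install path, `wget url` followed by `dpkg -i file.deb`, and publishes a Size/MD5 line for each file it lists. The check that belongs between those two steps, as an added shell example that is not Debian's own tooling; the file name, the sample values and the `DPKG` override are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not Debian's tooling: verify a downloaded .deb against the
# "Size/MD5 checksum" line published in the advisory before running dpkg -i.
# The file name, the expected values in the demo and the DPKG override are
# constructed for the demonstration.

# md5_of FILE: hex MD5 digest, using md5sum (GNU) or md5 (BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# expected_from_advisory: read an advisory "Size/MD5 checksum:" line on stdin
# and print "SIZE MD5". Tolerates the collapsed whitespace seen in archived
# copies of the advisories ("checksum:98890 3ef6...").
expected_from_advisory() {
    sed -n 's/.*checksum:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\([0-9a-f]\{32\}\).*/\1 \2/p'
}

# verify_deb FILE SIZE MD5: returns 0 only if both the byte count and the
# digest match what the advisory lists; any mismatch is reported and fails.
verify_deb() {
    file=$1 want_size=$2 want_md5=$3
    [ -f "$file" ] || { echo "verify_deb: $file not found" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5_of "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_deb: size mismatch for $file: have $have_size, advisory lists $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_deb: MD5 mismatch for $file: have $have_md5, advisory lists $want_md5" >&2
        return 1
    fi
}

# install_if_verified FILE SIZE MD5: the advisory's "dpkg -i file.deb" with the
# check in front of it. DPKG can be pointed at a stand-in so the flow can be
# exercised without root; by default it is the real dpkg.
install_if_verified() {
    verify_deb "$1" "$2" "$3" || return 1
    "${DPKG:-dpkg}" -i "$1"
}

# Stand-alone demo on a constructed file: 6 bytes, md5 of "hello\n" is
# b1946ac92492d2347c6235b4d2611184. "true" stands in for dpkg.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/example.deb"
printf '  Size/MD5 checksum:    6 b1946ac92492d2347c6235b4d2611184\n' > "$demo_dir/advisory.txt"
set -- $(expected_from_advisory < "$demo_dir/advisory.txt")
if DPKG=true install_if_verified "$demo_dir/example.deb" "$1" "$2"; then
    echo "example.deb matches the advisory; dpkg would run now"
fi
rm -rf "$demo_dir"
```

The checksum catches a truncated download or a corrupt mirror copy; it is not a defence against a deliberately substituted package, since MD5 is weak against collisions and the values travel in the same e-mail as the URLs. What ties the checksums to Debian is the advisory's PGP signature, so verify that signature with the Debian security team's key before trusting the listed values.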




[SECURITY] [DSA 204-1] New kdelibs packages fix arbitrary program execution

2002-12-05 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 204-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 5th, 2002  http://www.debian.org/security/faq
- --

Package: kdelibs
Vulnerability  : arbitrary program execution
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1281 CAN-2002-1282

The KDE team has discovered a vulnerability in the support for various
network protocols via the KIO.  The implementation of the rlogin and
telnet protocols allows a carefully crafted URL in an HTML page, HTML email or
other KIO-enabled application to execute arbitrary commands on the
system using the victim's account on the vulnerable machine.

This problem has been fixed by disabling rlogin and telnet in version
2.2.2-13.woody.5 for the current stable distribution (woody) and in
version 2.2.2-14.1 for the unstable distribution (sid).  The old
stable distribution (potato) is not affected since it doesn't contain
KDE.

This problem has been fixed by disabling rlogin and telnet in version
2.2.2-13.woody.5 for the current stable distribution (woody).  The old
stable distribution (potato) is not affected since it doesn't contain
KDE.  A correction for the package in the unstable distribution (sid)
is not yet available.

We recommend that you upgrade your kdelibs3 package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.5.dsc
  Size/MD5 checksum: 1353 a1ec9070e7c6001622ababe1e089175e

http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.5.diff.gz
  Size/MD5 checksum:38995 7b63146f3756571ffc7907d8b132e9ca
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz
  Size/MD5 checksum:  6396699 7a9277a2e727821338f751855c2ce5d3

  Architecture independent components:


http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-doc_2.2.2-13.woody.5_all.deb
  Size/MD5 checksum:  2567164 7ed60fb2a8aab2fadaea284b55af4cf2

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:   756862 d3e4c4f454a07dc6b67f4381647ada65

http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:  7532352 5c527c94140518e8104488bd44dcce0b

http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:   137728 ec53f88c8d5d30f8ed2fee79a13600f3

http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:   201564 26f95b365102bf651d8aab5c01cc31e8

http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:  1019242 80fffa496319f117c6c146e74db751ea

http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:  1026754 954df79f21bb017ed37b5d7e750011a8

http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:   197818 a8938d049986d826a55e233e065d5c97

http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:   173658 b7b66df52c21b088f6c73072e09876ed

http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:   176776 6d3df2f1c1b5b95b14b265cb1720f687

http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.5_alpha.deb
  Size/MD5 checksum:36824 fe05cccfe6f741cae8661c16ad602a39

  ARM architecture:


http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.5_arm.deb
  Size/MD5 checksum:   743060 642cd5da473ad4c65a3026a7ab8dd6c2

http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.5_arm.deb
  Size/MD5 checksum:  6588608 e3c0d0dce80d28f1353b94f89aed3e2f

http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.5_arm.deb
  Size/MD5 checksum:   103710 c2157b3663ab88253799dcd42ada2489

http://security.debian.org/pool/updates/main/k/kdelibs

[SECURITY] [DSA 208-1] New Perl packages correct Safe handling

2002-12-12 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 208-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 12th, 2002 http://www.debian.org/security/faq
- --

Package: perl, perl-5.004, perl-5.005
Vulnerability  : broken safe compartment
Problem-type   : local
Debian-specific: no
CVE  Id: CAN-2002-1323

A security hole has been discovered in Safe.pm which is used in all
versions of Perl.  The Safe extension module allows the creation of
compartments in which perl code can be evaluated in a new namespace
and the code evaluated in the compartment cannot refer to variables
outside this namespace.  However, when a Safe compartment has already
been used, there's no guarantee that it is Safe any longer, because
there's a way for code to be executed within the Safe compartment to
alter its operation mask.  Thus, programs that use a Safe compartment
only once aren't affected by this bug.

This problem has been fixed in version 5.6.1-8.2 for the current
stable distribution (woody), in version 5.004.05-6.2 and 5.005.03-7.2
for the old stable distribution (potato) and in version 5.8.0-14 for
the unstable distribution (sid).

We recommend that you upgrade your Perl packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:


http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.dsc
  Size/MD5 checksum:  675 6fd3dd1d3346fed64da5a5af67730586

http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.diff.gz
  Size/MD5 checksum:47924 a5b16d1599b04013a139510563206b24

http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05.orig.tar.gz
  Size/MD5 checksum:  2856190 b92ffc4e7bea3a367af102e8db136864

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.dsc
  Size/MD5 checksum:  694 7531125caf802bad131494e664c53ba2

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.diff.gz
  Size/MD5 checksum:96897 fffd8c16f393c20fbac4eef683cb81b3

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03.orig.tar.gz
  Size/MD5 checksum:  3679040 427890d97e32430341c1fa80f55277a7

  Architecture independent components:


http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-doc_5.004.05-6.2_all.deb
  Size/MD5 checksum:  2296810 f96146c04692fad19a8d6372f86ed69d

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-doc_5.005.03-7.2_all.deb
  Size/MD5 checksum:  2849810 45ab33a3a00906413791b62c1c686aba

  Alpha architecture:


http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_alpha.deb
  Size/MD5 checksum:  1634058 f0765237e1ac6133ce5e731a04f69c40

http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_alpha.deb
  Size/MD5 checksum:   452634 aae1fc314f90b6a1b8007a1e396db5ff

http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_alpha.deb
  Size/MD5 checksum:  1984930 b2669cce93aeb5c6b5839cd75e946bff

http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_alpha.deb
  Size/MD5 checksum:   346460 603729228532b771cd604349fe5699d6


http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_alpha.deb
  Size/MD5 checksum:  1978462 622b3d300bafcadf874a529efac4f4d2

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_alpha.deb
  Size/MD5 checksum:   576628 df9878b0d71f9be6ea9a4f9f2e8a8bae

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_alpha.deb
  Size/MD5 checksum:  2218552 497012e99b26b25e28c3f0de6d6cd879

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_alpha.deb
  Size/MD5 checksum:   373452 5e5c6bb092c749d580b5562263940ffa

http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_alpha.deb
  Size/MD5 checksum:  1436580 8ac1e7a3a3cd9450558425223a711931

  ARM architecture:


http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_arm.deb
  Size/MD5 checksum:  1483602

[SECURITY] [DSA 211-1] New mICQ packages fix denial of service

2002-12-13 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 211-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 13th, 2002 http://www.debian.org/security/faq
- --

Package: micq
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no

Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ.  Receiving certain ICQ message types
that do not contain the required 0xFE separator causes all versions to
crash.

For the current stable distribution (woody) this problem has been
fixed in version 0.4.9-0woody3.

For the old stable distribution (potato) this problem has been fixed
in version 0.4.3-4.1.

For the current unstable distribution (sid) this problem has been
fixed in version 0.4.9.1-1.

We recommend that you upgrade your micq package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1.dsc
  Size/MD5 checksum:  518 f0f0475b6485a2ea29d11f122e48c56f
http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1.diff.gz
  Size/MD5 checksum: 3700 66f4327ddf4f1e5985b79f5a941269ba
http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3.orig.tar.gz
  Size/MD5 checksum:   100430 ddc011d3509d593284bf9336e0a9f829

  Alpha architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1_alpha.deb
  Size/MD5 checksum:   110916 f6d7fae1df9522eac47d8d294c98544e

  ARM architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1_arm.deb
  Size/MD5 checksum:45934 ec658e43960c448350e7790cef2a9551

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1_i386.deb
  Size/MD5 checksum:42682 1ed0c823d4ccc05bc9e2070c15a687be

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1_m68k.deb
  Size/MD5 checksum:38426 5ed0e53eb1076a8e842f9e97f9b12f03

  PowerPC architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1_powerpc.deb
  Size/MD5 checksum:59664 bb34cef3e0160a1d348a411cdf992185

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.3-4.1_sparc.deb
  Size/MD5 checksum:60374 77ff9ef07e621f35bff70a08fb738e6b


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3.dsc
  Size/MD5 checksum:  568 a17ef67f61fa309172c1d4736b43cbb1
http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3.diff.gz
  Size/MD5 checksum: 3474 ca9382767417889409ce844e1b246e32
http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9.orig.tar.gz
  Size/MD5 checksum:   419381 16a71fce3abba8d9f731fe7bd761b4b8

  Alpha architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_alpha.deb
  Size/MD5 checksum:   324512 80015dffaa7e80871568ef89356da8f1

  ARM architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_arm.deb
  Size/MD5 checksum:   295992 e03eba7bcff456cbc59c60b56424363f

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_i386.deb
  Size/MD5 checksum:   289546 017ff4e61aa4a5041b2a5d55de3b1d2d

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_ia64.deb
  Size/MD5 checksum:   342760 53729a3a8c7c3531e88524291b510765

  HP Precision architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_hppa.deb
  Size/MD5 checksum:   306116 769de74fac901a4e0de33b2522c50df6

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_m68k.deb
  Size/MD5 checksum:   281462 6ea6464fd8a0829a803736c6eb00aab1

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_mips.deb
  Size/MD5 checksum:   299342 569fd2cb03a89770f1922645aba043e5

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/m/micq/micq_0.4.9-0woody3_mipsel.deb
  Size

[SECURITY] [DSA 214-1] New kdenetwork packages fix buffer overflows

2002-12-20 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 214-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 20th, 2002 http://www.debian.org/security/faq
- --

Package: kdenetwork
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1306

Olaf Kirch from SuSE Linux AG discovered another vulnerability in the
klisa package, that provides a LAN information service similar to
Network Neighbourhood.  The lisa daemon contains a buffer overflow
vulnerability which potentially enables any local user, as well as any
remote attacker on the LAN who is able to gain control of the LISa
port (7741 by default), to obtain root privileges.  In addition, a
remote attacker potentially may be able to gain access to a victim's
account by using an rlan:// URL in an HTML page or via another KDE
application.

This problem has been fixed in version 2.2.2-14.5 for the current
stable distribution (woody) and in version 2.2.2-14.20 for the
unstable distribution (sid).  The old stable distribution (potato) is
not affected since it doesn't contain a kdenetwork package.

We recommend that you upgrade your klisa package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/k/kdenetwork/kdenetwork_2.2.2-14.5.dsc
  Size/MD5 checksum:  902 5703a3d55141bb8c5303f272ce621645

http://security.debian.org/pool/updates/main/k/kdenetwork/kdenetwork_2.2.2-14.5.diff.gz
  Size/MD5 checksum:27909 1fa64b0c666264437b12217e18cb2370

http://security.debian.org/pool/updates/main/k/kdenetwork/kdenetwork_2.2.2.orig.tar.gz
  Size/MD5 checksum:  3319181 25fbfc5d2592937480c0d3796a2416e0

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/kdenetwork/kdict_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   231724 69da8e109fbba81e2ec39e7564a5e232
http://security.debian.org/pool/updates/main/k/kdenetwork/kit_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   154614 88cb75313d2e8a8ccdadec486e33cad4

http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   189032 3e56c15e999c1be92b29455e5b3840de

http://security.debian.org/pool/updates/main/k/kdenetwork/kmail_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   998994 5bf7adec49121604648e74d3065cf64f

http://security.debian.org/pool/updates/main/k/kdenetwork/knewsticker_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   439600 494fbe08c36be99bf26ad2a31262a41a

http://security.debian.org/pool/updates/main/k/kdenetwork/knode_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:  1287614 7b69275e0c836f0245f692c29a6338a2
http://security.debian.org/pool/updates/main/k/kdenetwork/korn_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:98716 1ad5bc9a04019c2f2872a9393f78933e
http://security.debian.org/pool/updates/main/k/kdenetwork/kppp_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   573114 96b607e8dc6fefde1eb7f4e7077ea9c3

http://security.debian.org/pool/updates/main/k/kdenetwork/ksirc_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   616110 a7273bd31f16694169379c1c302da72b

http://security.debian.org/pool/updates/main/k/kdenetwork/ktalkd_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   135306 b314518232ac453a96a747422b7ed096

http://security.debian.org/pool/updates/main/k/kdenetwork/libkdenetwork1_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   157034 8419f7685053466df9d82fe5520111ff

http://security.debian.org/pool/updates/main/k/kdenetwork/libmimelib-dev_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:61828 c965e0f71b2ac37230d7eabdc5ad335f

http://security.debian.org/pool/updates/main/k/kdenetwork/libmimelib1_2.2.2-14.5_alpha.deb
  Size/MD5 checksum:   100824 81f8f8b529298ccb2554e6739de18710

  ARM architecture:

http://security.debian.org/pool/updates/main/k/kdenetwork/kdict_2.2.2-14.5_arm.deb
  Size/MD5 checksum:   212826 22613e94e6e1a8c4e66befe6848114c2
http://security.debian.org/pool/updates/main/k/kdenetwork/kit_2.2.2-14.5_arm.deb
  Size/MD5 checksum:   133850 d4255ccdf32692cbb78c00bd08993285
http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.5_arm.deb
  Size/MD5 checksum:   155852 563938f1bd87076aaf5c48817cf32139

[SECURITY] [DSA 215-1] New cyrus-imapd packages fix remote command execution

2002-12-23 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 215-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 23rd, 2002 http://www.debian.org/security/faq
- --

Package: cyrus-imapd
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0379
CERT Advisory  : VU#740169
BugTraq Id : 4713

Timo Sirainen discovered a buffer overflow in the Cyrus IMAP server,
which could be exploited by a remote attacker prior to logging in.  A
malicious user could craft a request to run commands on the server under
the UID and GID of the cyrus server.

For the current stable distribution (woody) this problem has been
fixed in version 1.5.19-9.1.

For the old stable distribution (potato) this problem has been fixed
in version 1.5.19-2.2.

For the current unstable distribution (sid) this problem has been
fixed in version 1.5.19-9.10.  The cyrus21-imapd packages are not
vulnerable.

We recommend that you upgrade your cyrus-imapd package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:


http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-imapd_1.5.19-2.2.dsc
  Size/MD5 checksum:  681 7ed2dc53009118f622c466c7490910eb

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-imapd_1.5.19-2.2.diff.gz
  Size/MD5 checksum:15807 75de24bbbf6906b2dcbc58ff94480faa

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-imapd_1.5.19.orig.tar.gz
  Size/MD5 checksum:   526190 b789ea3868be439c27b24a8aa6d0b99f

  Alpha architecture:


http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-admin_1.5.19-2.2_alpha.deb
  Size/MD5 checksum:42610 042e48cefd32648ad22780b2dd75d3e4

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-common_1.5.19-2.2_alpha.deb
  Size/MD5 checksum:   570800 37eba3e8c00ceee87637527fda215e90

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-dev_1.5.19-2.2_alpha.deb
  Size/MD5 checksum:83332 2d5105eebbace38839fe45897898560d

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-imapd_1.5.19-2.2_alpha.deb
  Size/MD5 checksum:   165502 58d468b7568031ef6ebfb6d162a87ea2

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-nntp_1.5.19-2.2_alpha.deb
  Size/MD5 checksum:   165366 a99934002ff65416f62949b48e161c2d

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-pop3d_1.5.19-2.2_alpha.deb
  Size/MD5 checksum:78606 5616b0c2232bf237cd62aa79c60a74f6

  ARM architecture:


http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-admin_1.5.19-2.2_arm.deb
  Size/MD5 checksum:38378 68c99d95c4bc94244aa11531643e752a

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-common_1.5.19-2.2_arm.deb
  Size/MD5 checksum:   427770 29731f1cd6ee7a1bc18fd43d21a30d99

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-dev_1.5.19-2.2_arm.deb
  Size/MD5 checksum:77060 c3ef8e84ea192e1792811c889b7e64f6

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-imapd_1.5.19-2.2_arm.deb
  Size/MD5 checksum:   130436 f4424382f2945d196ce68d9dfe51ce04

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-nntp_1.5.19-2.2_arm.deb
  Size/MD5 checksum:   126334 290490d751199efae7feb518fe5e209a

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-pop3d_1.5.19-2.2_arm.deb
  Size/MD5 checksum:59246 55abe9bb680c1bf75a1d8ccda8d5c0ef

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-admin_1.5.19-2.2_i386.deb
  Size/MD5 checksum:37840 c86d3b23d50017c4caefebaffaa52c88

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-common_1.5.19-2.2_i386.deb
  Size/MD5 checksum:   409216 e03b8b803fdd52b16f0da981a32d7cbd

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-dev_1.5.19-2.2_i386.deb
  Size/MD5 checksum:72742 7b41f08a21aab4683c60e0ff0c87f4ad

http://security.debian.org/pool/updates/non-free/c/cyrus-imapd/cyrus-imapd_1.5.19-2.2_i386.deb
  Size/MD5 checksum:   121794 a1afc55e62e68546e1f746bebf215010

[SECURITY] [DSA 216-1] New fetchmail packages fix buffer overflow

2002-12-24 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 216-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 24th, 2002 http://www.debian.org/security/faq
- --

Package: fetchmail
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1365 (confirmed)

Stefan Esser of e-matters discovered a buffer overflow in fetchmail,
an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder.  When
fetchmail retrieves a mail all headers that contain addresses are
searched for local addresses.  If a hostname is missing, fetchmail
appends it but doesn't reserve enough space for it.  This heap
overflow can be used by remote attackers to crash it or to execute
arbitrary code with the privileges of the user running fetchmail.

For the current stable distribution (woody) this problem has been
fixed in version 5.9.11-6.2 of fetchmail and fetchmail-ssl.

For the old stable distribution (potato) this problem has been fixed
in version 5.3.3-4.3.

For the current unstable distribution (sid) this problem has been
fixed in version 6.2.0-1 of fetchmail and fetchmail-ssl.

We recommend that you upgrade your fetchmail packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.dsc
  Size/MD5 checksum:  566 a1903624c0ec3bd32511423932643072

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.diff.gz
  Size/MD5 checksum:27949 ba53d0ca7f33019f8aa377359adf1212

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3.orig.tar.gz
  Size/MD5 checksum:   755731 d2cffc4594ec2d36db6681b800f25e2a

  Architecture independent components:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.3.3-4.3_all.deb
  Size/MD5 checksum:63344 eeb78fb002b7cec35d21f782123638c5

  Alpha architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_alpha.deb
  Size/MD5 checksum:   371692 f59ce881bc67072165a43c935d1c555b

  ARM architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_arm.deb
  Size/MD5 checksum:   349562 7f3512eed908f266268a5c92be1d2fd8

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_i386.deb
  Size/MD5 checksum:   342328 51380d2821f2837a7aaf3f14850fce83

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_m68k.deb
  Size/MD5 checksum:   336626 0fc917ae77fae36202be9db505de495e

  PowerPC architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_powerpc.deb
  Size/MD5 checksum:   350320 e3d5dbe15acefa05a6c7cbfdada1bf2a

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_sparc.deb
  Size/MD5 checksum:   328084 1f5bc0689d1c1c86f81d022a53e9cff9


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.dsc
  Size/MD5 checksum:  712 7dd3621fe339460971cc328484b0e279

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.diff.gz
  Size/MD5 checksum:   300336 7503a6bbf5020b118c0061586e16822a

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz
  Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd


http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.dsc
  Size/MD5 checksum:  707 69a8e2fa290af062b9740943d26df507

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.diff.gz
  Size/MD5 checksum:   296112 e4ecdeddc8bffa9a54f386ab449485fe

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11.orig.tar.gz
  Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd

  Architecture independent components:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.2_all.deb
  Size/MD5 checksum:   165338 fd022003903f569d077e36faf5ad2a21

http

[SECURITY] [DSA 217-1] New typespeed packages fix buffer overflow

2002-12-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 217-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 27th, 2002 http://www.debian.org/security/faq
- --

Package: typespeed
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no

A problem has been discovered in typespeed, a game that lets you
measure your typematic speed.  By overflowing a buffer a local
attacker could execute arbitrary commands under the group id games.

For the current stable distribution (woody) this problem has been
fixed in version 0.4.1-2.1.

For the old stable distribution (potato) this problem has been fixed
in version 0.4.0-5.1.

For the unstable distribution (sid) this problem has been fixed in
version 0.4.2-2.

We recommend that you upgrade your typespeed package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1.dsc
  Size/MD5 checksum:  575 f6226194d5fc98835987d752904f7149

http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1.diff.gz
  Size/MD5 checksum: 6763 deefebffe7313476dff4d1b076c46cd7

http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0.orig.tar.gz
  Size/MD5 checksum:33037 587b3ca15b32142d24bd452881c64dd1

  Alpha architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1_alpha.deb
  Size/MD5 checksum:40752 2fdb1f039ddb6fa746e785744632590f

  ARM architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1_arm.deb
  Size/MD5 checksum:34716 ae61105ff80f44f49ea6a92b48cce71e

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1_i386.deb
  Size/MD5 checksum:34326 b5bc6881676b8a102afcad03de4c4eb7

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1_m68k.deb
  Size/MD5 checksum:33486 2b6d7bac7d6f582b77a61683d7afb437

  PowerPC architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1_powerpc.deb
  Size/MD5 checksum:37004 7ef642e4f567077c7eda5094359f6d8d

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.0-5.1_sparc.deb
  Size/MD5 checksum:39132 521d46c4ffcb2315674388756bae0a5a


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1.dsc
  Size/MD5 checksum:  575 fb28aec0af0ad71d5f3c424359082a32

http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1.diff.gz
  Size/MD5 checksum: 8136 ccafdd4e0cf004587395ef4a72484efd

http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1.orig.tar.gz
  Size/MD5 checksum:35492 0af9809cd20bd9010732ced930090f32

  Alpha architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1_alpha.deb
  Size/MD5 checksum:44336 83b3ed65a67602831d5dc089f53bcfc5

  ARM architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1_arm.deb
  Size/MD5 checksum:39016 eb929720e523608b0e74876c28505a86

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1_i386.deb
  Size/MD5 checksum:38708 03594d270467f1e603deb4a710cf1c54

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1_ia64.deb
  Size/MD5 checksum:49902 c21eb5bcefee5e06c2d3172675f1dd1f

  HP Precision architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1_hppa.deb
  Size/MD5 checksum:41824 f8366e40e1a202bc517c53f5c4318ff0

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1_m68k.deb
  Size/MD5 checksum:37398 97cc30fc64831b29fa381525be5efdd5

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.1-2.1_mips.deb
  Size/MD5 checksum:41050

[SECURITY] [DSA 218-1] New bugzilla packages fix cross site scripting problem

2002-12-30 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 218-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 30th, 2002 http://www.debian.org/security/faq
- --

Package: bugzilla
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no
BugTraq Id : 6257

A cross site scripting vulnerability has been reported for Bugzilla, a
web-based bug tracking system.  Bugzilla does not properly sanitize
any input submitted by users.  As a result, it is possible for a
remote attacker to create a malicious link containing script code
which will be executed in the browser of a legitimate user, in the
context of the website running Bugzilla.  This issue may be exploited
to steal cookie-based authentication credentials from legitimate users
of the website running the vulnerable software.

This vulnerability only affects users who have the 'quips' feature
enabled and who upgraded from version 2.10 which did not exist inside
of Debian.  The Debian package history of Bugzilla starts with 1.13
and jumped to 2.13.  However, users could have installed version 2.10
prior to the Debian package.

For the current stable distribution (woody) this problem has been
fixed in version 2.14.2-0woody3.

The old stable distribution (potato) does not contain a Bugzilla
package.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your bugzilla packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody3.dsc
  Size/MD5 checksum:  621 5cffc6c1cb27caabaeab50f09d1eaba4

http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody3.diff.gz
  Size/MD5 checksum:37296 cdb8158a7d72a439c8dd04e207721a10
http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2.orig.tar.gz
  Size/MD5 checksum:   933766 0c60df541e63e33d92ac9ba0fbb05be3

  Architecture independent components:


http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla-doc_2.14.2-0woody3_all.deb
  Size/MD5 checksum:   489566 6575c255a98a0bcea4b55b24c064215e

http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody3_all.deb
  Size/MD5 checksum:   274178 79345c65df4c9ede183089f0d5601fd7


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+EFQEW5ql+IAeqTIRAqyqAKCr6J0B7jWLVY3/H8kJ61eL7ntgcgCfTcV3
pl4aGLA23/PJZbH5Ie/H/ZY=
=SVah
-END PGP SIGNATURE-
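Each advisory above publishes a size and an MD5 for every file and tells
the reader to fetch with wget and install with dpkg -i.  The step the
instructions leave implicit is comparing both values before installing.
The script below is an added example for this archive, not part of any
advisory and not a Debian tool; it assumes GNU coreutils (md5sum, wc) and
awk, and reads the advisory text on standard input.  It copes with both
layouts seen in the copies above (URL and checksum line adjacent, or
separated by a blank line), and checks the size first because a truncated
download fails there without hashing anything.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Debian's tools: check a
# downloaded .deb against the "Size/MD5 checksum:" line published in a DSA
# before running "dpkg -i". Assumes GNU coreutils (md5sum, wc) and awk.

# verify_deb FILE SIZE MD5
#   0 = match, 1 = size mismatch, 2 = MD5 mismatch, 3 = file missing.
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || return 3
    have_size=$(wc -c < "$file" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || return 1
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    [ "$have_md5" = "$want_md5" ] || return 2
    return 0
}

# parse_dsa_checksums < advisory.txt
#   Emits "basename size md5" for every URL line that is followed by a
#   "Size/MD5 checksum:" line, with or without a blank line between them,
#   and whether or not the size is glued to "checksum:".
parse_dsa_checksums() {
    awk '
        /^[ \t]*http:\/\// { n = split($0, p, "/"); name = p[n]; next }
        /Size\/MD5 checksum:/ && name != "" {
            sub(/.*checksum:[ \t]*/, "")      # leaves "SIZE MD5"
            print name, $1, $2
            name = ""
        }'
}

# check_downloads DIR < advisory.txt
#   Verifies every advisory file that exists in DIR; prints one OK/FAIL
#   line per file found and returns 1 if any file failed.  Files not yet
#   downloaded are skipped, so it can run against a partial download set.
check_downloads() {
    dir=$1; status=0
    triples=$(parse_dsa_checksums)
    while read -r name size md5; do
        [ -n "$name" ] && [ -f "$dir/$name" ] || continue
        rc=0; verify_deb "$dir/$name" "$size" "$md5" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "OK   $name"
        else
            echo "FAIL $name (code $rc)"; status=1
        fi
    done <<EOF
$triples
EOF
    return $status
}
```

Typical use is `check_downloads . < dsa-218.txt` in the directory the
wget calls were made from.  Two caveats: the MD5 list is only as
trustworthy as the PGP signature on the advisory that carries it, so
verify the signature (gpg --verify) before trusting the checksums; and
MD5 here protects against corruption, truncation and a swapped file on
an unauthenticated mirror, which is exactly what an unsigned http
download needs, not against an attacker who can also alter the advisory.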




[SECURITY] [DSA 219-1] New dhcpcd packages fix remote command execution vulnerability

2002-12-31 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 219-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 31st, 2002 http://www.debian.org/security/faq
- --

Package: dhcpcd
Vulnerability  : remote command execution
Problem-Type   : remote
Debian-specific: no
BugTraq Id : 6200

Simon Kelly discovered a vulnerability in dhcpcd, an RFC2131 and
RFC1541 compliant DHCP client daemon, that runs with root privileges
on client machines.  A malicious administrator of the regular or an
untrusted DHCP server may execute any command with root privileges on
the DHCP client machine by sending the command enclosed in shell
metacharacters in one of the options provided by the DHCP server.

This problem has been fixed in version 1.3.17pl2-8.1 for the old
stable distribution (potato) and in version 1.3.22pl2-2 for the
testing (sarge) and unstable (sid) distributions.  The current stable
distribution (woody) does not contain a dhcpcd package.

We recommend that you upgrade your dhcpcd package (on the client
machine).

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1.dsc
  Size/MD5 checksum:  538 1c19758ca0d21405a7d5558b79873bcd
http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1.diff.gz
  Size/MD5 checksum:12839 95c26c2d2ea5bfc820b125ce7a409036
http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2.orig.tar.gz
  Size/MD5 checksum:   152368 c23be689d4725eca9bbc65ad3cb85049

  Alpha architecture:


http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1_alpha.deb
  Size/MD5 checksum:49666 d3e56f10c3a360dec6e32881dd29ee11

  ARM architecture:

http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1_arm.deb
  Size/MD5 checksum:40160 54f8b2b37f203ae7df2afb1342183989

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1_i386.deb
  Size/MD5 checksum:37422 2217cc83b78e829037faebf2c66cf1c5

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1_m68k.deb
  Size/MD5 checksum:36242 5aa43b776c6609a4b12fa20ce6be08fe

  PowerPC architecture:


http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1_powerpc.deb
  Size/MD5 checksum:39432 53a3ab3c9ca17f562c7d9280c0ae7e56

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/d/dhcpcd/dhcpcd_1.3.17pl2-8.1_sparc.deb
  Size/MD5 checksum:41544 084cc56b2d43ab9c79ac075cef8d9f84


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+EZlKW5ql+IAeqTIRAtm8AJ0YZT72qaRrpD/2ATxQ+Xq87gqOyACguwn6
00RahV2hQ7UDES+/Y3xYwNY=
=AO0h
-END PGP SIGNATURE-
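DSA 219 names the class of bug (a value chosen by the DHCP server, carrying
shell metacharacters, reaching a command that the client runs as root)
without showing code.  The snippet below is an added illustration of that
class and of the fix pattern for this archive; it is not dhcpcd's code and
not its actual fix.  The choice of the host name option (DHCP option 12),
the harmless printf standing in for the privileged command, and the sample
values are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not dhcpcd's code: the command-injection pattern DSA 219
# describes, shown with a DHCP-supplied host name (option 12) and a
# harmless stand-in (printf) for the privileged command a client would run.

# VULNERABLE pattern: the server-controlled value is pasted into a command
# string that a shell then parses, so ';', '`...`' and '$(...)' inside the
# value are executed as further commands, as root if the client is root.
apply_hostname_unsafe() {
    sh -c "printf '%s\n' $1"
}

# RFC 1035 host name grammar: dot-separated labels of 1-63 letters, digits
# and hyphens that neither start nor end with a hyphen, at most 253
# characters in total.  Nothing a shell could misread passes this check.
valid_dns_name() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    printf '%s\n' "$name" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# SAFE pattern: reject anything outside the expected grammar, then hand the
# value to the command as a single argv element ("$1"), never through a
# shell-parsed string.  Returns 1 and runs nothing when the value is rejected.
apply_hostname_safe() {
    valid_dns_name "$1" || return 1
    printf '%s\n' "$1"
}

# Constructed sample values: one legitimate host name and one carrying the
# kind of payload a hostile DHCP server could place in an option.
GOOD_HOST='client.example.org'
EVIL_HOST='client.example.org; echo INJECTED'
```

Running `apply_hostname_unsafe "$EVIL_HOST"` prints two lines, the second
being the output of the injected command; `apply_hostname_safe "$EVIL_HOST"`
prints nothing and returns 1.  Both halves matter: validation alone still
leaves a shell parsing attacker data, and quoting alone still passes junk
to a root-level command, so reject first and then pass the value as one
argument (or, in C, through execve with an argv rather than system()).
The same treatment applies to every other string the server controls,
such as the domain name (option 15).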




[SECURITY] [DSA 220-1] New squirrelmail packages fix cross site scripting problem

2003-01-02 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 220-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 2nd, 2003   http://www.debian.org/security/faq
- --

Package: squirrelmail
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1341
BugTraq Id : 6302

A cross site scripting vulnerability has been discovered in
squirrelmail, a feature-rich webmail package written in PHP4.
Squirrelmail doesn't sanitize user provided variables in all places,
leaving it vulnerable to a cross site scripting attack.

For the current stable distribution (woody) this problem has been
fixed in version 1.2.6-1.3.  The old stable distribution (potato) is
not affected since it doesn't contain a squirrelmail package.

An updated package for the current unstable distribution (sid) is
expected soon.

We recommend that you upgrade your squirrelmail package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.3.dsc
  Size/MD5 checksum:  586 235dead908e8caeb873678575c1700c8

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.3.diff.gz
  Size/MD5 checksum:15421 414b1afacc8880479f6a41b85cd79a73

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
  Size/MD5 checksum:  1856087 be9e6be1de8d3dd818185d596b41a7f1

  Architecture independent components:


http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.3_all.deb
  Size/MD5 checksum:  1839686 8daaac2603c171b94bf5def5942f451a


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+FFTTW5ql+IAeqTIRAiCNAJ9SLmRKDgD/cg1FmehCjg1XYYaLdQCgtJes
HzpOTMqmwxejtVwx++hcvhY=
=COcy
-END PGP SIGNATURE-




[SECURITY] [DSA 221-1] New mhonarc packages fix cross site scripting

2003-01-03 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 221-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 3rd, 2003   http://www.debian.org/security/faq
- --

Package: mhonarc
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1388

Earl Hood, author of mhonarc, a mail to HTML converter, discovered a
cross site scripting vulnerability in this package.  A specially
crafted HTML mail message can introduce foreign scripting content in
archives, bypassing MHonArc's HTML script filtering.

For the current stable distribution (woody) this problem has been
fixed in version 2.5.2-1.3.

For the old stable distribution (potato) this problem has been fixed
in version 2.4.4-1.3.

For the unstable distribution (sid) this problem has been fixed in
version 2.5.14-1.

We recommend that you upgrade your mhonarc package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.3.dsc
  Size/MD5 checksum:  538 85b90e1fdef1b2bd9ef5120e15eec735
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.3.diff.gz
  Size/MD5 checksum: 6678 c73a6548e5a580037a0bf6491785fa9d
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4.orig.tar.gz
  Size/MD5 checksum:   451692 17bfacfc31d185f472695b0fac5d23b9

  Architecture independent components:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.3_all.deb
  Size/MD5 checksum:   453522 4d0b4ed0497569652dfce1544826d959


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2-1.3.dsc
  Size/MD5 checksum:  560 f72534abf58b0be253929d0dfb2db8c7
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2-1.3.diff.gz
  Size/MD5 checksum: 5467 a4494469a18e6218c764965aa0d04e1f
http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2.orig.tar.gz
  Size/MD5 checksum:   600942 5151b61a4dc2bd18214e9a8d47ec41df

  Architecture independent components:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.5.2-1.3_all.deb
  Size/MD5 checksum:   573378 c60ffdc112a2ed9cdc0a30fab9478b75


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+FbMFW5ql+IAeqTIRAv5AAJ0RRMkx1aM9InjMFGdW6Aq5gZ7WlACeKA/5
sK8+0LSa/LYgdrD7RPgqh6g=
=ZJDq
-END PGP SIGNATURE-




[SECURITY] [DSA 224-1] New canna packages fix buffer overflow and denial of service

2003-01-15 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 224-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 8th, 2002   http://www.debian.org/security/faq
- --

Package: canna
Vulnerability  : buffer overflow and more
Problem-Type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1158 CAN-2002-1159
BugTraq Id : 6351 6354

Several vulnerabilities have been discovered in canna, a Japanese
input system.  The Common Vulnerabilities and Exposures (CVE) project
identified the following vulnerabilities:

 * CAN-2002-1158 (BugTraq Id 6351): hsj of Shadow Penguin Security
   discovered a heap overflow vulnerability in the irw_through
   function in canna server.

 * CAN-2002-1159 (BugTraq Id 6354): Shinra Aida of the Canna project
   discovered that canna does not properly validate requests, which
   allows remote attackers to cause a denial of service or information
   leak.

For the current stable distribution (woody) these problems have been
fixed in version 3.5b2-46.2.

For the old stable distribution (potato) these problems have been
fixed in version 3.5b2-25.2.

For the unstable distribution (sid) these problems have been fixed in
version 3.6p1-1.

We recommend that you upgrade your canna packages.


Installation Instructions
- -

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2.dsc
  Size/MD5 checksum:  621 3eefe4cadee26f2e74c148836428d6b1
http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2.diff.gz
  Size/MD5 checksum:   131811 63bb6ebf66965b21fd2d80107f720dad
http://ftp.debian.org/debian/dists/potato/main/source/utils/canna_3.5b2.orig.tar.gz
  Size/MD5 checksum:  1328622 5e1d8527d397c3914ce6104dac3db466

  Alpha architecture:

http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_alpha.deb
  Size/MD5 checksum:   901812 a4b31bcbfc19c9ce1ee5575595399301

http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_alpha.deb
  Size/MD5 checksum:   119214 74679fa94fd305f40bb396dc993ba780

http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_alpha.deb
  Size/MD5 checksum:   478650 1e2d41c1ebca00e898652dcf720492a3

http://security.debian.org/pool/updates/main/c/canna/libcanna1g-dev_3.5b2-25.2_alpha.deb
  Size/MD5 checksum:   701894 a402fb38f84c3315e71efc468c009324

  ARM architecture:

http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_arm.deb
  Size/MD5 checksum:   839926 6b88eb89835706fa151d393dadbedd1a
http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_arm.deb
  Size/MD5 checksum:   107114 21b9623c1d662b2d23017634ebcb69dc
http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_arm.deb
  Size/MD5 checksum:   409604 01e0b806a238fdf417d6892ab929b1d5

http://security.debian.org/pool/updates/main/c/canna/libcanna1g-dev_3.5b2-25.2_arm.deb
  Size/MD5 checksum:   593312 f04a0c824bed79d0e5ea6ee13a9ee838

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_i386.deb
  Size/MD5 checksum:   831452 79ede5024732deae7a3f106ca94d1d65

http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_i386.deb
  Size/MD5 checksum:   104902 5e7805af7d37cb33729cb4dac9eba20b
http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_i386.deb
  Size/MD5 checksum:   378598 6caec31ea8eb30886c67ea6b6b7f1de2

http://security.debian.org/pool/updates/main/c/canna/libcanna1g-dev_3.5b2-25.2_i386.deb
  Size/MD5 checksum:   524486 e1a321f6b721c3558d01c30bb7853ed0

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_m68k.deb
  Size/MD5 checksum:   822694 eb6ffca2442a0e349d75442c39b60058

http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_m68k.deb
  Size/MD5 checksum:   103996 569c48f8230b8a32e1566abbe8119a97
http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_m68k.deb
  Size/MD5 checksum:   372478 c70244a70b11a0a12469e73a5d45700a

http://security.debian.org/pool/updates

[SECURITY] [DSA 225-1] New tomcat packages fix source disclosure vulnerability

2003-01-15 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 225-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 9th, 2002   http://www.debian.org/security/faq
- --

Package: tomcat4
Vulnerability  : source disclosure
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1394

A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases, which allows a specially crafted URL to be used to
return the unprocessed source of a JSP page, or, under special
circumstances, a static resource which would otherwise have been
protected by a security constraint, without being properly
authenticated.  This is based on a variant of the exploit that was
identified as CAN-2002-1148.

For the current stable distribution (woody) this problem has been
fixed in version 4.0.3-3woody2.

The old stable distribution (potato) does not contain tomcat packages.

For the unstable distribution (sid) this problem does not exist in the
current version 4.1.16-1.

We recommend that you upgrade your tomcat packages.


Installation Instructions
- -

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.dsc
  Size/MD5 checksum:  708 0911f7c03a0ab71133fbe95bf45d0d20

http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.diff.gz
  Size/MD5 checksum:15881 de9f6f0fb39374bfe4ece1ef4824d942
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3.orig.tar.gz
  Size/MD5 checksum:  1588186 2b2e0d859f7152e5225633933e6585d6

  Architecture independent components:


http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody2_all.deb
  Size/MD5 checksum:  1134258 680c67daebdd36eb879ce593e6362f3b

http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody2_all.deb
  Size/MD5 checksum:  1167502 34f71826d8441f967e3da0ee4ab9a1be

http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2_all.deb
  Size/MD5 checksum:   126444 e7dbc07086a7e349474bff877342cb6d


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+HYzeW5ql+IAeqTIRAsF7AJwOJotOb7a4N02/Pk/J6dibAj6bagCbB7lY
zdY2WnKneQ1GPGV7ZMkutNk=
=mkx7
-END PGP SIGNATURE-




[SECURITY] [DSA 227-1] New openldap packages fix buffer overflows and remote exploit

2003-01-16 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 227-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 13th, 2003  http://www.debian.org/security/faq
- --

Package: openldap2
Vulnerability  : buffer overflows and other bugs
Problem-Type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1378 CAN-2002-1379
BugTraq Id : 6328

The SuSE Security Team reviewed critical parts of openldap2, an
implementation of the Lightweight Directory Access Protocol (LDAP)
version 2 and 3, and found several buffer overflows and other bugs
that remote attackers could exploit to gain access to systems running
vulnerable LDAP servers.  In addition to these bugs, various locally
exploitable bugs within the OpenLDAP2 libraries have been fixed.

For the current stable distribution (woody) these problems have been
fixed in version 2.0.23-6.3.

The old stable distribution (potato) does not contain OpenLDAP2
packages.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.27-3.

We recommend that you upgrade your openldap2 packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/o/openldap2/openldap2_2.0.23-6.3.dsc
  Size/MD5 checksum:  763 45168fb49d17bcbefc2d920400705ac1

http://security.debian.org/pool/updates/main/o/openldap2/openldap2_2.0.23-6.3.diff.gz
  Size/MD5 checksum:20913 f0fa8fa225ccd5ce44504811511c9ad4

http://security.debian.org/pool/updates/main/o/openldap2/openldap2_2.0.23.orig.tar.gz
  Size/MD5 checksum:  1302928 d13cfded502c7d2b43b3c42b4e6dd599

  Alpha architecture:


http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_alpha.deb
  Size/MD5 checksum:87630 29068d6586e62aa8141995d19d85b5f2

http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_alpha.deb
  Size/MD5 checksum:   113812 ffe2c1b7afd49bbd45143b4d2c5738a3

http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_alpha.deb
  Size/MD5 checksum:   213992 5a20e5fa07a7e64c501fce960bafb00d

http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_alpha.deb
  Size/MD5 checksum:  1833542 4554c75be54f37f98062874c1fd05ef3
http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_alpha.deb
  Size/MD5 checksum:   806478 e3ebfb7fefffdebdfc48127c53989b5a

  ARM architecture:


http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_arm.deb
  Size/MD5 checksum:65998 395356a67fc07a37cb7ff83e4f433f08

http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_arm.deb
  Size/MD5 checksum:90090 2d6582bca66d8d4975767e9143610617

http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_arm.deb
  Size/MD5 checksum:   183032 202e9ee365ea54dab60b7b827d47b759

http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_arm.deb
  Size/MD5 checksum:  1789034 7144479db1c2c8433fcd89ee6b1cd693
http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_arm.deb
  Size/MD5 checksum:   672624 d93eddf64b805fe8ad456e1abb477237

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_i386.deb
  Size/MD5 checksum:65232 423b8b0b3fd8a09ef365d4ec25023d26

http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_i386.deb
  Size/MD5 checksum:86350 0bc201b83a18897972cecccb37beba0b

http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_i386.deb
  Size/MD5 checksum:   172742 f508b8f6b0cf808ece56cfd639e9

http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_i386.deb
  Size/MD5 checksum:  1732946 1f98f56fb5b0215788c9581cc330a77a
http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_i386.deb
  Size/MD5 checksum:   606922 42fc1c90d802d9bc155094cd2c5b3a05

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_ia64.deb
  Size/MD5 checksum:97926

[SECURITY] [DSA 229-1] New IMP packages fix SQL injection

2003-01-16 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 229-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 15th, 2003  http://www.debian.org/security/faq
- --

Package: imp
Vulnerability  : SQL injection
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0025

Jouko Pynnonen discovered a problem with IMP, a web based IMAP mail
program.  Using carefully crafted URLs a remote attacker is able to
inject SQL code into SQL queries without proper user authentication.
Even though results of SQL queries aren't directly readable from the
screen, an attacker might update his mail signature to contain wanted
query results and then view it on the preferences page of IMP.

The impact of SQL injection depends heavily on the underlying database
and its configuration.  If PostgreSQL is used, it's possible to
execute multiple complete SQL queries separated by semicolons.  The
database contains session ids so the attacker might hijack sessions
of people currently logged in and read their mail.  In the worst case,
if the hordemgr user has the required privilege to use the COPY SQL
command (found in PostgreSQL at least), a remote user may read or
write to any file the database user (postgres) can.  The attacker may
then be able to run arbitrary shell commands by writing them to the
postgres user's ~/.psqlrc; they'd be run when the user starts the psql
command, which under some configurations happens regularly from a cron
script.

For the current stable distribution (woody) this problem has been
fixed in version 2.2.6-5.1.

For the old stable distribution (potato) this problem has been
fixed in version 2.2.6-0.potato.5.1.

For the unstable distribution (sid) these problems have been fixed in
version 2.2.6-7.

We recommend that you upgrade your IMP packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-0.potato.5.1.dsc
  Size/MD5 checksum:  557 76665368f11feb7adce9796815821d04
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-0.potato.5.1.diff.gz
  Size/MD5 checksum:66837 18cfcbbc6eb09ed11085e84701cb1ffb

  Architecture independent components:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-0.potato.5.1_all.deb
  Size/MD5 checksum:   410972 acf2cfbd75191cdcb68ec714b22d2adf


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-5.1.dsc
  Size/MD5 checksum:  638 8d877729002750b2962eff3b14294bb9
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-5.1.diff.gz
  Size/MD5 checksum:95177 47ca6f61febbe839fc27f4e53f8fde8d

  Architecture independent components:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-5.1_all.deb
  Size/MD5 checksum:   426826 134e3d543d2d32f1fe9f84664a819dd0


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+JXseW5ql+IAeqTIRAnfMAJ46nkfLSls5HQcs6Rn4ubFH0awL4ACdFTdL
F7Tpw01pKvOULSV66lhEwOU=
=RqK7
-END PGP SIGNATURE-




[SECURITY] [DSA 229-2] New IMP packages fix SQL injection and typo

2003-01-16 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 229-2 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 15th, 2003  http://www.debian.org/security/faq
- --

Package: imp
Vulnerability  : SQL injection
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0025

The advisory DSA 229-1 contained a typo in one file which could cause
certain installations to fail suddenly.

For completeness, here is the original advisory text:

  Jouko Pynnonen discovered a problem with IMP, a web based IMAP mail
  program.  Using carefully crafted URLs a remote attacker is able to
  inject SQL code into SQL queries without proper user authentication.
  Even though results of SQL queries aren't directly readable from the
  screen, an attacker might update his mail signature to contain wanted
  query results and then view it on the preferences page of IMP.

  The impact of SQL injection depends heavily on the underlying database
  and its configuration.  If PostgreSQL is used, it's possible to
  execute multiple complete SQL queries separated by semicolons.  The
  database contains session ids so the attacker might hijack sessions
  of people currently logged in and read their mail.  In the worst case,
  if the hordemgr user has the required privilege to use the COPY SQL
  command (found in PostgreSQL at least), a remote user may read or
  write to any file the database user (postgres) can.  The attacker may
  then be able to run arbitrary shell commands by writing them to the
  postgres user's ~/.psqlrc; they'd be run when the user starts the psql
  command, which under some configurations happens regularly from a cron
  script.
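DSA 229-1 above, and its repost here in DSA 229-2, describe request data ending up inside the text of SQL statements.  The Python block below is an added illustration of that pattern and its fix; it is not IMP's code and not part of either advisory.  It builds a constructed preferences table in the standard-library sqlite3 module and puts the vulnerable form (string concatenation) beside the hardened form (parameterized queries).  The table name, the column names, the user rows and the crafted input are all made up for the demo.

```python
import sqlite3


def open_prefs_db():
    """Constructed in-memory stand-in for a webmail preferences table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefs (username TEXT PRIMARY KEY, signature TEXT)")
    conn.executemany(
        "INSERT INTO prefs VALUES (?, ?)",
        [("alice", "-- Alice"), ("bob", "-- Bob"), ("carol", "-- Carol")],
    )
    conn.commit()
    return conn


def signature_vulnerable(conn, username):
    """The pattern the advisory describes: request data spliced into SQL text.

    A quote character inside `username` ends the string literal, so the
    rest of the input is parsed as SQL and rewrites the WHERE clause.
    """
    sql = "SELECT username, signature FROM prefs WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def signature_parameterized(conn, username):
    """Hardened form: the value travels separately from the statement text,
    so whatever it contains is compared as data and never parsed as SQL."""
    sql = "SELECT username, signature FROM prefs WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def update_signature_parameterized(conn, username, signature):
    """The write path gets the same treatment; in the advisory the signature
    update was the channel through which query results became visible.
    Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE prefs SET signature = ? WHERE username = ?", (signature, username)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = open_prefs_db()
    # Constructed crafted input: closes the literal and appends a tautology.
    crafted = "nobody' OR 'a'='a"
    print(signature_vulnerable(conn, "alice"))     # one row, as intended
    print(signature_vulnerable(conn, crafted))     # every row: the WHERE clause was rewritten
    print(signature_parameterized(conn, crafted))  # no rows: compared as a literal string
```

Parameterization removes the parsing problem; the rest of the impact chain in the advisory is a privilege question, and the same advice applies: the database account the application connects as (hordemgr in the advisory) should hold only the privileges the application needs, which excludes file-access commands such as COPY.  Note that Python's sqlite3 `execute()` refuses more than one statement per call, so the multi-statement case the advisory mentions for PostgreSQL cannot be reproduced with this driver; that is a property of one client library, not a defence to rely on.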

For the current stable distribution (woody) this problem has been
fixed in version 2.2.6-5.2.

For the old stable distribution (potato) this problem has been
fixed in version 2.2.6-0.potato.5.2.

For the unstable distribution (sid) this problem will be fixed in
version 2.2.6-8.

We recommend that you upgrade your IMP packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-0.potato.5.2.dsc
  Size/MD5 checksum:  557 44d08f19a1448314a6b909d72ccdc573
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-0.potato.5.2.diff.gz
  Size/MD5 checksum:66875 c7d2431d975834000d08b86c7fe9df91
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6.orig.tar.gz
  Size/MD5 checksum:   361731 8f7920c8173e1ef2724cb25a311f9ca8

  Architecture independent components:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-0.potato.5.2_all.deb
  Size/MD5 checksum:   410804 6aedc56344d1eea874c7ae39f3e536cd


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-5.2.dsc
  Size/MD5 checksum:  638 d2504b9b549e73c448851d291821a5eb
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-5.2.diff.gz
  Size/MD5 checksum:95209 2a18586731f2f3ae03353eb346eed8e4
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6.orig.tar.gz
  Size/MD5 checksum:   361731 8f7920c8173e1ef2724cb25a311f9ca8

  Architecture independent components:

http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-5.2_all.deb
  Size/MD5 checksum:   426822 84d31910cec8dce85e00a89f5961307e


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+JZY9W5ql+IAeqTIRAoCZAKChyHuPuhwzbAghehNDSYwqN1KHjACfQ+lz
pi89kxAU0XGfHhsTZX7FJCQ=
=iQJC
-END PGP SIGNATURE-




[SECURITY] [DSA 231-1] New dhcp3 packages fix arbitrary code execution

2003-01-17 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 231-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 17th, 2003  http://www.debian.org/security/faq
- --

Package: dhcp3
Vulnerability  : stack overflows
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0026
CERT advisory  : VU#284857 CA-2003-01

The Internet Software Consortium discovered several vulnerabilities
during an audit of the ISC DHCP Daemon.  The vulnerabilities exist in
error handling routines within the minires library and may be
exploitable as stack overflows.  This could allow a remote attacker to
execute arbitrary code under the user id the dhcpd runs under, usually
root.  DHCP servers other than dhcp3 do not seem to be affected.

For the stable distribution (woody) this problem has been
fixed in version 3.0+3.0.1rc9-2.1.

The old stable distribution (potato) does not contain dhcp3 packages.

For the unstable distribution (sid) this problem has been fixed in
version 3.0+3.0.1rc11-1.

We recommend that you upgrade your dhcp3-server package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0+3.0.1rc9-2.1.dsc
  Size/MD5 checksum:  730 37209f2e8ff29f9d38e4f812183a8321
http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0+3.0.1rc9-2.1.diff.gz
  Size/MD5 checksum:23781 d6b2e0bcf1b32d52423202ae5f988cf6
http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0+3.0.1rc9.orig.tar.gz
  Size/MD5 checksum:   809803 3cc4758e5a59362315393a1874dfcb21

  Alpha architecture:


http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.1_alpha.deb
  Size/MD5 checksum:   416508 773f104e93a351675621d4b812dedb0d

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.1_alpha.deb
  Size/MD5 checksum:   216042 2a7c64e688ca68bf0b227334ba2d7833

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.1_alpha.deb
  Size/MD5 checksum:   106842 9020774e6cdc310a3a3cf2a42ba58d63

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.1_alpha.deb
  Size/MD5 checksum:   287082 189f63d99acb438981c10800d7783d44

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.1_alpha.deb
  Size/MD5 checksum:   526816 08d076cefd29fa5e0055fda006cac383

  ARM architecture:


http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.1_arm.deb
  Size/MD5 checksum:   386804 842b5eb5de805516022bada7f0094822

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.1_arm.deb
  Size/MD5 checksum:   188558 5dbbd9b9ab025f52024b19627bfbdc72

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.1_arm.deb
  Size/MD5 checksum:93316 57bfc9321b7d10ae70ec6214d59bcb2f

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.1_arm.deb
  Size/MD5 checksum:   273220 6a99a3da6a633477ae430d92f68f2184

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.1_arm.deb
  Size/MD5 checksum:   484438 677cd67a76fc9814fe2a7c3ca4a1a492

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.1_i386.deb
  Size/MD5 checksum:   375234 eadc1375ff236a3f6fd831340fa23bb2

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.1_i386.deb
  Size/MD5 checksum:   178496 afd9dda61da369a5ff76b15803fd4136

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.1_i386.deb
  Size/MD5 checksum:82020 6137706b46e9b5d0f8d85bf0188f2050

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.1_i386.deb
  Size/MD5 checksum:   269162 289c850ffa01157b09537ec57bf25d0c

http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.1_i386.deb
  Size/MD5 checksum:   465074 fae064fc37dede8a61bf836248e97e34

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.1_ia64.deb
  Size/MD5

[SECURITY] [DSA 223-1] New geneweb packages fix information exposure

2003-01-21 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 223-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 7th, 2003   http://www.debian.org/security/faq
- --

Package: geneweb
Vulnerability  : information exposure
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1390

A security issue has been discovered by Daniel de Rauglaudre, upstream
author of geneweb, genealogical software with a web interface.  It
runs as a daemon on port 2317 by default.  Paths are not properly
sanitized, so a carefully crafted URL leads geneweb to read and display
arbitrary files of the system it runs on.
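The defect described above is a path that is joined to a document root without checking where it ends up.  The Python block below is an added example of the check a daemon serving files from a web root needs; it is not geneweb's code and not part of the advisory.  The directory layout, file names and request paths are constructed for the demo, and the block assumes the URL path arrives still percent-encoded, as a server would see it on the wire.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root, url_path):
    """Map a URL path onto a file below `root`, or return None.

    Decode percent-escapes once, reject NUL bytes (which would truncate
    the path in a C open()), join to the root, let realpath normalise
    away "." and ".." and symlinks, then confirm the result is still
    inside the root with commonpath.  A startswith() test is not enough:
    it would accept "/srv/gw2/x" as being under "/srv/gw".
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded.lstrip("/")))
    try:
        if os.path.commonpath([real_root, candidate]) != real_root:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def read_document(root, url_path):
    """Serve only regular files that resolve inside the root; anything else
    is treated as not found, so the caller never learns why."""
    path = resolve_under_root(root, url_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def make_demo_root():
    """Constructed tree: <base>/gw/data/tree.txt inside the web root and
    <base>/secret.txt one level above it.  Returns the web root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "gw")
    os.makedirs(os.path.join(root, "data"))
    with open(os.path.join(root, "data", "tree.txt"), "wb") as f:
        f.write(b"family tree\n")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"outside the web root\n")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for req in ("/data/tree.txt", "/data/../data/tree.txt", "/../secret.txt",
                "/data/%2e%2e/%2e%2e/secret.txt", "/data/tree.txt%00.html"):
        print("%-32s -> %r" % (req, read_document(root, req)))
```

The decode step runs exactly once: if the server framework has already decoded the path before handing it over, drop the `unquote` call rather than decoding a second time, since double decoding is itself a way for `%252e` to turn into `..` after the check.  Resolving symlinks in `realpath` is deliberate; a link inside the root that points outside it would otherwise pass the lexical check.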

For the current stable distribution (woody) this problem has been
fixed in version 4.06-2.

The old stable distribution (potato) is not affected.

For the unstable distribution (sid) this problem has been
fixed in version 4.09-1.

We recommend that you upgrade your geneweb package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2.dsc
  Size/MD5 checksum:  610 55ccdf8143b1a96e056094de24e31074
http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2.diff.gz
  Size/MD5 checksum:23357 1a3a36cbcef4e48b6a1effc5685023b6
http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06.orig.tar.gz
  Size/MD5 checksum:   832896 a64a4373cb82d6a3044718c7345e45f7

  Alpha architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_alpha.deb
  Size/MD5 checksum:  2336984 4a1a0e637ca669de6eefbf268a764d84
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_alpha.deb
  Size/MD5 checksum:   207902 d9aadcc1d453da3ca8526823d2a152d7

  ARM architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_arm.deb
  Size/MD5 checksum:  1944708 9034949c9a7e0bef78fbfd300e23e30b
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_arm.deb
  Size/MD5 checksum:   169542 dbfebb1e79bed418b115f9d70ca3e550

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_i386.deb
  Size/MD5 checksum:  1684746 5057e9e6b03bb4d0d6878952b501e219
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_i386.deb
  Size/MD5 checksum:   144480 9c0734678de3b35399d98b421bf6943e

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_ia64.deb
  Size/MD5 checksum:   985752 07f39fee8a2d299dec7745a663dd92d7
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_ia64.deb
  Size/MD5 checksum:   108274 da31852ab48cd19d6f31508706fecbf5

  HP Precision architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_hppa.deb
  Size/MD5 checksum:   865398 9cc1369fe825651dd1b94b405606985a
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_hppa.deb
  Size/MD5 checksum:88378 28813c61dfe7b9122497b163a453c18e

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_m68k.deb
  Size/MD5 checksum:   769050 51b9e4662732cfe495f46179ee421144
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_m68k.deb
  Size/MD5 checksum:72366 5b9bfb854358d5698636fcb579ce341a

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_mips.deb
  Size/MD5 checksum:   830858 81707ac5153dbce3ef43814bb80ff0a1
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_mips.deb
  Size/MD5 checksum:82782 cbafd1fa38f65e89f998ff85fe57502f

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_mipsel.deb
  Size/MD5 checksum:   828578 4ecbe3e11bdd06060c68ac8f056c1236
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_mipsel.deb
  Size/MD5 checksum:82214 0f60da0df4e805b18b4bb47cfa18bea8

  PowerPC architecture:

http://security.debian.org/pool/updates/main/g/geneweb/geneweb_4.06-2_powerpc.deb
  Size/MD5 checksum:  1974062 53677870c90407d1ed124eac472696e4
http://security.debian.org/pool/updates/main/g/geneweb/gwtp_4.06-2_powerpc.deb
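
Added example, not part of the advisory and not geneweb's own code: a
request-path containment check in C for a daemon that serves files from
a document root, the class of defect described in DSA 223 above.  It
percent-decodes the request first (so an encoded "..", or an encoded
NUL that would truncate the path, cannot slip past the check),
normalises "." and ".." segments, and refuses any request that would
climb above the root.  The root directory, the request strings and the
function names are assumptions constructed for the demonstration.

```c
/* Added example (not geneweb's code): request-path containment check for a
 * daemon that serves files from a document root, illustrating the bug class
 * in DSA 223.  Percent-escapes are decoded first, "." and ".." segments are
 * normalised, and any request that would climb above the root is refused.
 * The root and request values below are constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PATH_LEN 512
#define MAX_SEGMENTS 64

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes from src into dst (capacity n).  Rejects malformed
 * escapes and an encoded NUL, which would silently truncate the path. */
static int url_decode(const char *src, char *dst, size_t n) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\0' || j + 1 >= n) return -1;
        dst[j++] = (char)c;
    }
    dst[j] = '\0';
    return 0;
}

/* Resolve a request against the document root purely as strings, with no
 * filesystem access.  Returns 0 and writes the joined path, or -1 when the
 * request is malformed or would leave the root.  A realpath() check after
 * opening is still advisable where the tree may contain symlinks. */
int safe_resolve(const char *root, const char *request, char *out, size_t n) {
    char decoded[MAX_PATH_LEN];
    char *segs[MAX_SEGMENTS];
    int depth = 0;

    if (url_decode(request, decoded, sizeof decoded) != 0) return -1;
    for (char *tok = strtok(decoded, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;       /* no-op segment */
        if (strcmp(tok, "..") == 0) {              /* climb one level ... */
            if (depth == 0) return -1;             /* ... but never above root */
            depth--;
            continue;
        }
        if (depth >= MAX_SEGMENTS) return -1;
        segs[depth++] = tok;
    }
    size_t used = strlen(root);
    if (used + 1 > n) return -1;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        size_t len = strlen(segs[i]);
        if (used + 1 + len + 1 > n) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    /* Constructed requests: a normal one, two traversal attempts (raw and
     * percent-encoded) and one with redundant segments. */
    static const char *requests[] = { "/doc/index.html", "../../etc/passwd",
                                      "%2e%2e/%2e%2e/etc/passwd", "a/../b/./c" };
    char resolved[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (safe_resolve("/var/lib/geneweb", requests[i], resolved, sizeof resolved) == 0)
            printf("%-28s -> %s\n", requests[i], resolved);
        else
            printf("%-28s -> REJECTED\n", requests[i]);
    }
    return 0;
}
```

The check is done on the decoded, segment-normalised path rather than by
scanning the raw URL for the substring "..", which is what encoded or
doubled separators are typically used to get around.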

[SECURITY] [DSA 222-1] New xpdf packages fix arbitrary command execution

2003-01-21 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 222-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 6th, 2003   http://www.debian.org/security/faq
- --

Package: xpdf
Vulnerability  : integer overflow
Problem-Type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1384

iDEFENSE discovered an integer overflow in the pdftops filter from the
xpdf package that can be exploited to gain the privileges of the
target user.  This can lead to gaining privileged access to the 'lp'
user if the pdftops program is part of the print filter.

For the current stable distribution (woody) this problem has been
fixed in version 1.00-3.1.

For the old stable distribution (potato) this problem has been
fixed in version 0.90-8.1.

For the unstable distribution (sid) this problem has been
fixed in version 2.01-2.

We recommend that you upgrade your xpdf package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1.dsc
  Size/MD5 checksum:  574 2a6a10836edfa134643e54eabdf7800a
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1.diff.gz
  Size/MD5 checksum: 5732 6048fc73fb6c3bdb84988bfa14f39e4d
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90.orig.tar.gz
  Size/MD5 checksum:   391204 a7678b64713a466279b61c28ba01134b

  Alpha architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1_alpha.deb
  Size/MD5 checksum:  1186210 ec915ccf9d83ab7e80ab01b390e4d29d

  ARM architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1_arm.deb
  Size/MD5 checksum:  1044416 de2ee7c2dbc53fbd288e0c142eca2c73

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1_i386.deb
  Size/MD5 checksum:   970292 903b558758cecb9010d49bc011feba9c

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1_m68k.deb
  Size/MD5 checksum:   937202 414e5f0c67a0d8dbb5403d2b3f4cdefd

  PowerPC architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1_powerpc.deb
  Size/MD5 checksum:   998784 6e2c8520b103de3d997f22d5bd1edc43

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_0.90-8.1_sparc.deb
  Size/MD5 checksum:   967906 4f91ac10e70deeddf31910c8b8804dcc


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.1.dsc
  Size/MD5 checksum:  705 10b8248182e33e5f808b918164c65e1a
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.1.diff.gz
  Size/MD5 checksum: 9193 b2a726030843f6dba93fca9cf7ee2f07
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00.orig.tar.gz
  Size/MD5 checksum:   397750 81f3c381cef729e4b6f4ce21cf5bbf3c

  Architecture independent components:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_1.00-3.1_all.deb
  Size/MD5 checksum:38352 5d2bb590b9e8048777f97ae716ad7fd9
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.1_all.deb
  Size/MD5 checksum: 1284 96fad618de11d4bb5a417597f52fd140

  Alpha architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.1_alpha.deb
  Size/MD5 checksum:   570340 abcba0057c5163cfa16677861afe0444
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.1_alpha.deb
  Size/MD5 checksum:  1043778 fff419b1f683dda8d42c6cf5a532466a

  ARM architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.1_arm.deb
  Size/MD5 checksum:   486522 181d893a1d72fb57ec2a710b686d9653
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.1_arm.deb
  Size/MD5 checksum:   885110 197c160a3a8e369120ebf6c0b3887fc2

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.1_i386.deb
  Size/MD5 checksum:   449114 aaf65860ba521173078d4bd05d509221
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.1_i386.deb
  Size/MD5 checksum:   827038 8e6f7917d7beab9791ae199df03ed137

  Intel IA-64
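
Added example, not part of the advisory and not xpdf's own code: the
size-arithmetic pattern behind integer overflows of the kind DSA 222
describes, shown in C next to an overflow-checked version.  The image
dimensions and the function names are assumptions constructed for the
demonstration; the point is that a product computed in 32 bits can wrap
to a small value, so the buffer allocated from it is shorter than the
data later written into it.

```c
/* Added example (not xpdf's code): the size-arithmetic pattern behind integer
 * overflows of the DSA 222 kind, next to an overflow-checked version.  The
 * dimensions used in main() are constructed for the demo. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <limits.h>

/* Vulnerable pattern: width * height * bytes-per-pixel computed in 32 bits.
 * A hostile header can make the product wrap to a small number, so the buffer
 * allocated from it is far shorter than the data later written into it.
 * uint32_t is used so the wrap is well defined for the demonstration. */
uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* Overflow-checked multiply: refuses when a * b would exceed SIZE_MAX. */
int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Hardened version: rejects non-positive dimensions and checks every
 * multiplication before performing it.  Returns 1 on success, 0 on overflow. */
int safe_image_bytes(int width, int height, int bpp, size_t *out) {
    size_t tmp;
    if (width <= 0 || height <= 0 || bpp <= 0) return 0;
    if (!checked_mul((size_t)width, (size_t)height, &tmp)) return 0;
    if (!checked_mul(tmp, (size_t)bpp, out)) return 0;
    return 1;
}

/* Allocate a pixel buffer only when the size computation is sound. */
unsigned char *alloc_image(int width, int height, int bpp) {
    size_t n;
    if (!safe_image_bytes(width, height, bpp, &n)) return NULL;
    return malloc(n);
}

int main(void) {
    size_t n;
    /* 65536 x 65536 x 1 is 2^32 bytes: the 32-bit product wraps to 0. */
    printf("naive:   %u bytes\n", (unsigned)naive_image_bytes(65536, 65536, 1));
    printf("checked: %s\n",
           safe_image_bytes(INT_MAX, INT_MAX, INT_MAX, &n) ? "ok" : "overflow rejected");
    unsigned char *img = alloc_image(640, 480, 3);
    if (img != NULL && safe_image_bytes(640, 480, 3, &n)) {
        printf("640x480x3 -> %zu bytes\n", n);
        free(img);
    }
    return 0;
}
```

Checking each multiplication separately matters: a check only on the
final product cannot detect a wrap that already happened in the
intermediate width * height step.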

[SECURITY] [DSA 235-1] New kdegraphics packages fix several vulnerabilities

2003-01-22 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 235-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 22nd, 2003  http://www.debian.org/security/faq
- --

Package: kdegraphics
Vulnerability  : several
Problem-type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1393

The KDE team discovered several vulnerabilities in the K Desktop
Environment.  In some instances KDE fails to properly quote parameters
of instructions passed to a command shell for execution.  These
parameters may incorporate data such as URLs, filenames and e-mail
addresses, and this data may be provided remotely to a victim in an
e-mail, a webpage or files on a network filesystem or other untrusted
source.

By carefully crafting such data an attacker might be able to execute
arbitrary commands on a vulnerable system using the victim's account and
privileges.  The KDE Project is not aware of any existing exploits of
these vulnerabilities.  The patches also provide better safeguards
and check data from untrusted sources more strictly in multiple
places.

For the current stable distribution (woody), these problems have been fixed
in version 2.2.2-6.10.

The old stable distribution (potato) does not contain KDE packages.

For the unstable distribution (sid), these problems will most probably
not be fixed but new packages for KDE 3.1 for sid are expected for
this year.

We recommend that you upgrade your KDE packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_2.2.2-6.10.dsc
  Size/MD5 checksum:  980 74ac5c707a7c03d6866af25711782b1f

http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_2.2.2-6.10.diff.gz
  Size/MD5 checksum:60273 a8684ac089f94f51d9dba35b8f2ef2ee

http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_2.2.2.orig.tar.gz
  Size/MD5 checksum:  1640320 4dc8538c4c8dd8b13ef4f8e62446d777

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kamera_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:68922 48acd5fbefe60dc12513e34693fb

http://security.debian.org/pool/updates/main/k/kdegraphics/kcoloredit_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:94962 b25389f837d87286c1543431ff11ac25

http://security.debian.org/pool/updates/main/k/kdegraphics/kfract_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:65730 588dd564ade59459b95334f309270d56

http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:   166106 af6d37e17256369cb467fd6b19d0b8a0

http://security.debian.org/pool/updates/main/k/kdegraphics/kiconedit_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:   172674 c3a44bb868dd584fc54bbc3d153d5f82

http://security.debian.org/pool/updates/main/k/kdegraphics/kooka_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:   115440 78c6251848e621e2b2157fffcc7296d9

http://security.debian.org/pool/updates/main/k/kdegraphics/kpaint_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:   113282 57f5eae1e13539746519d73f05754976

http://security.debian.org/pool/updates/main/k/kdegraphics/kruler_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:49274 4790c55f49193a64187df1eb37eeb730

http://security.debian.org/pool/updates/main/k/kdegraphics/ksnapshot_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:61630 aeb3b58dc0b1e753e5fed61d1755c4ee

http://security.debian.org/pool/updates/main/k/kdegraphics/kview_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:  1056348 e32f60c13dac0f934a2856aab5252e21

http://security.debian.org/pool/updates/main/k/kdegraphics/libkscan-dev_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:23446 8bc1b3c1d8452d80b492dc0a648a26bf

http://security.debian.org/pool/updates/main/k/kdegraphics/libkscan1_2.2.2-6.10_alpha.deb
  Size/MD5 checksum:   125332 1b6fb756824620040843f7c7aecbd92e

  ARM architecture:


http://security.debian.org/pool/updates/main/k/kdegraphics/kamera_2.2.2-6.10_arm.deb
  Size/MD5 checksum:60200 376e2db3bb90fd84afb925ded414db87

http://security.debian.org/pool/updates/main/k/kdegraphics/kcoloredit_2.2.2-6.10_arm.deb
  Size/MD5 checksum:75356

[SECURITY] [DSA 233-1] New cvs packages fix arbitrary code execution

2003-01-22 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 233-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 21st, 2003  http://www.debian.org/security/faq
- --

Package: cvs
Vulnerability  : doubly freed memory
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0015

Stefan Esser discovered a problem in cvs, a concurrent versions
system, which is used for many Free Software projects.  The current
version contains a flaw that can be used by a remote attacker to
execute arbitrary code on the CVS server under the user id the CVS
server runs as.  Anonymous read-only access is sufficient to exploit
this problem.

For the stable distribution (woody) this problem has been
fixed in version 1.11.1p1debian-8.1.

For the old stable distribution (potato) this problem has been fixed
in version 1.10.7-9.2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your cvs package immediately.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2.dsc
  Size/MD5 checksum:  582 5c3493da60574f2d207376ffc8023964
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2.diff.gz
  Size/MD5 checksum:35717 76d1e80427b67945e2b10c4bd449b1b7
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7.orig.tar.gz
  Size/MD5 checksum:  2312181 614e72d2a6dff40f3f5bec2e9be270f2

  Architecture independent components:

http://security.debian.org/pool/updates/main/c/cvs/cvs-doc_1.10.7-9.2_all.deb
  Size/MD5 checksum:   875428 d7a1b05fc60c8524077b41abef40be82

  Alpha architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2_alpha.deb
  Size/MD5 checksum:   559820 6d27ca86cf46ffdec1ff9ca0710c74d2

  ARM architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2_arm.deb
  Size/MD5 checksum:   474478 93283c96da77a7c2906576632ff1f666

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2_i386.deb
  Size/MD5 checksum:   455974 32924918a5a027f287c1fff64139aa98

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2_m68k.deb
  Size/MD5 checksum:   434776 df8c02b15a87bec5658d88e913bb0617

  PowerPC architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2_powerpc.deb
  Size/MD5 checksum:   484070 78114da539eb4db94d5be1b77e6f1145

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.10.7-9.2_sparc.deb
  Size/MD5 checksum:   476174 159dc8aefaffe14e4188efc9efae1b1a


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-8.1.dsc
  Size/MD5 checksum:  687 3bd481f023c7d48ebf940f18f7c33676
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-8.1.diff.gz
  Size/MD5 checksum:46985 f82269f5699a64b3c8a1836f4307d5b1
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian.orig.tar.gz
  Size/MD5 checksum:  2621658 500965ab9702b31605f8c58aa21a6205

  Alpha architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-8.1_alpha.deb
  Size/MD5 checksum:  1177920 eed3c107f8156965a2648ff6bc57ea1a

  ARM architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-8.1_arm.deb
  Size/MD5 checksum:  1104340 6d55d5b6013029726f33d27f756e8232

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-8.1_i386.deb
  Size/MD5 checksum:  1085010 db4c58e92bfdc56730c14df95ba8fab8

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-8.1_ia64.deb
  Size/MD5 checksum:  1269590 4cea089453af0476f3c304a9c0055092

  HP Precision architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-8.1_hppa.deb
  Size/MD5 checksum:  1146366 157380627dc8e7e8c0cc3d6510bb8c85

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/cvs

[SECURITY] [DSA 238-1] New kdepim packages fix several vulnerabilities

2003-01-23 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 238-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 23rd, 2003  http://www.debian.org/security/faq
- --

Package: kdepim
Vulnerability  : several
Problem-type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1393

The KDE team discovered several vulnerabilities in the K Desktop
Environment.  In some instances KDE fails to properly quote parameters
of instructions passed to a command shell for execution.  These
parameters may incorporate data such as URLs, filenames and e-mail
addresses, and this data may be provided remotely to a victim in an
e-mail, a webpage or files on a network filesystem or other untrusted
source.

By carefully crafting such data an attacker might be able to execute
arbitrary commands on a vulnerable system using the victim's account and
privileges.  The KDE Project is not aware of any existing exploits of
these vulnerabilities.  The patches also provide better safeguards
and check data from untrusted sources more strictly in multiple
places.

For the current stable distribution (woody), these problems have been fixed
in version 2.2.2-5.2.

The old stable distribution (potato) does not contain KDE packages.

For the unstable distribution (sid), these problems will most probably
not be fixed but new packages for KDE 3.1 for sid are expected for
this year.

We recommend that you upgrade your KDE packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/k/kdepim/kdepim_2.2.2-5.2.dsc
  Size/MD5 checksum:  817 3a9b6d07e71b4a78fff95f1e0d5f3df1
http://security.debian.org/pool/updates/main/k/kdepim/kdepim_2.2.2-5.2.diff.gz
  Size/MD5 checksum:   104449 81c061d65307d74cb877766b57b22693
http://security.debian.org/pool/updates/main/k/kdepim/kdepim_2.2.2.orig.tar.gz
  Size/MD5 checksum:  2426387 e090f1aad8ebd1a3ea1ecd42d51532f9

  Alpha architecture:

http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_alpha.deb
  Size/MD5 checksum:   109240 6c5235a3331c8d3a774f7830e048f3d8

http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_alpha.deb
  Size/MD5 checksum:22648 3a055bcaee8f6f88afe80b30e6f2211d

http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_alpha.deb
  Size/MD5 checksum:   456832 578b1f4eac0aebac76e90fe4010fcfb9

http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_alpha.deb
  Size/MD5 checksum:   716432 50b9d71558a64615f1392cbe93033355
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_alpha.deb
  Size/MD5 checksum:   824996 27aa213fa013720f5f5a926aed891845

  ARM architecture:

http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_arm.deb
  Size/MD5 checksum:84314 8fbc92a65edc80b03d56629677366371
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_arm.deb
  Size/MD5 checksum:22646 7d035230f1ea1179e69ea25b167c7a96
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_arm.deb
  Size/MD5 checksum:   362892 5261b05a017c810ec3a59aecb937f0b2
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_arm.deb
  Size/MD5 checksum:   620202 c638b1d0ff98cd9d78ca3bb8ddebabee
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_arm.deb
  Size/MD5 checksum:   724560 b4cb3ab202e12b3e4ce1180280b7b7c4

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_i386.deb
  Size/MD5 checksum:84642 1cde319e7dc3939d6de153ebf9128140
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_i386.deb
  Size/MD5 checksum:22638 072fc2043003c57ee1288b461fe5080e

http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_i386.deb
  Size/MD5 checksum:   359282 60abc8750287b7acd90aea5f96ad681c
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_i386.deb
  Size/MD5 checksum:   598284 3272ea2762c45f9a97c868433750bf6c
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_i386

[SECURITY] [DSA 240-1] New kdegames packages fix several vulnerabilities

2003-01-23 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 240-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 23rd, 2003  http://www.debian.org/security/faq
- --

Package: kdegames
Vulnerability  : several
Problem-type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1393

The KDE team discovered several vulnerabilities in the K Desktop
Environment.  In some instances KDE fails to properly quote parameters
of instructions passed to a command shell for execution.  These
parameters may incorporate data such as URLs, filenames and e-mail
addresses, and this data may be provided remotely to a victim in an
e-mail, a webpage or files on a network filesystem or other untrusted
source.

By carefully crafting such data an attacker might be able to execute
arbitrary commands on a vulnerable system using the victim's account and
privileges.  The KDE Project is not aware of any existing exploits of
these vulnerabilities.  The patches also provide better safeguards
and check data from untrusted sources more strictly in multiple
places.

For the current stable distribution (woody), these problems have been fixed
in version 2.2.2-2.2.

The old stable distribution (potato) does not contain KDE packages.

For the unstable distribution (sid), these problems will most probably
not be fixed but new packages for KDE 3.1 for sid are expected for
this year.

We recommend that you upgrade your KDE packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/k/kdegames/kdegames_2.2.2-2.2.dsc
  Size/MD5 checksum:  883 3614b7151489f0237a53e3d595fcdd27
http://security.debian.org/pool/updates/main/k/kdegames/kdegames_2.2.2-2.2.diff.gz
  Size/MD5 checksum:10064 8e217ed87d2f00c04d6cc76269e58369
http://ftp.debian.org/debian/pool/main/k/kdegames/kdegames_2.2.2.orig.tar.gz
  Size/MD5 checksum:  9427259 d9423da460cef3299d2ed4fcea719cfd

  Architecture independent components:


http://security.debian.org/pool/updates/main/k/kdegames/kdecarddecks_2.2.2-2.2_all.deb
  Size/MD5 checksum:  4556736 a2d12e3769a26a3df8013a2791f44507

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/kdegames/kabalone_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   133210 cd6ffdce7d04a07dbd2bfb7cc9263927

http://security.debian.org/pool/updates/main/k/kdegames/kasteroids_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   435122 b0f9a065aa7811f632e641a7e36749e1
http://security.debian.org/pool/updates/main/k/kdegames/katomic_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:80254 f26e2ae40953a2676502a15b4ee6bbe9

http://security.debian.org/pool/updates/main/k/kdegames/kbackgammon_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   439288 d9ede9b45517abba291da390f18491c8

http://security.debian.org/pool/updates/main/k/kdegames/kbattleship_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   389008 6b1d86781ca66f6960590546736f7694

http://security.debian.org/pool/updates/main/k/kdegames/kblackbox_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:91840 66ab942c3e7f117c0621f850711f215b
http://security.debian.org/pool/updates/main/k/kdegames/kjezz_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   102790 7398f126cf7ca934e16f54a0125368ee

http://security.debian.org/pool/updates/main/k/kdegames/kjumpingcube_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:70732 4367920a21c9baf70e6f651596dfc187
http://security.debian.org/pool/updates/main/k/kdegames/klines_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   132858 1dc62d7eeecb740dd211a16cec26dc32

http://security.debian.org/pool/updates/main/k/kdegames/kmahjongg_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   544912 961f5bcdbccf6bd410bf6e1b0b1e71e9
http://security.debian.org/pool/updates/main/k/kdegames/kmines_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   110344 2478d184dcb6206d28e093e9a6b98bdc

http://security.debian.org/pool/updates/main/k/kdegames/konquest_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   138900 38609255433e3d4f39f78707fd0d7e1a
http://security.debian.org/pool/updates/main/k/kdegames/kpat_2.2.2-2.2_alpha.deb
  Size/MD5 checksum:   298586 915a0445cdd2e5983ffaf99a498e0d26
http://security.debian.org/pool

[SECURITY] [DSA 241-1] New kdeutils packages fix several vulnerabilities

2003-01-24 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 241-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 24th, 2003  http://www.debian.org/security/faq
- --

Package: kdeutils
Vulnerability  : several
Problem-type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1393

The KDE team discovered several vulnerabilities in the K Desktop
Environment.  In some instances KDE fails to properly quote parameters
of instructions passed to a command shell for execution.  These
parameters may incorporate data such as URLs, filenames and e-mail
addresses, and this data may be provided remotely to a victim in an
e-mail, a webpage or files on a network filesystem or other untrusted
source.

By carefully crafting such data an attacker might be able to execute
arbitrary commands on a vulnerable system using the victim's account and
privileges.  The KDE Project is not aware of any existing exploits of
these vulnerabilities.  The patches also provide better safeguards
and check data from untrusted sources more strictly in multiple
places.

For the current stable distribution (woody), these problems have been fixed
in version 2.2.2-9.2.

The old stable distribution (potato) does not contain KDE packages.

For the unstable distribution (sid), these problems will most probably
not be fixed but new packages for KDE 3.1 for sid are expected for
this year.

We recommend that you upgrade your KDE packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/k/kdeutils/kdeutils_2.2.2-9.2.dsc
  Size/MD5 checksum:  860 8591a1cec7cc63c3b9f2dc1c5cadcd31
http://security.debian.org/pool/updates/main/k/kdeutils/kdeutils_2.2.2-9.2.diff.gz
  Size/MD5 checksum:14829 0d39bcbfe9874bc7427bef0b850d2ad0
http://security.debian.org/pool/updates/main/k/kdeutils/kdeutils_2.2.2.orig.tar.gz
  Size/MD5 checksum:  1474615 717aa3449f128bff9591b09f04586a7e

  Alpha architecture:

http://security.debian.org/pool/updates/main/k/kdeutils/ark_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:   220580 4d774f7163330550c74ee278c34ac8ba
http://security.debian.org/pool/updates/main/k/kdeutils/kab_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:   257660 a448d1efdbc02d86c7621ec37da20946
http://security.debian.org/pool/updates/main/k/kdeutils/karm_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:88292 4f244194714f608862edd40cdc62e8eb
http://security.debian.org/pool/updates/main/k/kdeutils/kcalc_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:   105414 1e8a8d9d9c41ba806f7e3f5f59859f30

http://security.debian.org/pool/updates/main/k/kdeutils/kcharselect_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:47350 4df9f9b310ec298cb2bb6994a1dfe285

http://security.debian.org/pool/updates/main/k/kdeutils/kdepasswd_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:27232 f45a5d19dc796d0d5a1e2d8251adddb8
http://security.debian.org/pool/updates/main/k/kdeutils/kdf_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:   220450 fd94dbc1396236237c1295fbdc4625df
http://security.debian.org/pool/updates/main/k/kdeutils/kedit_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:   105908 38c3edf16c83194fba4af72baa080264
http://security.debian.org/pool/updates/main/k/kdeutils/kfind_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:79484 a0d8428062d21bfad6f084c8a2837d37
http://security.debian.org/pool/updates/main/k/kdeutils/kfloppy_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:48948 ecc3685640ea65799a613ae40bf20500

http://security.debian.org/pool/updates/main/k/kdeutils/khexedit_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:   321458 dfe120742481f5aaa35194ca1a535123
http://security.debian.org/pool/updates/main/k/kdeutils/kjots_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:77358 38387929149bdafbf8efb65d9a5fac93

http://security.debian.org/pool/updates/main/k/kdeutils/klaptopdaemon_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:95180 55daccbd400db12616a8510d622f0464

http://security.debian.org/pool/updates/main/k/kdeutils/kljettool_2.2.2-9.2_alpha.deb
  Size/MD5 checksum:93044 2f73b824dbaeba31b5b172a355dfb4df
http://security.debian.org/pool/updates/main/k/kdeutils/klpq_2.2.2-9.2_alpha.deb
  Size/MD5

[SECURITY] [DSA 237-1] New kdenetwork packages fix several vulnerabilities

2003-01-24 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 237-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 22nd, 2003  http://www.debian.org/security/faq
- --

Package: kdenetwork
Vulnerability  : several
Problem-type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1393

The KDE team discovered several vulnerabilities in the K Desktop
Environment.  In some instances KDE fails to properly quote parameters
of instructions passed to a command shell for execution.  These
parameters may incorporate data such as URLs, filenames and e-mail
addresses, and this data may be provided remotely to a victim in an
e-mail, a webpage or files on a network filesystem or other untrusted
source.

By carefully crafting such data an attacker might be able to execute
arbitrary commands on a vulnerable system using the victim's account and
privileges.  The KDE Project is not aware of any existing exploits of
these vulnerabilities.  The patches also provide better safeguards
and check data from untrusted sources more strictly in multiple
places.

For the current stable distribution (woody), these problems have been fixed
in version 2.2.2-14.6.

The old stable distribution (potato) does not contain KDE packages.

For the unstable distribution (sid), these problems will most probably
not be fixed but new packages for KDE 3.1 for sid are expected for
this year.

We recommend that you upgrade your KDE packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



[SECURITY] [DSA 244-1] New noffle packages fix buffer overflows

2003-01-27 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 244-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 27th, 2003  http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: noffle
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0037

Dan Jacobson noticed a problem in noffle, an offline news server, that
leads to a segmentation fault.  It is not yet clear whether this
problem is exploitable.  However, if it is, a remote attacker could
trigger arbitrary code execution under the user that calls noffle,
probably news.

For the stable distribution (woody) this problem has been fixed in
version 1.0.1-1.1.

The old stable distribution (potato) does not contain a noffle
package.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.2-1.

We recommend that you upgrade your noffle package.






  These files will probably be moved into the stable distribution on
  its next revision.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg





[SECURITY] [DSA 249-1] New w3mmee packages fix cookie information leak

2003-02-11 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 249-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 11th, 2003 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: w3mmee
Vulnerability  : missing HTML quoting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1335 CAN-2002-1348

Hironori Sakamoto, one of the w3m developers, found two security
vulnerabilities in w3m and associated programs.  The w3m browser does
not properly escape HTML tags in frame contents and img alt
attributes.  A malicious HTML frame or img alt attribute may deceive a
user into sending his local cookies, which are used for configuration.
The information is not leaked automatically, though.

For the stable distribution (woody) these problems have been fixed in
version 0.3.p23.3-1.5.  Please note that the update also contains an
important patch to make the program work on the powerpc platform again.

The old stable distribution (potato) is not affected by these
problems.

For the unstable distribution (sid) these problems have been fixed in
version 0.3.p24.17-3 and later.

We recommend that you upgrade your w3mmee packages.





[SECURITY] [DSA 248-1] New hypermail packages fix arbitrary code execution

2003-02-11 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 248-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 31st, 2003  http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: hypermail
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0057

Ulf Harnhammar discovered two problems in hypermail, a program to
create HTML archives of mailing lists.

An attacker could craft a long filename for an attachment that would
overflow two buffers when a certain option for interactive use was
given, opening the possibility to inject arbitrary code.  This code
would then be executed under the user id hypermail runs as, mostly as
a local user.  Automatic and silent use of hypermail does not seem to
be affected.

The CGI program mail, which is not installed by the Debian package,
does a reverse look-up of the user's IP number and copies the
resulting hostname into a fixed-size buffer.  A specially crafted DNS
reply could overflow this buffer, opening the program to an exploit.
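The second hypermail problem, as an added example that is not hypermail code: a hostname returned by a reverse lookup is attacker-controlled input, so the copy into the fixed buffer has to be bounded and the name validated. `HOST_BUF`, the helper names and the sample names are constructed for this example; no real DNS lookup is performed.

```c
/* Added example (not hypermail code): a DNS reply is untrusted input.
 * Treat the hostname from a reverse lookup like any other attacker-
 * supplied string: validate its syntax and bound the copy. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HOST_BUF 64   /* constructed size for the fixed buffer */

/* Vulnerable pattern (what the advisory describes; not executed here):
 *     char host[HOST_BUF];
 *     struct hostent *h = gethostbyaddr(...);
 *     strcpy(host, h->h_name);   // h_name length is chosen by the DNS server
 */

/* Syntax check per RFC 1123: labels of [A-Za-z0-9-], 1..63 characters,
 * no leading or trailing hyphen, total length at most 253.  Returns 1 if
 * valid, 0 otherwise. */
int hostname_valid(const char *name)
{
    size_t total = strlen(name);
    if (total == 0 || total > 253) return 0;
    size_t label = 0;
    for (const char *p = name; ; p++) {
        if (*p == '.' || *p == '\0') {
            if (label == 0 || label > 63) return 0;   /* empty or oversized label */
            if (p[-1] == '-') return 0;               /* label may not end in '-' */
            if (*p == '\0') break;
            label = 0;
        } else if (isalnum((unsigned char)*p) || *p == '-') {
            if (label == 0 && *p == '-') return 0;    /* label may not start with '-' */
            label++;
        } else {
            return 0;   /* whitespace, control characters, '/', etc. */
        }
    }
    return 1;
}

/* Bounded copy that fails closed: a truncated hostname in a log is as
 * misleading as a bogus one, so an oversized name is rejected, not cut. */
int copy_hostname(char *dst, size_t dstsz, const char *name)
{
    if (!hostname_valid(name)) return -1;
    size_t len = strlen(name);
    if (len + 1 > dstsz) return -1;
    memcpy(dst, name, len + 1);
    return 0;
}

/* What the CGI would do with the answer: accept it into HOST_BUF or not. */
int accept_reverse_name(const char *name)
{
    char host[HOST_BUF];
    return copy_hostname(host, sizeof host, name) == 0;
}

/* Constructed worst case: a PTR answer of 300 'a's, longer than HOST_BUF
 * and longer than any legal label. */
int long_reply_rejected(void)
{
    char name[301];
    memset(name, 'a', 300);
    name[300] = '\0';
    return !hostname_valid(name) && !accept_reverse_name(name);
}

/* Constructed: syntactically fine (81 characters) but larger than HOST_BUF,
 * so the syntax check passes and only the bounded copy stops it. */
const char long_valid_name[] =
    "aaaaaaaaaaaaaaaaaaaa.bbbbbbbbbbbbbbbbbbbb.cccccccccccccccccccc.dddddddddd.example";

int main(void)
{
    const char *samples[] = { "mail.example.invalid", "bad host", "evil-.example",
                              "4.3.2.1.in-addr.arpa", long_valid_name };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-82s valid=%d accepted=%d\n", samples[i],
               hostname_valid(samples[i]), accept_reverse_name(samples[i]));
    printf("300-byte reply rejected: %d\n", long_reply_rejected());
    return 0;
}
```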

For the stable distribution (woody) this problem has been fixed in
version 2.1.3-2.0.

For the old stable distribution (potato) this problem has been fixed
in version 2.0b25-1.1.

For the unstable distribution (sid) this problem has been fixed
in version 2.1.6-1.

We recommend that you upgrade your hypermail packages.





[SECURITY] [DSA 250-1] New w3mmee-ssl packages fix cookie information leak

2003-02-13 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 250-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 12th, 2003 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: w3mmee-ssl
Vulnerability  : missing HTML quoting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1335 CAN-2002-1348

Hironori Sakamoto, one of the w3m developers, found two security
vulnerabilities in w3m and associated programs.  The w3m browser does
not properly escape HTML tags in frame contents and img alt
attributes.  A malicious HTML frame or img alt attribute may deceive a
user into sending his local cookies, which are used for configuration.
The information is not leaked automatically, though.

For the stable distribution (woody) these problems have been fixed in
version 0.3.p23.3-1.5.  Please note that the update also contains an
important patch to make the program work on the powerpc platform again.

The old stable distribution (potato) is not affected by these
problems.

For the unstable distribution (sid) these problems have been fixed in
version 0.3.p24.17-3 and later.

We recommend that you upgrade your w3mmee-ssl packages.






  These files will probably be moved into the stable distribution on
  its next revision.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http

[SECURITY] [DSA 251-1] New w3m packages fix cookie information leak

2003-02-14 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 251-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 14th, 2003 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: w3m, w3m-ssl
Vulnerability  : missing HTML quoting
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-1335 CAN-2002-1348

Hironori Sakamoto, one of the w3m developers, found two security
vulnerabilities in w3m and associated programs.  The w3m browser does
not properly escape HTML tags in frame contents and img alt
attributes.  A malicious HTML frame or img alt attribute may deceive a
user into sending his local cookies, which are used for configuration.
The information is not leaked automatically, though.
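The missing HTML quoting behind DSA 249, 250 and 251, as an added example that is not w3m code: an img alt value pasted into markup verbatim, next to the escaped form. The escaping routine and the sample alt text are constructed for this example; the same escape applies to text placed into frame contents.

```c
/* Added example (not w3m code): escaping untrusted text before it is
 * placed into an HTML attribute such as img alt, so a crafted value
 * cannot close the attribute and start markup of its own. */
#include <stdio.h>
#include <string.h>

/* Escapes the five characters that carry meaning in HTML text and
 * attribute context.  Returns 0, or -1 if `out` cannot hold the result;
 * the caller must treat -1 as an error, never as "emit unescaped". */
int html_escape(char *out, size_t n, const char *in)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (pos + need + 1 > n) return -1;    /* +1 for the NUL */
        if (rep) { memcpy(out + pos, rep, need); pos += need; }
        else out[pos++] = *in;
    }
    out[pos] = '\0';
    return 0;
}

/* Vulnerable shape (what the advisory describes): the attribute value is
 * pasted in verbatim, so a quote in it terminates the attribute. */
int render_alt_unsafe(char *out, size_t n, const char *alt)
{
    int len = snprintf(out, n, "<img alt=\"%s\">", alt);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Fixed shape: escape first, then build the tag. */
int render_alt_safe(char *out, size_t n, const char *alt)
{
    char esc[512];
    if (html_escape(esc, sizeof esc, alt) != 0) return -1;
    int len = snprintf(out, n, "<img alt=\"%s\">", esc);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Number of tag openers in rendered markup: exactly one is expected for
 * a single img tag; more means the value broke out of the attribute. */
int tag_count(const char *html)
{
    int count = 0;
    for (; *html; html++) if (*html == '<') count++;
    return count;
}

int unsafe_tag_count(const char *alt)
{
    char html[1024];
    return render_alt_unsafe(html, sizeof html, alt) == 0 ? tag_count(html) : -1;
}
int safe_tag_count(const char *alt)
{
    char html[1024];
    return render_alt_safe(html, sizeof html, alt) == 0 ? tag_count(html) : -1;
}
int escape_equals(const char *in, const char *expected)
{
    char esc[256];
    return html_escape(esc, sizeof esc, in) == 0 && strcmp(esc, expected) == 0;
}

int main(void)
{
    /* Constructed alt text that closes the attribute and opens a new tag. */
    const char *alt = "\"><b>bold</b>";
    char html[1024];
    render_alt_unsafe(html, sizeof html, alt);
    printf("unsafe: %s  (tags: %d)\n", html, tag_count(html));
    render_alt_safe(html, sizeof html, alt);
    printf("safe  : %s  (tags: %d)\n", html, tag_count(html));
    return 0;
}
```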

For the stable distribution (woody) these problems have been fixed in
version 0.3-2.4.

The old stable distribution (potato) is not affected by these
problems.

For the unstable distribution (sid) these problems have been fixed in
version 0.3.2.2-1 and later.

We recommend that you upgrade your w3m and w3m-ssl packages.





[SECURITY] [DSA 252-1] New slocate packages fix local root exploit

2003-02-21 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 252-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 21st, 2003 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: slocate
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2003-0056

A problem has been discovered in slocate, a secure locate replacement.
A buffer overflow in the setuid program slocate can be used to execute
arbitrary code as superuser.

For the stable distribution (woody) this problem has been
fixed in version 2.6-1.3.1.

The old stable distribution (potato) is not affected by this problem.

For the unstable distribution (sid) this problem has been fixed in
version 2.7-1.

We recommend that you upgrade your slocate package immediately.






  These files will probably be moved into the stable distribution on
  its next revision.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg




[SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability

2003-02-24 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 253-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 24th, 2003 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: openssl
Vulnerability  : information leak
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0078

A vulnerability has been discovered in OpenSSL, a Secure Socket Layer
(SSL) implementation.  In an upcoming paper, Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL,
Ilion) describe and demonstrate a timing-based attack on CBC cipher
suites used in SSL and TLS.  OpenSSL has been found to be vulnerable to
this attack.
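The control-flow defect that makes a CBC record check measurable, as an added example that is not OpenSSL code: a checker that returns as soon as the padding is wrong (skipping the MAC and answering faster) beside one that always computes the MAC and reports a single error. The record layout follows TLS CBC (plaintext, MAC, padding), but the MAC is a constructed stand-in rather than HMAC so the block runs without libcrypto, and `make_record`, `demo` and the sample key and plaintext are constructed for this example.

```c
/* Added example (not OpenSSL code): the control-flow defect behind the
 * timing attack on CBC suites, and the shape of the mitigation.  A record
 * is laid out like a decrypted TLS CBC record: plaintext || MAC || padding,
 * with every padding byte equal to the padding length.  The MAC is a
 * constructed stand-in (FNV-1a over key || msg), not HMAC. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { REC_OK = 0, REC_BAD_PADDING = 1, REC_BAD_MAC = 2, REC_ERROR = 3 };
#define MAC_LEN 4

/* Stand-in keyed checksum; what matters here is when it is called. */
static void toy_mac(const uint8_t *key, size_t klen,
                    const uint8_t *msg, size_t mlen, uint8_t out[MAC_LEN])
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < klen; i++) h = (h ^ key[i]) * 16777619u;
    for (size_t i = 0; i < mlen; i++) h = (h ^ msg[i]) * 16777619u;
    for (int i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Vulnerable shape: invalid padding returns before the MAC is computed,
 * so "bad padding" answers one MAC computation faster than "bad MAC",
 * and the two cases are also told apart by the error code. */
int check_record_vulnerable(const uint8_t *key, size_t klen,
                            const uint8_t *rec, size_t len, int *mac_computed)
{
    *mac_computed = 0;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 + MAC_LEN > len) return REC_BAD_PADDING;
    for (size_t i = 0; i <= pad; i++)
        if (rec[len - 1 - i] != pad) return REC_BAD_PADDING;
    size_t plen = len - pad - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(key, klen, rec, plen, mac);
    *mac_computed = 1;
    return memcmp(mac, rec + plen, MAC_LEN) == 0 ? REC_OK : REC_BAD_MAC;
}

/* Hardened shape: no early exit, the MAC is always computed, the
 * comparison does not short-circuit, and one error code covers both
 * failures.  (Production code also equalises the MAC input length across
 * padding values; that refinement is omitted here.) */
int check_record_hardened(const uint8_t *key, size_t klen,
                          const uint8_t *rec, size_t len, int *mac_computed)
{
    uint8_t pad = rec[len - 1];
    unsigned good = 1;
    if ((size_t)pad + 1 + MAC_LEN > len) { pad = 0; good = 0; }
    for (size_t i = 0; i <= pad; i++)
        good &= (unsigned)(rec[len - 1 - i] == pad);   /* accumulate, never return */
    size_t plen = len - pad - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(key, klen, rec, plen, mac);
    *mac_computed = 1;
    unsigned diff = 0;
    for (int i = 0; i < MAC_LEN; i++) diff |= (unsigned)(mac[i] ^ rec[plen + i]);
    good &= (unsigned)(diff == 0);
    return good ? REC_OK : REC_ERROR;
}

/* Builds plaintext || MAC || padding into `out` (constructed test data). */
static size_t make_record(const uint8_t *key, size_t klen,
                          const uint8_t *pt, size_t plen, uint8_t pad, uint8_t *out)
{
    memcpy(out, pt, plen);
    toy_mac(key, klen, pt, plen, out + plen);
    memset(out + plen + MAC_LEN, pad, (size_t)pad + 1);
    return plen + MAC_LEN + pad + 1;
}

/* which: 0 = intact record, 1 = corrupted padding byte, 2 = corrupted MAC.
 * Returns the checker's verdict; *mac_computed records whether the MAC was
 * evaluated, which is the timing difference an observer can measure. */
int demo(int hardened, int which, int *mac_computed)
{
    static const uint8_t key[] = "constructed-key";
    static const uint8_t pt[] = "GET / HTTP/1.0";
    uint8_t rec[64];
    size_t len = make_record(key, sizeof key - 1, pt, sizeof pt - 1, 5, rec);
    if (which == 1) rec[len - 3] ^= 0xff;        /* inside the padding */
    if (which == 2) rec[sizeof pt - 1] ^= 0x01;  /* first MAC byte */
    return hardened ? check_record_hardened(key, sizeof key - 1, rec, len, mac_computed)
                    : check_record_vulnerable(key, sizeof key - 1, rec, len, mac_computed);
}

int demo_verdict(int hardened, int which) { int m; return demo(hardened, which, &m); }
int demo_mac_computed(int hardened, int which) { int m; demo(hardened, which, &m); return m; }
```

With the vulnerable checker the bad-padding case skips the MAC and returns a distinct code; the hardened checker does the same amount of work and returns `REC_ERROR` for both failures.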

For the stable distribution (woody) this problem has been
fixed in version 0.9.6c-2.woody.2.

For the old stable distribution (potato) this problem has been fixed
in version 0.9.6c-0.potato.5.  Please note that this updates the
version from potato-proposed-updates that supersedes the version in
potato.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.7a-1.

We recommend that you upgrade your openssl packages.




Debian GNU/Linux 2.2 alias potato
- -


[SECURITY] [DSA 254-1] New NANOG traceroute packages fix buffer overflow

2003-02-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 254-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 27th, 2003 http://www.debian.org/security/faq
- --

Package: traceroute-nanog
Vulnerability  : buffer overflow
Problem-Type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1051 CAN-2002-1364 CAN-2002-1386 CAN-2002-1387
BugTraq Id : 4956 6166 6274 6275

A vulnerability has been discovered in NANOG traceroute, an enhanced
version of the Van Jacobson/BSD traceroute program.  A buffer overflow
occurs in the 'get_origin()' function.  Due to insufficient bounds
checking performed by the whois parser, it may be possible to corrupt
memory on the system stack.  This vulnerability can be exploited by a
remote attacker to gain root privileges on a target host.  Though,
most probably not in Debian.

The Common Vulnerabilities and Exposures (CVE) project additionally
identified the following vulnerabilities which were already fixed in
the Debian version in stable (woody) and oldstable (potato) and are
mentioned here for completeness (and since other distributions had to
release a separate advisory for them):

 * CAN-2002-1364 (BugTraq ID 6166) talks about a buffer overflow in
   the get_origin function which allows attackers to execute arbitrary
   code via long WHOIS responses.

 * CAN-2002-1051 (BugTraq ID 4956) talks about a format string
   vulnerability that allows local users to execute arbitrary code via
   the -T (terminator) command line argument.

 * CAN-2002-1386 talks about a buffer overflow that may allow local
   users to execute arbitrary code via a long hostname argument.

 * CAN-2002-1387 talks about the spray mode that may allow local users
   to overwrite arbitrary memory locations.

Fortunately, the Debian package drops privileges quite early after
startup, so those problems are not likely to result in an exploit on a
Debian machine.
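The bounds check the advisory describes as missing from the whois parser, as an added example in C; this is not traceroute-nanog's code, and the function name get_origin_safe, the 32-byte destination buffer and the sample whois response are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define ORIGIN_MAX 32  /* assumed size of the fixed stack buffer the value lands in */

/*
 * Find the "origin:" line in a whois response and copy its value into
 * dst (capacity dstlen).  Returns 1 on success, 0 if the response has
 * no origin line, and -1 if the value would not fit.  The length test
 * before memcpy() is the bounds check whose absence lets an over-long
 * WHOIS response overwrite the stack in an unchecked parser.
 */
int get_origin_safe(const char *resp, char *dst, size_t dstlen)
{
    const char *line = resp;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        /* whois attribute keys are conventionally lower case */
        if (linelen >= 7 && strncmp(line, "origin:", 7) == 0) {
            const char *val = line + 7;
            size_t vlen = linelen - 7;

            while (vlen > 0 && (*val == ' ' || *val == '\t')) {   /* leading blanks */
                val++;
                vlen--;
            }
            while (vlen > 0 && (val[vlen - 1] == '\r' || val[vlen - 1] == ' '))
                vlen--;                                           /* CRLF / trailing blanks */

            if (vlen >= dstlen)   /* no room for value plus terminator: refuse */
                return -1;
            memcpy(dst, val, vlen);
            dst[vlen] = '\0';
            return 1;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Constructed sample response (RFC 5737 test prefix, private ASN); not real whois data. */
const char SAMPLE_RESPONSE[] =
    "route:      192.0.2.0/24\n"
    "descr:      TEST-NET-1\n"
    "origin:     AS64496\n"
    "source:     TEST\n";

/* Convenience wrapper with a static destination, used by main() and the tests. */
char g_origin[ORIGIN_MAX];

int parse_origin(const char *resp)
{
    return get_origin_safe(resp, g_origin, sizeof g_origin);
}

int main(void)
{
    char hostile[256];
    int rc = parse_origin(SAMPLE_RESPONSE);
    printf("sample: rc=%d origin=\"%s\"\n", rc, g_origin);

    /* An origin value longer than the buffer: rejected instead of copied past its end. */
    memset(hostile, 'A', sizeof hostile - 1);
    hostile[sizeof hostile - 1] = '\0';
    memcpy(hostile, "origin: ", 8);
    rc = parse_origin(hostile);
    printf("over-long: rc=%d\n", rc);
    return 0;
}
```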

For the current stable distribution (woody) the above problem has been
fixed in version 6.1.1-1.2.

For the old stable distribution (potato) the above problem has been
fixed in version 6.0-2.2.

For the unstable distribution (sid) these problems have been fixed in
version 6.3.0-1.

We recommend that you upgrade your traceroute-nanog package.



Debian GNU/Linux 2.2 alias potato
- -


Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 255-1] New tcpdump packages fix denial of service vulnerability

2003-02-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 255-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 27th, 2003 http://www.debian.org/security/faq
- --

Package: tcpdump
Vulnerability  : infinite loop
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0108

Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition.  An
attacker is able to send a specially crafted network packet which
causes tcpdump to enter an infinite loop.

In addition to the above problem the tcpdump developers discovered a
potential infinite loop when parsing malformed BGP packets.  They also
discovered a buffer overflow that can be exploited with certain
malformed NFS packets.

For the stable distribution (woody) these problems have been
fixed in version 3.6.2-2.3.

The old stable distribution (potato) does not seem to be affected
by this problem.

For the unstable distribution (sid) these problems have been fixed in
version 3.7.1-1.2.

We recommend that you upgrade your tcpdump packages.




Debian GNU/Linux 3.0 alias woody
- 


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg




[SECURITY] [DSA 258-1] New ethereal packages fix arbitrary code execution

2003-03-11 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 258-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 10th, 2003 http://www.debian.org/security/faq
- --

Package: ethereal
Vulnerability  : format string vulnerability
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0081

Georgi Guninski discovered a problem in ethereal, a network traffic
analyzer.  The program contains a format string vulnerability that
could probably lead to execution of arbitrary code.

For the stable distribution (woody) this problem has been fixed in
version 0.9.4-1woody3.

The old stable distribution (potato) does not seem to be affected
by this problem.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.9-2.

We recommend that you upgrade your ethereal packages.




Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 261-1] New tcpdump packages fix denial of service vulnerability

2003-03-14 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 261-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 14th, 2003 http://www.debian.org/security/faq
- --

Package: tcpdump
Vulnerability  : infinite loop
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0093

A problem has been discovered in tcpdump, a powerful tool for network
monitoring and data acquisition.  An attacker is able to send a
specially crafted RADIUS network packet which causes tcpdump to enter
an infinite loop.
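Added example, not tcpdump's code, serving this advisory and DSA 255 above: a RADIUS attribute walker that shows how a length field which never advances the parser's cursor produces the infinite loop both advisories describe, and the guard against it. The packet bytes are constructed, and the assumption that the defect is of this no-progress kind is mine, not something the advisories state.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RADIUS_HDR_LEN 20   /* code(1) id(1) length(2) authenticator(16) */
#define RADIUS_MAX_ATTRS 64 /* hard cap on iterations: a second line of defence */

/*
 * Count the attributes of a RADIUS packet of caplen captured bytes.
 * Each attribute is type(1) length(1) value(length-2), and length
 * includes its own two header bytes.  Returns the attribute count, or
 * -1 if the packet is malformed.
 *
 * The decisive check is `len < 2`: a walker that only verifies the
 * attribute fits in the remaining bytes will accept length 0, add 0
 * to its offset, and re-parse the same attribute forever.  That is the
 * "infinite loop on a crafted packet" class of defect.
 */
int radius_count_attrs(const uint8_t *pkt, size_t caplen)
{
    size_t off = RADIUS_HDR_LEN;
    int n = 0;

    if (caplen < RADIUS_HDR_LEN)
        return -1;

    while (off < caplen) {
        size_t len;

        if (caplen - off < 2)        /* attribute header itself is truncated */
            return -1;
        len = pkt[off + 1];
        if (len < 2)                 /* would not advance: reject */
            return -1;
        if (len > caplen - off)      /* value runs past the capture */
            return -1;
        off += len;                  /* guaranteed to make progress */
        if (++n > RADIUS_MAX_ATTRS)
            return -1;
    }
    return n;
}

/* Constructed packets (not real captures). Access-Request, id 42, length 32. */
const uint8_t GOOD_PKT[] = {
    1, 42, 0, 32,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* authenticator */
    1, 6, 'u', 's', 'e', 'r',                         /* User-Name */
    4, 6, 192, 0, 2, 1                                /* NAS-IP-Address */
};

/* Same header followed by an attribute whose length field is 0. */
const uint8_t ZERO_LEN_PKT[] = {
    1, 42, 0, 22,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    1, 0
};

int main(void)
{
    printf("good:     %d attributes\n", radius_count_attrs(GOOD_PKT, sizeof GOOD_PKT));
    printf("zero-len: %d\n", radius_count_attrs(ZERO_LEN_PKT, sizeof ZERO_LEN_PKT));
    printf("cut off:  %d\n", radius_count_attrs(GOOD_PKT, 28));
    return 0;
}
```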

For the stable distribution (woody) this problem has been
fixed in version 3.6.2-2.4.

The old stable distribution (potato) does not seem to be affected
by this problem.

The unstable distribution (sid) is not affected by this problem anymore.

We recommend that you upgrade your tcpdump package.




Debian GNU/Linux 3.0 alias woody
- 


  These files will probably be moved into the stable distribution on
  its next revision.




[SECURITY] [DSA 263-1] New tcpdump packages fix denial of service vulnerability

2003-03-17 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 263-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 17th, 2003 http://www.debian.org/security/faq
- --

Package: netpbm-free
Vulnerability  : math overflow errors
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0146
CERT advisory  : VU#378049 VU#630433

Al Viro and Alan Cox discovered several maths overflow errors in
NetPBM, a set of graphics conversion tools.  These programs are not
installed setuid root but are often installed to prepare data for
processing.  These vulnerabilities may allow remote attackers to cause
a denial of service or execute arbitrary code.
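Added example, not NetPBM's code: the overflow check an image allocation needs before multiplying header fields, which is the maths-overflow class this advisory names. The function names and the dimensions used are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Size in bytes of a cols x rows raster at bytes_per_pixel bytes per
 * pixel, or 0 if any factor is zero or the product does not fit in a
 * size_t.  A parser that multiplies header fields without this test
 * can ask malloc() for a wrapped-around (tiny) buffer and then decode a
 * multi-gigabyte image into it.
 */
size_t raster_bytes(uint32_t cols, uint32_t rows, uint32_t bytes_per_pixel)
{
    size_t row_bytes;

    if (cols == 0 || rows == 0 || bytes_per_pixel == 0)
        return 0;
    if ((size_t)cols > SIZE_MAX / bytes_per_pixel)
        return 0;                                  /* cols * bpp would wrap */
    row_bytes = (size_t)cols * bytes_per_pixel;
    if ((size_t)rows > SIZE_MAX / row_bytes)
        return 0;                                  /* rows * row_bytes would wrap */
    return (size_t)rows * row_bytes;
}

/* The unchecked arithmetic, kept only to show the wrap-around. */
size_t raster_bytes_unchecked(uint32_t cols, uint32_t rows, uint32_t bytes_per_pixel)
{
    return cols * rows * bytes_per_pixel;   /* 32-bit product, wraps silently */
}

/* Allocate a raster, or return NULL when the dimensions are unsafe. */
unsigned char *alloc_raster(uint32_t cols, uint32_t rows, uint32_t bytes_per_pixel)
{
    size_t n = raster_bytes(cols, rows, bytes_per_pixel);
    return n ? malloc(n) : NULL;
}

int main(void)
{
    unsigned char *img;

    printf("640x480x3:        %zu bytes\n", raster_bytes(640, 480, 3));
    printf("65536x65536x1:    unchecked says %zu bytes\n",
           raster_bytes_unchecked(65536, 65536, 1));
    printf("4294967295^2 x 3: checked says %zu (0 = refused)\n",
           raster_bytes(UINT32_MAX, UINT32_MAX, 3));

    img = alloc_raster(UINT32_MAX, UINT32_MAX, 3);
    printf("alloc_raster on the hostile header: %s\n", img ? "allocated" : "refused");
    free(img);
    return 0;
}
```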

For the stable distribution (woody) this problem has been
fixed in version 9.20-8.2.

The old stable distribution (potato) does not seem to be affected
by this problem.

For the unstable distribution (sid) this problem has been
fixed in version 9.20-9.

We recommend that you upgrade your netpbm package.




Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 264-1] New lxr packages fix information disclosure

2003-03-19 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 264-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 19th, 2003 http://www.debian.org/security/faq
- --

Package: lxr
Vulnerability  : missing filename sanitizing
Problem-Type   : remote
Debian-specific: no

Upstream developers of lxr, a general hypertext cross-referencing
tool, have been alerted of a vulnerability that allows a remote
attacker to read arbitrary files on the host system as user www-data.
This could disclose local files that were not meant to be shared with
the public.
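Added example, not lxr's code: the filename sanitizing step this advisory says was missing, as a lexical check that keeps a web-supplied path below the configured source root. The request strings are constructed and the function names are assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MAX_SEGMENTS 64

/*
 * Lexically clean a web-supplied file path so that it can only name
 * something below the configured source root: repeated slashes and "."
 * segments are dropped, ".." pops the previous segment, and any ".."
 * with nothing left to pop means the request is trying to climb out of
 * the tree and is refused.  No filesystem access happens here.
 * Returns 1 and writes the cleaned relative path into out (empty string
 * meaning the root itself), 0 if the path escapes or does not fit.
 */
int sanitize_request_path(const char *req, char *out, size_t outlen)
{
    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    int nseg = 0;
    const char *p = req;
    size_t used = 0;

    while (*p != '\0') {
        const char *s;
        size_t l;

        while (*p == '/')            /* collapse "//" and a leading "/" */
            p++;
        if (*p == '\0')
            break;
        s = p;
        while (*p != '\0' && *p != '/')
            p++;
        l = (size_t)(p - s);

        if (l == 1 && s[0] == '.')
            continue;                /* "." is a no-op */
        if (l == 2 && s[0] == '.' && s[1] == '.') {
            if (nseg == 0)
                return 0;            /* ".." above the root: refuse */
            nseg--;
            continue;
        }
        if (nseg == MAX_SEGMENTS)
            return 0;
        seg[nseg] = s;
        seglen[nseg] = l;
        nseg++;
    }

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    for (int i = 0; i < nseg; i++) {
        size_t need = seglen[i] + (i > 0 ? 1 : 0);
        if (used + need >= outlen)
            return 0;                /* would not fit, including terminator */
        if (i > 0)
            out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
        out[used] = '\0';
    }
    return 1;
}

/* Static destination so callers (and the tests) can inspect the result. */
char g_clean[256];

int check_request(const char *req)
{
    return sanitize_request_path(req, g_clean, sizeof g_clean);
}

int main(void)
{
    /* constructed request strings, not lxr's own URL format */
    const char *reqs[] = {
        "source/./kernel//sched.c",
        "source/include/../lib/string.c",
        "../../../etc/passwd",
        "source/../../etc/passwd",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int ok = check_request(reqs[i]);
        printf("%-34s -> %s%s\n", reqs[i], ok ? "ok: " : "refused", ok ? g_clean : "");
    }
    return 0;
}
```

This is a lexical check only; if the source tree itself contains symlinks that point outside it, the file actually opened still needs a realpath()-style containment test against the root.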

For the stable distribution (woody) this problem has been
fixed in version 0.3-3.

The old stable distribution (potato) is not affected since it does not
contain an lxr package.

For the unstable distribution (sid) this problem has been
fixed in version 0.3-4.

We recommend that you upgrade your lxr package.




Debian GNU/Linux 3.0 alias woody
- 


  These files will probably be moved into the stable distribution on
  its next revision.




[SECURITY] [DSA 265-1] New bonsai packages fix several vulnerabilities

2003-03-21 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 265-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 21st, 2003 http://www.debian.org/security/faq
- --

Package: bonsai
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids: CAN-2003-0152 CAN-2003-0153 CAN-2003-0154 CAN-2003-0155

Rémi Perrot fixed several security related bugs in bonsai, the
Mozilla CVS query tool by web interface.  Vulnerabilities include
arbitrary code execution, cross-site scripting and access to
configuration parameters.  The Common Vulnerabilities and Exposures
project identifies the following problems:

  * CAN-2003-0152 - Remote execution of arbitrary commands as www-data

  * CAN-2003-0153 - Absolute path disclosure

  * CAN-2003-0154 - Cross site scripting attacks

  * CAN-2003-0155 - Unauthenticated access to parameters page

For the stable distribution (woody) these problems have been fixed in
version 1.3+cvs20020224-1woody1.

The old stable distribution (potato) is not affected since it doesn't
contain bonsai.

For the unstable distribution (sid) these problems have been fixed in
version 1.3+cvs20030317-1.

We recommend that you upgrade your bonsai package.




Debian GNU/Linux 3.0 alias woody
- 


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing

[SECURITY] [DSA 266-1] New krb5 packages fix several vulnerabilities

2003-03-24 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 266-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 17th, 2003 http://www.debian.org/security/faq
- --

Package: krb5
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids: CAN-2003-0028 CAN-2003-0072 CAN-2003-0138 CAN-2003-0139
CERT advisories: VU#623217 VU#442569 VU#516825 CA-2003-10

Several vulnerabilities have been discovered in krb5, an
implementation of MIT Kerberos.

 . A cryptographic weakness in version 4 of the Kerberos protocol
   allows an attacker to use a chosen-plaintext attack to impersonate
   any principal in a realm.  Additional cryptographic weaknesses in
   the krb4 implementation included in the MIT krb5 distribution
   permit the use of cut-and-paste attacks to fabricate krb4 tickets
   for unauthorized client principals if triple-DES keys are used to
   key krb4 services.  These attacks can subvert a site's entire
   Kerberos authentication infrastructure.

   Kerberos version 5 does not contain this cryptographic
   vulnerability.  Sites are not vulnerable if they have Kerberos v4
   completely disabled, including the disabling of any krb5 to krb4
   translation services.

 . The MIT Kerberos 5 implementation includes an RPC library derived
   from SUNRPC.  The implementation contains length checks that are
   vulnerable to an integer overflow, which may be exploitable to
   create denials of service or to gain unauthorized access to
   sensitive information.

 . Buffer overrun and underrun problems exist in Kerberos principal
   name handling in unusual cases, such as names with zero components,
   names with one empty component, or host-based service principal
   names with no host name component.

For the stable distribution (woody) this problem has been
fixed in version 1.2.4-5woody4.

The old stable distribution (potato) does not contain krb5 packages.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your krb5 package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 267-1] New lpr packages fix local root exploit

2003-03-24 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 267-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 24th, 2003 http://www.debian.org/security/faq
- --

Package: lpr
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2003-0144

A buffer overflow has been discovered in lpr, a BSD lpr/lpd line
printer spooling system.  This problem can be exploited by a local
user to gain root privileges, even if the printer system is set up
properly.

For the stable distribution (woody) this problem has been fixed in
version 2000.05.07-4.3.

For the old stable distribution (potato) this problem has been fixed
in version 0.48-1.1.

For the unstable distribution (sid) this problem has been fixed in
version 2000.05.07-4.20.

We recommend that you upgrade your lpr package immediately.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -



Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 268-1] New mutt packages fix arbitrary code execution

2003-03-25 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 268-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 25th, 2003 http://www.debian.org/security/faq
- --

Package: mutt
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
Bugtraq ID : 7120
CVE Id : CAN-2003-0140

Core Security Technologies discovered a buffer overflow in the IMAP
code of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG,
PGP and threading.  This problem allows a remote malicious IMAP server
to cause a denial of service (crash) and possibly execute arbitrary
code via a specially crafted mail folder.

For the stable distribution (woody) this problem has been fixed in
version 1.3.28-2.1.

The old stable distribution (potato) is not affected by this problem.

For the unstable distribution (sid) this problem has been fixed in
version 1.5.4-1.

We recommend that you upgrade your mutt package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 269-1] New heimdal packages fix authentication failure

2003-03-26 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 269-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 26th, 2003 http://www.debian.org/security/faq
- --

Package: heimdal
Vulnerability  : Cryptographic weakness
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0138
CERT advisory  : VU#623217

A cryptographic weakness in version 4 of the Kerberos protocol allows
an attacker to use a chosen-plaintext attack to impersonate any
principal in a realm.  Additional cryptographic weaknesses in the krb4
implementation permit the use of cut-and-paste attacks to fabricate
krb4 tickets for unauthorized client principals if triple-DES keys are
used to key krb4 services.  These attacks can subvert a site's entire
Kerberos authentication infrastructure.

This version of the heimdal package changes the default behavior and
disallows cross-realm authentication for Kerberos version 4.  Because
of the fundamental nature of the problem, cross-realm authentication
in Kerberos version 4 cannot be made secure and sites should avoid its
use.  A new option (--kerberos4-cross-realm) is provided to the kdc 
command to re-enable version 4 cross-realm authentication for those
sites that must use this functionality but desire the other security
fixes.

For the stable distribution (woody) this problem has been
fixed in version 0.4e-7.woody.6.

The old stable distribution (potato) is not affected by this problem,
since it isn't compiled against Kerberos 4.

For the unstable distribution (sid) this problem has been
fixed in version 0.5.2-1.

We recommend that you upgrade your heimdal packages immediately.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit

2003-03-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 270-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 27th, 2003 http://www.debian.org/security/faq
- --

Packages   : kernel-patch-2.4.17-mips, kernel-patch-2.4.19-mips
Vulnerability  : local privilege escalation
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2003-0127

The kernel module loader in Linux 2.2 and Linux 2.4 kernels has a flaw
in ptrace.  This hole allows local users to obtain root privileges by
using ptrace to attach to a child process that is spawned by the
kernel.  Remote exploitation of this hole is not possible.

This advisory only covers kernel packages for the big and little endian MIPS
architectures.  Other architectures will be covered by separate advisories.

For the stable distribution (woody) this problem has been fixed in version
2.4.17-0.020226.2.woody1 of kernel-patch-2.4.17-mips (mips+mipsel) and in
version 2.4.19-0.020911.1.woody1 of kernel-patch-2.4.19-mips (mips only).

The old stable distribution (potato) is not affected by this problem
for these architectures since mips and mipsel were first released with
Debian GNU/Linux 3.0 (woody).

For the unstable distribution (sid) this problem has been fixed in
version 2.4.19-0.020911.6 of kernel-patch-2.4.19-mips (mips+mipsel).

We recommend that you upgrade your kernel-images packages immediately.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 


[SECURITY] [DSA 271-1] New ecartis and listar packages fix password change vulnerability

2003-03-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 271-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 27th, 2003 http://www.debian.org/security/faq
- --

Package: ecartis, listar
Vulnerability  : unauthorized password change
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0162

A problem has been discovered in ecartis, a mailing list manager,
formerly known as listar.  This vulnerability enables an attacker to
reset the password of any user defined on the list server, including
the list admins.

For the stable distribution (woody) this problem has been fixed in
version 0.129a+1.0.0-snap20020514-1.1 of ecartis.

For the old stable distribution (potato) this problem has been fixed
in version 0.129a-2.potato3 of listar.

For the unstable distribution (sid) this problem has been
fixed in version 1.0.0+cvs.20030321-1 of ecartis.

We recommend that you upgrade your ecartis and listar packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
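The manual upgrade path repeated in each advisory above (wget the .deb, then dpkg -i) is only as safe as the check between those two steps: the downloaded file has to match the "Size/MD5 checksum" line the signed advisory lists for it. The following is an added example, not code from the advisories or from Debian's tooling: it parses the two-line URL / "Size/MD5 checksum:" entries in the format these DSAs use (including the collapsed spacing seen in the archived copies), verifies a local file against both values, and refuses to report success for an entry whose MD5 is missing, as happens where an archived advisory is truncated. The .deb payload and the example URL are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# A DSA download entry is a URL line followed by a "Size/MD5 checksum:" line.
# Archived copies sometimes drop the space after the colon
# ("Size/MD5 checksum:53566 d168..."), so the separator is optional.
_URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
_SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s*(\d+)(?:\s+([0-9a-fA-F]{32}))?\s*$")


def parse_download_list(text):
    """Return a list of (url, size, md5) triples from advisory text.

    An entry whose checksum line carries a size but no 32-hex-digit MD5
    (a truncated archive line) is returned with md5=None so the caller can
    refuse to trust it rather than silently skipping the check.
    """
    entries = []
    pending_url = None
    for line in text.splitlines():
        m = _URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = _SUM_RE.match(line)
        if m and pending_url:
            size = int(m.group(1))
            md5 = m.group(2).lower() if m.group(2) else None
            entries.append((pending_url, size, md5))
            pending_url = None
    return entries


def verify_file(path, size, md5):
    """Check a downloaded file against the advisory's size and MD5.

    Returns "ok", "size-mismatch", "md5-mismatch" or "no-checksum".
    Both values are compared; a matching size alone proves nothing.
    """
    if md5 is None:
        return "no-checksum"
    if os.path.getsize(path) != size:
        return "size-mismatch"
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == md5 else "md5-mismatch"


# Constructed stand-in for a downloaded .deb (not a real package).
SAMPLE_DEB = b"!<arch>\ndebian-binary   constructed sample, not a real package\n"


def sample_advisory(payload):
    """Build a constructed advisory excerpt whose first entry describes
    `payload` (a hypothetical package URL) and whose second entry copies
    the truncated libkrb5-dev line from DSA 266-1 above, MD5 missing."""
    return (
        "  Intel IA-32 architecture:\n\n"
        "http://security.debian.org/pool/updates/main/e/example/example_1.0-1_i386.deb\n"
        "  Size/MD5 checksum:%d %s\n"
        "http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_alpha.deb\n"
        "  Size/MD5 checksum:   632620\n"
    ) % (len(payload), hashlib.md5(payload).hexdigest())


def demo():
    """Verify a pristine copy, a same-length tampered copy, and a
    truncated entry. Returns a dict of the three verdicts."""
    entries = parse_download_list(sample_advisory(SAMPLE_DEB))
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.deb")
        with open(good, "wb") as f:
            f.write(SAMPLE_DEB)
        # Same length, last byte altered: the size check passes, MD5 must catch it.
        bad = os.path.join(tmp, "bad.deb")
        with open(bad, "wb") as f:
            f.write(SAMPLE_DEB[:-1] + b"X")
        url, size, md5 = entries[0]
        results["pristine"] = verify_file(good, size, md5)
        results["tampered"] = verify_file(bad, size, md5)
        results["truncated_entry"] = verify_file(good, entries[1][1], entries[1][2])
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-16s %s" % (name, verdict))
```

The checksums are only as trustworthy as the advisory text they came from, which is why the DSAs are PGP-signed; verify the signature before relying on the listed values.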


Debian GNU/Linux 2.2 alias potato
- -



Debian GNU/Linux 3.0 alias woody
- 

