[SECURITY] [DSA 523-1] New www-sql packages fix buffer overflow
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 523-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman June 19th, 2004 http://www.debian.org/security/faq - -- Package: www-sql Vulnerability : buffer overflow Problem-Type : local Debian-specific: no CVE Ids: CAN-2004-0455 Ulf Härnhammar discovered a buffer overflow vulnerability in www-sql, a CGI program which enables the creation of dynamic web pages by embedding SQL statements in HTML. By exploiting this vulnerability, a local user could cause the execution of arbitrary code by creating a web page and processing it with www-sql. For the current stable distribution (woody), this problem has been fixed in version 0.5.7-17woody1. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you update your www-sql package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/w/www-sql/www-sql_0.5.7-17woody1.dsc Size/MD5 checksum: 623 830be25aad38186b4178ce5ff424d796 http://security.debian.org/pool/updates/main/w/www-sql/www-sql_0.5.7-17woody1.diff.gz Size/MD5 checksum: 5651 17f259d168cb7d620c125d5d7cc3a311 http://security.debian.org/pool/updates/main/w/www-sql/www-sql_0.5.7.orig.tar.gz Size/MD5 checksum: 144332 96aaae705c711c4af723c6646a48c301 Alpha architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_alpha.deb Size/MD5 checksum:47508 453ee924cde1a11376a4502995670e8e http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_alpha.deb Size/MD5 checksum:48472 e1652f6b7d2454a7e1288874821a09e1 ARM architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_arm.deb Size/MD5 checksum:42002 4254ca5e05d673c1d73c4f9ed73ed126 http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_arm.deb Size/MD5 checksum:42338 404e674c59182c200b9693d80289b752 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_i386.deb Size/MD5 checksum:41446 28de214d36809a8ed88484d65a290619 http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_i386.deb Size/MD5 checksum:41798 3cdd4a39f99a88b4ee868c7be8e051fc Intel IA-64 architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_ia64.deb Size/MD5 checksum:53050 8d8caceeb1843afef110dba1f94f91bb http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_ia64.deb Size/MD5 checksum:53524 b5e42ce7363e4617fe88a05fc1dd048e HP Precision architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_hppa.deb Size/MD5 checksum:45330 a0da3671f82ebd5c4dac0ff894463021 http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_hppa.deb Size/MD5 checksum:45796 6729114cc8e92fa1b278ccf619370f50 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_m68k.deb Size/MD5 checksum:40222 0af8912f6629243e49f71b520c9522c1 http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_m68k.deb Size/MD5 checksum:40542 edb269316ec27e7f73bb801e0bb74c00 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_mips.deb Size/MD5 checksum:45190 eba2210f7bbfb019d7a4dacb40e69460 http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_mips.deb Size/MD5 checksum:45438 ee92959d93a961dcd431a7b917677aef Little endian MIPS architecture: http://security.debian.org/pool/updates/main/w/www-sql/www-mysql_0.5.7-17woody1_mipsel.deb Size/MD5 checksum:45154 409d7105da9c8ad1f6058d5ac9afa3e1 http://security.debian.org/pool/updates/main/w/www-sql/www-pgsql_0.5.7-17woody1_mipsel.deb Size/MD5 checksum:45396 3c546d9fb0bd4a8e9d7cf49170548025 PowerPC architecture:
[SECURITY] [DSA 524-1] New rlpr packages fix multiple vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 524-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman June 19th, 2004 http://www.debian.org/security/faq - -- Package: rlpr Vulnerability : several Problem-Type : local, remote Debian-specific: no CVE Ids: CAN-2004-0393 CAN-2004-0454 [EMAIL PROTECTED] discovered a format string vulnerability in rlpr, a utility for lpd printing without using /etc/printcap. While investigating this vulnerability, a buffer overflow was also discovered in related code. By exploiting one of these vulnerabilities, a local or remote user could potentially cause arbitrary code to be executed with the privileges of 1) the rlprd process (remote), or 2) root (local). CAN-2004-0393: format string vulnerability via syslog(3) in msg() function in rlpr CAN-2004-0454: buffer overflow in msg() function in rlpr For the current stable distribution (woody), this problem has been fixed in version 2.02-7woody1. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you update your rlpr package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1.dsc Size/MD5 checksum: 520 4fc2b5e321d5dceba3dfc480c569bad5 http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1.diff.gz Size/MD5 checksum: 4275 bf830077979ba42aaa9fd1befa86f148 http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02.orig.tar.gz Size/MD5 checksum: 152750 09b27ef3f67bc95fc5566d6c35025f58 Alpha architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_alpha.deb Size/MD5 checksum:73504 3754865750b1a62370cb401dd44d7eab ARM architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_arm.deb Size/MD5 checksum:46202 8f7de308545d274e96e4fcf9a9e6fbea Intel IA-32 architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_i386.deb Size/MD5 checksum:55222 d373769fa727b8fb5881818a9a1b52f1 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_ia64.deb Size/MD5 checksum:90206 7991cf6c9c6364c89f4a4b53dc497099 HP Precision architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_hppa.deb Size/MD5 checksum:51230 1714b62af8cb81eda68a7c28ab5f9d39 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_m68k.deb Size/MD5 checksum:45764 519427c01fc7bd3ba274322ca631fb9b Big endian MIPS architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_mips.deb Size/MD5 checksum:65596 dba2dd1d4644fc646bc09033211e931d Little endian MIPS architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_mipsel.deb Size/MD5 checksum:65674 6e4d7d75b3fa624faa0310126a887eee PowerPC architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_powerpc.deb Size/MD5 checksum:47308 fd192bbd137378a91e691b5c94de5cdd IBM S/390 architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_s390.deb Size/MD5 checksum:46680 912f9256b9231463cc5dfcfe95a29284 Sun Sparc architecture: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_sparc.deb Size/MD5 checksum:59614 e192f3a0517f9819ae7601775a40b490 These files will probably be moved into the stable distribution on its next revision. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: [EMAIL PROTECTED] Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA1O8BArxCt0PiXR4RAsX0AJ0dQfNKM8Vq7Spv7XnRFAVQI16p0wCg2IdO xfG9TDLWEUj+UrE/GKMtM2M= =2JxA -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of
Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
Hi Matt! Matt Zimmerman wrote: Package: super Vulnerability : format string Problem-Type : remote Max Vozeler discovered a format string vulnerability in super, a program to allow specified users to execute commands with root privileges. This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. Why is the problem remote, when it can be exploited by a local user? Bernhard -- Webspace; Low end Serverhousing ab 15 e, etc.: http://www.bksys.at Linux Admin/Programmierer: http://bksys.at/bernhard/services.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: password managers
On Tue, 15 Jun 2004 (10:46), Alberto Gonzalez Iniesta wrote: autocmd BufReadPre,FileReadPre *.gpg,*.asc set viminfo= autocmd BufReadPre,FileReadPre *.gpg,*.asc set noswapfile These auto-commands are very interesting... But there is an error: BufReadPre is _not_ executed if the file does not exist, so if you are editing a new file your viminfo setting are the defaults, leaving traces of your encrypted file in your .viminfo . I strongly suggest to add the event 'BufNewFile' to the first 2 autocmd, hoping this can resolve the problem. Ciao, Daniele -- JID: [EMAIL PROTECTED] (http://www.jabber.org) Free your mind signature.asc Description: Digital signature
Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
On Sat, Jun 19, 2004 at 11:46:37AM +0200, Bernhard Kuemel wrote: Matt Zimmerman wrote: Package: super Vulnerability : format string Problem-Type : remote Max Vozeler discovered a format string vulnerability in super, a program to allow specified users to execute commands with root privileges. This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. Why is the problem remote, when it can be exploited by a local user? Late night. -- - mdz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Ticket creation failed
No permission to create tickets in the queue 'accounts' -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 521-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman June 18th, 2004 http://www.debian.org/security/faq - -- Package: sup Vulnerability : format string Problem-Type : remote Debian-specific: no CVE Ids: CAN-2004-0451 [EMAIL PROTECTED] discovered a format string vulnerability in sup, a set of programs to synchronize collections of files across a number of machines, whereby a remote attacker could potentially cause arbitrary code to be executed with the privileges of the supfilesrv process (this process does not run automatically by default). CAN-2004-0451: format string vulnerabilities in sup via syslog(3) in logquit, logerr, loginfo functions For the current stable distribution (woody), this problem has been fixed in version 1.8-8woody2. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you update your sup package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2.dsc Size/MD5 checksum: 538 f5817f83647a677ec6781c9d55843307 http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2.diff.gz Size/MD5 checksum: 6859 7b9cf999b1fb2c7662024ceb0c498039 http://security.debian.org/pool/updates/main/s/sup/sup_1.8.orig.tar.gz Size/MD5 checksum: 65 76371f01340ce62cd71687349c5aa27e Alpha architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_alpha.deb Size/MD5 checksum: 103714 62123f3b8178825af23107d24c843bd1 ARM architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_arm.deb Size/MD5 checksum:82756 a866d4f3b3fdbdb86e2db7ba745ea480 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_i386.deb Size/MD5 checksum:82624 580ca0b977cc27212c4e7778b435d4f3 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_ia64.deb Size/MD5 checksum: 127664 cf7db9e24bbf333da16343bcdc5e9e82 HP Precision architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_hppa.deb Size/MD5 checksum:94516 371292e2eaec3f04d49c8b29cb6e82ed Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_m68k.deb Size/MD5 checksum:76454 4144ec09078326ba8e3facc6bef0e3b8 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_mips.deb Size/MD5 checksum:96814 c7e843b2ac5573c792c8c45910717f07 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_mipsel.deb Size/MD5 checksum:96452 c0558b55bce77470e1d9d52b515d39e1 PowerPC architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_powerpc.deb Size/MD5 checksum:85246 06e0683ba5c24a406a02b131304a6e6f IBM S/390 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_s390.deb Size/MD5 checksum:84656 b1e6f251fc3a22eb43d9bbd3044828bc Sun Sparc architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_sparc.deb Size/MD5 checksum:89948 b8965ae16901df1eb9eb64faa8169d39 These files will probably be moved into the stable distribution on its next revision. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA07eRArxCt0PiXR4RArlSAJ4iW4GblVHLWXwzearT+H4mGQcg/gCgiViY A2Pf/3Y9xupsEwnFSH+Cr5w= =yjyQ -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
Hi Matt! Matt Zimmerman wrote: Package: super Vulnerability : format string Problem-Type : remote Max Vozeler discovered a format string vulnerability in super, a program to allow specified users to execute commands with root privileges. This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. Why is the problem remote, when it can be exploited by a local user? Bernhard -- Webspace; Low end Serverhousing ab 15 e, etc.: http://www.bksys.at Linux Admin/Programmierer: http://bksys.at/bernhard/services.html
Re: password managers
On Tue, 15 Jun 2004 (10:46), Alberto Gonzalez Iniesta wrote: autocmd BufReadPre,FileReadPre *.gpg,*.asc set viminfo= autocmd BufReadPre,FileReadPre *.gpg,*.asc set noswapfile These auto-commands are very interesting... But there is an error: BufReadPre is _not_ executed if the file does not exist, so if you are editing a new file your viminfo setting are the defaults, leaving traces of your encrypted file in your .viminfo . I strongly suggest to add the event 'BufNewFile' to the first 2 autocmd, hoping this can resolve the problem. Ciao, Daniele -- JID: [EMAIL PROTECTED] (http://www.jabber.org) Free your mind signature.asc Description: Digital signature
Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
On Sat, Jun 19, 2004 at 11:46:37AM +0200, Bernhard Kuemel wrote: Matt Zimmerman wrote: Package: super Vulnerability : format string Problem-Type : remote Max Vozeler discovered a format string vulnerability in super, a program to allow specified users to execute commands with root privileges. This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. Why is the problem remote, when it can be exploited by a local user? Late night. -- - mdz
