Re: [SECURITY] [DSA 2327-1] libfcgi-perl security-update

2011-10-24 Thread Tom Furie
On Mon, Oct 24, 2011 at 03:13:28PM -0600, Lustick, Richard wrote:

> Please remove me from this email. 

Read the footer of the -announce mails, and unsubscribe yourself.

Cheers,
Tom

-- 
It is Texas law that when two trains meet each other at a railroad crossing,
each shall come to a full stop, and neither shall proceed until the other
has gone.




RE: [SECURITY] [DSA 2327-1] libfcgi-perl security-update

2011-10-24 Thread Lustick, Richard
Please remove me from this email. 


Richard Lustick
EchoStar Broadcasting Corporation
UPL- Systems Engineering
Staff DBA
(307) 633-5313

-Original Message-
From: Nico Golde [mailto:n...@debian.org] 
Sent: Monday, October 24, 2011 12:17 PM
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 2327-1] libfcgi-perl security-update
Importance: High

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-2327-1    secur...@debian.org
http://www.debian.org/security/        Nico Golde
Oct 24th, 2011                         http://www.debian.org/security/faq
- --

Package        : libfcgi-perl
Vulnerability  : authentication bypass
Problem type   : remote
Debian-specific: no
Debian bug     : 607479
CVE IDs        : CVE-2011-2766

Ferdinand Smit discovered that libfcgi-perl, a Perl module for writing FastCGI 
applications, is incorrectly restoring environment variables of a prior request 
in subsequent requests.  In some cases this may lead to authentication bypasses 
or worse.


The oldstable distribution (lenny) is not affected by this problem.

For the stable distribution (squeeze), this problem has been fixed in version 
0.71-1+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in version 
0.73-2.

For the unstable distribution (sid), this problem has been fixed in version 
0.73-2.

We recommend that you upgrade your libfcgi-perl packages.

Further information about Debian Security Advisories, how to apply these 
updates to your system and frequently asked questions can be found at: 
http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


--
To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111024181630.ga23...@ngolde.de




--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/d61c0c65d3dfa34890fe68a51adf418a1407170...@echoexcc1.sats.corp
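
The bug class described in DSA-2327-1 above, as an added example that is not part of the original thread and is not libfcgi-perl's code or API: a simplified Python model of a persistent FastCGI-style worker, showing how environment variables carried over from a prior request let an unauthenticated request inherit `REMOTE_USER`, next to a worker that rebuilds the environment per request. The class names, handler and sample requests are constructed for illustration.

```python
# Simplified model of a persistent FastCGI-style worker (constructed for
# illustration; this is not libfcgi-perl's code or API).

def handler(env):
    """Application logic that trusts REMOTE_USER set by the front-end server."""
    user = env.get("REMOTE_USER")
    return f"200 hello {user}" if user else "401 login required"


class LeakyWorker:
    """Keeps one environment dict alive for the life of the process."""

    def __init__(self, base_env):
        self.env = dict(base_env)

    def serve(self, request_params):
        # Defect: parameters are merged over whatever the previous request
        # left behind, so variables absent from this request keep old values.
        self.env.update(request_params)
        return handler(self.env)


class CleanWorker:
    """Rebuilds the environment from the process baseline on every request."""

    def __init__(self, base_env):
        self.base_env = dict(base_env)

    def serve(self, request_params):
        env = dict(self.base_env)  # fresh copy, nothing carried over
        env.update(request_params)
        return handler(env)


# Constructed sample requests: the first is authenticated by the web server,
# the second arrives with no REMOTE_USER at all.
BASE_ENV = {"PATH": "/usr/bin"}
REQUESTS = [
    {"REQUEST_URI": "/account", "REMOTE_USER": "alice"},
    {"REQUEST_URI": "/account"},
]


def run(worker_cls):
    """Serve the sample requests in order through one long-lived worker."""
    worker = worker_cls(BASE_ENV)
    return [worker.serve(r) for r in REQUESTS]


if __name__ == "__main__":
    print("leaky:", run(LeakyWorker))
    print("clean:", run(CleanWorker))
```

The same two-request sequence (authenticated, then unauthenticated, through one long-lived process) works as a regression check against a deployed FastCGI application after upgrading.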



Re: Bug#645881: critical update 29 available

2011-10-24 Thread Simon,Mathieu
Hi

From: Sylvestre Ledru [sylves...@debian.org]
Sent: Friday, 21 October 2011 11:34

>> As for stable/oldstable: I noticed that Red Hat provided packages for
>> update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK):
>> http://lwn.net/Articles/463919/
> Well, I wonder how (if ?) they can do that...

I'd expect Red Hat has an agreement with Oracle that allows them to do so 
(including financial agreement) ;)

- Mathieu




Re: Bug#645881: critical update 29 available

2011-10-24 Thread Sylvestre Ledru
On Friday, 21 October 2011 at 08:41 +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 19, 2011 at 06:20:12PM +0200, Torsten Werner wrote:
> > Hi Philipp,
> > 
> > On 19.10.2011 16:33, Philipp Kern wrote:
> > > Or it's the removal of the package.
> > 
> > we should remove sun-java5 from oldstable, too, if we are going to
> > remove sun-java6 from (old)stable. But I do not have a strong opinion on
> > that.
> 
> In any case we should go ahead with the removal from unstable ASAP.
OK. I will file a request tonight.

> As for stable/oldstable: I noticed that Red Hat provided packages for
> update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): 
> http://lwn.net/Articles/463919/
Well, I wonder how (if ?) they can do that...

Sylvestre


