Re: [SECURITY] [DSA 1714-1] New rt2570 packages fix arbitrary code execution
Thank you Moritz for your information! I'm using Ubuntu i386 debian.

2009/1/28 Moritz Muehlenhoff

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1714-1                  secur...@debian.org
> http://www.debian.org/security/                        Moritz Muehlenhoff
> January 28, 2009                      http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : rt2570
> Vulnerability  : integer overflow
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2009-0282
>
> It was discovered that an integer overflow in the "Probe Request" packet
> parser of the Ralinktech wireless drivers might lead to remote denial of
> service or the execution of arbitrary code.
>
> Please note that you need to rebuild your driver from the source
> package in order to set this update into effect. Detailed
> instructions can be found in /usr/share/doc/rt2570-source/README.Debian
>
> For the stable distribution (etch), this problem has been fixed in
> version 1.1.0+cvs20060620-3+etch1.
>
> For the upcoming stable distribution (lenny) and the unstable
> distribution (sid), this problem has been fixed in version
> 1.1.0+cvs20080623-2.
>
> We recommend that you upgrade your rt2570 package.
>
> Upgrade instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
> mipsel, powerpc, s390 and sparc.
>
> Source archives:
>
>   http://security.debian.org/pool/updates/main/r/rt2570/rt2570_1.1.0+cvs20060620-3+etch1.dsc
>     Size/MD5 checksum:      664 457b00a7cf3d60bef559e9cdc442e036
>   http://security.debian.org/pool/updates/main/r/rt2570/rt2570_1.1.0+cvs20060620-3+etch1.diff.gz
>     Size/MD5 checksum:     4958 20b48e5fb05d999bfc643a2bb0c7401f
>   http://security.debian.org/pool/updates/main/r/rt2570/rt2570_1.1.0+cvs20060620.orig.tar.gz
>     Size/MD5 checksum:   253367 f4131d670920a878b4d4a0f5d4d8b93a
>
> Architecture independent packages:
>
>   http://security.debian.org/pool/updates/main/r/rt2570/rt2570-source_1.1.0+cvs20060620-3+etch1_all.deb
>     Size/MD5 checksum:   252986 58a62ca3f7d3b1b49cfbe9aa02eabe7b
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main
> Mailing list: debian-security-annou...@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkmA1AYACgkQXm3vHE4uylqP5wCgvkyLcqYXLurUCv63n/d976yp
> y4oAnR+rh2rcq3guOIIGtbincx3m71/j
> =mHgg
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
>

--
Andy Smith
Re: [SECURITY] [DSA 1711-1] New TYPO3 packages fix remote code execution
Hello Nico! I received your message. Thank you!

Andy Smith

2009/1/26 Nico Golde

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1711-1                  secur...@debian.org
> http://www.debian.org/security/                               Nico Golde
> January 26, 2009                      http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : typo3-src
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2009-0255 CVE-2009-0256 CVE-2009-0257 CVE-2009-0258
> Debian Bug     : 512608
> BugTraq ID     : 33376
>
> Several remotely exploitable vulnerabilities have been discovered in the
> TYPO3 web content management framework. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CVE-2009-0255
>     Chris John Riley discovered that the TYPO3-wide used encryption key is
>     generated with an insufficiently random seed resulting in low entropy
>     which makes it easier for attackers to crack this key.
>
> CVE-2009-0256
>     Marcus Krause discovered that TYPO3 is not invalidating a supplied
>     session on authentication which allows an attacker to take over a
>     victim's session via a session fixation attack.
>
> CVE-2009-0257
>     Multiple cross-site scripting vulnerabilities allow remote attackers to
>     inject arbitrary web script or HTML via various arguments and user-
>     supplied strings used in the indexed search system extension, adodb
>     extension test scripts or the workspace module.
>
> CVE-2009-0258
>     Mads Olesen discovered a remote command injection vulnerability in
>     the indexed search system extension which allows attackers to
>     execute arbitrary code via a crafted file name which is passed
>     unescaped to various system tools that extract file content for
>     the indexing.
>
>
> Because of CVE-2009-0255, please make sure that besides installing
> this update, you also create a new encryption key after the
> installation.
>
> For the stable distribution (etch) these problems have been fixed in
> version 4.0.2+debian-7.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 4.2.5-1.
>
> We recommend that you upgrade your TYPO3 packages.
>
> Upgrade instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Source archives:
>
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian.orig.tar.gz
>     Size/MD5 checksum:  7683527 be509391b0e4d24278c14100c09dc673
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-7.diff.gz
>     Size/MD5 checksum:    23596 344f6b5ada56d361e274556d6d7eaf99
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-7.dsc
>     Size/MD5 checksum:      610 6b99cc9acd82ec6010a38006910169c9
>
> Architecture independent packages:
>
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.0.2+debian-7_all.deb
>     Size/MD5 checksum:    76924 33b4077e99038121aa5667a3a166d99e
>   http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.0_4.0.2+debian-7_all.deb
>     Size/MD5 checksum:  7691182 f5c8ecbf93c7af50b29b5ded8f455b75
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main
> Mailing list: debian-security-annou...@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iQEcBAEBAgAGBQJJfiIoAAoJEL97/wQC1SS+Zy4IAIccGZx8Hc/kHEl907UC8sJ2
> 72Cs7PSQLsB4z9fRbLyYx2Hyy5Zz+4aAOeRHO3Oy+jzJyjidqvrzdrxN8zd0uhTV
> UZGwRdEqPVO1fNCxVbmpY4EvcctaYpDSEajqKAcLuypyCTPmZ215AJCOx5PeT2QH
> aGUK8ZTeaVWhi3P9hIavDoh7bi/MfoobBBNxmIykDIls2okww7C318Q9WTlaSULq
> e0xfc+4m8J8FXjZw2nlmuyreY35gc67nga/nwA/8xCI5lnoWm72T9/54pOLLOh9g
> 2qee3i2UOEqMJxwpFbQJ2UlcvWcG5FeO+lE2TGXqRaPuzdOqslr3tqa0Ffb7N3Y=
> =SyTo
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
>

--
Andy Smith
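Both advisories above end with the same instruction: compare what is installed against the "fixed in version" line and upgrade if it is older. As an added example (not code from either advisory, from dpkg, or from the posters), the snippet below ports dpkg's version ordering to Python so that an inventory of installed versions can be checked against the fixed versions quoted from DSA-1714-1 (rt2570) and DSA-1711-1 (typo3-src); the installed versions used in the test are constructed sample values.

```python
# Added example (not code from the advisories or from dpkg): a Python port of
# dpkg's version ordering, used to check installed versions against the fixed
# versions named in DSA-1714-1 (rt2570) and DSA-1711-1 (typo3-src).
import re
from itertools import zip_longest
def _weight(c):
    # dpkg character order: '~' < end-of-string == digit < letters < others
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Like dpkg's verrevcmp(): alternate non-digit runs (by weight) and digit runs.
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            wa, wb = _weight(ca), _weight(cb)
            if wa != wb:
                return -1 if wa < wb else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # "[epoch:]upstream[-revision]"; epoch defaults to 0, revision to "".
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1 for a < b, a == b, a > b under Debian version ordering.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

# Fixed versions quoted from the two advisories, keyed by package and suite.
FIXED = {"rt2570": {"etch": "1.1.0+cvs20060620-3+etch1", "sid": "1.1.0+cvs20080623-2"},
         "typo3-src": {"etch": "4.0.2+debian-7", "sid": "4.2.5-1"}}

def is_vulnerable(package, suite, installed):
    # True when the installed version predates the advisory's fixed version.
    return compare_versions(installed, FIXED[package][suite]) < 0
```

The installed version on a real host comes from `dpkg-query -W -f '${Version}' <pkg>`; for rt2570 remember that the advisory requires rebuilding the module from the updated rt2570-source package, so a current package version alone does not prove the loaded driver is fixed.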