Re: [Full-disclosure] Bank of the West security contact?
* Kristian Erik Hermansen: Anyone have security contact at Bank of the West? Is this an issue with their online banking? Then here's a hint: /** ** * Copyright ©2005 Corillian Corporation* ** * All rights reserved. * ** * Highly Confidential. * ** * No portion of this code may be reproduced,* * transmitted or distributed without the express* * written permission of Corillian Corporation. * ** **/ Corillian is now Fiserv, and here's another hint: http://investors.fiserv.com/releasedetail.cfm?releaseid=667216 If you suspect a software vulnerability in their online banking application, you should contact Fiserv. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2856-1] libcommons-fileupload-java security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2856-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 07, 2014 http://www.debian.org/security/faq - - Package: libcommons-fileupload-java Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2014-0050 It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition. For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.2-1+deb6u2. For the stable distribution (wheezy), this problem has been fixed in version 1.2.2-1+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 1.3.1-1. We recommend that you upgrade your libcommons-fileupload-java packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJS9WToAAoJEL97/wQC1SS+IcIH/18AS3UkkZtLgZcEGpBeBEM+ OX00IRYPc3emFQcB3ZUUeiYGtq3aAEKYTW5wd8tAA04K4wUMdcV70oUxnFEeUcLl ir0b4rIM/ozB86iBN95jmgQzY7pdx703tvhA7CQlNdC0WTEPFHW7yrGksrAk5rTv zw5NlN3Hi9McYH+kigp6ULoNavWfByNM7i7xNb7tPCulF0MnIyhfg0ewxgg+QfYj RB0V5U/jSW77n0E/Ft9MX5cthViwaCxYREJoXgSIDid/OYyNIE3aZuB+KKFDwPGw /dkC+QIE6Zbeesx73YBo+oCEKulGE1UOutjrHy/vnV+mvZklmvChyZEyaGjIG5w= =noFV -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2852-1] libgadu security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2852-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 06, 2014 http://www.debian.org/security/faq - - Package: libgadu Vulnerability : heap-based buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-6487 Yves Younan and Ryan Pentney discovered that libgadu, a library for accessing the Gadu-Gadu instant messaging service, contained an integer overflow leading to a buffer overflow. Attackers which impersonate the server could crash clients and potentially execute arbitrary code. For the oldstable distribution (squeeze), this problem has been fixed in version 1:1.9.0-2+squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 1:1.11.2-1+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 1:1.11.3-1. We recommend that you upgrade your libgadu packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJS9AhJAAoJEL97/wQC1SS+72kH/iZmKem4G7Hgo6skXuOV8qhb kHFTqu4GL3fyX3cpxxUEngCGpeq8I3d408B0YiSO8tOc1zZlY8J4E/GZ8unM2Css ZVKZlorku4RtsUNFYyy6smslULuHldUDt4kmpk/sOkoe/iTB5pm+u5GBvtIoC9P6 /BjWa8TSxmCWLMs/LSxylTEibhrk49LcKfqmh2jwolUD8IKt+y6uM829GMbLv3Hg Z+dL6iwFMxw3W1hhsGt26CUIxelH3ZrKApfFDeU60uXLl2Z+w2WLrDdj8641XF68 HlQdeoyCckNlFSggUxYzzJUKJLn/OBLfSCtkh5ZMHBQBcd4xmafiDDgT2gmytI8= =HjpC -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2849-1] curl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2849-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 31, 2014 http://www.debian.org/security/faq - - Package: curl Vulnerability : information disclosure Problem type : remote Debian-specific: no CVE ID : CVE-2014-0015 Paras Sethia discovered that libcurl, a client-side URL transfer library, would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze7. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy8. For the unstable distribution (sid), this problem has been fixed in version 7.35.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJS61xeAAoJEL97/wQC1SS+CwoIALD1YgDeI4wbeVHEfAEMeqZN /gEuAQRUKRMhQ3Z8x3+U6kGoIo8vrJYST2qtO0amuKnx5jdB9hX6ePdX47wWbmR9 ITYsEceHyI32vMM2OXs6Kc97QR/HemIuLYLugDdhWs7kw37OU7dhCHaG0xfzwYqG u+yKJNHqAVp4WzfUJsyd93dkChqaZfSFiaPd4Mz/LdAkdJpsq9Fq0ChvPQWFQCmd RctPABiqzFCVQKOlZXEDNqdmXxldq2q/lgYSHETn/IUsdCoAsTO/GVBpfyBaTOgH 2s3EfJTogJeBxkeoDDm/+VaY/073Ui7IJ0ePZoqbLZU+/V0u8LhK3W86tJK4RRY= =dg0U -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2830-1] ruby-i18n security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2830-1 secur...@debian.org http://www.debian.org/security/Florian Weiemr December 30, 2013 http://www.debian.org/security/faq - - Package: ruby-i18n Vulnerability : cross-site scripting Problem type : remote Debian-specific: no CVE ID : CVE-2013-4492 Peter McLarnan discovered that the internationalization component of Ruby on Rails does not properly encode parameters in generated HTML code, resulting in a cross-site scripting vulnerability. This update corrects the underlying vulnerability in the i18n gem, as provided by the ruby-i18n package. The oldstable distribution (squeeze) is not affected by this problem; the libi18n-ruby package does not contain the vulnerable code. For the stable distribution (wheezy), this problem has been fixed in version 0.6.0-3+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 0.6.9-1. We recommend that you upgrade your ruby-i18n packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSwfRdAAoJEL97/wQC1SS+xwAH/iI7ga/tjp1b8r//lKu3BBt5 GClsPWVKd9TBEYGHTM2ipskSU9+EDOkt/vhWH9TK2C5BA0eo68b6I2Gg8Z+BQzGa SwfQmnIee/UX3gFi+mRnppyNp1WqAxEXvRNN/1JCiVevZAUEicnUx36xUn7paLIi T+I2iae9LrCrP11XtU0KzNeg3ktt5QOTvOHIjlsdXoDHqT8EzjGalk99qA4fVK0I FU2as0zhN6aZtnivhoIuc4P3u4XYoKhK7R4BL4bwW1KzSr4/LqZ2PAOLRexyWDwV HJdfcR3WyRvpuxQKVFU9XF+agjBhWU98B8BWaC7O7aTsFYpwtHdtRN6PGJgCXUA= =GovW -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2791-1] tryton-client security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2791-1 secur...@debian.org http://www.debian.org/security/Florian Weimer November 04, 2013 http://www.debian.org/security/faq - - Package: tryton-client Vulnerability : missing input sanitization Problem type : remote Debian-specific: no Cedric Krier discovered that the Tryton client does not sanitize the file extension supplied by the server when processing reports. As a result, a malicious server could send a report with a crafted file extension that causes the client to write any local file to which the user running the client has write access. For the oldstable distribution (squeeze), this problem has been fixed in version 1.6.1-1+deb6u1. For the stable distribution (wheezy), this problem has been fixed in version 2.2.3-1+deb7u1. We recommend that you upgrade your tryton-client packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSd0JkAAoJEL97/wQC1SS+yxIIAKhE710knodmQwpAoCSobSwp 3cK7RK7PIMkiyAfLnNi646cU0xXGWydgwydxvm1VyULBtsBbaOaEXzOu8j2eOYVR WQeUEy3kiDGE3J38QUzaf0MGejZI3jZQRERkYIxEOkEvsHZqZYLLe+BOvOt1Nz2T vMMRqCjcAN+k1eE271tL9omWZxpsVCFG0uIGwfTmpCgf7QGKqnlnuMfrpeDQ+7/3 8VOE6EOrIBbFdXeXxW/TKM94Z8HGGkpU+GUJ2FiMyF0q0e8e4n2JG0sldnIeM9RF cSrv5550JSSGgCLh3t3JtBTCsvQMGfnPKKdvx781vIz0inTgXy2SFAYaUukBPks= =ZvvC -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2750-1] imagemagick security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2750-1 secur...@debian.org http://www.debian.org/security/Florian Weimer September 03, 2013 http://www.debian.org/security/faq - - Package: imagemagick Vulnerability : buffer overflow Problem type : local Debian-specific: no CVE ID : CVE-2013-4298 Debian Bug : 721273 Anton Kortunov reported a heap corruption in ImageMagick, a program collection and library for converting and manipulating image files. Crafted GIF files could cause ImageMagick to crash, potentially leading to arbitrary code execution. The oldstable distribution (squeeze) is not affected by this problem. For the stable distribution (wheezy), this problem has been fixed in version 8:6.7.7.10-5+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 8:6.7.7.10-6. We recommend that you upgrade your imagemagick packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSJkb5AAoJEL97/wQC1SS+7CAIAI+AsoTtBpeeDOeXkwyfJXlN ORBb8X3ZHWZRO/TLIu/GiZVRfiAoiRyON7HpdOYhLY3ELHWKdWn1RzujVfSxJ8tL Xj6zOWTOe+lVTaFlDCbmayKqO+ykDm0ZCYzANN2PiV7m7TbuYSTIlzHojjUe+pyu A9W1Q7MUu4UfeSvEfATlLBv80i54JvG8CmnbsGLc9L63HTBZ4tSDEaxTn+NRd3kE hS1SAjthUkcNWKRN4G4VK3FtGafq4n/o4mGpucgx+akSMXSYkIIpYqDyUJdCklH0 hQjwcXvkSmV05ij6WL6fmL+PFS3e6T426B0xL0MhinqY2rf4x1luwSChMd/aN1I= =QFU6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2748-1] exactimage security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2748-1 secur...@debian.org http://www.debian.org/security/Florian Weimer September 01, 2013 http://www.debian.org/security/faq - - Package: exactimage Vulnerability : denial of service Problem type : local Debian-specific: no CVE ID : CVE-2013-1438 Debian Bug : 721236 Several denial-of-service vulnerabilities were discovered in the dcraw code base, a program for procesing raw format images from digital cameras. This update corrects them in the copy that is embedded in the exactimage package. For the oldstable distribution (squeeze), this problem has been fixed in version 0.8.1-3+deb6u2. For the stable distribution (wheezy), this problem has been fixed in version 0.8.5-5+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 0.8.9-1. We recommend that you upgrade your exactimage packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSIxKIAAoJEL97/wQC1SS+rL0H/iaAJC+uHCdUfTHW6gt1M2jZ MPIeyeZZFbYiZPDjdn1xT6XJ8G5q59SjczKxBGvXjXBozmhoOoA7dG25goTHoUQt KvtQDEbddbEW0MYBRlJHaCn+rVWm7gvVpp2wL7mONkfA3UyeVaYRIGcWBexbhNrB P4FOvxAxdmfz7Me1MaWx7vvibkakeUWrhyd6QvYKeX4AVJXOCpO7onYGeCczHlD3 +rmPCpd6ur16AfaTRD5g+rQASmmY0R4zVihznQBtiAin5Hm/1H25F9552o301rVJ Egnjvd2KocYjl/fCWbTqXeUToh/kB5KZ9/g7qYHP2XlxdOV31NNP8q/Y21jteyI= =xOXt -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2740-2] python-django regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2740-2 secur...@debian.org http://www.debian.org/security/Florian Weimer September 01, 2013 http://www.debian.org/security/faq - - Package: python-django Vulnerability : regression Problem type : remote Debian-specific: no The wheezy part of the previous python-django update, DSA-2740-1, was incorrectly built and did not include all legacy symbolic links for the jquery Javascript library. For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u2. We recommend that you upgrade your python-django packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSIyVdAAoJEL97/wQC1SS+yEIH/ikkn+aSUCXHiLtABnUznwg0 oVD0teq4fLAfAndGCGzmDuisuXwtmw3EJ9DzKcg8QA4ndPZhdByUxM+Z9FpbUbrl xH9KhQT3H/GXqvbSfUPL9VRphiswp+khuk3DL/9CFMdKkLhBrbnUppUGR5xqLMjl zY2ToHjcjPcN867UMUm17M1hYonmVN+JXsdmEg0XX/lSAFGzfWGngMuTor9awLXI qe92/NWoY71GWmFA6Ca3j+iCG4JRct39RV1xGAC6jmfSEP2k2Wm+6/clgZ95uy98 ikfttUFFGPtbRGes4qjx+3kwFLEsbU/n7YvUsiOMk5s79zMe5hsWPeDZPuGW+eE= =cuYT -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2747-1] cacti security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2747-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 31, 2013http://www.debian.org/security/faq - - Package: cacti Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-5588 CVE-2013-5589 Two vulnerabilities were discovered in Cacti, a web interface for graphing of monitoring systems: CVE-2013-5588 install/index.php and cacti/host.php suffered from Cross-Site Scripting vulnerabilities. CVE-2013-5589 cacti/host.php contained an SQL injection vulnerability, allowing an attacker to execute SQL code on the database used by Cacti. For the oldstable distribution (squeeze), these problems have been fixed in version 0.8.7g-1+squeeze3. For the stable distribution (wheezy), these problems have been fixed in version 0.8.8a+dfsg-5+deb7u2. For the unstable distribution (sid), these problems have been fixed in version 0.8.8b+dfsg-3. We recommend that you upgrade your cacti packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSIjM+AAoJEL97/wQC1SS++40H/RQJwb6+1U4HTa0oEe0XxDoc tarEazGr4nyHq2iP9yLKAZQAxtXZsLBznUGhIQVNplNpjRCVVATtLl+gzazvpQJk EDZdtlJkOrC5nvlsGmhXs7WWukemU/gkaskfXwd0/G3w1HxuSWmbdSuyyaKbYPZB opDiko0aDPrOo/2dRP/45J20lJ0zVn4C62HZvs6u8RCyji9yADibHe3J4QWlaj8G ZsHCoVjUgkA81fBiI/H42Wqiewf0+R56CXLsf/csEk7vMmGZYpfnd8trvS9I5Yx2 4ZQVbzWiX4ItvWmljWDLtBy11xKC5tz1bM5mKDAY2oAtM+S2rCzar5uLoduvwEk= =pAOw -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2742-1] php5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2742-1 secur...@debian.org http://www.debian.org/security/ August 26, 2013http://www.debian.org/security/faq - - Package: php5 Vulnerability : interpretation conflict Problem type : remote Debian-specific: no CVE ID : CVE-2013-4248 Debian Bug : 719765 It was discovered that PHP, a general-purpose scripting language commonly used for web application development, did not properly process embedded NUL characters in the subjectAltName extension of X.509 certificates. Depending on the application and with insufficient CA-level checks, this could be abused for impersonating other users. For the oldstable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze17. For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u4. For the unstable distribution (sid), this problem has been fixed in version 5.5.3+dfsg-1. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSG7EFAAoJEL97/wQC1SS+sy0H/R/vmCtb0q6ima5xADRT36dZ 9b6bmFyt+Q7WONZ/NvpX94bvVy0wXnTQ/mEhhky+erWjD+7hkFliMpesI5sy29vx HRpVX3KRs0D+pEIHf/WAQmN/ZydAsjstdPy7eWh3oKvEOuIC1Gpl8A9z7jyBsG+w IIDOz08LPu/mwLWf8l0Im43TZakp+bBsEOLGiPVQqBjDVliiU03Cq0GIEPmhndT9 Ny+NDg9amj7lQMqthf15trstZUo5f7K00IgFwb1QOpR490VlFImQiNS9S5hGoAj4 b/lWPe9LYU1QuCPrXp+SZjSrs7CsSdYuwm8PTK6z6UNNEZKDkyjiTucvN1mok/U= =D8vW -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [SECURITY] [DSA 2607-1] qemu-kvm security update
* jason: Could this be exploitable from within the guest vm? Eg could I execute commands on the hypervisor host as root by generating a malicious packet to attack the e1000 driver from within the guest? Yes, but at this point, you could directly patch the guest memory, so it's not a real attack. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack
* Georgi Guninski: Can Coverity find logic bugs like missing checks? Yes, some inconsistent cheks are reported. Here's a public example quoting some of the (textual) reporting: http://thread.gmane.org/gmane.comp.emulators.libvirt.cim/422/focus=423 For real logic bugs, this will not work because hopefully, your logic is far more concentrated and not spread all over the place. (I think this Coverity feature works only to ensure correct error threading, as a poor man's substitute for exceptions.) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2723-1] php5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2723-1 secur...@debian.org http://www.debian.org/security/Florian Weiemr July 17, 2013 http://www.debian.org/security/faq - - Package: php5 Vulnerability : heap corruption Problem type : remote Debian-specific: no CVE ID : CVE-2013-4113 Debian Bug : 717139 It was discovered that PHP could perform an invalid free request when processing crafted XML documents, corrupting the heap and potentially leading to arbitrary code execution. Depending on the PHP application, this vulnerability could be exploited remotely. For the oldstable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze16. For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u3. For the unstable distribution (sid), this problem has been fixed in version 5.5.0+dfsg-15. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJR5v8bAAoJEL97/wQC1SS+tugH/iq1jPjE01sKby53F/RK2nPf /hZ5Rhy47mXD94DCGPSJFnVvh+HUyjTmRdqBzioql5Ds93uzrDAQqo/HPg/3qM3z 1aR2hsBrW+MFoQgOJ7l3vFNeJogJSZN04Z1nLZjyq1NGJKcM2GBmb2aIxJgJ9Y+6 sOexSQY9wdt7/tHr+xw2/RZHqz83BK1HXnRLWxkhHfQCIepzypxNeSHNMQ6fKKNa qmwk9ULsQlHxlbZ2HWs9K/5NKTOGKrnJBzFi251tMeFgJUo4CPmn4fpd3IjR1ofx IlzTbAE8dmbCv2xafm3jEQRB0EKyDPyOQigwcqfdKMxsUIIdGwP6jS0lHb2qmTc= =EbR5 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2712-1] otrs2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2712-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 19, 2013 http://www.debian.org/security/faq - - Package: otrs2 Vulnerability : privilege escalation Problem type : remote Debian-specific: no CVE ID : CVE-2013-4088 It was discovered that users with a valid agent login could use crafted URLs to bypass access control restrictions and read tickets to which they should not have access. The oldstable distribution (squeeze) is not affected by this problem. For the stable distribution (wheezy), this problem has been fixed in version 3.1.7+dfsg1-8+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 3.2.8-1. We recommend that you upgrade your otrs2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRwieBAAoJEL97/wQC1SS+ts0H/0+CgTo3bJpYYjSWmeKj4qbx m+1nz9qZHfgMGvelcO+dvffji8Y3eYyZDCFOK7zniv7wYQqBV1Hy6V+c2c1twLvU /VLilRSTv/ktVVQFtCwxhy3meUWw+Ek+OpYutVP1G2ebuWiFbxhppTFlxLBPLfdo 54dPpF0wNhV+MuHfa/XSj3bUKwqq2rFw0rB+Ce45pNwIQ5RfftoCR2l0+rcUsAv1 pAJgOVoxEZo+QdIrCPTTtvNervS2vdpzqgwzd3pxt+pwT1eV5ZMtDkes2cCNw5wv 8Chn4XnxX3ymN4rjBrzfTukCeAz3tNgDoDwpNC+MjUEZzJWy0nyT7WF4In51pUc= =7Wpc -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2697-1] gnutls26 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2697-1 secur...@debian.org http://www.debian.org/security/Florian Weimer May 29, 2013 http://www.debian.org/security/faq - - Package: gnutls26 Vulnerability : out-of-bounds array read Problem type : remote Debian-specific: no CVE ID : CVE-2013-2116 Debian Bug : 709301 It was discovered that a malicious client could crash a GNUTLS server and vice versa, by sending TLS records encrypted with a block cipher which contain invalid padding. The oldstable distribution (squeeze) is not affected because the security fix that introduced this vulnerability was not applied to it. For the stable distribution (wheezy), this problem has been fixed in version 2.12.20-7. For the unstable distribution (sid), this problem has been fixed in version 2.12.23-5. We recommend that you upgrade your gnutls26 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRplgnAAoJEL97/wQC1SS+vdkH/jAIIOkjyJlPm5mxUCH6uDJA mDQ5Vd+0VoSDPz6fPfxWHPbDaFCdPZWU5v7rGlVsIwKXgDRIOuJm30xcKsguVWMz PSgGQIrhVU+79283ZaSO/qXBkaRZ/0Ti9NpBKzguSZWK/PmwwfkMvkvuABF/xgAQ yy5k02XL9pDwM0SX83GGRiJK37qodMAx7kk4PcWT2eO1dlTkiAhLLFS6TDvEAjll bCMoNHqu9wAtOGKKdzOI7RCePy/WR+JQTMTvFLmJ3PlhtRHC7LP6va0AmtPcF+Wl KJSEBZCyQF8BdBobMkUqFI3hXHZ/uT3435A/5nd75vriTnianrhfRxxr9FgS0Nk= =3G6P -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2672-1] kfreebsd-9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2672-1 secur...@debian.org http://www.debian.org/security/Florian Weimer May 22, 2013 http://www.debian.org/security/faq - - Package: kfreebsd-9 Vulnerability : interpretation conflict Problem type : remote Debian-specific: no CVE ID : CVE-2013-3266 Debian Bug : 706414 Adam Nowacki discovered that the new FreeBSD NFS implementation processes a crafted READDIR request which instructs to operate a file system on a file node as if it were a directory node, leading to a kernel crash or potentially arbitrary code execution. The kfreebsd-8 kernel in the oldstable distribution (squeeze) does not enable the new NFS implementation. The Linux kernel is not affected by this vulnerability. For the stable distribution (wheezy), this problem has been fixed in version 9.0-10+deb70.1. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 9.0-11. We recommend that you upgrade your kfreebsd-9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRnSBsAAoJEL97/wQC1SS+AUIH/37RK8Rss3gXBRYRjv91NnkU TEPe22SEIPegeqNCP5XAP/zBC6aNy8O9KbcRE9P+D+nVQKj61lnX3NuF83dNUHVt ni1sc7SijlQ7TIFe9pMVAphRAC04qkkHGJmBzte10G2Wgl7o8o9o9bbKHGHZB+TK v4x0sZuhi3WObmOy5sOKSeeH40LnpSRAo5JrSEvAIWlzrn/KLoovTsFIltoMMS8l 0CSilidE638w+GwZQNzX2GDFrOmzi5w4BI0OoUCGybsPL/3M18/dspdrZ/4XTGuK UsRbZDKDbOk7Ww+Ld1Y/DSsTDlequsj6YaKEHy6shB0ehWzgVS3MbK6yfl6Z2Bk= =mqZx -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Q: CVE Database with Programming Language and Failure Classification?
* Jeffrey Walton: Does anyone know where to find an augmented CVE database with: (1) programming language and (2) failure classification? Red Hat's Bugzilla has CWE tagging for many CVEs, in the Whiteboard field. Mapping the affected packages to programming languages is some work, though. You could map the CVEs to Debian packages through the Debian Security Tracker, and use the implemented-in tags provided by Debian. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2653-1] icinga security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2653-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 26, 2013 http://www.debian.org/security/faq - - Package: icinga Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-6096 Debian Bug : 697931 It was discovered that Icinga, a host and network monitoring system, contains several buffer overflows in the history.cgi CGI program. For the stable distribution (squeeze), this problem has been fixed in version 1.0.2-2+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 1.7.1-5. For the unstable distribution (sid), this problem has been fixed in version 1.7.1-5. We recommend that you upgrade your icinga packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRUgT+AAoJEL97/wQC1SS+h4oIAKTl/sTEJGoNuw68I2mk+GPj zDHZQedpaT6tS6zoq1EJtKegvmRm9aqp0tLOds0p9DR+1Z8lzZyks2me00wFPxj8 pYNiA0/udLXcbrOoxbKNasd6RWqEVoIQwaZeQvnqWyVWIJ2RZ/QfYwyTvEYs0Gvw H/p8Ebqe6Ix486ARGH7iBna50yi/h9WfSIrnrwcU8Kw205/UruIOsb+7fIGA7SWu AYLUXlZ5zgqyMiBgSdbtuU9T/s4O6m6Ip6VUiA22olmubctfKVKTK4OK+E+Ld9eq AB8cDfcO2CjtUvG2c+k1kYS67QkBcKlRM0xMcbBtekGZxgBV1NPSiVZKo+EjXjk= =Zoin -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2623-1] openconnect security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2623-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 14, 2013 http://www.debian.org/security/faq - - Package: openconnect Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-6128 Kevin Cernekee discovered that a malicious VPN gateway can send crafted responses which trigger stack-based buffer overflows. For the stable distribution (squeeze), this problem has been fixed in version 2.25-0.1+squeeze2. We recommend that you upgrade your openconnect packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRHR74AAoJEL97/wQC1SS+bb0IAJJsKIsF5yBv9kDifVeGbvpR no4jMiqZpNbMvOD7lEqXkXCcdtKHhDiNrp1qUkj1qj0HAvHvYDW4MybIpcTTrzTr Jh1qYmtdkF0zr7/4JYEc1zLdPy4ZdfkHppAMI1Tk4jR5qBhavhtNs8cZ4aJmhVTO hel8O2mkTMSgUdsA7ig4TL7LuuvRSeA/Hd5AwinXjT5vCpBzPH0GlIWPoCiQoL5T sK4C1Y5dVUEMyVn3MQVoKYzs3FS8Gys1iPVmUVAw9sh94oXAXEsj6KkShsuqG2ri SS67oYeBo1xYkzW25uVTnQndZQqLQtAaSZ7ai9csEeGNHAhkv9VizxhvhGZX1q8= =/dNn -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2620-1] rails security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2620-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 12, 2013 http://www.debian.org/security/faq - - Package: rails Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-0276 CVE-2013-0277 Two vulnerabilities were discovered in Ruby on Rails, a Ruby framework for web application development. CVE-2013-0276 The blacklist provided by the attr_protected method could be bypassed with crafted requests, having an application-specific impact. CVE-2013-0277 In some applications, the +serialize+ helper in ActiveRecord could be tricked into deserializing arbitrary YAML data, possibly leading to remote code execution. For the stable distribution (squeeze), these problems have been fixed in version 2.3.5-1.2+squeeze7. We recommend that you upgrade your rails packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRGrHZAAoJEL97/wQC1SS+MioH/3mCWr/isUqOa4xgITK7PheV hlWnwSBhKK9Yc6s25Nb6tK1qUgsiHTWOviEmKuMoEPWQicj9JNvl8C5sf8iiFGlM swAgdN43TZY7s7ohZuttW6bnvJRiWxLcP60qlVlN2IBGsdxY2kGz25L7l3wOEqsp wluacV5sUBBDAi9HJ2Fle3PvW3LbVv4HthpHyILXONgm97dCgB8ZjFRqWm50piIo 5QTZjrcGmCdjWwLKzd/s+xwoaMF1keU7lRsMlEBicESb4h8qd4fKOXxbDjO3MdSR sH71oJgihBzC2GYTNjwjSia1KeOhkaSwBAuZqvf4ihsovKiwiQ7Ajh1eJkJkCbA= =wTxl -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Rather interesting whois for yahoo.com?
* Dan Dart: https://gist.github.com/4596868 Verisign's WHOIS server performs a prefix match. To restrict to actual domain names, use domain EXAMPLE.COM as the query string. The server's help message explains it quite well, but few WHOIS client authors know about this. (Just like you have to use 701 instead of AS701 to query for AS numbers on ARIN's WHOIS server.) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2609-1] rails security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2609-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 16, 2013 http://www.debian.org/security/faq - - Package: rails Vulnerability : SQL query manipulation Problem type : remote Debian-specific: no CVE ID : CVE-2013-0155 An interpretation conflict can cause the Active Record component of Rails, a web framework for the Ruby programming language, to truncate queries in unexpected ways. This may allow attackers to elevate their privileges. For the stable distribution (squeeze), this problem has been fixed in version 2.3.5-1.2+squeeze5. We recommend that you upgrade your rails packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ9xsBAAoJEL97/wQC1SS+iK8H/A4NKLTFtRXzjTaljnG3Q1ti VeLQGb0lNQpi1ddqdPN91lfOlpZehu2Ptnf3HMoXXwWA4a70WhnJSJu9QV32RYNt fH4hJAOj965c3cJVcFT6O7CLvyEianFJtvA9Y31dqjwgodu1JE1p8skJRmLa3K8c Opza79P64w84uR8sVHG/X/ZFKzksApUE42nQ5etFuUbmOI+V7RHB2wuJy387VznT mP5rrNtQ35DVNZU3ejDkGKfdqABoodCM6jGLA/ZoHP6GCVT4X2WJIRkNpfwIRtym a0szlnWAUQ1p9XFdNem7iH0CEP8wLQym4ZtxXQ8xgi4hGc4DiULBIs6XZpa0KpU= =CKJK -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2607-1] qemu-kvm security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2607-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 15, 2013 http://www.debian.org/security/faq - - Package: qemu-kvm Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-6075 Debian Bug : 696051 It was discovered that the e1000 emulation code in QEMU does not enforce frame size limits in the same way as the real hardware does. This could trigger buffer overflows in the guest operating system driver for that network card, assuming that the host system does not discard such frames (which it will by default). For the stable distribution (squeeze), this problem has been fixed in version 0.12.5+dfsg-5+squeeze10. For the unstable distribution (sid), this problem has been fixed in version 1.1.2+dfsg-4. We recommend that you upgrade your qemu-kvm packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ9b8jAAoJEL97/wQC1SS+f4wH/iz8eghibcdy4bF2vqe0S4td kL8pMjrFJHylOY66R9S9CQuHMGTNyvnbYtHRzI0bDnCEfzKjYubC/tCXqu44+Ks5 aHlTl4ZdpxEySW5UwfotBhas9Rj0xs0Th7gLbWmZbq+kYvMcj+gnMtfM1vuWw4fC WwQkqRIyoQnby2M4v5I+aQhxzzExNYxQIyTEZTOrxeOjykUdFIcQGLtd1jwiZY7A Ik5SWIux8jVa0B1crWkdGGNGwx1xwV1oVfxoEFmhcxlsq4KHJM5Eyn7AHhX+LrAh nTdinsdkYjOzB4RxYmaSW9YQYIr3+1jA/ditstdrM3ZagYXdvMbh1itSfXWnWFY= =bcnn -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2608-1] qemu security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2608-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 15, 2013 http://www.debian.org/security/faq - - Package: qemu Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-6075 Debian Bug : 696051 It was discovered that the e1000 emulation code in QEMU does not enforce frame size limits in the same way as the real hardware does. This could trigger buffer overflows in the guest operating system driver for that network card, assuming that the host system does not discard such frames (which it will by default). For the stable distribution (squeeze), this problem has been fixed in version 0.12.5+dfsg-3squeeze3. For the unstable distribution (sid), this problem has been fixed in version 1.1.2+dfsg-4. We recommend that you upgrade your qemu packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ9b9sAAoJEL97/wQC1SS+ZuoH/3CtnIXPv5KJmimauvHjk0/7 5Sg5VMwv5GDAIVOX4qcB4XFfK2KsLpLEULhdZj8swQQLEYVmfHtS4kUZWGYUYde5 ChCEJRD7O7wAi2CZTPuIFj895BqKebbSticeHZosxyfhKLnaaA18/0c1hHT8WqKp 8yYxEHzWy9O5AO8phHqsuOI5vNlde6h4UlRotB6+OfyXd6oSfkITa7qOLdS8FPEW pf+xJW1aQa4ttWkX6POnH04r6UDnT8tQyUtjHU7mYK+ATnpl1W9EHoUkSEMjILqN swqeua1YT4zW2jswijqJ4F/PVu3P8cb1bSSprWbDE+EVe7w7RXqkwBAJ3vtQ8Qo= =6z+u -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2602-1] zendframework security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2602-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 08, 2013 http://www.debian.org/security/faq - - Package: zendframework Vulnerability : XML external entity inclusion Problem type : remote Debian-specific: no CVE ID : CVE-2012-5657 Debian Bug : 696483 Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information. For the stable distribution (squeeze), this problem has been fixed in version 1.10.6-1squeeze2. For the testing distribution (wheezy), this problem has been fixed in version 1.11.13-1.1. For the unstable distribution (sid), this problem has been fixed in version 1.11.13-1.1. We recommend that you upgrade your zendframework packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ7Gb6AAoJEL97/wQC1SS+4U0H/2jTQI7RX2qiMTouR63726zq apXl7/MH+DkXGxTzm+0gHAE5oPGv9xoSNw+TN9QS9ltGOnSJywEphDc5B3IthbSd aD4lHXlFdu4EZqKTUrCKcWcxFQxoPbHdCkt/yCujkUF+KljHVLdx5mm7/+416NBV KrZHr7ni9Cekp6wWMj3zYE+mSGeBhgElvBBWAdDudMbtS7RlpqMqO3UhSdbM1mXz 6sOzXCBWDEtCwrJM7LgCNZyJT8ZZPv/8A3l23r0uhA5Nw2sUs3k9GSUMd6aylJTe BgBKYYUiZRGoMxgBWyCgogTMh27G37A535haUUZGv93M0GyivlBVTkezZKwvzQs= =I6pV -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2588-1] icedove security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2588-1 secur...@debian.org http://www.debian.org/security/ December 16, 2012 http://www.debian.org/security/faq - - Package: icedove Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829 CVE-2012-5842 Multiple vulnerabilities have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. CVE-2012-4201 The evalInSandbox implementation uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on. CVE-2012-4207 The HZ-GB-2312 character-set implementation does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document. CVE-2012-4216 Use-after-free vulnerability in the gfxFont::GetFontEntry function allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-5829 Heap-based buffer overflow in the nsWindow::OnExposeEvent function could allow remote attackers to execute arbitrary code. CVE-2012-5842 Multiple unspecified vulnerabilities in the browser engine could allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code. For the stable distribution (squeeze), these problems have been fixed in version 3.0.11-1+squeeze15. For the unstable distribution (sid), these problems have been fixed in version 10.0.11-1. We recommend that you upgrade your icedove packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQzcfTAAoJEL97/wQC1SS+GdsH/Rx/EpAuwp8o5fLkccwikL9E 1mwaGHStjPictslUUPRPU2zcSZF0rFZdGxx7gwgVGQ+EOJ1PU5fEBZoqptZJZsM+ //kJNAHHX3+08AyEYg92CbAIyVljBAEQTgFC/JAWeIRV7XaXLHxTtZB6bWSN33Ly aS12xRJxKuaj7w+0T9qLzTdyNFHKfOuHfBum9AYPEQLwOfyH56KnkAnG/x4xFQsj eO212+j2UqRoC5/sntBm/0jX/ZpiFrrybsnDXmpaBCT8GTRSQ5A0X9oFtf4AOqxE mOkEsCNxnC3eZp1pP+u92ALcP4zD3Meft6/LnnjofuaLxdGIsT2b2Zhy0ukPhSE= =ug3g -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2589-1] tiff security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2589-1 secur...@debian.org http://www.debian.org/security/ December 16, 2012 http://www.debian.org/security/faq - - Package: tiff Vulnerability : buffer overflow Problem type : local Debian-specific: no CVE ID : CVE-2012-5581 Debian Bug : 694693 The tiff library for handling TIFF image files contained a stack-based buffer overflow, potentially allowing attackers who can submit such files to a vulnerable system to execute arbitrary code. For the stable distribution (squeeze), this problem has been fixed in version 3.9.4-5+squeeze8. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 4.0.2-1 of the tiff package, and version 3.9.6-10 of the tiff3 package. We recommend that you upgrade your tiff packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQzexWAAoJEL97/wQC1SS+ZA4H/RyH+HNn+7ZjZs4JjvS0vaw1 QydiVGZNYaUaJtlVTprYumkcJk8t1OIovzVplrrZMLxwn6O2HNJMhnw4ERaJbcFl EvHUJjyHsZTspt4yg/ETRdhhQ1bnnrZed+GgeYjzL6iUmUR93n99J6y72Arjsn3I 6FMKHJujL3F190ssKYrNnlROF/FX6m9XmZvnrSE9DrlA7fSm7ubQLqBZPZatyFvu 0ODLvaW9AmYZswHR/Hw5UgDZ+zunGUYZVrTtJ7VBkeAaLliz/XUzy+3vN2H6524F T1HYraZk4YXXlsZ9AarsDKON8UfpxJs52yeycYsxHVb50pVOtD3KiiLp3Kk2QsU= =qZrE -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2585-1] bogofilter security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2585-1 secur...@debian.org http://www.debian.org/security/ December 11, 2012 http://www.debian.org/security/faq - - Package: bogofilter Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-5468 Debian Bug : 695139 A heap-based buffer overflow was discovered in bogofilter, a software package for classifying mail messages as spam or non-spam. Crafted mail messages with invalid base64 data could lead to heap corruption and, potentially, arbitrary code execution. For the stable distribution (squeeze), this problem has been fixed in version 1.2.2-2+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1.2.2+dfsg1-2. We recommend that you upgrade your bogofilter packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQx30nAAoJEL97/wQC1SS+kUYH/2Gy18haNbQH4mcyubyopI7l 6rdPfHNBV8eycklg4oSmjDjjjk0OizbqqXRMEReLTZv/noOGVUNDDub7Sp5n9v2B 872PaS85VucvRncgDyQrOhk94omZz1A51DjJJxzqjOW7Hr+/jS+r5vHtdxGrd66/ OE3Dm85f2qlIZsuDr/Mho3f1gv85OwqHyXcR8837zsjhPRteJUKHzpZRCL9jWv4+ vzHKZx89wy5I3oP1WQQnkL7gFmY/BMi2XBpveQBncymUiPdGZtliBe6je2zVWjzc dcTvXOIgelmjjW/RM4/hufSxWD0OqWXv9yMhl6SI43IAzQxZAessDRfSt1Ju2r0= =Zl0F -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2586-1] perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2586-1 secur...@debian.org http://www.debian.org/security/ December 11, 2012 http://www.debian.org/security/faq - - Package: perl Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-5195 CVE-2012-5526 Debian Bug : 689314 693420 695223 Two vulnerabilities were discovered in the implementation of the Perl programming language: CVE-2012-5195 The x operator could cause the Perl interpreter to crash if very long strings were created. CVE-2012-5526 The CGI module does not properly escape LF characters in the Set-Cookie and P3P headers. In addition, this update adds a warning to the Storable documentation that this package is not suitable for deserializing untrusted data. For the stable distribution (squeeze), these problems have been fixed in version 5.10.1-17squeeze4. For the unstable distribution (sid), these problems have been fixed in version 5.14.2-16. We recommend that you upgrade your perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQx4YKAAoJEL97/wQC1SS+/VkIAIpSd3dfeM3O7ggbBmmhYTrW Ugj+6/U+re95NccRkev2cwMq15ZAD24IQWJC9ALs+zQp22kr3LTgUq7apviHLst2 LNdBvZVx5YKYQMhScu92vRij/q5SJmvmIzfdZxLMiF+YJm+7rno/m75PSQA9qAB1 LlhYHWX9ehLC2G6XLRs0HJl+ROaFmyxv1EC7MYqOk06VMoAsjN6u77L+A27lG0Hx CJYN7+4IDQO+Jd9nKMyPGQWE3XisbyOE/IJvytquRYgxVCD933Z4nLhz9RyTYL2k Zn12cAfgzxKhBjokIlfHwOQfrIKOBWA2OQSHaDJQQ1tAJ27ml2KyZZL2AiS9Lg0= =sJXD -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2587-1] libcgi-pm-perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2587-1 secur...@debian.org http://www.debian.org/security/ December 11, 2012 http://www.debian.org/security/faq - - Package: libcgi-pm-perl Vulnerability : HTTP header injection Problem type : remote Debian-specific: no CVE ID : CVE-2012-5526 Debian Bug : 693421 It was discovered that the CGI module for Perl does not filter LF characters in the Set-Cookie and P3P headers, potentially allowing attackers to inject HTTP headers. For the stable distribution (squeeze), this problem has been fixed in version 3.49-1squeeze2. For the unstable distribution (sid), this problem has been fixed in version 3.61-2. We recommend that you upgrade your libcgi-pm-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQx5tpAAoJEL97/wQC1SS+EAUH/1/Jy1JokeeIGjFlG5pRl1Mi 9Syt5ACvprey4tCJvJWMVgnkwZGwCytby6x+5w02nF0ZsNSl7b3aQ1J/9QhYZIqt CdNhCsb5Wxrnj4IPXci1RUTji004FyLQO+U5wCwKjM1HqOmiifiIh2YUhEb6GMAq JvJi2JWaXKBSBZ3osV8g/FInzVCshTrMCF/6jBrTrLU7W6jshK0qa4yyZ6a9SNxB kNxIxewULMolde8xf5F++91LmQZzSG/sWm+h86eLoeoXEuuefCtzCq0xRIBkbRFk p8n9IIqzmmsoeVB2Saa+5SP8kUWtZDUdK9OgKNSxO014ojs7wV0yCiviYRt4jVU= =7B7t -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2574-1] typo3-src security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2574-1 secur...@debian.org http://www.debian.org/security/ November 15, 2012 http://www.debian.org/security/faq - - Package: typo3-src Vulnerability : several Problem type : remote Debian-specific: no Several vulnerabilities were discovered in TYPO3, a content management system. This update addresses cross-site scripting, SQL injection, and information disclosure vulnerabilities and corresponds to TYPO3-CORE-SA-2012-005. For the stable distribution (squeeze), this problem has been fixed in version 4.3.9+dfsg1-1+squeeze7. For the unstable distribution (sid), this problem has been fixed in version 4.5.19+dfsg1-4. We recommend that you upgrade your typo3-src packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQpWJiAAoJEL97/wQC1SS+srIIAJu7qMpYBGgO4OndyjKIxR7O 8O+lxpzrXvEOPfA0EZ8Kqc/VzD4u8UGemaOHWKZRYHuhwZ+6oFhUGdo6ejLQQYcb ENpe41lRBTACUK3fPgLiKG+gJANU9Y8bsSISAqzJ2uONmoMeI5ev7GAsrouJ4lot KXXHdCk9QTlV9BOLD2jbEuO8DVdBM2iy852af2E/UrTPjsozH7AHgpXQjbrV3Ea9 r4Ii40boNkk4LEMJMJSiMmbLVHqV5/pH4xaOwTsX7ASAZsDKqZrVcKIUYNuBjfGP R86hsaxBB4Irj3QuAkUqxTJn9iBaC51zg/h6XLowQVUmVk61oDI4GTfR1JD3rdM= =EajD -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2569-1] icedove security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2569-1 secur...@debian.org http://www.debian.org/security/Florian Weimer October 29, 2012 http://www.debian.org/security/faq - - Package: icedove Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-3982 CVE-2012-3986 CVE-2012-3990 CVE-2012-3991 CVE-2012-4179 CVE-2012-4180 CVE-2012-4182 CVE-2012-4186 CVE-2012-4188 Multiple vulnerabilities have been discovered in Icedove, Debian's version of the Mozilla Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2012-3982 Multiple unspecified vulnerabilities in the browser engine allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2012-3986 Icedove does not properly restrict calls to DOMWindowUtils methods, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code. CVE-2012-3990 A Use-after-free vulnerability in the IME State Manager implementation allows remote attackers to execute arbitrary code via unspecified vectors, related to the nsIContent::GetNameSpaceID function. CVE-2012-3991 Icedove does not properly restrict JSAPI access to the GetProperty function, which allows remote attackers to bypass the Same Origin Policy and possibly have unspecified other impact via a crafted web site. CVE-2012-4179 A use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyTxn function allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4180 A heap-based buffer overflow in the nsHTMLEditor::IsPrevCharInNodeWhitespace function allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2012-4182 A use-after-free vulnerability in the nsTextEditRules::WillInsert function allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4186 A heap-based buffer overflow in the nsWav-eReader::DecodeAudioData function allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2012-4188 A heap-based buffer overflow in the Convolve3x3 function allows remote attackers to execute arbitrary code via unspecified vectors. For the stable distribution (squeeze), these problems have been fixed in version 3.0.11-1+squeeze14. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 10.0.9-1. We recommend that you upgrade your icedove packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQju5FAAoJEL97/wQC1SS+7rYH/2ayLRJIwq5SxtlfOPETsoJL 6Aun6aXvq+2JckDfBRvkcn+4vRYP8TpAgWtkvSA8cB3+AbYqM1UsVXtdLabq6E8y vHj28EXcyER2v7QflJqEXgf5IAa+jXAux/Fzwbi2YR6bB0ubwnvyg7JzrRdRJRFF ZbQy8wRk0ilHnJ2u1vzTKDIlRZFklIlAzvgscw3X+NPLKRmzzgu3A5YeQrV8DOYi MbKtkm9smEHGGj2oNujewoY/47lutdxlkkeyalVvmyrZafHiygQy7mOgVB73l+El seAgrrxn5pjL47egMbM/R300BlbpnFKlzZN5RkB8/QLTCED4ooRCUYnWykMjnmo= =h0EX -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2567-1] request-tracker3.8 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2567-1 secur...@debian.org http://www.debian.org/security/Florian Weimer October 26, 2012 http://www.debian.org/security/faq - - Package: request-tracker3.8 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-4730 CVE-2012-4732 CVE-2012-4734 CVE-2012-4735 CVE-2012-4884 Several vulnerabilities were discovered in Request Tracker, an issue tracking system. CVE-2012-4730 Authenticated users can add arbitrary headers or content to mail generated by RT. CVE-2012-4732 A CSRF vulnerability may allow attackers to toggle ticket bookmarks. CVE-2012-4734 If users follow a crafted URI and log in to RT, they may trigger actions which would ordinarily blocked by the CSRF prevention logic. CVE-2012-4735 Several different vulnerabilities in GnuPG processing allow attackers to cause RT to improperly sign outgoing email. CVE-2012-4884 If GnuPG support is enabled, authenticated users attackers can create arbitrary files as the web server user, which may enable arbitrary code execution. Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The restart mechanism is not recommended, especially when using mod_perl. For the stable distribution (squeeze), these problems have been fixed in version 3.8.8-7+squeeze6. For the unstable distribution (sid), these problems have been fixed in version 4.0.7-2 of the request-tracker4 package. We recommend that you upgrade your request-tracker3.8 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQiu0pAAoJEL97/wQC1SS+6U0IAIgNEuMf+KkFN23+HBzHVjjm otnju+yfwGTq/esl9wSxpXtromWyl2hN9t8r0spgvp+fPsRdZQOko2gOzrAIyjqI DFHkwc2IGSnyw6qIn459mR5jTBGAB3mKxgr+FE/Vs57D+IlJ7oFDeISAEnp5JiLt Zg4glDcjtJfBzTs8r+v6hr9S31yBvhEC+NoJhF6sKSrZ/FBq6Da/mNIwUOt72oLf BGoCsVlGt/DZOzlaaMRk21DIkIhSu68yn+uxD3nNBMKoGWUrNtyz/HuK2616ZG8j PZVpcNAsAiV62pVtpwBUUr7onnYIESyCcLeomTj6iPxxdALD6jQYhJ0YKicwzY0= =W2Fm -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2568-1] rtfm security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2568-1 secur...@debian.org http://www.debian.org/security/Florian Weimer October 26, 2012 http://www.debian.org/security/faq - - Package: rtfm Vulnerability : privilege escalation Problem type : remote Debian-specific: no CVE ID : CVE-2012-4731 IT was discovered that RTFM, the FAQ manager for Request Tracker, allows authenticated users to create articles in any class. For the stable distribution (squeeze), this problem has been fixed in version 2.4.2-4+squeeze2. We recommend that you upgrade your rtfm packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQiu91AAoJEL97/wQC1SS+1oMIAJVaimUm0qpz429KBSkdElSq 948z2ZgZmZuYTFBSdc+GwNC7OKLILXYYYC9oZTBgqqwB3RYiv3cxiEZhdOjj9bPA sFVg/VfnQYeIcZ0VQHIA+hd7ho74owCV4CwZJSRJIsYawL9sWj5nt6cagyLzxj3t iDrnbFEIHfw18meC6H3sBhjUnpUPg2+nadKcdz2GaLmbQutUNF7n6a/wc6PdQP9T Df931BlXwLfUi6A+/q6a9a69lKaVggtWb79LAY/8ld+zBI+cBrgWm1foVTUA72gG J+byC1R7Ej4Sze9lzW0yv5g/hPN8B/xY1aLC1s4/nEfYaD28lYULUk+b/jT737s= =LAqB -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2565-1] iceweasel security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2565-1 secur...@debian.org http://www.debian.org/security/Florian Weimer October 23, 2012 http://www.debian.org/security/faq - - Package: iceweasel Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2012-3982 CVE-2012-3986 CVE-2012-3990 CVE-2012-3991 CVE-2012-4179 CVE-2012-4180 CVE-2012-4182 CVE-2012-4186 CVE-2012-4188 Multiple vulnerabilities have been discovered in Iceweasel, Debian's version of the Mozilla Firefox web browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2012-3982 Multiple unspecified vulnerabilities in the browser engine allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2012-3986 Iceweasel does not properly restrict calls to DOMWindowUtils methods, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code. CVE-2012-3990 A Use-after-free vulnerability in the IME State Manager implementation allows remote attackers to execute arbitrary code via unspecified vectors, related to the nsIContent::GetNameSpaceID function. CVE-2012-3991 Iceweasel does not properly restrict JSAPI access to the GetProperty function, which allows remote attackers to bypass the Same Origin Policy and possibly have unspecified other impact via a crafted web site. CVE-2012-4179 A use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyTxn function allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4180 A heap-based buffer overflow in the nsHTMLEditor::IsPrevCharInNodeWhitespace function allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2012-4182 A use-after-free vulnerability in the nsTextEditRules::WillInsert function allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4186 A heap-based buffer overflow in the nsWav-eReader::DecodeAudioData function allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2012-4188 A heap-based buffer overflow in the Convolve3x3 function allows remote attackers to execute arbitrary code via unspecified vectors. For the stable distribution (squeeze), these problems have been fixed in version 3.5.16-19. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 10.0.8esr-1. We recommend that you upgrade your iceweasel packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQhvVjAAoJEL97/wQC1SS+LpwH/i9wHRmpa8bO25gx40Wf9Fbv AvaVyEFxF565z5NnQSaVhjV1B9t5oswG3VTZmPfEgI0jdh6HfQGZfO0nZmSwEhy5 xgb7lJzD9WB4uCg1k0C9f/YIVXywsI9elfsbtbbroxz9a46jv5VWIyuxabiLr8ev QNv0gHXuPA1IaNqNJlgvF3AteN8/UCF6yhRMRK7DIUr3VqHRrGiHSxNi64VrisXA 7zbmZhi7x8jQSRz7Ji00enedimk8wzy0QPz9RQov4Z+FLX1z3GShnS7esEKB4Kuw XMVbMZij5N/6pknzDLRs9naBtp0gFnalTU8z24kHyx9kckXyKdinz25oPBm75eA= =Z1ad -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2560-1] bind9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2560-1 secur...@debian.org http://www.debian.org/security/Florian Weimer October 20, 2012 http://www.debian.org/security/faq - - Package: bind9 Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2012-5166 Debian Bug : 690118 It was discovered that BIND, a DNS server, hangs while constructing the additional section of a DNS reply, when certain combinations of resource records are present. This vulnerability affects both recursive and authoritative servers. For the stable distribution (squeeze), this problem has been fixed in version 1:9.7.3.dfsg-1~squeeze8. We recommend that you upgrade your bind9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQgv3SAAoJEL97/wQC1SS+eLEH/RTPU+0QKjGkw8GGSp2zGtFt Yc4LVRH9wdDdxJ2dLkPzu5GBxKcA5gZqSjbB9RUBnHjaQSH77Cilb749hxHfSqqP ZpjyWfjcu3yjHoYVnIElcpNMStkTRZNbbhmtl5lm2XF9bxg7UqcTVBu6T679PJ5L nz1dR1tuBPFhE6MwJlArxsxuSR/3tuKJbVHlaWFmwGtKVjPNfIY7FBX3Yig8h9SL HTFDQ+/1+THP+V2gms4+8/a6kERuHrvXL+05YN+wcz5zveceIFJk01N1xCwrXBwR 9qJITGw5u2Td9PrxHEqFdbYKuRIIfVE5IXiCWy1pcGojyNhzaEqsWLSlByfg9VA= =Aa5W -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2547-1] bind9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2547-1 secur...@debian.org http://www.debian.org/security/Florian Weimer September 12, 2012 http://www.debian.org/security/faq - - Package: bind9 Vulnerability : improper assert Problem type : remote Debian-specific: no CVE ID : CVE-2012-4244 It was discovered that BIND, a DNS server, does not handle DNS records properly which approach size limits inherent to the DNS protocol. An attacker could use crafted DNS records to crash the BIND server process, leading to a denial of service. For the stable distribution (squeeze), this problem has been fixed in version 1:9.7.3.dfsg-1~squeeze7. We recommend that you upgrade your bind9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQUO2GAAoJEL97/wQC1SS+73sH/1cqWEgYuMvKkTy+vW1DuTqd LOp7YcqQsHWKBW1DbE1WUy09k5fGeNNu+UhFITUoiHjXZIBtVen0g1pHfxAy2g59 Fo2dpJhoushOC57+4Sf+UJbfYO3Uv1zSTYYyCdiG9Df4AFOFLLPZvxIcCnjM+fhy DksM/U9T4fwgx+N3vb1EvTK3FZXkaniOuB7GNl5REfxMi/8vCSigsOOeWlPHcnuc SGJnYmuLpfCp+iSqCUzotDGlEL/HBVUozLXSVEPaKwEpc5dj7s+zJSFBt+FQij25 d6RRa1fetnzEGQSbocnko9DjiGeidkQIcmlAvFLy6i9XIsmyg6Xu5gN4/4P6To8= =O6mH -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2536-1] otrs2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2536-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 30, 2012http://www.debian.org/security/faq - - Package: otrs2 Vulnerability : cross-site scripting Problem type : remote Debian-specific: no CVE ID : CVE-2012-2582 It was discovered that otrs2, a ticket request system, contains a cross-site scripting vulnerability when email messages are viewed using Internet Explorer. This update also improves the HTML security filter to detect tag nesting. For the stable distribution (squeeze), this problem has been fixed in version 2.4.9+dfsg1-3+squeeze3. For the unstable distribution (sid), this problem has been fixed in version 3.1.7+dfsg1-5. We recommend that you upgrade your otrs2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQP70uAAoJEL97/wQC1SS+TWUIAKS5OkduqbLlYgIXrbttAHyX Bl8kFTr8DKrWEwsrgvWGb4KKyFoReI0UJzuck0sfy9Rr0trNF2W0MJzYsWe10QBb dxnXmI4nFdAFu6/Fyraeo6aF5vc69myyXAdHxjsrReFesZT3MQrwfBVPSDoTpuLf dDmvEOSnoJRry+I6msk3RiZa5OM1gkMiuJBqz/TXUTIJRLCcK/0HlSydfyuVQMyn ySZ5O0J93lyzn2YWKG8wcDVqAq4hv6xPNfqvFi2LYsFj6cUS8hHl6oWo1agAXZ8J yQ7A8wSJECRTuet2xnKFWbg25YZZzjvxWmG+kv1dyzh3A/kQZJ9bT8iP1JgJ3H4= =GksE -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2537-1] typo3-src security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2537-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 30, 2012http://www.debian.org/security/faq - - Package: typo3-src Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-3527 CVE-2012-3528 CVE-2012-3529 CVE-2012-3530 CVE-2012-3531 Several vulnerabilities were discovered in TYPO3, a content management system. CVE-2012-3527 An insecure call to unserialize in the help system enables arbitrary code execution by authenticated users. CVE-2012-3528 The TYPO3 backend contains several cross-site scripting vulnerabilities. CVE-2012-3529 Authenticated users who can access the configuration module can obtain the encryption key, allowing them to escalate their privileges. CVE-2012-3530 The RemoveXSS HTML sanitizer did not remove several HTML5 JavaScript, thus failing to mitigate the impact of cross-site scripting vulnerabilities. For the stable distribution (squeeze), these problems have been fixed in version 4.3.9+dfsg1-1+squeeze5. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 4.5.19+dfsg1-1. We recommend that you upgrade your typo3-src packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQP8gcAAoJEL97/wQC1SS+ic0H/RUakdYXR9ym8GacNG8q87cC O5eABopjcLRURua5FLngzCIaYQwSfR247Pn8AnL1WkxZlxj8zqu8mq0+ZJX07kCR Tote3E3iKfe5zx0MWUXy2qHumKDN6B3sMTtyFjtpsAugKXgYJHCbqHmJT9heFH0P lzmLlaScEiCvKpFOfK6fuuXbMUS/wAry4pPi3GArrwNi0HeqZGBH2lfclqAGQG04 LbygNK8+N51DQWrc5RBvdrXky7XbAq1bCO2tH7SLw9nfNZ9MgwoAqbZrl8C0GEzz fDlTEZBWWhBnLtIexy22ZSFCDT97g8LpeCtQJini8BK+a4mu+LHDZbUBu+T9KTE= =Wapq -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2535-1] rtfm security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2535-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 29, 2012http://www.debian.org/security/faq - - Package: rtfm Vulnerability : cross-site scripting Problem type : remote Debian-specific: no CVE ID : CVE-2012-2768 It was discovered that rtfm, the Request Tracker FAQ Manager, contains multiple cross-site scripting vulnerabilities in the topic administration page. For the stable distribution (squeeze), this problem has been fixed in version 2.4.2-4+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 4.0.6-4 of the request-tracker4 package. We recommend that you upgrade your rtfm packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQPmzyAAoJEL97/wQC1SS+BgUH/2a5z3ovr7fzOvguEDCrvz8w W9RA8UqBYQJhjny27nZkOtRBjQMpDZ1RrLPvdk5/T0fh8BNZLeEDlpqJcAxtrZH3 HDgT83EqwuKYoMmgiUmzLY6jLN9+0dvI2b4PDJx88tvcYIv7FIpWg07RsfQjU175 +FiwKTxG9b64DcskuRUzihcLa7oHMz6Q/ojz4Z3kV0DSf8pmGKqGjnOT/qxj/ZYd QpjkfM3LqtvLivEd3Z6CTFEjF9vK8jv/DaJlKvmvbDIP/9TkI9rV1+lVMxS5X6/O jEnDcsOHIYBi+JvM702KM1ozGAj/6cJDbA8MDX26/68Lm3igmEi7+R6fjqGsw2U= =Zvxd -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2534-1] postgresql-8.4 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2534-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 25, 2012http://www.debian.org/security/faq - - Package: postgresql-8.4 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-3488 CVE-2012-3489 Two vulnerabilities related to XML processing were discovered in PostgreSQL, an SQL database. CVE-2012-3488 contrib/xml2's xslt_process() can be used to read and write external files and URLs. CVE-2012-3489 xml_parse() fetches external files or URLs to resolve DTD and entity references in XML values. This update removes the problematic functionality, potentially breaking applications which use it in a legitimate way. Due to the natural of these vulnerabilities, it is possible that attackers who have only indirect address to the database can supply crafted XML data which exploits this vulnerability. For the stable distribution (squeeze), these problems have been fixed in version 8.4.13-0squeeze1. For the unstable distribution (sid), these problems have been fixed in version 9.1.5-1 of the postgresql-9.1 package. We recommend that you upgrade your postgresql-8.4 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQOPKPAAoJEL97/wQC1SS+kAYH/jIoJIhFepzAQXiLyTVIUUne FwNjb6Pwze6R4xBTjYim4L1Fbzmafl+0C/Jbn568tP1N/F2MelXtgAJF+YhN9Z7M OtkDaf22dRNK+d9ZJ7DmlaKQovXoQqsunqeri+5T5Fbzh19tEJzWlVNTvXUg0BES 5d8USimt1tz0HudMUlxqfAF/BiSnnMvDGx0de6wRh9p7zLBLeK8gQbIy5rfoQ6vE 7M44dsKfPoUIpvOKmy1i2aEQ8g7NMJjQigiZpWAd2hNxaERR5aj6Gpy2D271eXiN QmPSeyS2euliCPiMv3haWmTWITj6DS7ukNfiRlTTt/caBOlW4ZkV1jZdajW7r2U= =u3YR -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2533-1] pcp security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2533-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 23, 2012http://www.debian.org/security/faq - - Package: pcp Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-3418 CVE-2012-3419 CVE-2012-3420 CVE-2012-3421 It was discovered that Performance Co-Pilot (pcp), a framework for performance monitoring, contains several vulnerabilites. CVE-2012-3418 Multiple buffer overflows in the PCP protocol decoders can cause PCP clients and servers to crash or, potentially, execute arbitrary code while processing crafted PDUs. CVE-2012-3419 The linux PMDA used by the pmcd daemon discloses sensitive information from the /proc file system to unauthenticated clients. CVE-2012-3420 Multiple memory leaks processing crafted requests can cause pmcd to consume large amounts of memory and eventually crash. CVE-2012-3421 Incorrect event-driven programming allows malicious clients to prevent other clients from accessing the pmcd daemon. To address the information disclosure vulnerability, CVE-2012-3419, a new proc PMDA was introduced, which is disabled by default. If you need access to this information, you need to enable the proc PMDA. For the stable distribution (squeeze), this problem has been fixed in version 3.3.3-squeeze2. For the unstable distribution (sid), this problem has been fixed in version 3.6.5. We recommend that you upgrade your pcp packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQNoiAAAoJEL97/wQC1SS+RZkH/jWSrAvDXic16J897CzMaNQf EseDAqXTG9ew01Pw6PHgmNa+XWqHgS7e5dOS/cyJ/QCkNr5OzIcnw6HN4FDOSQQe gW3n4cAxhcKIynhXPhBK7Ja/RyFG5Y4+8XEnM14wNXk+8cXd4y2x7DtJDUm3eFuw pI2+vlP670N7yy0xKNSD/YxbHCYms2tcKlSX8E2XokXM3gYlg1dSg6xA3AIvLPPm 4vMvRZE9wWrdMAFh6HocNIE/BR70lhBzmd4pTMMVIULdPwRFk/jovBzM3YpwkYeF zub0g+77hmp2lc+PhzauAL5sAJ2/Ms6AG37bIlSkiFy0yPb+9g3V0Zcn8h4uum4= =4hVC -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2530-1] rssh security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2530-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 15, 2012http://www.debian.org/security/faq - - Package: rssh Vulnerability : shell command injection Problem type : remote Debian-specific: no CVE ID : CVE-2012-3478 Henrik Erkkonen discovered that rssh, a restricted shell for SSH, does not properly restrict shell access. For the stable distribution (squeeze), this problem has been fixed in version 2.3.2-13squeeze1. For the unstable distribution (sid), this problem has been fixed in version 2.3.3-5. We recommend that you upgrade your rssh packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQK/ikAAoJEL97/wQC1SS+kjAH/1/i17W6fGRfBW9Csg95Sz46 QqKIq+80mZIPcE2kPtVe3USmpcfeeOSCptTnyzBbl6GPT3TN2DRPvwbnLdZDqo7r BMCqPnMR6cO+y54jII5JvhgdChJKWe7MwOkN5HmPuC8T8OjPGEXo1V8+V5o97qZY b4iACkFXeWj0HjT6zS2sxlpmXCinrwG8P9JhbnvjJoaeuKuqSO6rzU1zxsq7ZY0S 8AgxvGkDI8q16wSVNBs5fMdg8Gr5TwdHvEEZTBllJA9b/fFM6nk4mr99Oio+Cq3s Y78dsBMf8kmmOlo6TvhwX31zPgulqHckPaOek5RrCm9vilLTNNJB85hAF3s9MgM= =B9mz -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2528-1] icedove security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2528-1 secur...@debian.org http://www.debian.org/security/Florian Weimer August 14, 2012http://www.debian.org/security/faq - - Package: icedove Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-1948 CVE-2012-1950 CVE-2012-1954 CVE-2012-1967 Several vulnerabilities were discovered in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. CVE-2012-1948 Multiple unspecified vulnerabilities in the browser engine were fixed. CVE-2012-1950 The underlying browser engine allows address bar spoofing through drag-and-drop. CVE-2012-1954 A use-after-free vulnerability in the nsDocument::AdoptNode function allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code. CVE-2012-1967 An error in the implementation of the Javascript sandbox allows execution of Javascript code with improper privileges using javascript: URLs. For the stable distribution (squeeze), these problems have been fixed in version 3.0.11-1+squeeze12. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 10.0.6-1. We recommend that you upgrade your icedove packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQKqbqAAoJEL97/wQC1SS+IQcIAJ0R0R+4/gPgPwcco+U81PUr uehr4v0uAiSMuwXqC9NwR1l27AmmT/0S6fqRY7YB1hFxg6IeZPx73594yQsFsqAx 6kHFwfO/YIBLh9HFgQWwCwpl5OJ3VNiST87loMSiPgr57TXpNMGHNRU5MEGomrc4 wX0dpAJgnaI1dLMZn17fguf1ejzXJ6zcejNMpNJEFNbR/10Qi5lpWeE0n8RhfsyQ 9X0RSHGKypXz3hLpio9zuuKoUOvP/8hJ2/S61vqGBh1aOP3JjNdg5rUWVpXS/Szv 2EtOBWWK7zazwrgvaOywYv9Ju52X8B64jYLwtMaBpMVdfJX4WbbtsXt5ZGWzza0= =tukJ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2505-1] zendframework security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2505-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 29, 2012 http://www.debian.org/security/faq - - Package: zendframework Vulnerability : information disclosure Problem type : remote Debian-specific: no CVE ID : CVE-2012-3363 Debian Bug : 679215 An XML External Entities inclusion vulnerability was discovered in Zend Framework, a PHP library. This vulnerability may allow attackers to access to local files, depending on how the framework is used. For the stable distribution (squeeze), this problem has been fixed in version 1.10.6-1squeeze1. For the unstable distribution (sid), this problem has been fixed in version 1.11.12-1. We recommend that you upgrade your zendframework packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP7gbWAAoJEL97/wQC1SS+6OEH/jkrMyTtmsitOAl2zutL6iLu eMB755peBuBb+PWL6JxK9cnI+tiWl4R1USQ7bpZKm6d0ZzRZRk6phDatUR5HXPDn DwzHF2J3hnxP4oaigpLZWSBM1vUP74ORyENSX8pznC46KZ3e/9eMCJ4Ueqw10jAD P2fdjPhy96LNexOBtj5p0UGsiQ0tPVqVV8ZTmmIr56RKi9PJ9/9oZeI0WUO6YS8u aqFKT48STxzmgXTxh8ImxTbsNaLjmxxIs407HxCEX0XG06tv2W7EaSDOxuwr2y7F g9NQqubqj7l/QWBISzbjDZR3OhiPKlWySYJYcde0ZW/ewbweImTxb4t/n71mkgU= =JrgU -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2503-1] bcfg2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2503-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 28, 2012 http://www.debian.org/security/faq - - Package: bcfg2 Vulnerability : shell command injection Problem type : remote Debian-specific: no CVE ID : CVE-2012-3366 Debian Bug : 679272 It was discovered that malicious clients can trick the server component of the Bcfg2 configuration management system to execute commands with root privileges. For the stable distribution (squeeze), this problem has been fixed in version 1.0.1-3+squeeze2. For the unstable distribution (sid), this problem has been fixed in version 1.2.2-2. We recommend that you upgrade your bcfg2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP7Jr1AAoJEL97/wQC1SS+qs4IAK14MzCHurmbqJQQYTIsQDdD uNmFMEWoorDcLIV+2wXQ4atVFreVIFJ+Bbugx170h/SYNNALxjUmoEWzfWaeMMIE Xe9WpOTLIIuGaOj2l/Sg/tfyLJ4QVkKyKzwBZqd3SQT0IRA3q8Pe5J7Wq8uuhYXm 2INe4AUbVmlw4F1eCMgw66ka8cyXLfQN23PQ7bWwRK4H0hsztaPKKIOei5Y6HAvT gl4ZMJB/6uOQcgXTRYHdiVTbnjPpvL9FfE/TNl7eGOqpJUKl6F6F6NEj3rG90ZOr wGL4UH/CUKUKWn/aLeJffwWky8hmHHOeeb05JQFh2/H+o3+vELegWL3zGDrHNC8= =9CIk -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2504-1] libspring-2.5-java security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2504-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 28, 2012 http://www.debian.org/security/faq - - Package: libspring-2.5-java Vulnerability : information disclosure Problem type : remote Debian-specific: no CVE ID : CVE-2011-2730 Debian Bug : 677814 It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests. NOTE: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself. For the stable distribution (squeeze), this problem has been fixed in version 2.5.6.SEC02-2+squeeze1. We recommend that you upgrade your libspring-2.5-java packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP7KMbAAoJEL97/wQC1SS+Dz0IAJvg4eivzo+4NfdJWpP0V7C9 XE6ZbF20GP8vFjrYaen7lMDi39kqIeD4PK9FNXlnsEExCvNslw90zaaSLpuO7YQ+ RquCrBDP9dtKWZU4K4iBWJwXcTohRSKzspYYIUwJ+DgslOiZ6SV/VnxS/xIeBYuX mwUGk5gxZ0G60Rh0/33TXM/jCX61lFrPlmMBzM/sDS2rhw5adT9aljbcD2SdrvEp h0wRBXMJlOSTLgC6hiGQHAJ0Maz85PCMX1whaAVpudmOhgpGOmbOdPfHZ87i66HU ZzCgTgfx+VF989krdguEmEAwvBS00P35BlBaeQ40hZwdzoe/DqbWi+4mrA6X4WQ= =ocQ7 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2499-1] icedove security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2499-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 24, 2012 http://www.debian.org/security/faq - - Package: icedove Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-1937 CVE-2012-1939 CVE-2012-1940 Several vulnerabilities have been discovered in icedove, the Debian version of the Mozilla Thunderbird mail/news client. There were miscellaneous memory safety hazards (CVE-2012-1937, CVE-2012-1939) and a use-after-free issues (CVE-2012-1940). For the stable distribution (squeeze), these problems have been fixed in version 3.0.11-1+squeeze11. We recommend that you upgrade your icedove packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP5vq0AAoJEL97/wQC1SS+9p0IAKSqkW+AUl2IiOGWWH3do/iQ LWzECU65TXORbd4lWwj96w5CDQZ8rfe/R9VGdqxXzYx0reA5Hy7bbhxYnzq+ocDz EC7OF4c7oEbB5yh7EeDMMtcqkcTkCTkN6YoVyRcp6+KZUeLZiTv66hQBLsJ0Q7yn RSTUECbmC7B4eKewTPFdLiRUUgOtsOOIxqxm4BG9T4VSKsdI3IDe5KBfYTeQ17A7 Kf8L59tMDSKUwBzTADknYZrYGK2k8mCcTs0k/+ZO7iYpe8ystzdUxzDr/43q3zSc b/GsNQvJHq7vzni/kt7ERte1CjZkEUNVo5LoHmMBPnA4gaJh2k1BflJvGuSabqk= =dEr5 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2500-1] mantis security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2500-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 24, 2012 http://www.debian.org/security/faq - - Package: mantis Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-1118 CVE-2012-1119 CVE-2012-1120 CVE-2012-1122 CVE-2012-1123 CVE-2012-2692 Several vulnerabilities were discovered in Mantis, am issue tracking system. CVE-2012-1118 Mantis installation in which the private_bug_view_threshold configuration option has been set to an array value do not properly enforce bug viewing restrictions. CVE-2012-1119 Copy/clone bug report actions fail to leave an audit trail. CVE-2012-1120 The delete_bug_threshold/bugnote_allow_user_edit_delete access check can be bypassed by users who have write access to the SOAP API. CVE-2012-1122 Mantis performed access checks incorrectly when moving bugs between projects. CVE-2012-1123 A SOAP client sending a null password field can authenticate as the Mantis administrator. CVE-2012-2692 Mantis does not check the delete_attachments_threshold permission when a user attempts to delete an attachment from an issue. For the stable distribution (squeeze), these problems have been fixed in version 1.1.8+dfsg-10squeeze2. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1.2.11-1. We recommend that you upgrade your mantis packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP5wlDAAoJEL97/wQC1SS+3uUH/iSpSYaS0ZHHlvJVyTXUzs4S R6tC8HYpbtgrZo4BYJk4ynWh/jpY3TVcuy5ekH5BSmNKmP0NTZ5VWoEzIu3HmU+a 86DCwxdhRTlzw7NDltiK7Q3EDtvIqb5u1j6Us+V2CUfENKI3MA9CBzBCMLhuco4w noN/+OaZ0LG9YgDTKBxmWJYNGb0a7h+Me0/hsBg6+E9L345vGS3WLibnj1Balvld RWH3BClh2jj6TdGvQJboDVShnIDJEe8FINCavCSKWF+EjQBkxM8ffDDQaNGiAlNZ GsG8P4VGJ4KscB+Avr/XKfi/fCN7ZkhdQu3ymbgTOhfUeKFjJaRiR3WZbMfhIs4= =ghRd -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2501-1] xen security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2501-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 24, 2012 http://www.debian.org/security/faq - - Package: xen Vulnerability : several Problem type : local Debian-specific: no CVE ID : CVE-2012-0217 CVE-2012-0218 CVE-2012-2934 Several vulnerabilities were discovered in Xen, a hypervisor. CVE-2012-0217 Xen does not properly handle uncanonical return addresses on Intel amd64 CPUs, allowing amd64 PV guests to elevate to hypervisor privileges. AMD processors, HVM and i386 guests are not affected. CVE-2012-0218 Xen does not properly handle SYSCALL and SYSENTER instructions in PV guests, allowing unprivileged users inside a guest system to crash the guest system. CVE-2012-2934 Xen does not detect old AMD CPUs affected by AMD Erratum #121. For CVE-2012-2934, Xen refuses to start domUs on affected systems unless the allow_unsafe option is passed. For the stable distribution (squeeze), these problems have been fixed in version 4.0.1-5.2. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 4.1.3~rc1+hg-20120614.a9c0a89c08f2-1. We recommend that you upgrade your xen packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP5xeWAAoJEL97/wQC1SS+hJEH/3zAZZyxoaeeqjgIhgbizdfE bF+LpWgAkoUAOjmbScJlLJ9olbHoExezdcUgQho/n47mAOxnuqH6POFpbwNhYFAH iFydEctoIdGA0aO6/wNGJDCP+MIFzgtaF+OHiaK8N5mggMhlE/2Slpu/xHtaZUvX 6DzRCgp/p2E0xTPf+NGj2tBnQ03M5CiqkvkaQXO4kGjYYUfcSJrtJkXKcMBIWIOu /NzCmB8+ueQFCA62K9zbCK9Wmt3wr0PIg//HASsZZiIlpUo8vU6YtmwNA3hzTLD7 tACaiETs4ik/iLW+jv3BJCiA3W5EB4yorcnvGHIwOzOl4UF2ovTAsV5SStYQLKI= =tjtc -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2497-1] quagga security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2497-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 20, 2012 http://www.debian.org/security/faq - - Package: quagga Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2012-1820 Debian Bug : 676510 It was discovered that Quagga, a routing daemon, contains a vulnerability in processing the ORF capability in BGP OPEN messages. A malformed OPEN message from a previously configured BGP peer could cause bgpd to crash, causing a denial of service. For the stable distribution (squeeze), this problem has been fixed in version 0.99.20.1-0+squeeze3. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 0.99.21-3. We recommend that you upgrade your quagga packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP4jbDAAoJEL97/wQC1SS+e/4H/RRE5sgSw7+KkJ18+Q154WYC 706P/mzoSqtu4fBzr5AkSfOb+qnNctSue9bY01gjy1uHZmdQEqmnmFeJgp/1SR1i l4O3HqzSj4pXy6oQ3lWmUX0fnOcEGShmP+RKWbCE4Nzdihg2ysZmeW/BmBq0GNJH aJY6jeYKvuE2dmLUF+RxEIAxA5SH1/HNwgCHJso0W1Oq11rAjb6nf886FTYX4acM aD8JkcX133h9siUwCFS/gqalDW0trQDnhgsviqydi5BBg86ya4Z9TM9EHyoaaRm4 actQLdN2HGgJJyhXKR7fZamx8zAfIBVtGslzLJxy23X2l6sQ6huJz6j5FmtLHtM= =oUK0 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2494-1] ffmpeg security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2494-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 14, 2012 http://www.debian.org/security/faq - - Package: ffmpeg Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2011-3951 CVE-2011-3952 CVE-2012-0851 CVE-2012-0852 It was discovered that ffmpeg, Debian's version of the libav media codec suite, contains vulnerabilities in the DPCM codecs (CVE-2011-3951), H.264 (CVE-2012-0851), ADPCM (CVE-2012-0852), and the KMVC decoder (CVE-2011-3952). In addition, this update contains bug fixes from the libav 0.5.9 upstream release. For the stable distribution (squeeze), these problems have been fixed in version 4:0.5.9-1. For the unstable distribution (sid), these problems have been fixed in version 6:0.8.3-1. We recommend that you upgrade your ffmpeg packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP2k13AAoJEL97/wQC1SS+TuYH/RScyYCdJY4Jp/9tPPguY3zT cL9CK3T82UqbMRYrMXUwIcCooprBul1gJnD9k0desREY6TZ9qB90EFozu9wlW7fD NlQXqhKJEhXXn66h/byt0etds67HjzQ+56NhUxn2tC+ImKkxuycal9I/n8IwtPYW wOMdOmpHlJsncJ5P6sh1v3oVBwVHoX4DqYI3xYf8oK+2LFOSxJSdN76WhQNA84WD wnn2b0V/AhGONMb/ZtgRP6krK9HFyALay4V7hc4hpk6ywPA+fSUhsPqLDfMe6G3E kIx80w0yJwxFRG9DMr1aBkAKxdfeTTKv7IyZap7cO/0pEQxRgT49vBkNZj0KjY8= =jSXR -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2493-1] asterisk security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2493-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 12, 2012 http://www.debian.org/security/faq - - Package: asterisk Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2012-2947 CVE-2012-2948 Debian Bug : 675204 675210 Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. CVE-2012-2947 The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). CVE-2012-2948 The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze6. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:1.8.13.0~dfsg-1. We recommend that you upgrade your asterisk packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP15u9AAoJEL97/wQC1SS+Pu0H/0ZPFRSNpL+hJKd7b5FGF6al BZSp51eAC0d2mEFWMml4DAvx6u1gMPzrO9PPNgsEc6gxNyD4Stj+rF54h6X5i5NR ZSlyeQTQ292J18+LdANYWwxQJyzNNthNmYL/2AiR6z2BRnD3ZqHiPbWGv0FV4Vyw rT8fZ7ujp7CQlFGwcqjPxUzBqEq5U2raN2K9BoP6zpu8mHf9WzcmL4KZR/wJxMkf 04McrMttF++gM3atFSSXCWC5Bpj8q0xpr3YIv0dI8+fWPFpevNX2MBM+diS06iNc PUWfCPTy2Psl46dC3J+JeF8TPWE/HCmV98DD54DEv0R1tPUmNm362dtfiutiBbQ= =Wy1e -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2492-1] php5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2492-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 10, 2012 http://www.debian.org/security/faq - - Package: php5 Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-2386 The Phar extension for PHP does not properly handle crafted tar files, leading to a heap-based buffer overflow. PHP applications processing tar files could crash or, potentially, execute arbitrary code. In addition, this update addresses a regression which caused a crash when accessing a global object that is returned as $this from __get. For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze13. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 5.4.4~rc1-1. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP1MvhAAoJEL97/wQC1SS+SwEH/iPdIRQQX3GBnncDDgUnmdpp oTUhmCBVaAyee2sAX6JDm5/dacwXfQocBDkSD+x5tqeMt7Yfi/8hYfRylDOFyRKP TQk1EeNm9Sj6Z+O2QjWd3vkBEf2iVbx4DE50PeOQVFIKf2MWRMJHpwiy/Mu/M5bh 67k4WDScT7lvH9qtDI4PPW21Zu/h7st4Kq905qvzr0yqQAtVrqITtvbBQkJ/lOSS UBE8jWux+ulyUwlIgNzEUfiyNl7Y5oRoTfuYXWXAOyMlIqqyrKB1gm824xRd/WyN eT97KatpTDSdoickkU4hQvJubxKMd4P+bwgulDoeGb9wvIJsyb1UFibIWAJ7u6g= =KVPx -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2491-1] postgresql-8.4 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2491-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 09, 2012 http://www.debian.org/security/faq - - Package: postgresql-8.4 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-2143 CVE-2012-2655 Two vulnerabilities were discovered in PostgreSQL, an SQL database server: CVE-2012-2143 The crypt(text, text) function in the pgcrypto contrib module did not handle certain passwords correctly, ignoring characters after the first character which does not fall into the ASCII range. CVE-2012-2655 SECURITY DEFINER and SET attributes for a call handler of a procedural language could crash the database server. In addition, this update contains reliability and stability fixes from the 8.4.12 upstream release. For the stable distribution (squeeze), this problem has been fixed in version 8.4.12-0squeeze1. For the unstable distribution (sid), this problem has been fixed in version 8.4.12-1. We recommend that you upgrade your postgresql-8.4 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP0yeOAAoJEL97/wQC1SS+mwYIAK5doy1RZ0p+1Lst2zGzxybN 270cFjqX8ZNUBEPu3wzK41stN6+0zBghkrGGZufMsLsooIgfLcz2FdSy6Z90om/S ap7UvGRBj+xLL3PrXZFjGjjYgXTTeRJWoYLF/PtZyZVu7IpFTfaf/ziDAfR1O1JP l7UnAvSeQm4WZfLlYcHiLyiz5OqcHKQtCuenZ1Se59leTgqAw5ypO6xHeNFriqP7 jsclAs+gTZ3z3Zmornb2LPYEhnuuuk9WKU0RrJEn5fLzlwfPsosbJmS5L03sW5Xt 06QvnmFYfa2HgXx328X9yd+NtmVHJEHQIkpQbSgtaivmzIeWSWaOtjxvBP9pdMI= =jKHg -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2480-3] request-tracker3.8 regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2480-3 secur...@debian.org http://www.debian.org/security/Florian Weimer June 07, 2012 http://www.debian.org/security/faq - - Package: request-tracker3.8 Vulnerability : regression Debian Bug : 674924 675369 The recent security updates for request-tracker3.8, DSA-2480-1 and DSA-2480-2, contained another regression when running under mod_perl. Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The restart mechanism is not recommended, especially when using mod_perl. For the stable distribution (squeeze), this problem has been fixed in version 3.8.8-7+squeeze4. We recommend that you upgrade your request-tracker3.8 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP0PsjAAoJEL97/wQC1SS+7ecH/jFMGacquBz3fhvbfztCPYEH DMlxTJLl9yUEOfZM0bXrnmJaTMRS0FVFdQnqJ/APzq6T0Hh4NG8N4H6KhH/8N1PU uBRO6wVBxZ4Q81c5FZ9MmyXXkqv84j1Se1oqPnZTR9BJ+hFwRF19BzWifMVcE3SC QzGyUOHJ/r/n52KaQP1YUQli+GZaG7RNlYBY34Zag2vuEXXheQyW++O/830mJvz6 M89FnXazM4NuByEm8wINlq5GkJ2+pYNzx8WWNw7rqzJWPiiqXeFPsTcAnUqHHJlA aacZTM9prUuUDcZhtvUM+fLCWash5xJtYYNh4bIDSjO2JSJhLr50qLF47yB2yc0= =CgeJ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2487-1] openoffice.org security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2487-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 07, 2012 http://www.debian.org/security/faq - - Package: openoffice.org Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2012-1149 CVE-2012-2334 It was discovered that OpenOffice.org would not properly process crafted document files, possibly leading to arbitrary code execution. CVE-2012-1149 Integer overflows in PNG image handling CVE-2012-2334 Integer overflow in operator new[] invocation and heap-based buffer overflow inside the MS-ODRAW parser For the stable distribution (squeeze), this problem has been fixed in version 1:3.2.1-11+squeeze6. For the unstable distribution (sid), these problems have been fixed in version 1:3.5.2~rc2-1 of the libreoffice package. We recommend that you upgrade your openoffice.org packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP0P4UAAoJEL97/wQC1SS+xVsH/RryzKONh1SBGKN4osq27UH2 774tOERttRzsDgipwpp560aPMM04rLfH2k3Os9vk3zvzgwnBd4e7GeLKYbTkK/M7 g1zIPNRjGbLxREsTbdXYbgB86+PWjtd4Ex6TPFsPWPyOheqZMKEj2clNOW32ZKfV X7vBXDt3OlxrZo4Vxy6Q33HGF0Nf9eJv9N0se4o4mZJ/Uom8LpgOrfy4Lwsyxkkg csRrzqus9GgYpvjpf9R10YCj11rpXojGybZL6Xz5MPrqTcD6c2pTTTvIWczKTy5j QlYGuu/l4sTql5aZjdbIt/TAThQpKDPSIBc10/Br/sTER1YrrYuDj0ZDY8PR5cQ= =3nsr -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2486-1] bind9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2486-1 secur...@debian.org http://www.debian.org/security/Florian Weimer June 05, 2012 http://www.debian.org/security/faq - - Package: bind9 Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2012-1667 It was discovered that BIND, a DNS server, can crash while processing resource records containing no data bytes. Both authoritative servers and resolvers are affected. For the stable distribution (squeeze), this problem has been fixed in version 1:9.7.3.dfsg-1~squeeze5. We recommend that you upgrade your bind9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPznhPAAoJEL97/wQC1SS+qKYH/3Utmyv9stmMx8SxPYwa34fw iGQIxLXQRHhFVxQj1La4lFAIqm724p2mOOcxUg1uIH+i7MYF8243T4MR5TCNRLcD nD5GLpKcwUlz1IXV5/PZQsHMkeNEcEW81ez+HVN0/NhagM8Sqdb88lxMpGtBkSCn tt0vN/FL99ny44XZCo8gaC29Nh4K9U3uvjE0009d7rimDuNP9yhr6rU2rJrvaeT8 7Tl2TewiOHwLSNx1huOXv+BgH5bfoJoBMr/lmomJ005VjozW2MLgYo49Jpo055BL VvNtkECAvmTkIiESd3ss5qivUuOcbSVbPOColTVhdre2f+qOqHXXuglaehQMwzE= =UfVD -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2480-2] request-tracker3.8 regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2480-2 secur...@debian.org http://www.debian.org/security/Florian Weimer May 29, 2012 http://www.debian.org/security/faq - - Package: request-tracker3.8 Vulnerability : regression Problem type : remote Debian-specific: no It was discovered that the recent request-tracker3.8 update, DSA-2480-1, introduced a regression which caused outgoing mail to fail when running under mod_perl. Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The restart mechanism is not recommended, especially when using mod_perl. For the stable distribution (squeeze), this problem has been fixed in version 3.8.8-7+squeeze3. We recommend that you upgrade your request-tracker3.8 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPxSLMAAoJEL97/wQC1SS+G3kH/Raa0U94IZOS/6CeabfnXXWh APwy/SY2A8yWoEMcP4NnClwnElu6W/V6B+a3f7To0k7nOvM+kLWLBhAR2iNVaxqR R0+X115GefhZ4RzDge7z2qoXz+zif/BycVrv5VX0XH7UA/9YtCJBRLiOo2jW8s/E qB+YpHXVjm1op5aQqz+ihX7o67jZMxkkANleP5R0T5IMq0ilLXIOyNIjHK/ldxFf jK18XGdN5RXqEBYBa9a45c+KVas8Dt5eaCZpXQhCrI/beBd075+dB30Rofl3WZVU RI+zDoXiKoV3hXcG0YudM34rnbC9MrsknYg+OaGatRoPlnYlJRc0znUD2ikqXSw= =8t9U -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2477-1] sympa security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2477-1 secur...@debian.org http://www.debian.org/security/Florian Weimer May 20, 2012 http://www.debian.org/security/faq - - Package: sympa Vulnerability : authorization bypass Problem type : remote Debian-specific: no CVE ID : CVE-2012-2352 Debian Bug : Several vulnerabilities have been discovered in Sympa, a mailing list manager, that allow to skip the scenario-based authorization mechanisms. This vulnerability allows to display the archives management page, and download and delete the list archives by unauthorized users. For the stable distribution (squeeze), this problem has been fixed in version 6.0.1+dfsg-4+squeeze1. For the testing distribution (wheezy), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 6.1.11~dfsg-2. We recommend that you upgrade your sympa packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPuT+EAAoJEL97/wQC1SS+vxAH/jYCNKyrlOKvMj61ZCc+bxxH X/kgdQEGgqw70pQYnlxM81hZr1YdK0KgncTiNqa0R9iN3SrVDgYNGJNGOZSxAE+M zGqduwkeh8QRXpwORb11DKqYIAPxVYvKnJwxHv/SzFskh9Lm4ppX1vdpVZqpDNpd 8GB2xlgqjb1SKy7YYmGaGIZ6mVMqzG4+bKuix7xIiAkFhu5loQ7mnSaWlgFjeMre tdy0Gz56rfYfuwcpC0qdEn9tfVUWBVYALG5ZgWt2i1XeMN7dNAu3FRAZvNNmxqMt YEft+TnXdfre34Vd68kszShRlVaqEqjjtYdAY2pq4Prttqg/vKXGWg139QfJEjE= =LMTp -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2472-1] gridengine security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2472-1 secur...@debian.org http://www.debian.org/security/Florian Weimer May 15, 2012 http://www.debian.org/security/faq - - Package: gridengine Vulnerability : privilege escalation Problem type : remote Debian-specific: no CVE ID : CVE-2012-0208 Dave Love discovered that users who are allowed to submit jobs to a Grid Engine installation can escalate their privileges to root because the environment is not properly sanitized before creating processes. For the stable distribution (squeeze), this problem has been fixed in version 6.2u5-1squeeze1. For the unstable distribution (sid), this problem has been fixed in version 6.2u5-6. We recommend that you upgrade your gridengine packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPssBDAAoJEL97/wQC1SS+hQoH/0SS/5Y7YGa0ZId76G/BVCr7 4Wn+9pNSg0w9DXIPCdOXTOyYEyi1P5s4XS5ccr5QTsQ73rBhjMlgW/ASSbsJ50Na vyKRGiGj/ISuNllFET4sk/V1sRnr2XNPC5JKQ2V6b4L8S8NRduPoTQ3XIBuduXGK yPbd158qursgNd3J3nN/EMRhsexPsTqWj2ypcrjL9TfbNXgj4XMtvltNUzcFMEp6 1q9eNi2sXvVSV2Ecu8bWa65DuuXKgBYBX2dObM77DPXyL4Jkog4vssPZQ32Q3b7n jhWeI5BvrgBh2OJEyq63rmnbRA3NMyHHMfcljVlplX9gl78qWTb+S3OtPP1AFuE= =4w3Z -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2473-1] openoffice.org security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2473-1 secur...@debian.org http://www.debian.org/security/Florian Weimer May 16, 2012 http://www.debian.org/security/faq - - Package: openoffice.org Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2012-1149 Tielei Wang discovered that OpenOffice.org does not allocate a large enough memory region when processing a specially crafted JPEG object, leading to a heap-based buffer overflow and potentially arbitrary code execution. For the stable distribution (squeeze), this problem has been fixed in version 1:3.2.1-11+squeeze5. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:3.4.5-1 of the libreoffice package. We recommend that you upgrade your openoffice.org packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPtClUAAoJEL97/wQC1SS+34IH/0INUvBvkuel/9IXtDDDXE3H N2hgzgSHu92U6QfOPqu/P+C5rGH4O0I9kCbjhyYOiiIXTxWNPe+Ng2ml5X+QpdAH Lj9hC9EwXJlcwVLm9v5FUkiWhvmUNt94HW22Qo61N6Jy1yeXqSG/nEIK1d5qe+84 k+lyUKICBaT+irn1KGUKc4zoYrmKFhR9og363LOA9ZZXQYWZG+wKH0dpMHpdFEvv 12mdEQNIbLpZlWJmYqVeaaY6f4C1Fdbqekcyu+sk6FofIV7zdtzxI3yBpuD9SiJf XcQtDmyofDM8pWczh/HT/GiSckf2ebOYgSwvzk92sEGNSuZBH1y75kXa2p0kOBE= =KEKg -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2468-1] libjakarta-poi-java security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2468-1 secur...@debian.org http://www.debian.org/security/Florian Weimer May 09, 2012 http://www.debian.org/security/faq - - Package: libjakarta-poi-java Vulnerability : unbounded memory allocation Problem type : local Debian-specific: no CVE ID : CVE-2012-0213 It was discovered that Apache POI, a Java implementation of the Microsoft Office file formats, would allocate arbitrary amounts of memory when processing crafted documents. This could impact the stability of the Java virtual machine. For the stable distribution (squeeze), this problem has been fixed in version 3.6+dfsg-1+squeeze1. We recommend that you upgrade your libjakarta-poi-java packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPqs4eAAoJEL97/wQC1SS+vW4H/javD0EcF4EUw9KN9zJb8gJG sBtULjsxoMsKOog5L2HNxKuqnU8dBVnJlO+OleAaaThhS6hg/dytsGjZ0Zclro9W Oe7N3INrTgjNZ1t1+rUUP7p03STjVwClcLXzhuxU5jzCIqJ8kxHfHtZUbwo7O9dQ eUkTGtPQIvRlYv9mQtbb4v526EMiSLKQzWF49rguxHQVnePlZ4cTPCg3/je0NdV8 L+E1iThzqQo1MHFX3jFa4sYU2xz4f/d6R6cxul9ElDRLNqnWLe3dmxgaYbNfpD3y +To3gPtYiW2yaFis58iqTOTN8w+yK+ImjR7Vb6RmQVKripx7eWvKAnprO7THpMA= =7m5/ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2464-2] icedove regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2464-2 secur...@debian.org http://www.debian.org/security/Florian Weimer May 08, 2012 http://www.debian.org/security/faq - - Package: icedove Debian Bug : 671408 671410 The latest security update, DSA-2464-1, for Icedove, Debian's version of the Mozilla Thunderbird mail client, contained a regression: the removal of UTF-7 support resulted in incorrect display of IMAP folder names. For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze10. We recommend that you upgrade your icedove packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPqXg8AAoJEL97/wQC1SS+4WAH/3/zuRDz1RZ+assGHwwuJQ5h ysVGW3TDYU3I2ugnWe06V2LcqydCHZBfB05/K0VxMl9PTsS+ljP6ds9lgWzw0zxr RuV4TXg1c7+oyxPfOZz76C33JjddflSIGQNOWq3loq7GXVuAW9zvXb+MzaRITFKM 9JoSy/JpPdCdJ8Zf4ATj8vDHfEoXJ2ZrTC8ZiS6CINef+jMt/WWpZqb6bWlhuZby CQmqDQs4rDgQa4weNL+HIBXI7gQrv33yUh9wexBxx9/NaW1YsvD+LC0ZDG9DEQKa Fi+Br8DXhQJlpyLEqJHuGud+5Ar8KNBemGTDdc7ctQHV2nIBfbrh4W8ZsqUEo1E= =JT0i -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2459-2] quagga security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2459-2 secur...@debian.org http://www.debian.org/security/Florian Weimer May 04, 2012 http://www.debian.org/security/faq - - Package: quagga Vulnerability : regression Problem type : remote Debian-specific: no The recent quagga update, DSA-2459-1, introduced a memory leak in the bgpd process in some configurations. For the stable distribution (squeeze), this problem has been fixed in version 0.99.20.1-0+squeeze2. We recommend that you upgrade your quagga packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPpFAgAAoJEL97/wQC1SS+HzgH/ikUoSRCeVqx2664IJklSEin 1Yi/dcKS1zUM9fk7nNlIk7NSpRXGBFhQ72QSo7PKCXw4FmglZXJCn5i7rnMv2/xT nxFsUtnrk6L25X12V0vlTws15t/04iHE2nmuOhqy1rOIxlq91T6ngrilr4+ZpMVp ePvKpRQBjqPIOd+8HFtHsmcrEkCpkOHupvUZ3rTIIs+rIs1ijZP3j+PzJbIDkqLR GhQEShktIrQ8HD1mq+eIw7AQ5dWPctwLT0ZmuLLU5nS9BP3j5BQM/syHKDQEhdfj BbCudBN0sjt8kK3Rvyu9Lw7ByCj/7RSSRzkyVT/+VmGCgojJ0Xw1nkFCJ/o3wd4= =xo1n -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2459-1] quagga security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2459-1 secur...@debian.org http://www.debian.org/security/Florian Weimer April 26, 2012 http://www.debian.org/security/faq - - Package: quagga Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-0249 CVE-2012-0250 CVE-2012-0255 Several vulnerabilities have been discovered in Quagga, a routing daemon. CVE-2012-0249 A buffer overflow in the ospf_ls_upd_list_lsa function in the OSPFv2 implementation allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a Link State Update (aka LS Update) packet that is smaller than the length specified in its header. CVE-2012-0250 A buffer overflow in the OSPFv2 implementation allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field. CVE-2012-0255 The BGP implementation does not properly use message buffers for OPEN messages, which allows remote attackers impersonating a configured BGP peer to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed AS4 capability. This security update upgrades the quagga package to the most recent upstream release. This release includes other corrections, such as hardening against unknown BGP path attributes. For the stable distribution (squeeze), these problems have been fixed in version 0.99.20.1-0+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 0.99.20.1-1. We recommend that you upgrade your quagga packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPmOgYAAoJEL97/wQC1SS+aH8H/jh5fp5jGA1G0/fnF6QOCAmi dkPAk51Lf0V/yTf/W1qoN5rOJ9B1G1PP1QCOUUHPunuCSQvynXuPb0QMmOLvtAjb +wlQX5EbdLrjcfc4Rer95dnZITU1uaCiTKw9aGRlOBMcu5jedG21Jks7vwWnBgCE lL2RuBBk1Rut5YtXuuPZTgXae3BOjjUh7yNPy/cZ/AWf1T442KLaZRQhLwimBrco S2PNHjeV+bPQUa5eKwE6OdWkNdZt85JcFzz13ojEMMxh/kPiJF7+guec8dIjHr+n OyKytdhO/wm6lyBlR4BYryGW4U1AuuiTTGs0ldAIzUBzhlLTPLQWt+Te96TMbAw= =7lac -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2445-1] typo3-src security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2445-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 31, 2012 http://www.debian.org/security/faq - - Package: typo3-src Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-1606 CVE-2012-1607 CVE-2012-1608 Several remote vulnerabilities have been discovered in the TYPO3 web content management framework: CVE-2012-1606 Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities. CVE-2012-1607 Accessing a CLI Script directly with a browser may disclose the database name used for the TYPO3 installation. CVE-2012-1608 By not removing non printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting. For the stable distribution (squeeze), these problems have been fixed in version 4.3.9+dfsg1-1+squeeze3. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 4.5.14+dfsg1-1. We recommend that you upgrade your typo3-src packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPduYCAAoJEL97/wQC1SS+pQ4H/i/60HkUmm3wyur55Xvn6kCo 3A/idLzJTfSYvoE5V6KPxM5A23IGIermN9qiNO5nHHcRtRJkbFafZHtcoQZwBm1Z Ryjx+gSt8s7C3WJKEDy76tHgcdhtSL9l3VMdTAMBv6ZVT1ts5WKUnoHFCu10yLQh /EcuNctElQz6chub6yrTIgOViLwY+RTLYY9SlhE3rt6j2mpGyBZn2IK+QCIbpGBN UCT0O7w1i4Jn5gYoxQuArM0+fy+ej/1r91O50DiCnXbp11xQxFHcK28QxVIQhYDi B09MrGZdjxvLY+G3l0D4A1z+83bySa8R+qSHsMy8Q6m46ipk0LyOpjB17RdqnbI= =dWxS -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2442-2] openarena regression
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2442-2 secur...@debian.org http://www.debian.org/security/Florian Weimer March 31, 2012 http://www.debian.org/security/faq - - Package: openarena Vulnerability : UDP traffic amplification Problem type : remote Debian-specific: no CVE ID : CVE-2010-5077 The openarena update DSA-2442-1 introduced a regression in which servers would cease to respond to status requests after an uptime of several weeks. For the stable distribution (squeeze), this problem has been fixed in version 0.8.5-5+squeeze3. We recommend that you upgrade your openarena packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPdu15AAoJEL97/wQC1SS+EO4H/A3AE3MYGS+Mc17upIftsSdi nbIE94RVAeSUz2p6I15jqqzOnC67Gp1xmeGniSeF6JIk+/J5aUqqrQnGid6k2vgc OEEs8M+c8ce0ivBcf6J+t3IByF4vKAAkW8yd/isad/dcydzYx25IBDZL3ADhCWxg eyPdTTm6Ey2D1mQvfq+hXhF5TvWMThGJU7FkajaYTyfXWh4rLbFZaOfJIEUA+7La kIIuVpYHlwCfaRimjZtI1nDeXoQ9nX3+0HUpkCAMh6LK0b4qqM6hHT3DNqrwM/SU uds+nuw0mi8R+IDlupIAAFn0nlVgwkG8+QaRCBDwq3DvY+sHM5df5UV7SrkCBKc= =hKMs -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2398-2] curl regression
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2398-2 secur...@debian.org http://www.debian.org/security/Florian Weimer March 31, 2012 http://www.debian.org/security/faq - - Package: curl Vulnerability : regression Debian-specific: no Debian Bug : 658276 cURL is a command-line tool and library for transferring data with URL syntax. It was discovered that the countermeasures against the Dai/Rogaway chosen-plaintext attack on SSL/TLS (CVE-2011-3389, BEAST) cause interoperability issues with some server implementations. This update ads the the CURLOPT_SSL_OPTIONS and CURLSSLOPT_ALLOW_BEAST options to the library, and the - --ssl-allow-beast option to the curl program. For the stable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze2. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPd10cAAoJEL97/wQC1SS+888H/RqIFN6Ar1dMC5s/cqkKw6lv s1TBltSE8pKe3oR3zS+z4RBKNG0RdxElON2Z9AlhqZM2XF9ZDf0jUKIBdrrdiSgm tfh5pMH5rfMJrF3VODnXRZqzGm7zWlzZD2Q7H47OMwxgD5qd87ucuB3tWgc04xjv scH/TbxW2AUoP68KB8POQiFN+TJc0m8WFyQIUiDx3eXw2Mx7qEVO0fWm2tLsDQFF KoZ8cPS1aC3/S2nN3JfCOWZZ/X+i6kibASNZLxAAzEcPT/6heWNk8t+CeQdulXrD 1ZAcUj7A2+HMCHBaC1JNySL36eacs5A0l/HIouR+1M/jd/tnZKMZlv0gTb6h0FE= =Oun5 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2444-1] tryton-server security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2444-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 29, 2012 http://www.debian.org/security/faq - - Package: tryton-server Vulnerability : privilege escalation Problem type : remote Debian-specific: no CVE ID : CVE-2012-0215 It was discovered that the Tryton application framework for Python allows authenticated users to escalate their privileges by editing the Many2Many field. For the stable distribution (squeeze), this problem has been fixed in version 1.6.1-2+squeeze1. For the unstable distribution (sid), this problem has been fixed in version 2.2.2-1. We recommend that you upgrade your tryton-server packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPc/0AAAoJEL97/wQC1SS+F5kH/0NGInrbXAk/UuCJh2zAgqbI pqa1ggZkjLrCP0JiAe/dsRPq/lhd17CoZkPuekxwvI9HppkSWKtwWKCbEKtpcAos VbJsZZ3TYqrZFJpBzQOFLXTd+Kou2XUFKPV741bfrKZP8CNCZQWZHx0yXmtorfGt w6/4896Z2lQIPFwCvvseIp3umjFykEAb3WgmD6ZDYzkl6gNXvTRBk4Cd+RLDwKC5 6FFzDbAVI6VQWoO1sXU4qN2KkfqKDM7BQhWcuIXA0ZWn8WLWqNElvmBtagmi/yC4 yOxwoU8jwsV1zBNZMWy2U6NfntKvqVOq0tiE5+e3hCVJYiE5MLi7A7n7mgQF0/g= =+fGV -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2442-1] openarena security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2442-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 26, 2012 http://www.debian.org/security/faq - - Package: openarena Vulnerability : UDP traffic amplification Problem type : remote Debian-specific: no CVE ID : CVE-2010-5077 Debian Bug : 665656 It has been discovered that spoofed getstatus UDP requests are being sent by attackers to servers for use with games derived from the Quake 3 engine (such as openarena). These servers respond with a packet flood to the victim whose IP address was impersonated by the attackers, causing a denial of service. For the stable distribution (squeeze), this problem has been fixed in version 0.8.5-5+squeeze2. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 0.8.5-6. We recommend that you upgrade your openarena packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPcMUiAAoJEL97/wQC1SS+26wH/3N4FqJ58SxBJLhVsBHPBy+h 1oUEJs7XKbjjqCU876DJ7N2LgpGQNzCrLOfT3hNVMRWLnypvOLcDG3VQmmpBwn+/ XcHkSiJ4qUuSsXpQyyEN+DgmD3y7Hf21fkEUvBeQuoBjA25wJhAEptgBB00sGjRd 3MD6Nagjg3aB73WriDTXSxQKpPGLZLb4QF7xP/VYdLjxCiBWrTCgukvVhRBXUlrH 9JzHcensvTLpzkqtdUqBe4T1sisNWs5TqPmQqkpUO0IsrlW2r8QAo7+YYidhUtKa 2yULdA9xre1+PaaZ+bFV5wtzWgC2U4PoCB/7vUXRFBWGcfxfeG4Vs+DHKWM9/WQ= =crI0 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2441-1] gnutls26 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2441-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 25, 2012 http://www.debian.org/security/faq - - Package: gnutls26 Vulnerability : missing bounds check Problem type : remote Debian-specific: no CVE ID : CVE-2012-1573 Matthew Hall discovered that GNUTLS does not properly handle truncated GenericBlockCipher structures nested inside TLS records, leading to crashes in applications using the GNUTLS library. For the stable distribution (squeeze), this problem has been fixed in version 2.8.6-1+squeeze2. For the unstable distribution (sid), this problem has been fixed in version 2.12.18-1 of the gnutls26 package and version 3.0.17-2 of the gnutls28 package. We recommend that you upgrade your gnutls26 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPb2oHAAoJEL97/wQC1SS+QRgIAKYv2qHZZ2mL1DHDq4of7w/U xdSauiyXEyVh+pLiKXObfSuZhEbJQoemX8cg766sh3iXG5G81Rx9zpz1QuazNE0R NfDCHX0MCvdc74FP6lc1uCG6gWxgfma0kLP5/TxbtQ9fbmB8DwtH8hyhwC3Vac/V RbWVowElalLWEC06F9hVqF9/2WNWdkn7RAQ4w3XwsD0Lc+F9NVpwtX+sCKqVQR04 mEe7lFMoy2ZX9HhJs+x5q2VobBsd3TjdbaFTQXvcWagCQf7OK4esX2sq3nzyP4Us x0k77EYDzlVMdNunLO6L6x82Ihw2Vq2MmA79ofuyMbjMLUe9stURWGG6IcdwAf4= =jBvl -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2440-1] libtasn1-3 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2440-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 24, 2012 http://www.debian.org/security/faq - - Package: libtasn1-3 Vulnerability : missing bounds check Problem type : remote Debian-specific: no CVE ID : CVE-2012-1569 Matthew Hall discovered that many callers of the asn1_get_length_der function did not check the result against the overall buffer length before processing it further. This could result in out-of-bounds memory accesses and application crashes. Applications using GNUTLS are exposed to this issue. For the stable distribution (squeeze), this problem has been fixed in version 2.7-1+squeeze+1. For the unstable distribution (sid), this problem has been fixed in version 2.12-1. We recommend that you upgrade your libtasn1-3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPbk3rAAoJEL97/wQC1SS+M3cH/0Paiu9LKPgbcbSOi3Mv26bx lofgEYo57A0EoaVx5nPBBM+3kyTSFdL2xjDWDdXseM7m53N8prH32jQOW4vy+ip+ zUHgXc2+wINjRQs9ywl+FONYbOdvyI3JD4r+EGWfjVPdaCixrW5GWphtmv97ZHuG o8ZxYfU6F1eqH0R9fjHqaDiZXcjq1Vn7QvJpq12Jz8iLBl2fsR0t//uB5xZr/0xN uDYHPPKHKTW+BVtRKlt2A7nYDcevQP0Qj038I/IP+zynC3LgMW8caCsK6UGUe1E9 fw8GcOHMc/bHhbbfodzmgRD4KWoy8c5FbdqzNEHJsvEJiOuusR/J6zIT1pIFQ8c= =hQt8 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2429-1] mysql-5.1 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2429-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 07, 2012 http://www.debian.org/security/faq - - Package: mysql-5.1 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-2262 CVE-2012-0075 CVE-2012-0087 CVE-2012-0101 CVE-2012-0102 CVE-2012-0112 CVE-2012-0113 CVE-2012-0114 CVE-2012-0115 CVE-2012-0116 CVE-2012-0118 CVE-2012-0119 CVE-2012-0120 CVE-2012-0484 CVE-2012-0485 CVE-2012-0490 CVE-2012-0492 Debian Bug : 659687 Several security vulnerabilities were discovered in MySQL, a database management system. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.1.61, which includes additional changes, such as performance improvements and corrections for data loss defects. These changes are described in the MySQL release notes at: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html For the stable distribution (squeeze), these problems have been fixed in version 5.1.61-0+squeeze1. For the unstable distribution (sid), these problems have been fixed in version 5.1.61-2. We recommend that you upgrade your mysql-5.1 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPV8DTAAoJEL97/wQC1SS+L24H/15Ovi05XFuAcy4dQpLfOWr4 3pjA6p03aaWBKeqW0DoQ+768MoShxjKiSA2ERXByX0AiKUXxLu6YG5sNohiOjOEP NqO84Jq+gmpiQdiWhMqOsEj61JEXvncRtKvo8N6QnJ9j+y+MR2ja2KjNtEeGyUr1 yc8ubMgS7mbqxZKK3+cStZwChRPy8p6f+/nplHfyL9AgCkJDjTjNhoZrZ21aSfeu eC6zzvWAiFWkHxNqM+HQBURPedbyEIJDNf25fMkMIzuqeLDfIoC3ATwpZHCE2mxq fLRH7Bp4cpHNBAjDpwuOqkYuAduj1fL5+oBmw/zkpHBp5oHrBpnTZ2zULJ062Tg= =mr98 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2426-1] gimp security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2426-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 06, 2012 http://www.debian.org/security/faq - - Package: gimp Vulnerability : several Problem type : local Debian-specific: no CVE ID : CVE-2010-4540 CVE-2010-4541 CVE-2010-4542 CVE-2010-4543 CVE-2011-1782 CVE-2011-2896 Several vulnerabilities have been identified in GIMP, the GNU Image Manipulation Program. CVE-2010-4540 Stack-based buffer overflow in the load_preset_response function in plug-ins/lighting/lighting-ui.c in the LIGHTING EFFECTS LIGHT plugin allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long Position field in a plugin configuration file. CVE-2010-4541 Stack-based buffer overflow in the loadit function in plug-ins/common/sphere-designer.c in the SPHERE DESIGNER plugin allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long Number of lights field in a plugin configuration file. CVE-2010-4542 Stack-based buffer overflow in the gfig_read_parameter_gimp_rgb function in in the GFIG plugin allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long Foreground field in a plugin configuration file. CVE-2010-4543 Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. CVE-2011-1782 The correction for CVE-2010-4543 was incomplete. CVE-2011-2896 The LZW decompressor in the LZWReadByte function in plug-ins/common/file-gif-load.c does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream. For the stable distribution (squeeze), these problems have been fixed in version 2.6.10-1+squeeze3. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 2.6.11-5. We recommend that you upgrade your gimp packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPVlM6AAoJEL97/wQC1SS+gDYH/j24PZB+ZC0nPXZUnc1y++I0 Kfvm2cCSKA1jK1g5OhWEKWkOlGn3W8blytT2gXtdYxLu3ySbb2SdTU8mKSoKcFjU rLuYFoyegORbtPf7vujCz8xy7LYNUUqSnJ9X0DSH2m1EcuvcSMunr5X0W2wxPMUS 5BqcKpBa1qN3NexAzEtnFmaSbjsC4C2w8L1YC+V4fNKTi5LDgYcsUthduv01v/LI zHGgPYdM7p5EJ+kzeWNsjJ9Y98R7QEtsIuGMRHGtjTzQiPVgkxEWlfuE8K0hxutu 812kVi1Ae1Ra/EtWxcNO136RCQonm7NY14Yk1iEzPuf6VUe+yn6jUCbUunZN6wc= =fKIu -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2427-1] imagemagick security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2427-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 06, 2012 http://www.debian.org/security/faq - - Package: imagemagick Vulnerability : several Problem type : local CVE ID : CVE-2012-0247 CVE-2012-0248 Two security vulnerabilities related to EXIF processing were discovered in ImageMagick, a suite of programs to manipulate images: CVE-2012-0247 When parsing a maliciously crafted image with incorrect offset and count in the ResolutionUnit tag in EXIF IFD0, ImageMagick writes two bytes to an invalid address. CVE-2012-0248 Parsing a maliciously crafted image with an IFD whose all IOP tags value offsets point to the beginning of the IFD itself results in an endless loop and a denial of service. For the stable distribution (squeeze), these problems have been fixed in version 8:6.6.0.4-3+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 8:6.6.9.7-6. We recommend that you upgrade your imagemagick packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPVmIcAAoJEL97/wQC1SS+E1wH/jylVSEeV3WaW/3uWhY7e6Fi CS3p7WgMAll+Lm+T1J5IRXxfcjX8pfbNPWuaZyIWWfTbr1Pyc7tQLue1QRKpRUb0 IGxMNxXhA0ZjAqy/V0Pz+O5u4hy21yTD7HiqhEslnMVOaEWbZ3bLXis9D0PMPYQd f37V2veKuUwY+ozKDILlEzSOh1FyFxqbtIRoWBqO0FPkuwiQ5OArAUtu1z8/Me7n eugVrDXoSDtnqxZD4B2t24ZL6XpaJ5PU7SUIrfibOHa1EyBMz5EwheVUk++yOzj5 iRpgw+GRUMRzKqWyePsr5o72W4OAdOuTqNNMOdiV8sZxTw2DGMj6I2cQrl/ROWg= =gz5r -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2424-1] libxml-atom-perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2424-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 04, 2012 http://www.debian.org/security/faq - - Package: libxml-atom-perl Vulnerability : XML external entity expansion Problem type : remote Debian-specific: no It was discovered that the XML::Atom Perl module did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected ressources, depending on how the library is used. For the stable distribution (squeeze), this problem has been fixed in version 0.37-1+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 0.39-1. We recommend that you upgrade your libxml-atom-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPU5qcAAoJEL97/wQC1SS+vPkIAKqYWwKE0IX7TSP4APfXs8DH kwfLZhRbQIqOFtYP3j+p9IQwHLJkc6wjrtXG05AAWoNqca65tx9qadie20+APU0A YuWJRv5/KXpr6osXSvPaLbJcSSmHSZh4Cl1o0efE1KpXVwtPL7XYjHUH8SVsqPWb 6kTHzAI5Oa7PB8ZgSzJ3ebauc0CuoQAIZEWgYup8RqtoDkGGZrgzfel6aq4Oxj4Z 5wxwpc4rDKFRpUFpZyKzszz5h2bEEDFTLyUXfVzYDpeEqLNeiSHT6/O3pJL9FtBr 8VHuAuo1b9NtIlGxDGXulsRHFFaDIMbmYBKtlhTWZ3LhxOSw5T5Wc6FULhHEO6s= =fCTR -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2425-1] plib security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2425-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 04, 2012 http://www.debian.org/security/faq - - Package: plib Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2011-4620 Debian Bug : 654785 It was discovered that PLIB, a library used by TORCS, contains a buffer overflow in error message processing, which could allow remote attackers to execute arbitrary code. For the stable distribution (squeeze), this problem has been fixed in version 1.8.5-5+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1.8.5-5.1. We recommend that you upgrade your plib packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPU9dGAAoJEL97/wQC1SS+2nQIAIcxUIKWilDEczBANCW2/e11 0xvJh9o60iJYSD7Ac17Owhe6EsB2Hi8r1zWiwUd9qLPq8Pa53i3VEXL4fXRQg0D5 lylg1zdA5xuTdKSGgf6IoWPoOIvym9ls0GQ+fbIPTJqC7RY07Oujzh6duFJ11iAr LGksQKJg5bU+eU3bCOV7mwBzUqZ0KWasHpYS25+fDVkcnPy18foc/wfjZO++//t6 ULMeyD2LMO/lWd2KGQ+7kHfELeY4rhEF1luejc5yIxEF0Oxep7RF/fHXmJCqvtdM 4QhZ78BbwnOXeBVqDcLei2zkvQwJglOrvYWjBR9qZHaPuamKNR8UzKcfIn3hKcU= =cTXF -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2423-1] movabletype-opensource security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2423-1 secur...@debian.org http://www.debian.org/security/Florian Weimer March 02, 2012 http://www.debian.org/security/faq - - Package: movabletype-opensource Vulnerability : several Problem type : remote Debian-specific: no Debian Bug : 631437 661064 Several vulnerabilities were discovered in Movable Type, a blogging system: Under certain circumstances, a user who has Create Entries or Manage Blog permissions may be able to read known files on the local file system. The file management system contains shell command injection vulnerabilities, the most serious of which may lead to arbitrary OS command execution by a user who has a permission to sign-in to the admin script and also has a permission to upload files. Session hijack and cross-site request forgery vulnerabilities exist in the commenting and the community script. A remote attacker could hijack the user session or could execute arbitrary script code on victim's browser under the certain circumstances. Templates which do not escape variable properly and mt-wizard.cgi contain cross-site scripting vulnerabilities. For the stable distribution (squeeze), these problems have been fixed in version 4.3.8+dfsg-0+squeeze2. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 5.1.3+dfsg-1. We recommend that you upgrade your movabletype-opensource packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPURmgAAoJEL97/wQC1SS++gIIAJYa8/VTPTBpZ2UveBNmXwgg e4y56m37U286B1mP2HBWEc/a3NLVSfhIgapvmWVqfFXdq99Ho7J5CjLrJV17+uIB 0cK615rIx5ZVv8qRnlBCkR1efuuoomhhdLxostF+9RLvDbHBRSt1hUK9591u9JNa fd3uMq/+MeH36Mrn3syEAmp47WZ3dkwAqCrzGSm7sdsyq3SrbsdT22NTp3wrF9zP tNK3S8wxTzFfyInAOJOc6nCfmWTzR29f/vI0oU1PL52oQ38O32tCycpljfquzkAm Fq1G85waOSAZt1EidDukep3EfAGMyJHfzX+/t7fN8C0i0wO4sp1+7bmSXZcdbH4= =8Uv7 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2422-1] file security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2422-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 29, 2012 http://www.debian.org/security/faq - - Package: file Vulnerability : missing bounds checks Problem type : remote Debian-specific: no The file type identification tool, file, and its associated library, libmagic, do not properly process malformed files in the Composite Document File (CDF) format, leading to crashes. Note that after this update, file may return different detection results for CDF files (well-formed or not). The new detections are believed to be more accurate. For the stable distribution (squeeze), this problem has been fixed in version 5.04-5+squeeze1. We recommend that you upgrade your file packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPTpUrAAoJEL97/wQC1SS+xjIH/RKCNTX9XDy9RmKnLubx5gME e3MOWFZHk0ZOaNAuorRmyrxygbRkLPVMNECTKenv2eE1CORYIHBvzFDZXNn0Yl+9 +NS2KkmwpigU33Tu/8NfuG/xsoLl9fS1a3iJU+yVeEC14gdr0Nw5OtLzSP5C6HUS KcXZRXQZoHs21SrdotBm0Lx86tmoluZ1QtWmlacJcFnGwMLi3sRBwkE57UufEgCj dd8BD79tdVWm2YlPjnnfpG8Pe+ikq4tIxDHEKHfsFudUxgeSDAZaHjBvF/2xXrxn nEjOjbCpaQT9hUaaBzAxFh10qPiKKV4oA3ueR1RZt/T8XMbTXJAM54NYutF2b7Q= =kRH8 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2420-1] openjdk-6 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2420-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 28, 2012 http://www.debian.org/security/faq - - Package: openjdk-6 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3377 CVE-2011-3563 CVE-2011-5035 CVE-2012-0497 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505 CVE-2012-0506 CVE-2012-0507 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform. CVE-2011-3377 The Iced Tea browser plugin included in the openjdk-6 package does not properly enforce the Same Origin Policy on web content served under a domain name which has a common suffix with the required domain name. CVE-2011-3563 The Java Sound component did not properly check for array boundaries. A malicious input or an untrusted Java application or applet could use this flaw to cause Java Virtual Machine to crash or disclose portion of its memory. CVE-2011-5035 The OpenJDK embedded web server did not guard against an excessive number of a request parameters, leading to a denial of service vulnerability involving hash collisions. CVE-2012-0497 It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. This could lead to JVM crash or Java sandbox bypass. CVE-2012-0501 The ZIP central directory parser used by java.util.zip.ZipFile entered an infinite recursion in native code when processing a crafted ZIP file, leading to a denial of service. CVE-2012-0502 A flaw was found in the AWT KeyboardFocusManager class that could allow untrusted Java applets to acquire keyboard focus and possibly steal sensitive information. CVE-2012-0503 The java.util.TimeZone.setDefault() method lacked a security manager invocation, allowing an untrusted Java application or applet to set a new default time zone. CVE-2012-0505 The Java serialization code leaked references to serialization exceptions, possibly leaking critical objects to untrusted code in Java applets and applications. CVE-2012-0506 It was discovered that CORBA implementation in Java did not properly protect repository identifiers (that can be obtained using _ids() method) on certain Corba objects. This could have been used to perform modification of the data that should have been immutable. CVE-2012-0507 The AtomicReferenceArray class implementation did not properly check if the array is of an expected Object[] type. A malicious Java application or applet could use this flaw to cause Java Virtual Machine to crash or bypass Java sandbox restrictions For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.13-0+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 6b24-1.11.1-1. We recommend that you upgrade your openjdk-6 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPTTmbAAoJEL97/wQC1SS+lqwH/1F5hffrk0ciMajdYvUuPgs5 tDeo+Sq6WwZqSYJFYsXDyyxtLProzR9Szi4n0O5942nUqRV6UtzxsvWPoQVm+gVF c9waYDogwr7X6KNUdhLoWRwR0wZm5lryLPUNPx1AGJd0CstxJJ3cFX243m2F0+03 BuDU4QuwMliS5YpvEJ3JUFA4zZ3ETwa033poeOD9Pkh5Y8wfbaiYM6/0yvI/lIDC EmszvApi8iM/Q6s5olvFgHpv+J2aiLR6IYmP8wWJLd2vvGpukoix06U/eqF0NirT ilZaZmw1YGultG34yWP95TaF5+AOYgkm5g80SeHX2B3iL2u1cd1xklo6i2eGVBE= =jUub -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2419-1] puppet security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2419-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 27, 2012 http://www.debian.org/security/faq - - Package: puppet Vulnerability : several Problem type : local Debian-specific: no CVE ID : CVE-2012-1053 CVE-2012-1054 Two vulnerabilities were discovered in Puppet, a centralized configuration management tool. CVE-2012-1053 Puppet runs execs with an unintended group privileges, potentially leading to privilege escalation. CVE-2012-1054 The k5login type writes to untrusted locations, enabling local users to escalate their privileges if the k5login type is used. For the stable distribution (squeeze), these problems have been fixed in version 2.6.2-5+squeeze4. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 2.7.11-1. We recommend that you upgrade your puppet packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJPS+FdAAoJEL97/wQC1SS+ZQQIAJSwK65I2Zu3vbszCf0Ba+AP hVHLLNdyA56clrDwvqhIf7jncAY9BrkykVkML2fu8K8Zn8hn96r4GyZ1MkzWMBqK Smf4tZTEr1fD0QGbXLmHCZGMosdZVg6RJtBwhfwG8QNBYjspBBzaQ0kixHMHxiam KkYSuFcc1oLfVhJe0ubIIy30mIinaEpLQ6Sxhe75Cm8aIq7gUG60LSlxI5auKBZu w4U52CRdfZPd8I0UIswudD9hEW8Chr7hfq9yBiANXhB8lHyFMpf9nrUNhiC7oAtK i3GWGrKm71paTrS9aMva4c73/Mz9zqMlI905Nt0OgGJqMxqXbxOkE9YrjgKaQ5g= =90wL -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2411-1] mumble security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2411-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 19, 2012 http://www.debian.org/security/faq - - Package: mumble Vulnerability : information disclosure Problem type : local Debian-specific: no CVE ID : CVE-2012-0863 Debian Bug : 659039 It was discovered that mumble, a VoIP client, does not probably manage permission on its user-specific configuration files, allowing other local users on the system to access them. For the stable distribution (squeeze), this problem has been fixed in version 1.2.2-6+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1.2.3-3. We recommend that you upgrade your mumble packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPQQ0XAAoJEL97/wQC1SS+0YEH/0joT00TF14zG+fNGPe/pk1y d9ggWa/RFFnkJuFV/ckWbB9jyCcxWb518mi3SQsRYNYbLZDexh6KCNSWZFttoc/Z LDYjUjODnP4ZP1mNk5sXU8lXuk+G5vW3Pz0KyyD5XurlUJhPq+KG++YEHZrB0ow4 Vr1xiVruMpWjMzUieBhxLrVvgodRwYg9mqlsSxoFzACm0XtV73ZQV9ZAvDUKvoxO KBk4SJBjvLzfT4XN106qRW/rwMCEVPXqj+K89G8A9cMaEwhSGiaMpjHMcXgga6QY 1m7fFnyHnWcp8S++DC8WX03zD1A8BbhRKEf9DU6SHL3+tXyGkMMR1CSsaiPuF8U= =t/7S -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2406-1] icedove security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2406-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 09, 2012 http://www.debian.org/security/faq - - Package: icedove Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3670 CVE-2012-0442 CVE-2012-0444 CVE-2012-0449 Several vulnerabilities have been discovered in Icedove, Debian's variant of the Mozilla Thunderbird code base. CVE-2011-3670 Icedove does not not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages. CVE-2012-0442 Memory corruption bugs could cause Icedove to crash or possibly execute arbitrary code. CVE-2012-0444 Icedove does not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file. CVE-2012-0449 Icedove allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze7. We recommend that you upgrade your icedove packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPM7PyAAoJEL97/wQC1SS+46QH/0NkqnkfapTtEUKV71mvSufA KSjeYaZqowMJtM1JQcuGdcGQifTeOoXqfm9lBCyXOpoxgGS5ltqOTYkbYRT+2XNr +sw6SbMA+X5N3+gHIpeuZtDgEqT3hZWlyxoB83LarvVoQfxU+43jfjeR3d4GPNQe kL0H40v3mt7WneVOdrk+N1LUlqO/EY1KK7lStXhyjSGShTQqOTrWzUXcogKBDcY9 DFT9bR3jKKjPXYKHr1kc4/mEUSGsJ9XHxm0nEAGiXEV6Np+6owB54ANb4BoLV3ON ZXpYglfqw44ikYi+wDGaPsq91ofmIwb7eqiAadQPBMZTmjUM3BMLKLvumrp1CBY= =KEq1 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2407-1] cvs security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2407-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 09, 2012 http://www.debian.org/security/faq - - Package: cvs Vulnerability : heap overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-0804 It was discovered that a malicious CVS server could cause a heap overflow in the CVS client, potentially allowing the server to execute arbitrary code on the client. For the stable distribution (squeeze), this problem has been fixed in version 1:1.12.13-12+squeeze1. For the unstable distribution (sid), this problem has been fixed in version 2:1.12.13+real-7. We recommend that you upgrade your cvs packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPM8aCAAoJEL97/wQC1SS+sTkH/0CT3+vm2K0QcK8KUEJcY7ML a9Wt/rChtSDnWWAcUJqnzizR0HJbjKdOzlX6RqVOfR3JwFfMPMo0j3RA8tqEb+Mn l/Z9pdI/fJAB0qSrlb1yeWQaL1k/GQo1bcIbRsAEbAeETDTzbNRVuEm0O1Arf6ij IwIa9B54Gbfuw4eEvzCJeaokyp/yMS4TEoxuPC/GYQkQTwEOeEhbh9PLz9p+W5k8 wTNhYzvIGNaUFqg0NKUm4ffbWyQ2f/Yt2F09UgSg5PNKraF2AhhURouwKCXLzXa8 GFiAXkJqoJIrc30YjGNhzTNoWrWkFSyAlRjXnMdfZ8FfTHbJj/78FJ1bk4UTm1c= =nPqk -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2404-1] xen-qemu-dm-4.0 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2404-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 05, 2012 http://www.debian.org/security/faq - - Package: xen-qemu-dm-4.0 Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2012-0029 Nicolae Mogoraenu discovered a heap overflow in the emulated e1000e network interface card of QEMU, which is used in the xen-qemu-dm-4.0 packages. This vulnerability might enable to malicious guest systems to crash the host system or escalate their privileges. The old stable distribution (lenny) does not contain the xen-qemu-dm-4.0 package. For the stable distribution (squeeze), this problem has been fixed in version 4.0.1-2+squeeze1. The testing distribution (wheezy) and the unstable distribution (sid) will be fixed soon. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPLnzXAAoJEL97/wQC1SS+AroH/RktLoquNfqGZDXA8APP3TJG EhKsSPz4WH2ddt3uEWuEFacHjTqZ54QaXpgth4osr684yXd3K1L2bMtJKGDQ1GT0 xtsAJqNCYSfootqPeMOxCHX4/dS28dsDxRBR3cTV4L8Kk2VAosrDmvbMRN2nu2IH /Y5qYpXlV9DKlQuBu5FIpQIaR1/liOvRq3tmcnpqZEU5yJ90AIqCeesU1v/aGFLv bmFI9d8rVI6TxC3jEBKnV9+z/CroxPIIsUUUNnLRUa63TSPIWT0FyEaDhdnyGAd4 7Q+/lhUSLyNai4h2E0LrWCOwf05g4AuQ1Z27YgNTdNqcei2hhaTpI97885HtLPk= =VKgf -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2301-2] rails regression
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2392-1 secur...@debian.org http://www.debian.org/security/ January 23, 2012 http://www.debian.org/security/faq - - Package: rails Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-2930 CVE-2011-2931 CVE-2011-3186 CVE-2009-4214 Debian Bug : 629067 It was discovered that the last security update for Ruby on Rails, DSA-2301-1, introduced a regression in the libactionpack-ruby package. For the oldstable distribution (lenny), this problem has been fixed in version 2.1.0-7+lenny2. For the stable distribution (squeeze), this problem has been fixed in version 2.3.5-1.2+squeeze2. We recommend that you upgrade your rails packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPHawgAAoJEL97/wQC1SS+TJ8H/2L7Sxp26vyE1A8nxxWAhesm nT94DsfiPuGnyB5UWQj1mN+viiofNjlhd4VcmwvmM51gcyirjfjGDl/DJuUYrEjG UgEy4UNiSq7KxxgnwWU8EAeu0ge/H8mZaXvLiGEbi2+oFckuvkUQr6x0bAizgYBY +eAxjM03TcjIExrqn4Dwms/DLHDTCenPRhGNN+ApqG0QCiWfV1SStYVGyvhAj9mY jx9BKPgqUUFWMh/JYpE5UiC1C2WXXu5EDnk9w0q4Zjgcv4Q7k99QVvMqkSU7U7xx +9Mex1wksZv4hmu0vHdKQa8hTMC3+xURL/IWhaScNqtxiYvxl7T7eM3A2N4/MqA= =LL/u -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2392-1] openssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2392-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 23, 2012 http://www.debian.org/security/faq - - Package: openssl Vulnerability : out-of-bounds read Problem type : remote Debian-specific: no CVE ID : CVE-2012-0050 Antonio Martin discovered a denial-of-service vulnerability in OpenSSL, an implementation of TLS and related protocols. A malicious client can cause the DTLS server implementation to crash. Regular, TCP-based TLS is not affected by this issue. For the oldstable distribution (lenny), this problem has been fixed in version 0.9.8g-15+lenny16. For the stable distribution (squeeze), this problem has been fixed in version 0.9.8o-4squeeze7. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1.0.0g-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPHbhEAAoJEL97/wQC1SS+0/8H/0N8mxv9ZyjGsx7LPBFpYrjT 1v83soDr0OgT9jmnTYO4xKLuclPniTK74RoqkK9d6img6BFO2ycb0XD2y4cvX+TB dJncBiWV+v1zVlayXQydLMj/17I0LeKUdduWlLkfcedi4scxC3EbXWN5Q5EwK369 zY7zltv7pJgmZgIN5ZSIPPdUDmf8yoK+UfIJyG6rzCciHJqWnc/cJm6lM7tPo7Sx OFWHI6qFZ+A3S4JjMUr2+Ey2b69zPjYOgVUejRklDMCcs4DxkomL9aJJbu6lWrD6 weeLCLMPVo60gZEnfcfnrDolRpZ8X5qam/E1CIgvOgRR9Hx6DXiTDOUX8/kjiD8= =t/+m -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2390-1] openssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2390-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 15, 2012 http://www.debian.org/security/faq - - Package: openssl Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-4108 CVE-2011-4109 CVE-2011-4354 CVE-2011-4576 CVE-2011-4619 Several vulnerabilities were discovered in OpenSSL, an implementation of TLS and related protocols. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2011-4108 The DTLS implementation performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. CVE-2011-4109 A double free vulnerability when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to cause applications crashes and potentially allow execution of arbitrary code by triggering failure of a policy check. CVE-2011-4354 On 32-bit systems, the operations on NIST elliptic curves P-256 and P-384 are not correctly implemented, potentially leaking the private ECC key of a TLS server. (Regular RSA-based keys are not affected by this vulnerability.) CVE-2011-4576 The SSL 3.0 implementation does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. CVE-2011-4619 The Server Gated Cryptography (SGC) implementation in OpenSSL does not properly handle handshake restarts, unnecessarily simplifying CPU exhaustion attacks. For the oldstable distribution (lenny), these problems have been fixed in version 0.9.8g-15+lenny15. For the stable distribution (squeeze), these problems have been fixed in version 0.9.8o-4squeeze5. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1.0.0f-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPEzckAAoJEL97/wQC1SS+I6QH/3m+WwIZkLVOuxIvLG4fH/6E FI7YeN7o0fC4bCtJp+k8QJIMUZ0oYIbGC15/zMgW04nnnDi4zfn+c7sSb4Ja1bbo yF5i8Zl0JAzkjvGp4JnSYEnRZb/ctRYanWrI+O1FuR9GNI+DPhGoOxSU2ksI0niO HPZjyN1oRyGU6+4/Z2AaPoslDqeZvRyL1mLPsm/zgyY3I6WwKFeVd7xgUMNdE5Dw rCBNxtPEN1E/ftmkE05u0mjGGGJZlEZadYL4K1JLdQN2dYYPM1Amqmj4YE7ipy1D YyTcb/BWRPMeC5H/0ZSbyd+304pIcAZJaIGdd+pFIu1o/CdMCC1ZRI88e21KuEQ= =gWrz -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2385-1] pdns security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2385-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 10, 2012 http://www.debian.org/security/faq - - Package: pdns Vulnerability : packet loop Problem type : remote Debian-specific: no CVE ID : CVE-2012-0206 Ray Morris discovered that the PowerDNS authoritative sever responds to response packets. An attacker who can spoof the source address of IP packets can cause an endless packet loop between a PowerDNS authoritative server and another DNS server, leading to a denial of service. For the oldstable distribution (lenny), this problem has been fixed in version 2.9.21.2-1+lenny1. For the stable distribution (squeeze), this problem has been fixed in version 2.9.22-8+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your pdns packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPDIQ5AAoJEL97/wQC1SS+nz8H/1qB4Rzmu8X91C82/AUoaKjQ 6yKU85D7e+/iBtjHN8qAec7xGJugGonJCmHK+IgenoCksvaI4rJEZgymj2W83LDC HB/0KYq3Js7YFLmtTrJkz/xzgwFUB1bh59dzQWWfphgzjw8Nnz4EWkWNbF4ZhuHJ JYAIkbmipLukNs2ioiu8GaNcE/r5pa/w8sAP/h+E4fKsYC/gcVhQI5/mRTG3jjqF 4Jt7ZrxmRD9hjHclTcmRt2gAql0Q70TsM8gZl66tW+I8HzSc26mYWgRMgRe0mdN6 WN8gfx7FhGF8EnTTv27GDtysnmS61N2akIFr6v/BboyqYQ1qAu9H1rxBzu0jWr8= =k1Um -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2381-1] squid3 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2381-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 06, 2012 http://www.debian.org/security/faq - - Package: squid3 Vulnerability : invalid memory deallocation Problem type : remote Debian-specific: no CVE ID : CVE-2011-4096 It was discovered that the IPv6 support code in Squid does not properly handle certain DNS responses, resulting in deallocation of an invalid pointer and a daemon crash. The squid package and the version of squid3 shipped in lenny lack IPv6 support and are not affected by this issue. For the stable distribution (squeeze), this problem has been fixed in version 3.1.6-1.2+squeeze2. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 3.1.18-1. We recommend that you upgrade your squid3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPBwcOAAoJEL97/wQC1SS+m9IH/jRWc9kKuku8KXGpihVK5TCB boq81hmIlO74Oa9ZSlF3lEAVU4ZqlFtkCnrWxW3ieRP5zK22P/OvMSdM+RxsWu/M gFi4gueXBKD2a1wks26c5kVcOaeg2cgz4uBQowdSAkwg+vXR9x2ZGr0Ed4CeMziO OqcYiMkfX8/niCV1xCQuF+9QlLD24EFOQpp49elH34aBZmjnhZGNMf1ok2aISydV 8/LO4PRYhVjSM1cCqtiVc/6kyCgpCVezluhAsfFhn4+GcslI5/deaf3xlgybH0Mz 4WFT6y0U/iHn8SvbzXQAL4c8Q0UiIMSRKBsxiGv+jIDLkaOBL0cd1Sp63/AWptM= =7lar -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2379-1] krb5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2379-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 04, 2012 http://www.debian.org/security/faq - - Package: krb5 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-1528 CVE-2011-1529 It was discovered that the Key Distribution Center (KDC) in Kerberos 5 crashes when processing certain crafted requests: CVE-2011-1528 When the LDAP backend is used, remote users can trigger a KDC daemon crash and denial of service. CVE-2011-1529 When the LDAP or Berkeley DB backend is used, remote users can trigger a NULL pointer dereference in the KDC daemon and a denial of service. The oldstable distribution (lenny) is not affected by these problems. For the stable distribution (squeeze), these problems have been fixed in version 1.8.3+dfsg-4squeeze5. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1.10+dfsg~alpha1-1. We recommend that you upgrade your krb5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPBKCaAAoJEL97/wQC1SS+/3kIAKdxHCj0h0Bc6Xe+YisGXSA2 xiZjxy0aZILMW+h8/K+5TZb3WhM3mEdVybk9eyDn12mdxquAVlAlEr5VHk3Lraz4 DPnV9KrVvoXwuP008QWLNp97UNtm6sUBF9tqf2hzjn0dOWMIuMb4vxkC1pMP87qr fW0p0W3hWqrTR13cmTS9k0iRcGwPexwa1CYv+TeGY2S2T5FNsjisyfKVogN4txFp OxykTkq7I2o26j0kpIyjsOuj0+g+pW/8qvQaIJ//UtLCV8JuNvCPgwThuklrqo9e 1Z+lbeuNirZvoR9TQc+FbUpm9fSJKCt+DguB8lr0GQPG8WqKyxU0Q7WI0Ogp3tU= =yG6H -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2380-1] foomatic-filters security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2380-1 secur...@debian.org http://www.debian.org/security/Florian Weimer January 04, 2012 http://www.debian.org/security/faq - - Package: foomatic-filters Vulnerability : shell command injection Problem type : remote Debian-specific: no CVE ID : CVE-2011-2697 CVE-2011-2964 Debian Bug : 635549 It was discovered that the foomatic-filters, a support package for setting up printers, allowed authenticated users to submit crafted print jobs which would execute shell commands on the print servers. CVE-2011-2697 was assigned to the vulnerability in the Perl implementation included in lenny, and CVE-2011-2964 to the vulnerability affecting the C reimplementation part of squeeze. For the oldstable distribution (lenny), this problem has been fixed in version 3.0.2-20080211-3.2+lenny1. For the stable distribution (squeeze), this problem has been fixed in version 4.0.5-6+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 4.0.9-1. We recommend that you upgrade your foomatic-filters packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJPBLxbAAoJEL97/wQC1SS+mp0H/jSmC8YAOiGfuoqh6kXFqs6c 3A5d/OWdt/PmxiGB50uU5PUMRtvf0YsH8zdBnsLxodP8BT/67UEVvlBjcLZ3X8vX e6auNGP1irGOSIgYb7MWtw+0lCspqv49dc5gK0if/kHBv0ExcHavoR4IMaIvsP6w YOZcd3FL5rTdgIyIMB+KEbMTJW/sR26GjPbAO/N5WWtwbs3IyctM1YK/DTAu9Yji opNrQG/vCJIQSWlGEjdQ1oto74WiwEExLPsKgZ7hgv0NL4tKnihFnK3Llox5xFvN Tx57zt4N916uaPGV20GXin0Vlg2x5IwrLy6S8uAljN/3NnMCobzkCFOP4sc/lp0= =kTKo -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2375-1] krb5. krb5-appl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2375-1 secur...@debian.org http://www.debian.org/security/Florian Weimer December 26, 2011 http://www.debian.org/security/faq - - Package: krb5, krb5-appl Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2011-4862 It was discovered that the encryption support for BSD telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet port to execute arbitrary code with root privileges. For the oldstable distribution (lenny), this problem has been fixed in version 1.6.dfsg.4~beta1-5lenny7 of the krb5 package. For the stable distribution (squeeze), this problem has been fixed in version 1:1.0.1-1.2 of the krb5-appl package. For the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your krb5 and krb5-appl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJO+G20AAoJEL97/wQC1SS+o5sIAJqmXPSliVzHi8rB4o5/L7/5 7Pv6UUR0+ktCSC/bGdPl+cUBIlrqYxoCugAR+AfsY6LsjYUro5q6f8EPvotD4+Gl IhiDphnHtY+XRT3ybDJSAQFlptt1D9ab+G1UHd6gcbhXI0F5vNuXdR+sZu5iEJEE 5ubiCIWhcICt5jxYFr8kHP8/u0j2HrkL0dRsyvTu8CTdg4XwJqhaBkqWdGXDb5qv QrQaZRukHE/zxx7D/ZzDOz9qm1+9lu25URdwUN4Wnd9j0mdAAeQO6hFp2fd9aU+/ VPvmrxTG029aVlQhooGkNDPpON8YUOY2SeN988CotX7q9MIiaDO/EeamBBEE23w= =7SZG -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2372-1] heimdal security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2372-1 secur...@debian.org http://www.debian.org/security/Florian Weimer December 25, 2011 http://www.debian.org/security/faq - - Package: heimdal Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2011-4862 It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet to execute arbitrary code with root privileges. For the oldstable distribution (lenny), this problem has been fixed in version 1.2.dfsg.1-2.1+lenny1. For the stable distribution (squeeze), this problem has been fixed in version 1.4.0~git20100726.dfsg.1-2+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your heimdal packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJO91W9AAoJEL97/wQC1SS+uJEH/RwR3du5TUtcMldjkZHy7TYm syw6NYwqu1mHNtQwxNghqcJzODFxFwtfaS4rrbGusokT/ZytZ2LOvT3es/2NS9N6 0cfGNrpOYPnf9O/KBG/qDKS4wkIzhET8TXc/bm/IZWSSuSqT1zdZiepDLCV2KyFi 9C/1pPUByKcEUJSqBN/3Yn9AUFWFgu+kdJhq4BX2rU8T7eiTDHG5OtJZAHF6tCxP ADhxDb88iFuaPZLiAMouAEdeAIBxycvuPH1UcMxAVEkIQHyugkvJlwJyVBxmNxTu NGxUZkhPsxrltPPcdSyOXVKtd6zV67ZpQwlDeC/URlQSC0QgdOyORZbM/1itLSI= =aUt6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2373-1] inetutils security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2373-1 secur...@debian.org http://www.debian.org/security/Florian Weimer December 25, 2011 http://www.debian.org/security/faq - - Package: inetutils Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2011-4862 It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet to execute arbitrary code with root privileges. For the oldstable distribution (lenny), this problem has been fixed in version 2:1.5.dfsg.1-9+lenny1. For the stable distribution (squeeze), this problem has been fixed in version 2:1.6-3.1+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your inetutils packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJO91XCAAoJEL97/wQC1SS+6XcH/iiEPh9fJIlA721vvYHyJVXM m/YKIr1mvzf7EWBTaCGRrGeL7hb3942PsPGvDwVVI5Ewtqq3bYimERZsbA/s/pIW SpDyr/fWfQEpuol36b0QpkUYSlRWHRT2M7NUrmkD6mKNWq6eeYxPWoIF9luBlY3v 6Z+WnUGKoV3/2trx0g5o8tttNidCNjeLu/jf6b6b/owLyIT7zgNtXdiZRySWT6Sk 4K5/gycscLwf8XfVnyHZP1xptm8kk43BTo5d2EcqA4RkK9TuLr6IqsPMozgF5+MA 1T/Png7IdI33F8TpmMANVXzi2L0GmPJmAhN83uod9WtWXDvORBFZ44sYtwq1if8= =yGPu -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2370-1] unbound security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2370-1 secur...@debian.org http://www.debian.org/security/Florian Weimer December 22, 2011 http://www.debian.org/security/faq - - Package: unbound Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-4528 CVE-2011-4869 It was discovered that Unbound, a recursive DNS resolver, would crash when processing certain malformed DNS responses from authoritative DNS servers, leading to denial of service. CVE-2011-4528 Unbound attempts to free unallocated memory during processing of duplicate CNAME records in a signed zone. CVE-2011-4869 Unbound does not properly process malformed responses which lack expected NSEC3 records. For the oldstable distribution (lenny), these problems have been fixed in version 1.4.6-1~lenny2. For the stable distribution (squeeze), these problems have been fixed in version 1.4.6-1+squeeze2. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1.4.14-1. We recommend that you upgrade your unbound packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJO84AiAAoJEL97/wQC1SS+o7MIALCSkqwBIcOdsT10ltH6nHvB +Of40Vs6QNCDhplmX8+Y6e5Ha6UG5hZLdV/PALok3OkMj0Oyd2cIs6EXXT+QICg9 BgFgDwFtpFSZw5/X9WN3AensVmp2RXmIowM9CQ1MigHCrc08BIRVqiYKK9ZoQZ6m 4zE2ZDbug92pIK4ax1qUBzPoxESlw8E1zgcntZxS7AgaaLvKrEFXPlymsu+Eavv/ E3qyyXAEtE+DQ1Sl9X2w0o59CR9SKgWbTahsY2kS5tO631e3N3/RmApYGxssWl4h IGKJaONRjyOh13HVK1FZ7Um2y0KCXNlEtiKbTrCstx0Aa9Ka04LRfHSUPdEpeIs= =cEIS -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2361-1] chasen security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2361-1 secur...@debian.org http://www.debian.org/security/Florian Weimer December 07, 2011 http://www.debian.org/security/faq - - Package: chasen Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2011-4000 It was discovered that ChaSen, a Japanese morphological analysis system, contains a buffer overflow, potentially leading to arbitrary code execution in programs using the library. For the oldstable distribution (lenny), this problem has been fixed in version 2.4.4-2+lenny2. For the stable distribution (squeeze), this problem has been fixed in version 2.4.4-11+squeeze2. We recommend that you upgrade your chasen packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJO39YNAAoJEL97/wQC1SS+SGAIAIHGcb2CYGdzWlGiuNO1L1x7 swna8zVEMCHIY79EJEXEs0I/iGTKKcMKz0qeQjYOds4ER+I9g8/jd4YjIy/+acex 4sdnOJQN6xjaIlaO9u+qSIFLAmAqsD5ChZQodfTqPRAnBusVRAQsdJ+B3Rnkv9GK 8rQcy2sHSj6ThVadI0B90Z1718Ad1Vjj1PsppVNLw0gkDoCBLJyqVwYVitMbSaP8 ZMZRSbuDU3L1x5zWDuvYgmZlDv1aVA+XHps37wTc7kNt5CiaZh9Tuh1nT/3ce5mN RQPlR11T3+aVrr8k/EB2NwayF5qy305L4eRx2/xNE8BIu1h5UheEdEiNqQmKSBM= =eBOh -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2359-1] mojarra security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2359-1 secur...@debian.org http://www.debian.org/security/Florian Weimer December 06, 2011 http://www.debian.org/security/faq - - Package: mojarra Vulnerability : EL injection Problem type : remote Debian-specific: no CVE ID : CVE-2011-4358 It was discovered that Mojarra, an implementation of JavaServer Faces, evaluates untrusted values as EL expressions if includeViewParameters is set to true. For the stable distribution (squeeze), this problem has been fixed in version 2.0.3-1+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 2.0.3-2. We recommend that you upgrade your mojarra packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJO3nfRAAoJEL97/wQC1SS+yh0H/3xr1x659eOAxJNQuFqqp6k/ ffDYvowL4FCietuFtVWJW9mYaI/KR3MveQiWrWfSd8WOp881qVuPHa327YTDjjQr 6c+IafCKvlySZ+Jq8oWXdLvIVjKQTLZ60itDLzI7afDhRl0wTm/JOV409D+uFY91 4Ng/289txmbLFEO6+FYvBX16cymmhoupnnk112aUpNNXzAfiDzUzeejOEKwUEa6+ zBIJtDKY4Il05x6VSWARjqKGBfRdVhReStnkj44v37mJCUZxg48MO4clB9JdG/0C s6vbz6eql/Jez2ywC7N/5JeDD6nNlvraCQ6Df7bFzcC3QEqGIknV/95rVYCxRdg= =SviP -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/